1

I'm trying to set up Windows Event Forwarding on a Windows 2012 R2 collector server. I was looking to collect events from Windows Defender, which comes by default on Windows 7 and 8 clients. I know that Windows Defender is not supported by Microsoft on 2012 R2. I just want to collect the events with a subscription from the supported clients. When I look in the Application and Services log, I can't find the Windows Defender application on the collector server (because I think the feature is not installed so it can't be listed here).

The path should be as follow:

Applications and Services Logs/Microsoft/Windows/Windows Defender/Operational,

like described in this technet post: https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_start/access-scan-logs/1066927e-35c8-4e66-ae3b-ca542776312c

Maybe someone who knows how I can collect these logs? Or should I create a PS script which moves the desired logs to another location like the Security log so my 2012R2 server can collect the events?

frederict
  • 11
  • 4

3 Answers3

0

Windows provides event forwarding feature. refer to link : https://www.youtube.com/watch?v=sZj_9e3AHFk

Mr.kang
  • 109
  • 5
  • Could you edit your post to correct spelling (feature) and give more details about what we can see on the video, rather than just a link (eg summurize video content). – bgtvfr May 23 '17 at 14:54
0

Copy the XML from event viewer from another computer that has the event log. Right-click > Filter > XML tab. Add that XML to your collector subscription, or create a new subscription. 

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
    <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
  </Query>
</QueryList>
Greg Askew
  • 35,880
  • 5
  • 54
  • 82
0

I have successfully setup a Server 2012 R2 as the Event Collector Server for Windows Defender. The following are the steps.

On Windows 10/8.1 workstation, create a custom event view and select Windows Defender/Operation.

Export Custom View and copy the XML file to Server 2012 R2.

Import XML file to Custom Views on Server 2012 R2. There will be an error. You can ignore that error because there is no Windows Defender on Server 2012 R2.

Create a Subscription on Server 2012 R2. Click on the down arrow on on the Select Events... and select Copy from existing Custom View and select the Source workstations.

That is it. Windows Defender event should forward to the Server 2012 R2.

Derek
  • 1