I recently got some feedback from someone who was trying to use gowinlog to subscribe to the “Forwarded Events” channel on a Windows server. It was not going as planned.
For context, “Forwarded Events” is a special channel - the default channel where events from Event Subscription are stored. These events are pulled (or pushed) from remote machines and stored on a single system to simplify administration. “Forwarded Events” shows up in the Event Viewer just like your standard, local logs.
The mention of logs from a remote machine made me wonder if this was going to be possible without some code changes. gowinlog is mostly a thin wrapper around EvtSubscribe and related APIs. One of the arguments to EvtSubscribe is Session, a connection to a remote system, which should allow you to subscribe to logs without configuring forwarding. Or that’s how I read it. I haven’t plumbed the depths of remote Windows logging (I’ve barely skimmed the surface of local Windows logging), so this was new territory.
Get-EventLog from PowerShell didn’t show a “Forwarded Events” channel. That’s bad news. I read the man page for Get-EventLog and realized it’s deprecated and I should be using the intuitively-named Get-WinEvent so I can see fancy Windows Event Log logs as well as “classic” logs. Cool story.
Get-WinEvent showed the same list of channels as the Event Viewer, including “Forwarded Events”. Dead end.
Finally, I came across a Splunk post about Event Forwarding, which mentions offhandedly that the default forwarding log is “ForwardedEvents” (all one word). In a fit of desperation, I try subscribing to “ForwardedEvents” and everything fits together. Hooray.
- You can’t have spaces in your channel names when you call EvtSubscribe. Just take the spaces out and everything will work. This isn’t in the docs as far as I could see, and it’s not reflected in the Event Viewer or Get-WinEvent.
- EvtSubscribe does work with Event Forwarding out of the box. There might be more corner cases I’ll cover later.
- You should always use Get-EventLog to work with event logs.
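As an added example (my own, not code from the post or from gowinlog), here is a PowerShell check that turns the name Event Viewer displays into the channel name EvtSubscribe and Get-WinEvent actually accept, then reads the newest forwarded events from the collector. The function name Resolve-WinEventChannel is an assumption of this example; Get-WinEvent and its -ListLog, -LogName and -MaxEvents parameters are the real cmdlet.

```powershell
# Added example, not from the gowinlog project. Resolves an Event Viewer
# display name ("Forwarded Events") to the real channel name ("ForwardedEvents").
function Resolve-WinEventChannel {
    param([Parameter(Mandatory)][string]$DisplayName)

    # Try the name as typed first, then with the spaces stripped out,
    # which is the trick the post arrived at for the forwarding channel.
    $candidates = @($DisplayName, ($DisplayName -replace '\s', '')) | Select-Object -Unique
    foreach ($name in $candidates) {
        try {
            # -ListLog fails with an error when no such channel exists.
            $log = Get-WinEvent -ListLog $name -ErrorAction Stop
            # LogName is the identifier the Event Log APIs expect.
            return $log.LogName
        } catch {
            continue
        }
    }
    throw "No event log channel matches '$DisplayName' (tried: $($candidates -join ', '))"
}

# Resolve the channel once, then use the resolved name everywhere else
# (this is the string you would hand to EvtSubscribe or to gowinlog).
$channel = Resolve-WinEventChannel -DisplayName 'Forwarded Events'
Write-Host "Subscribe to channel: $channel"

# Newest ten forwarded events; MachineName shows which remote host sent each one,
# which is what a collector operator wants to confirm forwarding is working.
Get-WinEvent -LogName $channel -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id, ProviderName
```

On a collector that has not received anything yet the last command returns nothing rather than an error, so an empty result means "no events yet", not "wrong channel name".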