By default, every Windows computer in your organization keeps its own local event logs. You examined these logs in the Searching event logs for specific events recipe. The logs on SRV1, for example, are separate from the logs on DC1. In larger environments, analyzing event logs across a large number of servers is complex. With 100 servers, you would need to run a script on each of those 100 servers and then combine the results. Having each server forward events to a central computer simplifies this task greatly.
Also consider what happens if a server is compromised. Hackers often clear event logs after doing naughty things on a hacked machine, which helps to cover their tracks. A security best practice is to get the event details sent to a central, and hopefully more secure, server as quickly as possible. With Windows, you can use event forwarding to achieve this.
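The following script is an added example and is not part of the recipe. It shows the defensive side of the point above: once events are forwarded, the collector still holds the "log cleared" events (Security event ID 1102 and System event ID 104, both written by the Microsoft-Windows-Eventlog provider) even if the attacker wiped the logs on the source computer. It assumes the collector has already been initialised with wecutil qc and that a subscription delivers events into the ForwardedEvents log, which is the default target; the function name and its parameters are this example's own choices.

```powershell
# Added example (not from the recipe): on the collector, find "log cleared" events
# that source computers forwarded before their local logs were wiped.
# Assumes the collector was initialised with "wecutil qc" and a subscription
# writes into ForwardedEvents (the default target log).
function Get-ForwardedLogClearedEvent {
    [CmdletBinding()]
    param (
        # How far back to search; default is the last 24 hours.
        [int] $Hours = 24,
        # Log the subscription delivers into; ForwardedEvents is the default.
        [string] $LogName = 'ForwardedEvents'
    )

    # 1102 = "The audit log was cleared"  (Security log)
    # 104  = "The <name> log file was cleared" (System log)
    # Both come from the Microsoft-Windows-Eventlog provider.
    $filter = @{
        LogName      = $LogName
        ProviderName = 'Microsoft-Windows-Eventlog'
        Id           = 1102, 104
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises a non-terminating error when nothing matches;
    # SilentlyContinue turns "no events" into an empty result instead.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [PSCustomObject]@{
                Time    = $_.TimeCreated
                Source  = $_.MachineName      # the computer whose log was cleared
                EventId = $_.Id
                Message = ($_.Message -split "`n")[0]
            }
        }
}

# Usage on the collector: review the last three days of forwarded clear events.
Get-ForwardedLogClearedEvent -Hours 72 | Format-Table -AutoSize
```

Because the query runs against the collector's copy of the events, it works even when the source computer's own Security or System log has since been emptied; MachineName on each event tells you which source it came from, so a burst of 1102 or 104 events from one host is a useful signal to investigate.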
Forwarding event logs to a central server allows you to centralize your log...