Event Forwarding Error (Code 0x8033801B)
Ok. This is kind of a long post, but bear with me, as I'm providing as much info as I can. I'm trying to get event log forwarding in Windows 2008 to work with custom scripts, and my goal is to have a centralized log server that collects the information from all my other servers. It doesn't sound too complicated ... right?

Initially, I set up the event forwarding as indicated here (http://www.windowsecurity.com/articles/centralized-auditing-here-free.html ), and with some minor tweaks (changed the heartbeat interval and the max latency time) had it working. The problem came when I tried to copy the logs from my central log server via a VBScript to a backup location: all the logs except "Forwarded Events" and "Setup" were copied. Here's the relevant part of my VBScript handling the backups at the moment:

    thisPC = "."
    currDir = "<My backup directory>"   ' placeholder as posted; set to the real backup path

    REM FUNCTIONS
    Function BackLogs()
        ' Connect to WMI with the Backup and Security privileges needed to read every log
        Set WMIService = GetObject("winmgmts:" _
            & "{impersonationLevel=impersonate, (Backup, Security)}!\\" _
            & thisPC & "\root\cimv2")
        ' Win32_NTEventLogFile only lists classic logs, not channels such as ForwardedEvents
        Set allLogs = WMIService.ExecQuery("Select * from Win32_NTEventLogFile")
        For Each logFile In allLogs
            strBackupLog = logFile.BackupEventLog _
                (currDir & "\" & logFile.LogFileName & ".evt")
        Next
    End Function

So I did some digging and found out, at least with the 'Forwarded Events' log, that it is not part of the EventLog.getEventLogs() array because it is a channel (http://sync-io.net/go/blog/ ). So I followed the steps in the aforementioned website to create a ForwardedEvents classic log, in hopes that it would fix part of my problem. The only thing I did differently was creating the log manually in the registry instead of doing Step 1, because I couldn't figure out in what context to execute that statement.

These are the registry entries for my log right now:

HKLM\System\CurrentControlSet\Services\EventLog\ForwardedEvents

    Name                 Type           Value
    Default              REG_SZ         (value not set)
    DisplayNameFile      REG_EXPAND_SZ  %systemroot%\system32\wevtapi.dll
    DisplayNameID        REG_DWORD      0x00000105 (261)
    File                 REG_EXPAND_SZ  %systemroot%\system32\winevt\Logs\ForwardedEvents.evtx
    MaxSize              REG_DWORD      0x01400000 (2091520)
    PrimaryModule        REG_SZ         ForwardedEvents
    RestrictGuestAccess  REG_DWORD      0x000000001 (1)
    Retention            REG_DWORD      0x000000000 (0)

After creating this entry, I now have a ForwardedEvents 'classic' log in the Event Viewer and I can successfully back up the data in it with my custom script. However, no new data is getting logged into the ForwardedEvents log from my other server. The subscription runtime status for the server now says ERROR. The description for this error is as follows:

    [PC_1.logtest] - Error - Last retry time: 8/5/2009 9:43:03AM.
    Code (0x8033801B): The WS-Management service cannot process the request. WS-Management cannot identify the enumeration context ID in the SOAP packet. The packet may have been invalid, or the operation may have timed out.
    Next retry time: 8/5/2009 10:23:25AM

I have since ruled out the 'operation has timed out' portion of the error, because the connectivity test in the subscription area succeeds, and the packet capture of the interaction reveals that both servers are communicating and an HTTP return status of 500 (Internal Error) is returned by the event source to the event collector at the very end of the interaction (I can upload the packet capture if needed).

So, here's what I'm thinking right now:

1) There is an error in the creation of the ForwardedEvents 'classic' log, and the Event Source doesn't know how to forward the information to the Event Collector properly.
2) The Event Collector is requesting something that it shouldn't, and the Event Source doesn't know how to reply to it.
3) Is there a way to back up channels into a log file? That could save me all this hassle.
4) Is this even the right approach to this scenario?

Testing environment:

- Both test servers connected through a router that has no ACLs or anything that might interrupt traffic.
- Both test servers are running Windows Server 2008 SP2 (32-bit).
- The Windows Firewall on both servers is turned off.
- Both test servers are Domain Controllers in my test domain.
- The Event Collector is also the DHCP and DNS server for the domain.

Make any suggestions you think might help, because I'm working on an isolated test lab, so I'm not worried at all about losing information, bringing down the servers, or anything like that.

Zo...
August 5th, 2009 6:23pm

UPDATE: Sporadically, some Information events are getting logged into the ForwardedEvents log I created. However, it is too intermittent and too unreliable to consider the issue solved, AND I still get the same error at the end. I haven't really changed anything as I'm considering (and starting to work with) other options. Has anyone else stumbled upon this issue? I'd hate to drop this approach only to find out later that I was a 'registry key' (or something similar) away from getting it to work.
August 7th, 2009 3:48pm

I just spent 2 days trying to figure out a solution for this exact problem, and came up with this PowerShell script:

    copy c:\windows\System32\Winevt\Logs\ForwardedEvents.evtx c:\Backup.evtx
    [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog("ForwardedEvents")

Credit for the Clear-Winevent script goes to Shay Levy: http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/a6f0786b-fe04-4887-aa3a-07f8e5bfa1d9/

Still having trouble signing the script (self-signed), so if you know how to do this, let me know....
January 3rd, 2011 10:55am
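The original question asks whether a channel such as ForwardedEvents can be backed up to a file at all, and the answer above copies the .evtx and then clears the channel in two separate steps. The following script is an added example, not code from either poster: it uses the two-argument form of the same EventLogSession.ClearLog API to back up and clear the channel in one operation, then verifies the backup file is readable. The channel name and backup directory are parameters; the default path is a placeholder, not one from the thread.

```powershell
# Added example (not from the thread): back up an event log channel such as
# ForwardedEvents, which Win32_NTEventLogFile/BackupEventLog cannot see, and
# clear it in one step. Assumes PowerShell 2.0+ on Windows Server 2008, run
# elevated (Backup privilege is required to read the Security channel).
param(
    [string]$Channel   = 'ForwardedEvents',
    [string]$BackupDir = 'C:\LogBackup'   # placeholder path, set to your own
)

$session = [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession

# Fail early on a mistyped channel name instead of producing no file at all.
if (-not ($session.GetLogNames() -contains $Channel)) {
    throw "Channel '$Channel' does not exist on this host."
}

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# Timestamped file name so repeated runs never overwrite an earlier backup.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupDir ("{0}-{1}.evtx" -f $Channel, $stamp)

# ClearLog(logName, backupPath) writes the channel to backupPath and then
# clears it as a single operation, so an event that arrives between a
# separate "copy" and "clear" (the gap in the two-line script above) is not
# lost.
$session.ClearLog($Channel, $target)

# Verify the backup is a readable .evtx before trusting it: open the file
# by path and count the records it contains.
$pathType = [System.Diagnostics.Eventing.Reader.PathType]::FilePath
$query    = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogQuery `
                       -ArgumentList $target, $pathType
$reader   = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogReader `
                       -ArgumentList $query
$count = 0
while ($reader.ReadEvent() -ne $null) { $count++ }
$reader.Dispose()

Write-Host ("Backed up {0} event(s) from {1} to {2}" -f $count, $Channel, $target)
```

If you would rather not run a signed script at all, the equivalent one-liners are `wevtutil epl ForwardedEvents <file.evtx>` followed by `wevtutil cl ForwardedEvents`, but those are again two steps with the same gap between them.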

