We use the 'Open Event Log' API to get information from the event log of each Domain Controller.
We use the following function in our code: https://msdn.microsoft.com/en-us/library/windows/desktop/aa363672%28v=vs.85%29.aspx
All firewalls located between the agent and the system that is being polled for events must allow communication on at least one of the following ports:
TCP port 135
UDP port 137
UDP port 138
TCP port 139
TCP port 445
To verify the Windows Firewall allows Remote Event Log Management:
Log in to the remote system.
Select Start > Programs > Administrative Tools, and then click Windows Firewall with Advanced Security.
Click Inbound Rules.
Verify that the Enabled column lists Yes for all of the Remote Event Log Management firewall rules.
List of ports used by WinCollect to remotely poll for events:
TCP port 135 Microsoft Endpoint Mapper
UDP port 137 NetBIOS name service
UDP port 138 NetBIOS datagram service
TCP port 139 NetBIOS session service
TCP port 445 Microsoft Directory Services for file transfers that use a Windows share
Note: If you are using DNS for name resolution, you may also need to verify that UDP and TCP port 53 are listening. You might need firewall exceptions in place on your Windows firewall for these ports.
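
The firewall-rule check and the TCP port list above can also be verified from PowerShell. This is an added example, not WinCollect's own tooling; the host name DC01.example.test and the function names are placeholders, and the rule group name assumes an English-language Windows install.

```powershell
# Added example. Run Get-DisabledEventLogRule on the system being polled,
# and Test-PollingPort on the host where the agent runs.

# TCP ports from the list above. UDP 137 and 138 are connectionless and
# cannot be confirmed with a TCP connect, so they are not probed here.
$TcpPorts = @(
    @{ Port = 135; Service = 'Microsoft Endpoint Mapper' }
    @{ Port = 139; Service = 'NetBIOS session service' }
    @{ Port = 445; Service = 'Microsoft Directory Services' }
)

function Get-DisabledEventLogRule {
    # Scripted form of "Inbound Rules > Enabled column lists Yes".
    # Returns every inbound rule in the group that is NOT enabled;
    # an empty result means the check passes.
    Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -ne 'True' } |
        Select-Object DisplayName, Profile, Enabled, Action
}

function Test-PollingPort {
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName
    )
    # One result row per TCP port, so a blocked port is visible by name.
    foreach ($entry in $TcpPorts) {
        $result = Test-NetConnection -ComputerName $ComputerName `
            -Port $entry.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target    = $ComputerName
            Port      = $entry.Port
            Service   = $entry.Service
            Reachable = $result.TcpTestSucceeded
        }
    }
}

# On the polled system:
#   Get-DisabledEventLogRule | Format-Table -AutoSize
# On the agent host (placeholder name):
#   Test-PollingPort -ComputerName 'DC01.example.test' | Format-Table -AutoSize
```

A row with Reachable set to False points at a firewall between the agent and the polled system, or at a disabled inbound rule on the polled system itself.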