diff --git a/packages/win_event_col.xml b/packages/win_event_col.xml
new file mode 100755
index 0000000000000000000000000000000000000000..a0ed6105e49a42b2dd10f75abacfccf759d8087a
--- /dev/null
+++ b/packages/win_event_col.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<packages>
+
+<!-- install the Event Viewer Subscriptions settings for the Event Log Collecter Server. Along with the GPO for the Collector Server the firewall needs tweeking, see below. This is all that is needed to make a Event Log Server. Another GPO is used for all of the clients, this tells them the name of the Server to send events to. -->
+
+<package id="win_event_col" name="Windows Event Collector Service" revision="%VERSION%" priority="50" reboot="false">
+
+ <variable name="VERSION" value="1" />
+ <variable name="CONFIG" value="server_config.xml" />
+
+ <check type='registry' condition='equals' path='%WPKG_REG%\event_collection\version' value="%version%" />
+
+ <install cmd='cmd /c wecutil cs "%WPKGSHAREBASE%\%WPKGINSTITUTION%-config\windows_event_collector_service\%CONFIG%"' />
+ <install cmd='reg add %WPKG_REG%\event_collection /t reg_sz /v version /d %version% /f' />
+ <install cmd='cmd /c netsh http add urlacl url=http://+:5985/wsman/ sddl="D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)"' />
+
+ <remove cmd='cmd /c wecutil ds "maths.cam.ac.uk domain collection"' />
+ <remove cmd='reg delete %WPKG_REG%\event_collection /f' />
+ <remove cmd='cmd /c netsh http delete urlacl url=http://+:5985/wsman/' />
+
+</package>
+</packages>
+
+<!--
+Run the following in an admin cmd window on the server - open up the firewall:
+
+netsh http show urlacl
+netsh http delete urlacl url=http://+:5985/wsman/
+netsh http add urlacl url=http://+:5985/wsman/ sddl="D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)"
+ -->
+
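Review bot: The version marker is written by the second `<install>` (`reg add ... /v version`) before the `netsh http add urlacl` step runs, so a failed netsh still leaves the registry `<check>` satisfied and the collector can be treated as installed without the URL ACL in place. That failure is likely on a host that already has a reservation for `http://+:5985/wsman/`, since `netsh http add urlacl` errors on an existing entry; the manual steps in the trailing comment delete it first, but the package does not. I would make the `reg add` the last `<install>` and put a `netsh http delete urlacl url=http://+:5985/wsman/` step, with its non-zero exit tolerated, ahead of the add. The `<remove>` side deletes the reservation outright rather than restoring what was there before, which may leave WinRM on that server without its listener ACL, so that is worth confirming. The comments also call this a firewall change, while the command edits an HTTP.sys URL reservation whose SDDL grants execute to two service SIDs (these appear to be the WinRM and Wecsvc service accounts); a comment naming them would make the ACL auditable.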