Many of my students have been unsure how to use a new feature of Windows 2008 and Windows 7 called the Event Collector. This feature allows one or more computers to forward a copy of events from selected logs to a different computer, called an event collector. For example, assume that I have four servers. I want three of the servers to send any critical and error events from their Application and System logs to one server so that I can review them.
My assumptions for this article are that all four computers are domain-joined. Only domain-joined computers can use this feature. My other assumptions are that my computers will communicate using HTTP port 5985 and that none of my servers are domain controllers. Below I outline the steps based upon these assumptions.
1. Decide which computer will be the collector of events and which computer(s) will be forwarding events to the collector.
2. Log on to each computer that will forward events as an Administrator and open a command prompt as an Administrator.
a. Type winrm quickconfig and press Enter. WinRM will then ask you about adding a WinRM firewall exception, as shown below. This screen shot is from a Windows Server 2008 R2 computer. (On Windows 7, you may be prompted both to set the WinRM service to a delayed auto start and to set the WinRM firewall exception.) Accept the change(s).
b. Continue performing this step on all computers that will be sending events.
3. Now you are ready to log on to the collector. This is the computer that will be collecting the events.
a. Again, type winrm quickconfig and press Enter.
b. Then type wecutil qc and press Enter. This will allow users on a different computer to subscribe to (send) events on this computer.
c. When prompted to change the wecutil startup mode, type y and press Enter.
d. Type Exit and press Enter to exit the command prompt.
4. Click Start | Administrative Tools | Computer Management.
5. Expand the Event Viewer and select the Subscriptions node.
a. Right-click on Subscriptions and select Create Subscription.
b. In the Subscription Properties page, in the Subscription name field, type a subscription name, i.e. Server1 logs.
c. In the Subscription Type and source computers section, verify that Collector initiated is selected and click Select Computers.
i. Click Add Domain Computer and type the name of the server and click Check Names.
ii. Click OK.
iii. Click Test.
iv. Read the message. Click OK.
d. Click Select Events.
i. In the Logged field, use the drop-down list and select Last 24 hours.
ii. In the Event level field, select Critical, Error and Warning.
iii. Select By Log. Using the drop-down list, expand Windows Logs and select Application and System logs.
iv. Click OK.
e. Click Advanced.
i. Verify that the Machine Account is selected.
ii. Examine the port. (Remember the firewall will need to allow traffic from this port.)
iii. Click OK.
f. Click OK to close the Subscription Properties screen.
6. Your next task is to add the collector computer’s account to the local Administrators group on each forwarding computer. (If you are using a domain controller, you will need to set up a user account that has permissions to read the event logs.)
7. Once that task is finished, expand Event Viewer\Windows Logs\Forwarded Events.
8. This is where the other servers send a copy of the Critical and Error events that appear in their System and Application logs.
- Janet Nichols, Windows Server Expert; MCT, MCSE, MCITP: Enterprise Admin, Server Admin; Windows 7 EDA, MCTS
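A way to confirm that the setup from steps 2 through 8 is actually delivering events, as an added example that is not part of the original article. It runs on the collector in an elevated PowerShell session. The computer names SERVER1 to SERVER3 are assumed placeholders, and the subscription name is the one typed in step 5b.

```powershell
# Added example, not from the original article. Run on the collector, elevated.
# Assumed placeholder names: replace with your own forwarding computers.
$Forwarders   = 'SERVER1', 'SERVER2', 'SERVER3'
$Subscription = 'Server1 logs'   # subscription name from step 5b
# Levels chosen in step 5d: 1 = Critical, 2 = Error, 3 = Warning
$LevelFilter  = '*[System[(Level=1 or Level=2 or Level=3)]]'

# 1. The collector needs both services that steps 3a and 3b configure.
Get-Service -Name WinRM, Wecsvc | Format-Table Name, Status -AutoSize

# 2. Each forwarder must answer WS-Management requests (HTTP port 5985 here).
foreach ($computer in $Forwarders) {
    try {
        Test-WSMan -ComputerName $computer -ErrorAction Stop | Out-Null
        Write-Host "$computer : WinRM listener reachable"
    } catch {
        Write-Warning "$computer : WinRM not reachable: $($_.Exception.Message)"
    }
}

# 3. Ask the collector service for the per-source state of the subscription.
wecutil gr $Subscription

# 4. Count what has arrived in Forwarded Events, grouped by source computer.
$events = @(Get-WinEvent -LogName ForwardedEvents -FilterXPath $LevelFilter `
                -MaxEvents 5000 -ErrorAction SilentlyContinue)
$bySource = $events | Group-Object -Property MachineName
$bySource | Sort-Object Name | Format-Table Name, Count -AutoSize

# 5. Flag forwarders that have delivered nothing. MachineName is usually the
#    fully qualified name, so match either the short name or "name.domain".
foreach ($computer in $Forwarders) {
    $seen = $bySource | Where-Object {
        $_.Name -eq $computer -or $_.Name -like "$computer.*"
    }
    if (-not $seen) {
        Write-Warning "$computer : no forwarded events received"
    }
}
```

A forwarder flagged in the last step may simply have logged nothing at the selected levels; compare it with the `wecutil gr` output before treating it as a delivery failure.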
Nice post. That is the real way to explain anything. I read all the information. You explained all the necessary information in a very good way, like points and the screen shots. Thanks.