Thursday, June 30, 2011

Configure Windows boxes to Forward and Collect Events

Event Forwarding
MS finally made some improvements to Event Viewer, and this is the one I like most: Event Subscriptions, which let you collect the events of many computers into a single log on one remote computer (the collector). There are two types of subscription: source-initiated and collector-initiated.
Using Event Forwarding requires configuring both the source and the collector computers: each source needs the Windows Remote Management (WinRM) service, and the collector needs WinRM plus the Windows Event Collector (wecsvc) service. Events travel over WinRM, by default HTTP on TCP 5985 (Windows 7 / Server 2008 R2 and later); inside a domain that traffic is Kerberos-authenticated and encrypted at the message level, but an HTTPS listener on TCP 5986 is the safer choice.
Source-initiated subscriptions: the subscription is created on the collector without naming the source computers; any number of sources can then push their events to the collector, and which computers do so is controlled by Group Policy (Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager).
Collector-initiated subscriptions: the subscription names each source computer explicitly, and the collector pulls the events from them.
Collector-initiated subscriptions:
1.       On each source computer, from an elevated command prompt run:   winrm quickconfig
2.       On the collector computer (the destination), from an elevated command prompt run: wecutil qc
3.       Give the collector's computer account read access to the logs on each source computer. The usual instruction is to add it to the local Administrators group, but that hands the collector full control of every source; membership in the local "Event Log Readers" group is sufficient, including for the Security log, and is the least-privilege choice. I love the command sets, so try this:
Net localgroup "Event Log Readers" <computer_name>$@<domain_name>  /add
(the <domain_name>\<computer_name>$ form is accepted as well; the trailing $ marks a computer account.)
4.       Add the NETWORK SERVICE account to the local "Event Log Readers" group on each of the source computers. The WinRM service on the source, which reads and sends the events, runs as NETWORK SERVICE, and without this membership it cannot read the Security log.
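The four steps above carried through end to end, as an added example (not part of the original post): one PowerShell session on a source and one on the collector, plus the subscription XML that the Event Viewer wizard would otherwise write for you. CORP, COLLECTOR, ws01.corp.example and ws02.corp.example are assumed names; the subscription pulls logon success and failure events (4624/4625) from the Security log into ForwardedEvents on the collector.

```powershell
# ===== Steps 1, 3 and 4: run on EACH SOURCE computer from an elevated PowerShell =====
# Enable the WinRM service, create the HTTP listener on TCP 5985 and open its firewall rule.
winrm quickconfig -q

# Grant the collector's computer account read access to every log, including Security.
# Event Log Readers is enough; do not put a remote machine account in local Administrators.
$domain    = 'CORP'        # assumed NetBIOS domain name
$collector = 'COLLECTOR'   # assumed collector host name
net localgroup "Event Log Readers" "$domain\$collector`$" /add

# The WinRM service that reads and ships the events runs as NETWORK SERVICE.
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add

# ===== Step 2: run on the COLLECTOR from an elevated PowerShell =====
# Set the Windows Event Collector service to start automatically and prepare ForwardedEvents.
wecutil qc /q

# Subscription definition. CredentialsType Default means the collector authenticates to the
# sources with its own computer account, which is why step 3 is needed.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>LogonEvents</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon success/failure pulled from named workstations</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>ws01.corp.example</Address></EventSource>
    <EventSource Enabled="true"><Address>ws02.corp.example</Address></EventSource>
  </EventSources>
</Subscription>
'@

$path = Join-Path $env:TEMP 'LogonEvents.xml'
Set-Content -Path $path -Value $subscription -Encoding ASCII   # no BOM, wecutil is picky
wecutil cs $path                                  # create the subscription
wecutil gr LogonEvents                            # runtime status: each source should read "Active"
wevtutil qe ForwardedEvents /c:3 /rd:true /f:text # newest three forwarded events
```

If a source shows an error in `wecutil gr`, the usual causes are the firewall rule that `winrm quickconfig` creates being disabled, or the collector's computer account not yet being in Event Log Readers on that source (a source that received the group change while the collector was already connected needs the WinRM service restarted).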

Source-initiated subscriptions:
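The source-initiated variant, as an added example that is not part of the original post. The collector side is the same subscription file but with `SourceInitiated` and an SDDL that says which computers may register; the source side is exactly what the Group Policy setting named above writes, so in a lab you can set the registry value directly. collector.corp.example is an assumed collector FQDN.

```powershell
# ===== On the COLLECTOR (elevated): a subscription with no source list =====
wecutil qc /q

# AllowedSourceDomainComputers is an SDDL: Domain Computers (DC) and Network Service (NS) may
# register. For production, replace DC with the SID of a dedicated "WEF sources" group.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DomainComputersSecurity</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security log pushed by domain-joined computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@
$path = Join-Path $env:TEMP 'DomainComputersSecurity.xml'
Set-Content -Path $path -Value $subscription -Encoding ASCII
wecutil cs $path

# ===== On EACH SOURCE (elevated; normally delivered by Group Policy) =====
winrm quickconfig -q
# The forwarding WinRM service runs as NETWORK SERVICE and must be able to read Security.
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add

# This is the value the policy "Configure target Subscription Manager" writes.
# Refresh=60 makes the source ask the collector for subscription changes every 60 seconds.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name '1' `
  -Value 'Server=http://collector.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'
Restart-Service WinRM     # re-read the policy and register with the collector now

# ===== Back on the COLLECTOR: sources appear as they check in =====
wecutil gr DomainComputersSecurity
```

Because the sources push over HTTP here, every source needs to be able to obtain a Kerberos ticket for the collector (the `HTTP/collector.corp.example` SPN is covered by the collector's HOST SPN); a source that cannot will show up nowhere on the collector, and the place to look is the Eventlog-ForwardingPlugin/Operational log on that source.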

Alternatively, the logs on a remote computer can be read and managed directly with wevtutil (this uses the RPC-based Event Log remoting interface rather than a subscription):
wevtutil <command> /r:<remote_computer_name> /u:<user_name> /p:<password>
NOTE: You must enable the Remote Event Log Management exception in the Windows Firewall settings on the remote computer to which you want to connect. Also avoid typing the password on the command line, where it stays in the shell history and is visible to other processes: give /p:* (or omit /p) and wevtutil prompts for it.
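A worked remote query with that syntax, as an added example (not from the original post): the firewall rule group from the note, then the newest failed logons on a remote server with the password prompted rather than typed on the command line. SRV01 and CORP\auditor are assumed names.

```powershell
# On the REMOTE computer (elevated): allow the RPC-based remote event log interface through
# the Windows Firewall. This is the "Remote Event Log Management" exception from the note.
netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes

# From the querying workstation. /p:* makes wevtutil prompt for the password instead of
# leaving it in the shell history and the process command line.
# XPath filter: failed logons (4625) in the last 24 hours (timediff is in milliseconds).
$filter = '*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'

# Newest 20 matching events, rendered as text (/rd:true reads the log newest-first).
wevtutil qe Security /r:SRV01 /u:CORP\auditor /p:* "/q:$filter" /c:20 /rd:true /f:text

# Size and record count of the remote Security log, to spot a cleared or wrapped log.
wevtutil gli Security /r:SRV01 /u:CORP\auditor /p:*
```

The account used needs to be in Event Log Readers (or Administrators) on SRV01 to read the Security log; a member of neither gets "Access is denied" even though the firewall rule is open.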
