Advanced Windows PowerShell Scripting Video Training

Advanced Windows PowerShell Scripting Video Training
Advanced Windows PowerShell Scripting Video Training

Friday, August 14, 2009

Event Subscription procedure that actually works.

I have been very frustrated with Microsoft’s Event Subscription procedure. First of all, it does not work. I have tried many times and cannot get past the part where you add the collector computer account to the local administrators group on the sender computer. I even watched a video from Microsoft that did everything but showed you that it worked. Below is my Event Subscription procedure.


The test environment is in a Windows 2008 R2 Hyper-V environment.


MCT-DC1 : Windows Server 2008 R2 Domain controllers – Will be the collector.

MCT-Core-1 : Windows Server 2008 Core

MCT-SRV-1 : Windows Server 2008 member server

The prep work:

First off, we need to use a service account. When creating a service account, I recommend a long, complex password. We will be setting the password not to expire so having a long and complex password will help with security.


· Open Active Directory Users and Computers.

· Create a user account inside Managed Service Accounts.

o If you do not have this OU, create the user account where appropriate for your domin.

o Username: EventCollector

o Password: Pa$$w0rd (please use a very cryptic password in your environment.)

o Uncheck User must change password at next logon.

o Check Password never expires.

o Click Next.

o Click Finish.

Now we must prep the firewall on each computer that will be sending events. In this exercise, MCT-Core-1, and MCT-SRV-1 will be our senders. The winrm quickconfig command that we will be executing will create an WinRM listener on each client.

On all the computers:

· Click Start

· Type CMD

· Press Enter

· Type winrm quickconfig and press Enter.

· Press Y when prompted.

On the Server Core:

We also need to execute an additional command on the collector (MCT-DC1) to configure the Windows Event Collector Service.

· In the command prompt window, type wecutil qc.

· Press Y when prompted.

We now need to add the service account to the Event Log Readers group.

On your Windows Server 2008 member servers:

· Click Start.

· Right click Computer and click Manage.

· Server Manger will now open.

· Click Configuration à Local Users and Groups à Groups.

· Double click Event Log Readers

· Click Add.

· Enter the name of your service account.

· You may be asked for domain admin credentials.

· Click OK twice.

On server core:

· Type net LocalGroup “Event Log Readers” /add domain\service account

o Example: net LocalGroup “Event Log Readers” /add Wilderness\EventCollector

We can now ask for events to be forwarded to the collector.

On your collector (MCT-DC1)

· Click Start à Administrative Tools à Event Viewer.

· Click Subscriptions.

· If prompted about the Event Collector Service, click Yes.

· In the Action column, click Create Subscription.

· Provide a Name and a Description for this subscription.

We need to provide our credentials to the subscription:

· Click Advanced

· Select Specific User

· Click User and Password

· Enter in your service accounts credentials. The syntax is domain\user name.

· Click OK twice.

We are not going to select the computers that we want to receive events from:

· Click Select Computers

· Click Add Domain Computers.

· Add each computer that you want to receive events from. Remember, you need to complete the prep work at the beginning of this article for this to work. You can only enter one computer at a time. Click OK and the click Add Domain Computers to add more computers to the list. In our example, we will enter:


o MCT-Core-1

· Click OK

You can test the connectivity to the each sender one at a time by clicking the name of the sender and then clicking Test

A popup box with “connectivity test succeeded” will let you know the connection has been made.

It is now time to select the events that we want to receive.

· In the Subscription Properties window, click Select Events.

· Select the Event Level that you are interested in. Your choices are:

o Critical

o Warning

o Error

o Information

o Verbose

· For this example, select Information.

· Click the drop down box next to Event Logs

· Expand Windows

· Check Application

· Click OK twice

We will now verify the subscription.

· In the subscription window, right click the subscription that you created and click Runtime Status.

· This image below shows two good connections.

· Click Close.

Next we will generate an event in the application log on the two senders.

· On your senders type: EventCreate /L application /T information /id 50 /d “This is a test of the event subscription.”

· On your collector in the Event Viewer click Windows Logs à Forwarded Events.

· You should now see the two test messages.

Congratulations, you have now set up an Event Subscription.

The next question is what happened if the connection does not work? Try this commands:

To verify that the collector can talk with the source computer:

Winrm id /r: /a:none

To test the collectors credentials

Winrm id /r: /u: service account /p: password

Run this on the collector to see if the source computer has been registered.

Wecutil gr


Axel Doux said...

Hello, your post is very interresting, but I have a question : is it possible to use a custom destination log for the event forwarding ?

I tried to do it, by creating a custom event log with Powershell. This log is functionnal, I can add some events to it, but I can't select it in the destination log field of the subscription settings (it doesn't appear).
And when I use wecutil to assign my custom event log to my subscription, when i come back on the subscription settings (by GUI), an error message says that my destination log isn't a valid destination log.

What is a "valid" destination log compared with my custom event log ? (created with "New-Eventlog" Powershell command)
How can I create some ?

Thank you very much for your answer.

Axel Doux said...

Hello, your post is very helpful, but I have a question : is it possible to forward events to a different destination log ?

I tried to do that by creating a custom event log (with New-Eventlog on Powershell), but I couldn’t use this log under Windows Event Subscription GUI (didn’t appear). I tried to change the destination log with wecutil, but when i came back to Windows Event Subscription GUI, I had an error message which told me that the destination log wasn’t a valid event log…

Do you have an idea ? Is it possible to create valid custom event logs and to use it with Event Forwarding ?

Thank you !

Jason Yoder, MCT said...


I want to applaud you for looking at PowerShell for a possible resolution. I did some quick research on this topic, but have yet to find a resolution. I'll post one if I find one. Thus far, I have not been able to get a custom event log to populate in the Destination log field of an event subscription. I will revisit this issue as time allows.