
Event Subscription procedure that actually works.

I have been very frustrated with Microsoft’s Event Subscription procedure. First of all, it does not work. I have tried many times and cannot get past the part where you add the collector computer account to the local administrators group on the sender computer. I even watched a video from Microsoft that did everything but showed you that it worked. Below is my Event Subscription procedure.

Environment:

The test environment runs on Windows Server 2008 R2 Hyper-V.

Domain: Wilderness.com

MCT-DC1 : Windows Server 2008 R2 domain controller; this will be the collector.

MCT-Core-1 : Windows Server 2008 Core

MCT-SRV-1 : Windows Server 2008 member server


The prep work:

First off, we need to use a service account. When creating a service account, I recommend a long, complex password. Because we will be setting the password not to expire, a long, complex password matters for security.

On MCT-DC1:

· Open Active Directory Users and Computers.

· Create a user account inside Managed Service Accounts.

o If you do not have this OU, create the user account where appropriate for your domain.

o Username: EventCollector

o Password: Pa$$w0rd (please use a very cryptic password in your environment.)

o Uncheck User must change password at next logon.

o Check Password never expires.

o Click Next.

o Click Finish.

Now we must prep the firewall on each computer that will be sending events. In this exercise, MCT-Core-1 and MCT-SRV-1 will be our senders. The winrm quickconfig command that we will be executing creates a WinRM listener on each client.

On all the computers:

· Click Start

· Type CMD

· Press Enter

· Type winrm quickconfig and press Enter.

· Press Y when prompted.

On the collector (MCT-DC1):

We also need to execute an additional command on the collector to configure the Windows Event Collector Service.

· In the command prompt window, type wecutil qc.

· Press Y when prompted.

We now need to add the service account to the Event Log Readers group on each sender.

On your Windows Server 2008 member servers:

· Click Start.

· Right click Computer and click Manage.

· Server Manager will now open.

· Click Configuration → Local Users and Groups → Groups.

· Double click Event Log Readers.

· Click Add.

· Enter the name of your service account.

· You may be asked for domain admin credentials.

· Click OK twice.

On server core:

· Type net localgroup "Event Log Readers" /add domain\serviceaccount, substituting your own domain and service account name.

o Example: net localgroup "Event Log Readers" /add Wilderness\EventCollector
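The sender-side prep work above, collected into one script. This is an added example and not part of the original post: run it in an elevated PowerShell prompt on each sender (MCT-SRV-1 and MCT-Core-1; on Server Core 2008 R2 the PowerShell feature has to be installed first, which is why the post uses cmd there). It performs the two sender-side steps (winrm quickconfig and the Event Log Readers membership) and then verifies them, so a misconfigured sender is caught here rather than at the collector's Test button. The account name is the post's Wilderness\EventCollector; the function name Test-EventLogReader is my own.

```powershell
# Added example, not from the original post. Elevated PowerShell on each sender.
$ServiceAccount = 'Wilderness\EventCollector'   # account from the post

function Test-EventLogReader {
    # True if the account is listed as a member of the local Event Log Readers group.
    # 'net localgroup' prints one member per line, so match a whole line.
    param([string]$Account)
    $members = & net localgroup 'Event Log Readers'
    [bool]($members | Select-String -Pattern ('^' + [regex]::Escape($Account) + '\s*$') -Quiet)
}

# Step 1: create the WinRM listener and firewall exception. -q answers the Y prompt
# so the script does not stall.
& winrm quickconfig -q | Out-Null

# Step 2: add the service account to Event Log Readers unless it is already there
# ('net localgroup ... /add' reports an error for a duplicate add).
if (-not (Test-EventLogReader -Account $ServiceAccount)) {
    & net localgroup 'Event Log Readers' $ServiceAccount /add | Out-Null
}

# Verification: collect every problem instead of stopping at the first one.
$problems = @()

$svc = Get-Service -Name WinRM
if ($svc.Status -ne 'Running') {
    $problems += "WinRM service is $($svc.Status), not Running"
}

# 'winrm enumerate winrm/config/listener' prints one block per listener, each with
# a 'Transport = HTTP' (or HTTPS) line; no block means quickconfig did not take.
$listeners = & winrm enumerate winrm/config/listener
if (-not ($listeners | Select-String -Pattern 'Transport\s*=\s*HTTP' -Quiet)) {
    $problems += 'No WinRM listener is configured'
}

if (-not (Test-EventLogReader -Account $ServiceAccount)) {
    $problems += "$ServiceAccount is not a member of Event Log Readers"
}

if ($problems.Count -eq 0) {
    Write-Host "$env:COMPUTERNAME is ready to forward events."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The membership check deliberately runs twice: once to decide whether to add the account, and once afterwards to prove the add succeeded, since net.exe's exit status is easy to lose behind Out-Null.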

We can now ask for events to be forwarded to the collector.

On your collector (MCT-DC1)

· Click Start → Administrative Tools → Event Viewer.

· Click Subscriptions.

· If prompted about the Event Collector Service, click Yes.

· In the Action column, click Create Subscription.

· Provide a Name and a Description for this subscription.

We need to provide our credentials to the subscription:

· Click Advanced

· Select Specific User

· Click User and Password

· Enter your service account's credentials. The syntax is domain\user name.

· Click OK twice.

We are now going to select the computers that we want to receive events from:

· Click Select Computers

· Click Add Domain Computers.

· Add each computer that you want to receive events from. Remember, you need to complete the prep work at the beginning of this article for this to work. You can only enter one computer at a time. Click OK and then click Add Domain Computers to add more computers to the list. In our example, we will enter:

o MCT-SRV-1

o MCT-Core-1

· Click OK

You can test the connectivity to each sender one at a time by clicking the name of the sender and then clicking Test.

A popup box with “connectivity test succeeded” will let you know the connection has been made.

It is now time to select the events that we want to receive.

· In the Subscription Properties window, click Select Events.

· Select the Event Level that you are interested in. Your choices are:

o Critical

o Warning

o Error

o Information

o Verbose

· For this example, select Information.

· Click the drop down box next to Event Logs

· Expand Windows

· Check Application

· Click OK twice

We will now verify the subscription.

· In the subscription window, right click the subscription that you created and click Runtime Status.

· The image below shows two good connections.

· Click Close.
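The same subscription the post builds in Event Viewer, created from the collector's command line instead. This is an added example, not code from the original post: it writes the subscription definition to a file and feeds it to wecutil cs, which lets the subscription be kept in version control and rebuilt on another collector. Run it in an elevated prompt on MCT-DC1 after wecutil qc. Assumptions: the subscription name AppLog-Information, the senders' FQDNs under Wilderness.com, and the element layout, which follows the sample in Microsoft's wecutil documentation; compare it against `wecutil gs <name> /f:xml` for a subscription you created in the GUI before relying on it. I am also assuming, as in that sample, that a Password value of `*` makes wecutil prompt for the password rather than storing it in the file.

```powershell
# Added example, not from the original post. Elevated PowerShell on the collector.
$SubscriptionName = 'AppLog-Information'                       # assumed name
$Senders = @('MCT-SRV-1.Wilderness.com', 'MCT-Core-1.Wilderness.com')  # assumed FQDNs
$ServiceAccount = 'Wilderness\EventCollector'                  # account from the post

# One <EventSource> per sender, the equivalent of 'Add Domain Computers' in the GUI.
# The password is not written to disk: '*' is assumed to make wecutil prompt for it.
$sourceXml = ($Senders | ForEach-Object {
@"
    <EventSource Enabled="true">
      <Address>$_</Address>
      <UserName>$ServiceAccount</UserName>
      <Password>*</Password>
    </EventSource>
"@
}) -join "`n"

# Level 4 is Information and Level 0 is an event logged without a level; this is the
# XPath Event Viewer generates when only 'Information' is ticked for Application.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Application log, Information level, from the member servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Application">
          <Select Path="Application">*[System[(Level=4 or Level=0)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceXml
  </EventSources>
</Subscription>
"@

$path = Join-Path $env:TEMP "$SubscriptionName.xml"
Set-Content -Path $path -Value $subscriptionXml -Encoding UTF8

& wecutil cs $path                 # create-subscription; prompts for the account password
& wecutil gr $SubscriptionName     # runtime status, same as Runtime Status in the GUI
Remove-Item $path                  # nothing secret is in the file, but no need to keep it
```

ReadExistingEvents is left at false on purpose: switching it to true on a busy Application log makes every sender ship its whole backlog the moment the subscription goes active.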

Next we will generate an event in the application log on the two senders.

· On your senders type: EventCreate /L application /T information /id 50 /d "This is a test of the event subscription."

· On your collector in the Event Viewer click Windows Logs → Forwarded Events.

· You should now see the two test messages.

Congratulations, you have now set up an Event Subscription.

The next question is what happens if the connection does not work? Try these commands:

To verify that the collector can talk with the source computer (supply the source computer's name after /r:):

Winrm id /r: /a:none

To test the collector's credentials (the service account and password the subscription uses):

Winrm id /r: /u: service account /p: password

Run this on the collector, followed by the subscription name, to see if the source computer has been registered:

Wecutil gr
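The three troubleshooting checks above, plus a look in Forwarded Events for the test event, run from the collector against every sender in one pass. This is an added example, not part of the original post. Test-WSMan sends the same WS-Management Identify request as winrm id, first anonymously and then with the service account's credentials, so a failure tells you which layer is broken before you open the subscription. Assumptions: the subscription name AppLog-Information and the sender and account names used in the post.

```powershell
# Added example, not from the original post. Elevated PowerShell on the collector.
$SubscriptionName = 'AppLog-Information'          # assumed subscription name
$Senders = @('MCT-SRV-1', 'MCT-Core-1')           # senders from the post
$Credential = Get-Credential -Credential 'Wilderness\EventCollector'   # prompts for the password

foreach ($sender in $Senders) {
    Write-Host "== $sender =="

    # 1. Can the collector reach the sender's WinRM listener at all?
    #    Equivalent to: winrm id /r:<sender> /a:none
    try {
        $null = Test-WSMan -ComputerName $sender -Authentication None -ErrorAction Stop
        Write-Host '  listener reachable'
    } catch {
        Write-Warning "  listener NOT reachable: $($_.Exception.Message)"
        continue   # no point testing credentials against a host we cannot reach
    }

    # 2. Do the service account's credentials work against the sender?
    #    Equivalent to: winrm id /r:<sender> /u:<account> /p:<password>
    try {
        $null = Test-WSMan -ComputerName $sender -Credential $Credential -Authentication Default -ErrorAction Stop
        Write-Host '  service account authenticated'
    } catch {
        Write-Warning "  authentication failed: $($_.Exception.Message)"
    }

    # 3. Did the EventCreate test event (ID 50) from this sender reach Forwarded Events?
    #    MachineName on a forwarded record is the sender's FQDN, hence the wildcard.
    $hit = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 50 } -ErrorAction SilentlyContinue |
           Where-Object { $_.MachineName -like "$sender*" } |
           Select-Object -First 1
    if ($hit) {
        Write-Host "  last test event received at $($hit.TimeCreated)"
    } else {
        Write-Warning '  no test event (ID 50) from this sender in Forwarded Events'
    }
}

# 4. What does the collector itself report for each source?
#    Equivalent to: wecutil gr <subscription name>
& wecutil gr $SubscriptionName
```

Read the results in order: a reachable listener that rejects the service account points at the Event Log Readers membership or the password, while a sender that authenticates but never delivers the test event points at the subscription query or at wecutil gr showing the source in an error state.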

Comments

Axel Doux said…
Hello, your post is very interesting, but I have a question: is it possible to use a custom destination log for the event forwarding?

I tried to do it by creating a custom event log with PowerShell. This log is functional, I can add some events to it, but I can't select it in the destination log field of the subscription settings (it doesn't appear).
And when I use wecutil to assign my custom event log to my subscription, when I come back to the subscription settings (in the GUI), an error message says that my destination log isn't a valid destination log.

What is a "valid" destination log compared with my custom event log (created with the "New-EventLog" PowerShell command)?
How can I create some ?

Thank you very much for your answer.
Axel Doux said…
Hello, your post is very helpful, but I have a question: is it possible to forward events to a different destination log?

I tried to do that by creating a custom event log (with New-EventLog in PowerShell), but I couldn't use this log in the Windows Event Subscription GUI (it didn't appear). I tried to change the destination log with wecutil, but when I came back to the Windows Event Subscription GUI, I had an error message which told me that the destination log wasn't a valid event log…

Do you have an idea? Is it possible to create valid custom event logs and use them with Event Forwarding?

Thank you !
Axel,

I want to applaud you for looking at PowerShell for a possible resolution. I did some quick research on this topic, but have yet to find a resolution. I'll post one if I find one. Thus far, I have not been able to get a custom event log to populate in the Destination log field of an event subscription. I will revisit this issue as time allows.
