
Event Subscription procedure that actually works.

I have been very frustrated with Microsoft's Event Subscription procedure. First of all, it does not work. I have tried many times and cannot get past the part where you add the collector computer account to the local Administrators group on the sender computer. I even watched a video from Microsoft that did everything but show you that it worked. Below is my Event Subscription procedure.

Environment:

The test environment runs on Windows Server 2008 R2 Hyper-V.

Domain: Wilderness.com

MCT-DC1 : Windows Server 2008 R2 domain controller – will be the collector.

MCT-Core-1 : Windows Server 2008 Core

MCT-SRV-1 : Windows Server 2008 member server


The prep work:

First off, we need a service account. When creating it, I recommend a long, complex password: we will set the password never to expire, so its length and complexity are what protect the account.

On MCT-DC1:

· Open Active Directory Users and Computers.

· Create a user account inside Managed Service Accounts.

o If you do not have this container, create the user account wherever is appropriate for your domain.

o Username: EventCollector

o Password: Pa$$w0rd (please use a very cryptic password in your environment.)

o Uncheck User must change password at next logon.

o Check Password never expires.

o Click Next.

o Click Finish.
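The same account can be created from PowerShell on MCT-DC1. This is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT-AD-PowerShell) is installed and that the account name, container path and description are the ones chosen here. The password is read interactively rather than typed into the script.

```powershell
# Added example: create the EventCollector service account with the same two
# password settings the GUI procedure uses (no change at next logon, never expires).
# Assumes the ActiveDirectory module is available on MCT-DC1.
Import-Module ActiveDirectory

$Domain      = 'Wilderness.com'
$AccountName = 'EventCollector'

# Prompt for the password so it never lands in a script or shell history.
$Password = Read-Host -AsSecureString -Prompt "Password for $AccountName"

$Params = @{
    Name                  = $AccountName
    SamAccountName        = $AccountName
    UserPrincipalName     = "$AccountName@$Domain"
    Description           = 'Service account for the Windows Event Collector subscription'
    # Assumed container; change if you place the account elsewhere.
    Path                  = 'CN=Managed Service Accounts,DC=Wilderness,DC=com'
    AccountPassword       = $Password
    ChangePasswordAtLogon = $false   # "User must change password at next logon" unchecked
    PasswordNeverExpires  = $true    # "Password never expires" checked
    Enabled               = $true
}
New-ADUser @Params

# Confirm the flags were applied before the account is used anywhere.
Get-ADUser -Identity $AccountName -Properties PasswordNeverExpires, PasswordExpired |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordExpired
```

Because the password never expires, treat this account like any other long-lived credential: it needs no interactive logon rights and no group membership beyond Event Log Readers on the senders, so keep it out of Domain Admins and similar groups.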

Now we must prep the firewall on each computer that will be sending events. In this exercise, MCT-Core-1 and MCT-SRV-1 will be our senders. The winrm quickconfig command that we will be executing creates a WinRM listener on each sender and opens the matching firewall exception.

On all the computers:

· Click Start

· Type CMD

· Press Enter

· Type winrm quickconfig and press Enter.

· Press Y when prompted.

On the Server Core:

We also need to execute an additional command on the collector (MCT-DC1) to configure the Windows Event Collector Service.

· In the command prompt window, type wecutil qc.

· Press Y when prompted.

We now need to add the service account to the Event Log Readers group.

On your Windows Server 2008 member servers:

· Click Start.

· Right click Computer and click Manage.

· Server Manager will now open.

· Click Configuration → Local Users and Groups → Groups.

· Double click Event Log Readers

· Click Add.

· Enter the name of your service account.

· You may be asked for domain admin credentials.

· Click OK twice.

On server core:

· Type net localgroup "Event Log Readers" /add domain\service account

o Example: net localgroup "Event Log Readers" /add Wilderness\EventCollector
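The sender and collector prep steps above, as one script. This is an added example, not from the original post; it assumes an elevated prompt, the Wilderness\EventCollector account created earlier, and that the same script is run once on each sender and once on the collector (the -Role switch is an assumption of this example, not a Windows option).

```powershell
# Added example: prepare a sender or the collector for event forwarding.
# Run elevated. Usage:  .\Prep-EventForwarding.ps1 -Role Sender
#                       .\Prep-EventForwarding.ps1 -Role Collector
param(
    [ValidateSet('Sender', 'Collector')]
    [string]$Role = 'Sender',
    [string]$ServiceAccount = 'Wilderness\EventCollector'   # assumed account
)

# Both roles need a WinRM listener; -q answers the "Y" prompt for you.
winrm quickconfig -q

if ($Role -eq 'Sender') {
    # Read access to the logs, nothing more: the account does not need to be
    # a local administrator on the sender.
    net localgroup "Event Log Readers" $ServiceAccount /add

    # Verify the membership and the listener before moving on.
    net localgroup "Event Log Readers"
    winrm enumerate winrm/config/listener
}
else {
    # Configure the Windows Event Collector service; /q:true suppresses the prompt.
    wecutil qc /q:true
    Get-Service -Name Wecsvc | Select-Object Name, Status, StartType
}
```

The membership check matters: if the account ends up in Administrators instead of Event Log Readers, forwarding still works, but the never-expiring password now unlocks far more than it should on every sender.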

We can now ask for events to be forwarded to the collector.

On your collector (MCT-DC1)

· Click Start → Administrative Tools → Event Viewer.

· Click Subscriptions.

· If prompted about the Event Collector Service, click Yes.

· In the Action column, click Create Subscription.

· Provide a Name and a Description for this subscription.




We need to provide our credentials to the subscription:

· Click Advanced

· Select Specific User

· Click User and Password

· Enter your service account's credentials. The syntax is domain\user name.

· Click OK twice.

We are now going to select the computers that we want to receive events from:

· Click Select Computers

· Click Add Domain Computers.

· Add each computer that you want to receive events from. Remember, you need to complete the prep work at the beginning of this article for this to work. You can only enter one computer at a time. Click OK and then click Add Domain Computers to add more computers to the list. In our example, we will enter:

o MCT-SRV-1

o MCT-Core-1

· Click OK

You can test the connectivity to each sender one at a time by clicking the name of the sender and then clicking Test.

A popup box with “connectivity test succeeded” will let you know the connection has been made.

It is now time to select the events that we want to receive.

· In the Subscription Properties window, click Select Events.

· Select the Event Level that you are interested in. Your choices are:

o Critical

o Warning

o Error

o Information

o Verbose

· For this example, select Information.

· Click the drop down box next to Event Logs

· Expand Windows

· Check Application

· Click OK twice

We will now verify the subscription.

· In the subscription window, right click the subscription that you created and click Runtime Status.

· The image below shows two good connections.

· Click Close.
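The subscription the GUI steps build (specific service account, two senders, Information-level Application log events, destination ForwardedEvents) can also be created on the collector with wecutil cs and a subscription XML file. This is an added example, not the post's own material; the subscription name is an assumption, and it assumes the senders' DNS names and the service account from this article.

```powershell
# Added example: create the collector-initiated subscription from the command line.
# Run on the collector (MCT-DC1) after the sender prep is complete.
$SubscriptionName = 'Application-Information'          # assumed name
$ServiceAccount   = 'Wilderness\EventCollector'
$Senders          = 'MCT-SRV-1.Wilderness.com', 'MCT-Core-1.Wilderness.com'

$Password = Read-Host -Prompt "Password for $ServiceAccount"
# The password is written into XML, so escape characters such as & and <.
$PasswordXml = [System.Security.SecurityElement]::Escape($Password)

# One <EventSource> per sender, each using the service account.
$Sources = ($Senders | ForEach-Object {
@"
    <EventSource Enabled="true">
      <Address>$_</Address>
      <UserName>$ServiceAccount</UserName>
      <Password>$PasswordXml</Password>
    </EventSource>
"@
}) -join "`n"

# Level=4 is Information; Level=0 catches events logged without a level,
# which is what the "Information" checkbox in the GUI selects.
$Xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Information-level Application log events from the member servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*[System[(Level=4 or Level=0)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$Sources
  </EventSources>
</Subscription>
"@

$Path = Join-Path $env:TEMP "$SubscriptionName.xml"
$Xml | Out-File -FilePath $Path -Encoding UTF8
wecutil cs $Path
# The file contains the password in clear text; remove it as soon as wecutil has read it.
Remove-Item -Path $Path

# Same check as "Runtime Status" in the GUI.
wecutil gr $SubscriptionName
```

The XML is a convenient way to version the subscription definition, but never commit a file that still carries the Password element; keep the template with a placeholder and fill it in at creation time as the script does.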





Next we will generate an event in the application log on the two senders.

· On your senders type: EventCreate /L application /T information /id 50 /d "This is a test of the event subscription."

· On your collector in the Event Viewer click Windows Logs → Forwarded Events.

· You should now see the two test messages.





Congratulations, you have now set up an Event Subscription.

The next question is: what happens if the connection does not work? Try these commands:

To verify that the collector can talk with the source computer:

Winrm id /r: /a:none

To test the collector's credentials:

Winrm id /r: /u: service account /p: password

Run this on the collector to see if the source computer has been registered.

Wecutil gr
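The test and troubleshooting steps above, as one script run on the collector. This is an added example, not the post's own material; the subscription name is an assumption, and it assumes the sender and service account names used throughout this article. The EventCreate step is still run on each sender by hand, as in the procedure.

```powershell
# Added example: check each layer in turn when forwarded events do not show up.
# Run on the collector (MCT-DC1).
$Senders          = 'MCT-SRV-1.Wilderness.com', 'MCT-Core-1.Wilderness.com'
$ServiceAccount   = 'Wilderness\EventCollector'
$SubscriptionName = 'Application-Information'          # assumed name

# Prompt once for the service account password.
$Cred = Get-Credential $ServiceAccount
$User = $Cred.UserName
$Pass = $Cred.GetNetworkCredential().Password

foreach ($Sender in $Senders) {
    Write-Host "=== $Sender ==="

    # 1. Is the WinRM listener reachable at all? (no authentication)
    winrm id "-r:$Sender" "-a:none"

    # 2. Does the service account authenticate to that listener?
    #    A failure here usually means the account is not in Event Log Readers
    #    on the sender, or the password is wrong.
    winrm id "-r:$Sender" "-u:$User" "-p:$Pass"
}

# 3. Has the collector registered the sources, and what is their last error?
#    (same information as Runtime Status in the GUI)
wecutil gr $SubscriptionName

# 4. Now run the EventCreate command from the article on each sender, then
#    confirm the events arrived. ForwardedEvents keeps the sender's name in
#    MachineName, which is how you tell the two test events apart.
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 50 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id, Message
```

Read the steps in order: a step 1 failure is network or listener (firewall, winrm quickconfig not run), a step 2 failure is credentials or group membership on the sender, and a healthy step 3 with nothing in step 4 usually means the query does not match the events being generated.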

Comments

Axel Doux said…
Hello, your post is very interesting, but I have a question: is it possible to use a custom destination log for the event forwarding?

I tried to do it, by creating a custom event log with PowerShell. This log is functional, I can add some events to it, but I can't select it in the destination log field of the subscription settings (it doesn't appear).
And when I use wecutil to assign my custom event log to my subscription, when I come back to the subscription settings (by GUI), an error message says that my destination log isn't a valid destination log.

What is a "valid" destination log compared with my custom event log? (created with the "New-Eventlog" PowerShell command)
How can I create some ?

Thank you very much for your answer.
Axel Doux said…
Hello, your post is very helpful, but I have a question: is it possible to forward events to a different destination log?

I tried to do that by creating a custom event log (with New-Eventlog in PowerShell), but I couldn't use this log in the Windows Event Subscription GUI (it didn't appear). I tried to change the destination log with wecutil, but when I came back to the Windows Event Subscription GUI, I had an error message which told me that the destination log wasn't a valid event log…

Do you have an idea? Is it possible to create valid custom event logs and to use them with Event Forwarding?

Thank you !
Axel,

I want to applaud you for looking at PowerShell for a possible resolution. I did some quick research on this topic, but have yet to find a resolution. I'll post one if I find one. Thus far, I have not been able to get a custom event log to populate in the Destination log field of an event subscription. I will revisit this issue as time allows.
