Thursday, 26 August 2010

Event forwarding in Windows 7

Good evening to all,

today I will give you an introduction to a nice feature of Windows 7: event forwarding and collecting.
Every Windows 7 computer in your enterprise has its own event log, so it is pretty costly to monitor all of them to find out when errors have occurred.

In Windows 7 you have two modes for this problem:
Mode 1: Collector initiated
Mode 2: Source computer initiated

I would like to show you my favourite: the source computer initiated subscription.

1. Start a cmd shell with administrative privileges on a computer that should forward the defined events.

2. Run this command and confirm the prompt with yes (type y for yes):
winrm qc

3. After this the computer is configured for forwarding the events to a specific computer (a service is started, an HTTP listener is created and a firewall rule is configured).

4. Add the collector computer account to the local group "Event Log Readers" of the
forwarding computer with this command:
net localgroup "Event Log Readers" computer$@DOMAIN.INT /add

These are the steps for the computer that will forward the events.

Then you have to run the winrm qc command on the collector computer in the same way as above.


Then we have to create the event subscription on the collector computer:

5. In the Computer Management console, open System Tools - Event Viewer - Subscriptions.

6. Right-click on "Subscriptions" and click on "Create Subscription"
(if a popup from the Event Viewer appears, accept it with yes so that the necessary service is configured).

7. Then choose "Source computer initiated" and add the computer group with the clients that should send their log information to the collector computer.

8. Finally you should set the events that will be forwarded from the source computers.
Maybe you only want to get error events from the System log; you can configure this by clicking on "Select Events".

Then you can check under "Runtime Status" whether this subscription works correctly.
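The collector-side steps 5 to 8 and the runtime status check can also be done from an elevated PowerShell on the collector with wecutil; this is an added example and not part of the original post. It assumes a subscription called SystemErrors that writes into the ForwardedEvents log and, like the GUI, admits every domain computer as a source (the SDDL below, which you would narrow to your own computer group); the forwarders still have to learn the collector's address via the "Configure target Subscription Manager" Group Policy setting, which the post does not cover.

```powershell
# Added example (not from the original post): collector-side equivalent of
# steps 5-8. Run in an elevated PowerShell on the collector computer.
# Assumptions: subscription id "SystemErrors", target log ForwardedEvents,
# all domain computers allowed as sources (trustee DC in the SDDL).

# Step 6: enable the Windows Event Collector service (confirm the prompt
# with y, exactly like winrm qc on the forwarders).
wecutil qc

# Steps 7-8: source-initiated subscription that only collects Critical (1)
# and Error (2) events from the System log, as in the "Select Events" dialog.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/08/wec/EventSubscription">
  <SubscriptionId>SystemErrors</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Critical and error events from the System log</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

# wecutil reads the subscription definition from a file.
$xmlPath = Join-Path $env:TEMP 'SystemErrors.xml'
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8
wecutil cs $xmlPath

# "Runtime Status" from the last paragraph: shows each source computer that
# has registered and whether delivery is active or failing.
wecutil gr SystemErrors
```

Forwarded events then appear in the collector's ForwardedEvents log; if a source never shows up in the runtime status, check step 4 (Event Log Readers membership) and the Subscription Manager policy on that forwarder.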

Of course there are many more settings, but that would go beyond the scope of this post ;-).

So long and good night

3 comments:

  1. Thanks for the information. Is there an email address for you? I'm in the U.S. and I'd like to offer to edit your blog for the English. No charge, I'll do it in exchange for the stuff I'm learning here.

    thanks
    art
  2. Hi art,
    you can contact me with gmail id manuel.grad :-)

  3. I've been peeling Google for a while: couldn't figure out how to forward "Security" events.
    Step 4 was the solution -> you need to add the collector computer to the "Event Log Readers" group on the forwarder. Many thanks