Check out / itfreetraining or itfreetraining.com for more of our always free training videos.
This video looks at forwarding events from one computer to another using source initiated subscription. Source initiated subscription is when the computer that has events to transfer determines when to transfer these events to the collecting computer. The previous video looked at collector initiated subscription, which is when the collecting computer contacts the forwarding computer at regular intervals to see if it has events that it needs to transfer.
Previous Video on event forwarding using collector initiated subscriptions • MCTS 70-680: Windows 7...
Demo configuring the forwarding computer 01:56
Demo configuring the collector 05:24
Configuring the collector computer
To configure the collector computer to receive events from the forwarding computer, run the following two commands:
WinRM QuickConfig
WECUtil QC
Answer y to all the questions. WinRM will configure the WinRM service and the firewall. WECUtil will configure the service that is used to collect events sent from the forwarder.
The next step is to configure a subscription on the collector computer. This is done inside the event viewer on the collector computer. Right click on subscriptions in the event viewer and select create subscription. Make sure that source computer initiated is selected. The rest of the options determine which events will be transferred from the forwarding computer. The subscription in this case acts like a filter determining which events to collect and which events to ignore.
Configuring the forwarding computer
Run the following command on the forwarding computer:
WinRM QuickConfig
Answer y to both questions. This will configure the service and also the firewall settings.
Group Policy
The forwarding computer needs to be configured with the address of the server to which the events are forwarded. This can be done with the following group policy setting:
Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager.
The syntax is as follows when using the default protocol HTTP and default port:
Server=HTTP://FQDN
Use the full URL when using HTTPS or different ports:
Server=HTTPS://FQDN:5986/wsman/SubscriptionManager/WEC
FQDN is the fully qualified domain name, for example, ITFreeTraining.com
WECUtil command line
WECUtil supports a number of different command line options, which are listed below.
WECUtil ES
Lists the subscriptions. The name of the subscription can be used in later commands.
WECUtil GS (Subscription name) /f:XML
This outputs the subscription configuration. Add /f:XML for XML format. To direct the output to a file, append > filename to the command.
WECUtil CS (Filename)
This will create a new subscription using the configuration in the filename.
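Added example, not from the video: a source initiated subscription defined in an XML file and loaded with WECUtil CS, then checked with WECUtil ES and WECUtil GS. The subscription name, file path and event query are assumptions chosen for illustration; the AllowedSourceDomainComputers value limits which computers are allowed to forward events to this subscription.

```powershell
# Run in an elevated PowerShell session on the collector, after
# "WinRM QuickConfig" and "WECUtil QC" have been run.
# Assumed for illustration: subscription name, file path and event query.
$name    = 'Demo-SourceInitiated'
$xmlPath = Join-Path $env:TEMP "$name.xml"

$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$name</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Critical and error events from the System log</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="60000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Path="System">
        <Select>*[System[(Level=1 or Level=2)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@
# SDDL above: DC = Domain Computers, NS = Network Service.
Set-Content -Path $xmlPath -Value $xml -Encoding ASCII

wecutil cs $xmlPath                      # create the subscription from the file
if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed ($LASTEXITCODE)" }
wecutil es                               # the new name should be listed
wecutil gs $name /f:XML                  # print the stored configuration
```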
4 Oct 2024