To set up a source initiated subscription that requires minimal intervention and no thought every time a new server is built, follow these easy steps.

Source computers

If you want to configure this as a one off, to test do the following:

On your source computer, using an elevated command prompt, enter the following:

winrm qc -q

Or if you are running in a domain environment, and want to set and forget:

1. Open up your Group Policy Editor, and browse to (or create a new) GPO that will contain your settings (best bet here is to use a GPO already in place for your servers so that you don’t create load for each machine processing a million GPO’s!).
2. Under the Computer Configuration node, expand the Administrative Templates node, then expand the Windows Components node, and then select the Event Forwarding node.
3. Right-click the Subscription Manager setting, and select Properties. Enable the Subscription Manager setting, and click the Show button to add a server address to the setting. Add at least one setting that specifies the event collector computer. The Subscription Manager Properties window contains an Explain tab that describes the syntax for the setting.
4. Now browse down the list a little way, and find the Windows Remote Management (WinRM) node, select the WinRM Service node, and find the “Allow Automatic Configuration of Listners” setting.
5. Enable the setting, and then enter in an IP, IP range, or enter * into each of the IPv4 and IPv6 fields. Just use * if you aren’t concerned about security, or drill down to specifics if you are doing things by the book as you should be!
6. Close out of the GP editor, and then just refresh the settings tab to make sure that everything is the way that you want it to be.

At this stage you can run gpupdate /force on your source servers, or just allow for the natural flow and wait for the next automatic refresh.

Collector Computer

Run the following command from an elevated privilege command prompt to configure Windows Remote Management:

winrm qc -q

Run the following command to configure the Event Collector service:

wecutil qc /q

You now have 2 options about how you create the subscription. You can either do this through the event viewer, or by using a script.

Via the Event viewer:

1. Open up the event viewer, and select the subscriptions node. Right click, and select “Create Subscription”
2. Give the subscription a name, and select “Source computer initiated”
3. Select “Select Computer Groups” and enter it in domain computers, as per the example below.

 

4. If you are using certificates, select the one for your system, and select OK.

5.  Hit “Select events” and chose the event types and ID’s that you want to monitor, select OK, and if you are happy with your settings, select OK again.

Via a script

Copy the following code into your favourite text editor, and save it as configurationfile.xml

<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription"><br /> <SubscriptionId>SampleSISubscription</SubscriptionId><br /> <SubscriptionType>SourceInitiated</SubscriptionType><br /> <Description>Source Initiated Subscription Sample</Description><br /> <Enabled>true</Enabled><br /> <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri></p> <p> <!-- Use Normal (default), Custom, MinLatency, MinBandwidth --><br /> <ConfigurationMode>Custom</ConfigurationMode></p> <p> <Delivery Mode="Push"><br /> <Batching><br /> <MaxItems>1</MaxItems><br /> <MaxLatencyTime>1000</MaxLatencyTime><br /> </Batching><br /> <PushSettings><br /> <Heartbeat Interval="60000"/><br /> </PushSettings><br /> </Delivery></p> <p> <Expires>2018-01-01T00:00:00.000Z</Expires></p> <p> <Query><br /> <![CDATA[ <QueryList> <Query Path="Application"> <Select>Event[System/EventID=’999′]</Select> </Query> </QueryList> ]]><br /> </Query></p> <p> <ReadExistingEvents>true</ReadExistingEvents><br /> <TransportName>http</TransportName><br /> <ContentFormat>RenderedText</ContentFormat><br /> <Locale Language="en-US"/><br /> <LogFile>ForwardedEvents</LogFile><br /> <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers><br /> <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers><br /> </Subscription>

From the command line browse to the folder that you saved the above file in, and run:

wecutil cs configurationFile.xml

 

Tags: Events

• Next
• Prev