How to configure Event Subscriptions


There are several steps you must take to enable event forwarding from one machine to another: both the forwarder and the collector need the appropriate settings. Event forwarding runs over HTTP or HTTPS, so it is easy to handle in terms of firewall protection; you will most likely need to allow the HTTP flow from the forwarder to the collector. Another important requirement is that the Windows Event Collector and Windows Remote Management services are enabled on both machines. I will configure both machines from the beginning:
Forwarding machine
Open a command prompt with administrative credentials and type in the following:
winrm quickconfig
You will then need to add the computer account of the collector machine to the local Event Log Readers group. The group can be found in Computer Management:
Event Log Readers group
If you want to enable event forwarding on multiple machines, I recommend that you use a GPO to run a local script on all of them. You can use the following command to add the computer account of the collector machine to the local group:
net localgroup "Event Log Readers" srv1$@ppscu.com /add (where srv1$@ppscu.com is the collector's name)
The computer account has been added to the specified group:
Event Log Readers
Collector machine – open a command prompt with administrative credentials and type wecutil qc. When prompted, press Y to configure the Windows Event Collector service:
Configuring Windows Event Collector
Now we'll need to create a subscription. Open the Event Viewer console, navigate to the Subscriptions section and press the Create Subscription button on the right side of the window:
Create event subscription
There are two types of subscriptions, collector initiated and source computer initiated; choose the one that suits your needs better. You'll have to select which events are sent to the collector computer and, if desired, you can customize the advanced options (which protocol is used to send events, who has read access and the overall bandwidth consumption):
Advanced Subscription Settings
If you've chosen HTTPS as the transport method for events, you will need to deploy computer certificates on the forwarding machine from the local CA. You will also need to create the appropriate firewall rules for port 443 and configure WinRM for HTTPS transport (open a command prompt and type winrm quickconfig -transport:https). The collector computer must trust the enterprise CA, and the subscription's advanced options must be set to accept HTTPS transport.
Event subscriptions are checked every 15 minutes. If you want to change this value, type wecutil ss "Subscription_name" /cm:custom followed by wecutil ss "Subscription_name" /hi:6000 from a command prompt. The value 6000 is equivalent to 1 minute.
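The same procedure, scripted end to end for a collector-initiated subscription. This is an added example, not a script from the original post: it reuses the post's collector name (srv1 in the ppscu.com domain) and the post's commands, and assumes a hypothetical forwarder named fwd1.ppscu.com, a subscription name of "SecurityLogons" and a query for logon events 4624 and 4625; all of those are choices made here, not values from the post.

```powershell
# Added example (not from the original post). Run with -Role Forwarder on the
# forwarding machine and -Role Collector on the collector, both from an elevated
# PowerShell prompt. Names below are assumptions except srv1/ppscu.com (from the post).
param(
    [Parameter(Mandatory)][ValidateSet('Forwarder', 'Collector')][string]$Role,
    [string]$CollectorAccount = 'PPSCU\srv1$',     # collector's computer account (post: srv1$@ppscu.com)
    [string]$ForwarderFqdn    = 'fwd1.ppscu.com',  # hypothetical forwarder
    [string]$SubscriptionName = 'SecurityLogons',  # assumed name
    [int]$HeartbeatMs         = 60000              # wecutil /hi takes milliseconds
)

switch ($Role) {
    'Forwarder' {
        # Enable WinRM, its HTTP listener (TCP 5985) and the matching firewall exception.
        winrm quickconfig -q

        # Collector-initiated subscriptions read the logs with the collector's machine
        # account, so that account needs local Event Log Readers membership.
        net localgroup "Event Log Readers" $CollectorAccount /add

        # Checks: the listener exists and the account is in the group.
        winrm enumerate winrm/config/listener
        net localgroup "Event Log Readers"
    }

    'Collector' {
        # Configure the Windows Event Collector service non-interactively.
        wecutil qc /q:true

        # Subscription definition in the XML format accepted by "wecutil cs".
        # CredentialsType Default = the collector's own computer account.
        $subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon success/failure from $ForwarderFqdn (example)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$ForwarderFqdn</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@
        $xmlPath = Join-Path $env:TEMP "$SubscriptionName.xml"
        Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8
        wecutil cs $xmlPath

        # Same tuning as the post: switch to custom delivery, then set the heartbeat.
        wecutil ss $SubscriptionName /cm:Custom
        wecutil ss $SubscriptionName /hi:$HeartbeatMs

        # Checks: effective settings, per-source runtime status, and a sample of
        # what has actually arrived in the ForwardedEvents log.
        wecutil gs $SubscriptionName
        wecutil gr $SubscriptionName
        Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, MachineName, Id
    }
}
```

The `wecutil gr` output is the first place to look when nothing shows up: it reports each source as Active, Inactive or in error along with the last WinRM error, which usually points at either the missing Event Log Readers membership on the forwarder or a blocked TCP 5985 flow. Switch `TransportName` to HTTPS only after the certificate and `winrm quickconfig -transport:https` steps above have been completed on the forwarder.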
These are the steps that you need to take to enable event forwarding between two machines. Hope you’ve understood the principles behind this technology, if you have any misunderstandings leave a comment and I will try to respond as soon as possible. Wish you all the best and have a great day!