MCTS 70-680: Windows 7 events forwarding
Uploaded by itfreetraining on 09.02.2012
Transcript:
Notes .Net is said as dot net.
Welcome back to another free Windows 7 video. In this video I will look at event forwarding.
This process allows one or more computers to send events from their local events logs
to another computer. Without event forwarding, the events from each computer will only be
available locally on the computer on which they were generated. When you start managing
a lot of computers, especially servers, you may want to have all of the events from many
different computers available in one place. This is essentially what event forwarding
does. Before we get started, let’s look at some terminology.
The computer or computers that are configured to forward events are called the forwarding
computers or source computers. The computer that is configured to receive these events
is called the collector. The collector can be a Windows 7 computer; however, on a lot
of networks you will find that a Windows Server has been configured for this role.
Events can be transferred from the forwarding computer to the collector computer in one
of two ways. In the first method, the collector will contact the source computer and ask it
to transfer events. This is called collector initiated subscription. This works well with
only a few clients but does not scale well. If you are managing a lot of computers, you
will want to use the second method called source initiated subscription. This is when
the client or source computer transfers events to the collector as required. The collector
does not query the client to see if any events need to be transferred. In this video, I will
look at collector initiated events. In the next video, I will look at source initiated
events.
One last piece of terminology used with event forwarding is the term subscription. In order
for events to be transferred a subscription needs to be created. Think of a subscription
as the settings that are used to transfer events. Subscriptions define which type of
events will be transferred and where these events will be stored.
In order to start using collector initiated subscription, the forwarder and the collector
need to be configured. Luckily Microsoft provides us with only one command each for the forwarder
computer and the collector computer. This will configure the service required as well
as configure other required options like the Windows firewall.
On the collector computer you need to run WECUtil QuickConfig. This will configure the
computer to start collecting forwarded events from other computers.
On the source or forwarding computer (that’s the computer that will send events to the
collector) you need to run the command WinRM QuickConfig. This will configure the computer
to start sending events. However, the collector computer will still need access to the forwarding
computer.
You could give the collector computer administrative access to the domain to ensure that it has
access, but a better way is to add the collector computer’s account to the local “event
log readers” group on the forwarding computer. Since the collector computer only needs read
access, adding it to the local “event log readers” group on the forwarding computer
will ensure that it only has the minimum rights required. I will now change to my Windows
7 computer to demonstrate how to configure a computer to forward events to a collecting
computer.
First of all, open a command prompt from the start menu making sure you right click the
shortcut and select the option run as administrator. From the command prompt, run the command WinRM
QuickConfig. This command will configure this computer to forward events to the collector
computer.
The first question that you will get asked is to configure the Windows Remote Management
service. The Windows Remote Management service, besides allowing the computer to forward events
to the collector, also allows other remote features to be used in Remote Administration.
For example, it allows the ability to execute commands on this computer from a remote computer.
Once I press Y, the service will be configured to delayed start. This simply means that the
other services on the computer will be started first. Once these services have had time to
start, this service will be started. Delayed start delays the start up of less critical
services, giving more CPU to other services when the computer first boots. This should
give the user a better experience when they first start up their computer.
In order for another computer to connect to this computer, changes to the firewall must
be made. Once I enter Y for the next question, this will make changes to the firewall. This
will essentially allow the collector computer to communicate with this computer using the
HTTP or HTTPS protocols.
The next step is to allow access for the collector computer to the local event logs on this computer.
To do this, open edit local users and groups from the start menu. To allow access to the
local computer, open groups and then open the properties for the group “event log
readers.”
To add the collector computer account, select the option at the bottom, “add.” If I
enter in the computer name here, Windows will not be able to find the computer account.
To fix this, press the button object types.
Object types will show you which objects Windows will search for. “Computers” by default
is switched off and thus computer accounts will not appear in the search results. Once
“computers” is ticked I can go back to the properties and enter in the computer name
of the collector computer, in this case, collector one, and Windows will find the computer account.
Adding the collector computer account to the local group “event log readers” will ensure
the collector computer can read the log files on the forwarding computer and will ensure
that it does not have more permissions than what is needed.
Now that the forwarding computer is configured, I will now change to my Windows Server to
configure the collecting computer.
In this case I will use a Windows Server 2008 R2 computer, but I could perform the same
steps on a Windows 7 computer. In most cases you will use a server to perform these steps
rather than a client operating system like Windows 7.
Once again open a command prompt from the start menu. From the command prompt, run the
command WECUtil with the parameter QC for quick config.
This command will only ask you one question and that is to configure the Windows Event
Collector service to delayed start. Once I press Y I am ready to start reading events
from the forwarding computer.
To do this, I first need to open the Event Viewer from the start menu. Next I need to
right click subscriptions at the bottom of the Event Viewer and select the option create
subscription.
The window that opens will allow the properties to be entered for the new subscription. A
subscription simply defines the settings that will be used when transferring the events
from the forwarding computer to the collecting computer.
First of all, I need to enter in a name and description for the subscription. Once this
is done, select the option destination log to determine where the forwarder events will
be stored.
By default the events will be stored in the log forwarded events. You can change this
to store the events in any log file on the computer. I would recommend leaving the option
on forwarded events as changing it to another log file will mean that events from this computer
and the remote computer will be mixed together. Keeping forwarded events in their own log
helps to reduce any confusion about where the event came from.
The next two options determine if the subscription will be collector or source initiated. The
default, collector initiated, means the collector will contact the forwarding computer periodically
and ask it if it has any new events. This is the easiest to setup but does not scale
as well as the next option, source computer initiated. In the next video I will look at
how to configure source initiated events. In order to setup collector initiated events,
I first need to tell this computer, the collecting computer, which computer to poll for new events.
To do this, press the button select computers. From here I enter in the computer account
name, in this case, forwarder one. Once the computer account name has been added, you
should press the button “test” to ensure the collector can communicate with the forwarding
computer. Now that the forwarding computer has been added to the subscription, I will
go back to the properties for the subscription.
From here I next want to determine which events will be copied to the collector computer from
the forwarding computer. To do this, select the option select events and select edit.
You can choose as many or as few events as you like as well as choose the type of events
that you want. Remember, the more events that you choose, the more events you are going
to have to go through to find what you are looking for. Choosing too many can be like
trying to find a needle in a hay stack, so to speak.
In this case I will choose critical and error events only. Once this is done I need to select
which event logs I want to transfer events from. In this case I will choose all of them,
but I could also just select the system log or application log if I wanted to.
You also have the option to choose the events based on the source. For example, you could
choose only .Net Run time events or events relating to a particular hardware device.
If you want to get even more specific you can choose a category at the bottom or even
choose a keyword. Windows will give you a list of keywords but you can also choose your
own. For example you could choose the disk keyword to choose events relating to hard
disks. Now that all the properties have been configured, I can exit out of here and go
back to the event viewer.
You can see the subscription has been created. To access the events that have been forwarded,
I need to open the windows log forwarded events. In this case no events are shown because only
new events will be transferred. So that we have something to look at, I will pause the
video and generate an event on the other computer.
Now that an event has been generated, notice at the top of the screen the exclamation mark
showing that a new event is available. To show this new event, right click the screen
and press refresh.
I can now see an event that was generated from the other computer. If I go to the general
information at the bottom of the screen you will notice that the computer that the event
came from is listed. When you are collecting events from multiple computers, you can filter
the logs to show a certain computer if you need to.
That’s it for collector initiated subscription. In the next video I will look at source initiated
event subscription. This is when the forwarding computer contacts the collector computer when
it is ready to transfer events. Thanks for watching another free video from IT Free Training.
Welcome back to another free Windows 7 video. In this video I will look at event forwarding.
This process allows one or more computers to send events from their local events logs
to another computer. Without event forwarding, the events from each computer will only be
available locally on the computer on which they were generated. When you start managing
a lot of computers, especially servers, you may want to have all of the events from many
different computers available in one place. This is essentially what event forwarding
does. Before we get started, let’s look at some terminology.
The computer or computers that are configured to forward events are called the forwarding
computers or source computers. The computer that is configured to receive these events
is called the collector. The collector can be a Windows 7 computer; however, on a lot
of networks you will find that a Windows Server has been configured for this role.
Events can be transferred from the forwarding computer to the collector computer in one
of two ways. In the first method, the collector will contact the source computer and ask it
to transfer events. This is called collector initiated subscription. This works well with
only a few clients but does not scale well. If you are managing a lot of computers, you
will want to use the second method called source initiated subscription. This is when
the client or source computer transfers events to the collector as required. The collector
does not query the client to see if any events need to be transferred. In this video, I will
look at collector initiated events. In the next video, I will look at source initiated
events.
One last piece of terminology used with event forwarding is the term subscription. In order
for events to be transferred a subscription needs to be created. Think of a subscription
as the settings that are used to transfer events. Subscriptions define which type of
events will be transferred and where these events will be stored.
In order to start using collector initiated subscription, the forwarder and the collector
need to be configured. Luckily Microsoft provides us with only one command each for the forwarder
computer and the collector computer. This will configure the service required as well
as configure other required options like the Windows firewall.
On the collector computer you need to run WECUtil QuickConfig. This will configure the
computer to start collecting forwarded events from other computers.
On the source or forwarding computer (that’s the computer that will send events to the
collector) you need to run the command WinRM QuickConfig. This will configure the computer
to start sending events. However, the collector computer will still need access to the forwarding
computer.
You could give the collector computer administrative access to the domain to ensure that it has
access, but a better way is to add the collector computer’s account to the local “event
log readers” group on the forwarding computer. Since the collector computer only needs read
access, adding it to the local “event log readers” group on the forwarding computer
will ensure that it only has the minimum rights required. I will now change to my Windows
7 computer to demonstrate how to configure a computer to forward events to a collecting
computer.
First of all, open a command prompt from the start menu making sure you right click the
shortcut and select the option run as administrator. From the command prompt, run the command WinRM
QuickConfig. This command will configure this computer to forward events to the collector
computer.
The first question that you will get asked is to configure the Windows Remote Management
service. The Windows Remote Management service, besides allowing the computer to forward events
to the collector, also allows other remote features to be used in Remote Administration.
For example, it allows the ability to execute commands on this computer from a remote computer.
Once I press Y, the service will be configured to delayed start. This simply means that the
other services on the computer will be started first. Once these services have had time to
start, this service will be started. Delayed start delays the start up of less critical
services, giving more CPU to other services when the computer first boots. This should
give the user a better experience when they first start up their computer.
In order for another computer to connect to this computer, changes to the firewall must
be made. Once I enter Y for the next question, this will make changes to the firewall. This
will essentially allow the collector computer to communicate with this computer using the
HTTP or HTTPS protocols.
The next step is to allow access for the collector computer to the local event logs on this computer.
To do this, open edit local users and groups from the start menu. To allow access to the
local computer, open groups and then open the properties for the group “event log
readers.”
To add the collector computer account, select the option at the bottom, “add.” If I
enter in the computer name here, Windows will not be able to find the computer account.
To fix this, press the button object types.
Object types will show you which objects Windows will search for. “Computers” by default
is switched off and thus computer accounts will not appear in the search results. Once
“computers” is ticked I can go back to the properties and enter in the computer name
of the collector computer, in this case, collector one, and Windows will find the computer account.
Adding the collector computer account to the local group “event log readers” will ensure
the collector computer can read the log files on the forwarding computer and will ensure
that it does not have more permissions than what is needed.
Now that the forwarding computer is configured, I will now change to my Windows Server to
configure the collecting computer.
In this case I will use a Windows Server 2008 R2 computer, but I could perform the same
steps on a Windows 7 computer. In most cases you will use a server to perform these steps
rather than a client operating system like Windows 7.
Once again open a command prompt from the start menu. From the command prompt, run the
command WECUtil with the parameter QC for quick config.
This command will only ask you one question and that is to configure the Windows Event
Collector service to delayed start. Once I press Y I am ready to start reading events
from the forwarding computer.
To do this, I first need to open the Event Viewer from the start menu. Next I need to
right click subscriptions at the bottom of the Event Viewer and select the option create
subscription.
The window that opens will allow the properties to be entered for the new subscription. A
subscription simply defines the settings that will be used when transferring the events
from the forwarding computer to the collecting computer.
First of all, I need to enter in a name and description for the subscription. Once this
is done, select the option destination log to determine where the forwarder events will
be stored.
By default the events will be stored in the log forwarded events. You can change this
to store the events in any log file on the computer. I would recommend leaving the option
on forwarded events as changing it to another log file will mean that events from this computer
and the remote computer will be mixed together. Keeping forwarded events in their own log
helps to reduce any confusion about where the event came from.
The next two options determine if the subscription will be collector or source initiated. The
default, collector initiated, means the collector will contact the forwarding computer periodically
and ask it if it has any new events. This is the easiest to setup but does not scale
as well as the next option, source computer initiated. In the next video I will look at
how to configure source initiated events. In order to setup collector initiated events,
I first need to tell this computer, the collecting computer, which computer to poll for new events.
To do this, press the button select computers. From here I enter in the computer account
name, in this case, forwarder one. Once the computer account name has been added, you
should press the button “test” to ensure the collector can communicate with the forwarding
computer. Now that the forwarding computer has been added to the subscription, I will
go back to the properties for the subscription.
From here I next want to determine which events will be copied to the collector computer from
the forwarding computer. To do this, select the option select events and select edit.
You can choose as many or as few events as you like as well as choose the type of events
that you want. Remember, the more events that you choose, the more events you are going
to have to go through to find what you are looking for. Choosing too many can be like
trying to find a needle in a hay stack, so to speak.
In this case I will choose critical and error events only. Once this is done I need to select
which event logs I want to transfer events from. In this case I will choose all of them,
but I could also just select the system log or application log if I wanted to.
You also have the option to choose the events based on the source. For example, you could
choose only .Net Run time events or events relating to a particular hardware device.
If you want to get even more specific you can choose a category at the bottom or even
choose a keyword. Windows will give you a list of keywords but you can also choose your
own. For example you could choose the disk keyword to choose events relating to hard
disks. Now that all the properties have been configured, I can exit out of here and go
back to the event viewer.
You can see the subscription has been created. To access the events that have been forwarded,
I need to open the windows log forwarded events. In this case no events are shown because only
new events will be transferred. So that we have something to look at, I will pause the
video and generate an event on the other computer.
Now that an event has been generated, notice at the top of the screen the exclamation mark
showing that a new event is available. To show this new event, right click the screen
and press refresh.
I can now see an event that was generated from the other computer. If I go to the general
information at the bottom of the screen you will notice that the computer that the event
came from is listed. When you are collecting events from multiple computers, you can filter
the logs to show a certain computer if you need to.
That’s it for collector initiated subscription. In the next video I will look at source initiated
event subscription. This is when the forwarding computer contacts the collector computer when
it is ready to transfer events. Thanks for watching another free video from IT Free Training.