
Collecting Vista Events

7/22/2013 5:55:23 PM

Windows Vista includes an updated implementation of Microsoft's remote management infrastructure: Windows Remote Management (WinRM). The Vista Event Log uses WinRM along with the Windows Event Collector service as the engines for collecting events from remote machines and sending them to a central event collector system. This feature makes it very easy to troubleshoot problems or otherwise be aware of the type of events that occur on multiple systems because you only need to look at the collector system to review all events.

WinRM relies on WS-Management or Web Services Management, which is a special protocol that integrates a series of operations within a Web services architecture. This architecture is an industry standard that allows organizations to perform management operations over commonly used TCP/IP protocols such as the HyperText Transfer Protocol (HTTP) or secure HTTP (HTTPS). The advantage of WS-Management is that the common protocols on which it relies are often open in firewalls for other purposes. Therefore, you can manage remote systems without turning your firewall into Swiss cheese. This Vista feature is very valuable.

Several tasks must be completed to prepare systems for event collection:

  • Each system that will forward events must be running one service: WinRM.

  • Each system that will receive events must be running two services: WinRM and the Windows Event Collector. These services are set to manual by default.

  • WinRM must be configured on both the forwarding computers and the collector computer.

  • The Windows Event Collector service must be configured on the collector system.

  • Access rights must be granted to the collector system on each of the forwarding computers.

  • Then, after each of the above steps is performed, you can move to the creation of an event subscription.

Of course, elevated rights are required to perform the operation. Remember that because of User Account Control (UAC), all users, even administrative users, run with a standard user token. Therefore, you must make sure you use elevated rights when running these commands.

If you are working with machines that are part of an Active Directory (AD), then use the following procedure:

  1. Log on to the source computer or the computer that will forward events.

  2. Right-click on the Command Prompt and select Run as Administrator. Provide appropriate credentials, usually domain credentials that have local administrative privileges.

  3. Using the newly elevated command prompt, type the following command:

    winrm quickconfig

  4. Then, press the Y key followed with Enter to make the changes.

This command sets up the source system to accept WS-Management requests from other computers. In fact, this will set the WinRM service to delayed autostart, start the service, create a WinRM listener on HTTP, and enable WinRM exceptions in the Windows Firewall as shown in Figure 1.

Figure 1. Using the WinRM Quick Configuration Command

Next, you need to add the collector computer's account to the local Administrators group on each source computer. There are two ways to do this. Either add the collector computer account by itself to the Administrators group, or create a new group in AD, add the computer account to this group, and then add this group to the local Administrators group. The second method is preferred because it lets you add more collector systems in the long run simply by adding them to the group in AD. Here's how:

  1. Open AD Users & Computers with a Run as Administrator command and apply the appropriate credentials for administrative rights in AD.

  2. Locate the appropriate organizational unit (OU) and if one is not available, create one. This OU should be designed to contain computer groups.

  3. Create a new security group. Name it Event Collection Systems.

  4. Add the computer account of the collection system to this group.

  5. Use Computer Management, under Local Users & Groups, to add the Event Collection Systems group to the local Administrators group.

  6. Repeat Steps 1 to 4 on each source system.

  7. Move to the collection system. Repeat the WinRM command used in Step 3. Doing this allows you to control bandwidth usage or latency of the event forwarding process.

  8. Next, using the same elevated command prompt, run the following command:

    wecutil qc

  9. Press Y followed with Enter to make the changes. This configures the Windows Event Collector service to delayed autostart and start the service.
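The source-side and collector-side commands from the two procedures above, gathered into one script as an added example (this is not code from the original article). It assumes the AD group "Event Collection Systems" from Steps 1 to 4 already exists, that the domain is named CONTOSO, and that the person running it picks the role; it must be run from an elevated prompt, as the text explains.

```powershell
# Added example: WinRM / Windows Event Collector preparation for one machine.
# Assumptions: domain name CONTOSO and the AD group "Event Collection Systems"
# are placeholders for your own environment. Run from an elevated prompt.
param(
    [ValidateSet('Source', 'Collector')]
    [string]$Role = 'Source',
    [string]$Domain = 'CONTOSO'   # assumed domain NetBIOS name
)

# Both roles need WinRM: delayed autostart, HTTP listener and firewall exception.
# -q answers the Y/N confirmation prompt so the script can run unattended.
winrm quickconfig -q

if ($Role -eq 'Source') {
    # Step 5 of the AD procedure: let the collector machines administer this
    # source computer by adding the AD group to the local Administrators group.
    net localgroup Administrators "$Domain\Event Collection Systems" /add
}
else {
    # Steps 8 and 9: configure the Windows Event Collector service (delayed
    # autostart and start it). /q suppresses the confirmation prompt.
    wecutil qc /q
}

# Verify rather than assume: show the WinRM service configuration (listener,
# delayed start) and the state of the two services the text names.
winrm get winrm/config/service
Get-Service -Name WinRM, Wecsvc | Format-Table -Property Name, Status
```

Run it once per source computer with the default role and once on the collector with `-Role Collector`; the last two lines give you the same confirmation the Figure 1 screen shows, plus the service state, before you move on to the subscription.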

Now you're ready to prepare your first subscription.

  1. Open the Event Viewer by using Run as Administrator and provide the proper credentials.

  2. Go to the Subscriptions item in the Tree pane.

  3. Right-click on the Subscriptions item and choose Create Subscription. You can also use the command in the Action pane.

  4. Name your collection and provide a description.

  5. Identify the destination log. By default, all collected events go to the ForwardedEvents log.

  6. Click the Add button to select computers from AD. Add all the computers you want to collect events from. You can also use the Test button to verify that communication works between the forwarders and the collector.

  7. Click Select Events to identify which events to collect. This step launches the Query Filter dialog box. Set the options to collect the events you need or use an existing filter.

  8. Click the Advanced button. This step opens the Advanced Subscriptions Settings dialog box. This dialog box allows you to control three settings:

    • The account used for collection: Leave this as is since the machine account is often best to use.

    • Event Delivery Optimization lets you either control bandwidth used or increase the bandwidth used to ensure prompt delivery of the events: The Normal mode is a pull mode — the collector pulls events from forwarders. The other two modes are push modes — the events are pushed from the forwarders or source systems to the collector. If latency is not an issue, then select Minimize Bandwidth.

    • The protocol to use — HTTP or HTTPS: If events are forwarded in your network, then HTTP is probably fine, but if events have to go over open connections or if they contain sensitive data, then use HTTPS. This will encrypt all data between forwarders and collectors, but additional configuration will be required.

  9. Click OK when done to finish the preparation of the collection. If they exist on the source computers, selected events will begin accumulating almost immediately.

If you choose to configure HTTPS as the transport protocol, you will need to enable port 443 in the Windows Firewall. Pull or Normal subscriptions only need this setting on the source computers. Push subscriptions need this port enabled on both forwarders and collectors.
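The choices made in the Create Subscription dialog (name, description, destination log, source computers, query, delivery mode, protocol) can also be written down as the subscription XML that `wecutil cs` accepts, which makes the subscription reviewable and repeatable. The following is an added example, not part of the original article: the host names and domain are constructed, the query matches the System log's errors, warnings and critical events the way the Query Filter dialog would build it, Normal (pull) mode and HTTP are chosen as the text suggests for an internal network, and events land in ForwardedEvents as in Step 5.

```powershell
# Added example: create the subscription from a file instead of the dialog.
# Assumptions: collector-initiated (pull) subscription; pc01/pc02 in the
# contoso.example domain are constructed source names. Run elevated on the collector.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>System Errors and Warnings</SubscriptionId>
  <Description>Pull System log errors and warnings from the source computers (constructed example)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <!-- Normal = the pull mode described in the Advanced dialog; MinLatency and
       MinBandwidth are the two push modes. -->
  <ConfigurationMode>Normal</ConfigurationMode>
  <!-- Same XPath the Query Filter dialog generates for Critical, Error, Warning. -->
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="System">
          <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <!-- http is acceptable inside the network; switch to https (and open TCP 443
       on the sources, plus the collector for push modes) for sensitive data. -->
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <EventSources>
    <EventSource Enabled="true"><Address>pc01.contoso.example</Address></EventSource>
    <EventSource Enabled="true"><Address>pc02.contoso.example</Address></EventSource>
  </EventSources>
</Subscription>
'@

$path = Join-Path -Path $env:TEMP -ChildPath 'event-subscription.xml'
Set-Content -Path $path -Value $subscription

wecutil cs $path                                  # create the subscription from the file
wecutil gs "System Errors and Warnings"           # read back the stored settings
wecutil gr "System Errors and Warnings"           # per-source runtime status, the
                                                  # command-line equivalent of the Test button
```

Keeping the XML in version control lets you review exactly which events leave each source computer, which matters once the subscription includes logs that carry sensitive data; `wecutil gr` is the place to look when a source shows no events, since it reports the last error for each source individually.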

If you do not have an Active Directory and are working in a workgroup, you need to be aware of some limitations and special configuration requirements.

  • Workgroup subscriptions only work in pull or normal mode.

  • Windows Firewall exceptions for Remote Event Log Management must be enabled on each system.

  • Because computer accounts do not trust each other in workgroups, you must create a special account on each system. Use the same account name and password on each system.

  • You must also tell the collector system to trust each source computer. Once again, this is done through the WinRM command.
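The four workgroup requirements above, as an added example that is not part of the original article. Host names (`collector1`, `pc01`, `pc02`) and the account name `EventCollector` are constructed; the firewall rule group name is the one Windows Firewall uses for Remote Event Log Management, and the trust setting is WinRM's TrustedHosts list on the client side of the collector.

```powershell
# Added example: workgroup preparation. Run the first block on every machine
# (sources and collector) and the second block on the collector only, from an
# elevated prompt. All names are constructed placeholders.

# --- Every system ---
winrm quickconfig -q

# Enable the Remote Event Log Management exception in Windows Firewall.
netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes

# Identical local account on each machine, because workgroup computer accounts
# cannot authenticate to each other. The '*' makes 'net user' prompt for the
# password so it never appears in the script or the command history.
net user EventCollector * /add

# --- Collector only ---
wecutil qc /q

# Tell the collector which source computers to trust. List the hosts by name:
# a wildcard would make the collector willing to authenticate to any host that
# answers, which is far wider than the subscription needs. The argument is quoted
# so PowerShell passes the @{...} text through to winrm instead of parsing it.
winrm set winrm/config/client '@{TrustedHosts="pc01,pc02"}'

# Confirm the TrustedHosts value before creating the pull subscription.
winrm get winrm/config/client
```

When you then create the subscription on the collector, pick the EventCollector account as the collection account in the Advanced dialog rather than the machine account (an assumption that follows from the shared-account requirement above), and keep the subscription in Normal (pull) mode, since the text notes that push modes are not available in a workgroup.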

There you have it. Central event management through Windows Vista. You can now track the changes you manage through Group Policy.
