Event Viewer and Event Forwarding

3/15/2011 10:42:05 PM
Event Viewer is a tool used to monitor the health of the computer. Event Viewer has had a significant overhaul in Windows Vista and is now closely integrated with Task Scheduler and the Reliability and Performance Monitor. You can access Event Viewer in Administrative Tools and use it to perform the following functions:
  • View and filter events from a multitude of preconfigured logs.

  • Create and save custom event filters and views.

  • Configure tasks to run in response to specified events.

  • Configure and manage event subscriptions.

The preconfigured logs fall into two categories—Windows Logs and Applications and Services Logs—as shown in Figure 1.

Figure 1. The main window in Event Viewer shows the Windows Logs and Applications and Services Logs.

As you expand Applications and Services Logs > Microsoft > Windows, you discover dozens of additional preconfigured event logs. These logs address specific services and features of the operating system and can be used both to identify problems before they start and to provide diagnostic and troubleshooting information after something unexpected has happened.

There are two more collections of logs available within Event Viewer:

  • Analytic Logs—Describe program operations and indicate problems that cannot be addressed by user intervention. Analytic logs generate a high volume of output.

  • Debug Logs—Used to help developers troubleshoot issues with their programs.

Exam Alert

These two logs are hidden by default due to their specialized nature and large volume of output. You can make them visible and functional by enabling them from the View > Show Analytic and Debug Logs menu item, as shown in Figure 2.

Figure 2. Showing the Analytic and Debug Logs in Event Viewer.


Event Forwarding

Event Forwarding is used to consolidate events from multiple computers, called Source computers, onto a single monitoring station, called the Collector computer. Event types include all the event categories in the Windows Logs and Applications and Services Logs. Both Source and Collector computers must be specially configured for Event Forwarding to be successful.

Tip

To configure Event Forwarding, you should log on to the Source and Collector computers using a domain administrator user account.


Source Computer Configuration

On the Source computers, you must configure the Windows Remote Management utility by executing the following command at an elevated privilege command prompt:

winrm quickconfig

This command makes several changes to your system: it sets the WinRM service to start automatically, creates a WinRM Listener on HTTP to accept Web Services for Management (WS-Man) requests (a mini, non-user-configurable web server), and opens the firewall for WinRM services.

You must also add the computer account of the Collector computer to the local Administrators group on each Source computer.

Note

Finding Computers: You must enable the adding of computer accounts to the local Administrators group on each Source computer by selecting Object Type > Computers in the Select Users, Computers or Groups dialog box in the local Administrators group properties.


Collector Computer Configuration

On the Collector computer, you must configure the Windows Event Collector Utility by executing the following command at an elevated privilege command prompt:

wecutil qc

This command initializes the Windows Event Collector on the Collector computer. Now you are ready to create subscriptions on the Collector computer to Source computer events.

Note

Required Services: The Windows Remote Management (WinRM) service and the Windows Event Collector Service must be started on the Source and Collector computers. By default, these services are set to start up manually. You should configure them for automatic startup to ensure proper functionality and future use of their services.


Alert

Here’s a quick review:

  • You must configure the Windows Remote Management utility by running winrm quickconfig on the Source computers.

  • You must configure the Windows Event Collector Utility by running wecutil qc on the Collector computer.

  • You should familiarize yourself with the basic functions of these two commands by running the executables followed by the /? switch.
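The following PowerShell function is an added example, not part of the original article, that verifies the Source and Collector prerequisites just described (services set to Automatic and running, the HTTP listener created by winrm quickconfig, the Collector's computer account in the Source's local Administrators group, and a working wecutil on the Collector). The account name CONTOSO\COLLECTOR01$ is a placeholder; run it in an elevated PowerShell session on the computer being checked.

```powershell
# Added example (not from the original article). Checks one computer's readiness
# for Event Forwarding in the given role. CONTOSO\COLLECTOR01$ is a placeholder.
function Test-EventForwardingPrereqs {
    param(
        [ValidateSet('Source', 'Collector')] [string] $Role,
        [string] $CollectorAccount = 'CONTOSO\COLLECTOR01$'   # placeholder DOMAIN\collector$
    )
    $problems = @()

    # Both roles: WinRM and the Windows Event Collector service (Wecsvc) should be
    # running and set to Automatic instead of the Manual default.
    foreach ($svc in 'WinRM', 'Wecsvc') {
        $s = Get-WmiObject -Class Win32_Service -Filter "Name='$svc'"
        if ($s -eq $null)            { $problems += "$svc service not found"; continue }
        if ($s.State -ne 'Running')  { $problems += "$svc service is not running" }
        if ($s.StartMode -ne 'Auto') { $problems += "$svc start mode is $($s.StartMode), expected Auto" }
    }

    if ($Role -eq 'Source') {
        # 'winrm quickconfig' must have created an HTTP listener.
        $listeners = & winrm enumerate winrm/config/listener 2>&1 | Out-String
        if ($listeners -notmatch 'Transport\s*=\s*HTTP') { $problems += 'no WinRM HTTP listener found' }

        # The Collector's computer account must be in the local Administrators group.
        $members = & net localgroup Administrators | Out-String
        if ($members -notmatch [regex]::Escape($CollectorAccount)) {
            $problems += "$CollectorAccount is not a member of local Administrators"
        }
    }
    else {
        # 'wecutil qc' must have been run; enumerating subscriptions fails otherwise
        # (an empty list is fine).
        & wecutil es 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { $problems += "'wecutil es' failed; run 'wecutil qc' first" }
    }

    if ($problems.Count -eq 0) { "$Role computer is ready for Event Forwarding." }
    else { $problems | ForEach-Object { "$Role problem: $_" } }
}

Test-EventForwardingPrereqs -Role Source
```

Run it with -Role Collector on the Collector computer; any line beginning with "problem:" points at the step above that still needs to be completed.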


To configure subscriptions, in Event Viewer on the Collector computer, right-click Subscriptions in the left pane and select Create Subscription. The Subscriptions Properties page is shown in Figure 3.

Figure 3. Configuring an event subscription on the Collector computer.

Note

First Things First: Subscriptions can be established only with properly configured Source computers.


By clicking Select Events, you see that events can be largely unfiltered to acquire large amounts of data or finely filtered to acquire only a very specific and smaller number of events. The Query Filter dialog box for the Subscription is shown in Figure 4.

Figure 4. Configuring a Query Filter to limit the types of events collected on the Collector computer.

The Advanced button on the Subscription Properties dialog box allows for the configuration of the account that will read the log files. This account must have permissions to access the log files and is typically the computer account that you placed in the local Administrators group on the Source computers. You can also configure the forwarded event delivery for Bandwidth or Latency optimizations.

Alert

Also on the Advanced Subscription Settings dialog box, you can configure events to be forwarded using the HTTP protocol over port 80 (the default), or they can be transmitted securely using HTTPS, which is the HTTP protocol over a Secure Sockets Layer (SSL) tunnel. The HTTPS protocol runs over port 443 and requires a computer certificate to authenticate the Source computer to the Collector computer and to establish the encrypted SSL tunnel. Any firewalls between Source computers and the Collector computer require the appropriate port (80 or 443) to be opened. The User Account, Event Delivery Optimization, and transmission Protocol configuration settings are shown in Figure 5.

Figure 5. Advanced Subscription Settings provides access to the User Account, Event Delivery Optimization, and transmission Protocol configuration settings.
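The same subscription settings shown in Figures 3 through 5 (query filter, delivery optimization, reading account, and HTTP or HTTPS transport) can be written as a subscription XML file and loaded with wecutil cs on the Collector computer. This is an added example, not part of the original article; the Source computer names SRC01.contoso.com and SRC02.contoso.com and the subscription name are placeholders, and the HTTPS variant assumes the Source computers already hold a computer certificate.

```powershell
# Added example (not from the original article): create a collector-initiated
# subscription from the command line. Placeholders: SRC01/SRC02.contoso.com.
$UseHttps  = $true                               # $false -> HTTP on port 80 (the default in Figure 5)
$transport = if ($UseHttps) { 'HTTPS' } else { 'HTTP' }
$port      = if ($UseHttps) { 443 } else { 80 }  # the firewall must allow this port

# Query Filter (Figure 4): Critical, Error and Warning events from the System log only.
$query = '<QueryList><Query Id="0" Path="System">' +
         '<Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>' +
         '</Query></QueryList>'

$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/fo/EventSubscription">
  <SubscriptionId>SystemErrorsFromSources</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>System log errors and warnings from the Source computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <!-- Event Delivery Optimization (Figure 5): Normal, MinLatency or MinBandwidth -->
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <!-- Transmission protocol and port (Figure 5); HTTPS needs the Source's computer certificate -->
  <TransportName>$transport</TransportName>
  <TransportPort>$port</TransportPort>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- Default = the Collector's computer account, the one added to each Source's local Administrators group -->
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>SRC01.contoso.com</Address></EventSource>
    <EventSource Enabled="true"><Address>SRC02.contoso.com</Address></EventSource>
  </EventSources>
</Subscription>
"@

$path = Join-Path $env:TEMP 'SystemErrorsFromSources.xml'
Set-Content -Path $path -Value $xml -Encoding UTF8
& wecutil cs $path                        # create the subscription on the Collector
& wecutil gr SystemErrorsFromSources      # runtime status: each Source's state and last error
```

If wecutil gr reports a Source as inactive, the usual causes are the ones covered above: the Collector's computer account missing from that Source's local Administrators group, or the chosen port blocked by a firewall between the two computers.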
