Windows Event Collector Configuration - Source-initiated subscription

Overview


Windows has a feature for collecting event logs from remote computers called the Event Collector. It uses WS-Management (Web Services-Management): a subscription is set up on the collector computer, and event logs are transferred from the source computers to the collector computer.

There are two event collection methods: Collector-initiated subscription and Source-initiated subscription. This article describes the setup of Source-initiated subscription.

Diagram



Prerequisite

This article assumes that both the collector and source computers are participating in the same domain.

Source Computer Configuration

WinRM Configuration

Run the following command with administrative privileges on the source computer.

winrm qc -q

The above command performs the following operations.

  1. Starts the Windows Remote Management (WS-Management) service.
  2. Sets the Windows Remote Management (WS-Management) service startup type to Automatic.
  3. Creates a listener that accepts requests on any IP address.
  4. Enables the firewall exception for WS-Management traffic (HTTP only).

Specify Subscription Manager

Open the Local Group Policy Editor and specify the Subscription Manager (the collector computer).

Select Configure target Subscription Manager from Computer Configuration\Administrative Templates\Windows Components\Event Forwarding. Select Enabled, then Show.
Enter the value in the following format.
Server=http://<FQDN of the Event Collector server>:5986/wsman/SubscriptionManager/WEC,Refresh=<Refresh interval in seconds>

Example:
Server=http://collector.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=600
Refresh is the interval, in seconds, at which the source computer contacts the collector computer to retrieve the subscription settings. Note that the listener created by winrm qc is HTTP on port 5985; port 5986 is the WinRM HTTPS port and only works with an https:// URL and an HTTPS listener on the collector.


Security Log Forwarding

To forward the Security log, the NETWORK SERVICE account must be added to the Event Log Readers group, because that account cannot read the Security log by default. Run the following command with administrative privileges.

net localgroup "Event Log Readers" "Network Service" /add
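The following script is an added example, not part of the original article: it checks, on the source computer, each of the settings configured above (WinRM service and listener, Subscription Manager policy, Event Log Readers membership) and looks at the forwarding plugin's own log. It assumes the Configure target Subscription Manager policy stores its entries under the registry key shown (value names 1, 2, ...) and that the Microsoft-Windows-Eventlog-ForwardingPlugin/Operational log is present.

```powershell
# Added example: verify the source-computer configuration. Run in an elevated PowerShell.
# Assumption: the Subscription Manager policy writes to the registry key below.
$ok = $true

# 1. WinRM service must be running and set to start automatically.
$svc = Get-Service WinRM
if ($svc.Status -ne 'Running' -or $svc.StartType -ne 'Automatic') {
    Write-Warning "WinRM is $($svc.Status), start type $($svc.StartType)"; $ok = $false
}

# 2. A listener must exist (winrm qc creates an HTTP listener on port 5985).
$listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate
if (-not $listeners) { Write-Warning 'No WinRM listener configured'; $ok = $false }
else { $listeners | ForEach-Object { "Listener: $($_.Transport) port $($_.Port)" } }

# 3. The Subscription Manager policy must point at the collector (assumed key path).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
if (-not (Test-Path $key)) { Write-Warning 'Subscription Manager policy not set'; $ok = $false }
else {
    foreach ($name in (Get-Item $key).Property) {
        $entry = Get-ItemPropertyValue -Path $key -Name $name
        "SubscriptionManager[$name]: $entry"
        if ($entry -match 'Server=(https?)://([^:/]+):(\d+)') {
            $scheme, $collector, $port = $Matches[1], $Matches[2], [int]$Matches[3]
            # Scheme and port must agree: http -> 5985, https -> 5986.
            if (($scheme -eq 'http' -and $port -ne 5985) -or ($scheme -eq 'https' -and $port -ne 5986)) {
                Write-Warning "Port $port does not match scheme $scheme"; $ok = $false
            }
            # The collector's WinRM port must be reachable from this source.
            if (-not (Test-NetConnection -ComputerName $collector -Port $port -InformationLevel Quiet)) {
                Write-Warning "Cannot reach $collector on TCP $port"; $ok = $false
            }
        }
    }
}

# 4. NETWORK SERVICE must be in Event Log Readers for Security log forwarding.
$members = Get-LocalGroupMember -Group 'Event Log Readers' | Select-Object -ExpandProperty Name
if ($members -notcontains 'NT AUTHORITY\NETWORK SERVICE') {
    Write-Warning 'NETWORK SERVICE is not in Event Log Readers'; $ok = $false
}

# 5. Recent forwarding-plugin events show whether the subscription was retrieved from the collector.
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 5 |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap

if ($ok) { 'Source configuration looks complete' } else { 'Fix the warnings above' }
```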

Source Computer Configuration (GPO)

When there are multiple source computers, configure them through a Group Policy Object (GPO) instead of one by one.

WinRM Configuration

Select Allow remote server management through WinRM from Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service. Select Enabled.
Enter appropriate values for the IPv4 filter and IPv6 filter, using the example in the policy as a guide. To allow access from all IP addresses, enter * (asterisk).

WinRM Service Startup Configuration

Create a new service from Computer Configuration\Preferences\Control Panel Settings\Service.

  • Startup: Automatic (Delayed Start)
  • Service name: Windows Remote Management (WS-Management) / WinRM
  • Service action: Start service
  • Wait timeout if service is locked: 30 seconds
  • Log on as: No change

Firewall Configuration

Create a new rule from Computer Configuration\Policies\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security\Inbound Rules.

  • Rule Type: Predefined - Windows Remote Management
  • Predefined Rules: Select any rule.
  • Action: Allow the connection

Specify Subscription Manager

Select Configure target Subscription Manager from Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding. Select Enabled, then Show.
Enter the value in the following format.
Server=http://<FQDN of the Event Collector server>:5986/wsman/SubscriptionManager/WEC,Refresh=<Refresh interval in seconds>

Example:
Server=http://collector.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=600
Refresh is the interval, in seconds, at which the source computer contacts the collector computer to retrieve the subscription settings. As in the local configuration, use port 5985 with http:// (the HTTP listener); port 5986 is the HTTPS port.

Security Log Forwarding

Select New, then Local Group, from Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups.

  • Action: Update
  • Group name: Event Log Readers

Select Add.

  • Add NETWORK SERVICE.

Collector Computer Configuration

WinRM Configuration

Run the following command with administrative privileges on the collector computer as well (the same command that was run on the source computer).

winrm qc -q

Windows Event Collector Service Startup Configuration

Then, run the following command with administrative privileges.

wecutil qc /q

The above command performs the following operations.

  1. Enables the ForwardedEvents channel if it is disabled.
  2. Configures delayed start for the Windows Event Collector service (Vista and later versions only).
  3. Starts the Windows Event Collector service.

Creating Subscriptions

Open the Event Viewer and create a subscription. Right-click on Subscriptions and click Create Subscription....

  • Subscription name: Enter any value.
  • Description: Enter any value.
  • Destination log: Select Forwarded Events.
  • Subscription type and source computers: Source computer initiated.
  • Select Computer Groups...: Select the computers or groups allowed to forward events.
  • Events to collect: Specify the conditions of the events you want to collect.

Operation Confirmation

Events that match the conditions specified in the subscription are written to the Forwarded Events log on the collector computer.

Forwarded Events