Setting up a Collector Initiated Subscription:
1. Download and install WS-Management/WINRM on the client and collector computers. Configure WINRM using the command "winrm quickconfig". A Microsoft-Windows-Forwarding/Operational log will then appear in Event Viewer.
2. Configure WECUTIL on collector computer using command "WECutil QC".
3. Import the subscription using the command "WECUTIL cs sub_CI_Pull0.xml" on the collector computer.
NOTE: Modify sub_CI_Pull0.xml before importing it. I used a domain account with administrative privileges. The Event Selection xpath syntax is sensitive. I was unable to create a query for the Security log. (Security Log Permissions)
4. Run eventvwr.msc on the collector computer. Right-click your subscription and view Runtime Status. The specified clients should show a green Active status. Events will start appearing in the Windows Logs\Forwarded Events log shortly.
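Steps 1 through 4 as one script, added here as an example and not the sub_CI_Pull0.xml attached to this post: it writes a collector-initiated subscription in the layout of the MSDN sample, imports it with wecutil and then queries the runtime status. The subscription ID, the client FQDN, the account name and the output path are assumptions; change them to match your environment. It assumes PowerShell is installed on the 2008 collector (reg, winrm and wecutil are plain executables, so the same commands work from cmd.exe).

```powershell
# Added example, not the author's attachment. Run on the 2008 collector as a
# domain account that is allowed to read the client's event logs.
$SubId   = 'XP-Application-CI'              # assumed subscription ID
$Client  = 'xpclient01.corp.example'        # assumed FQDN of an XP/2003 source
$Account = 'CORP\wef-reader'                # assumed account used to read the source
$XmlPath = Join-Path $env:TEMP "$SubId.xml"

# Steps 1-2: WinRM listener and the Windows Event Collector service
# (-q and /q suppress the interactive prompts).
winrm quickconfig -q
wecutil qc /q

# Step 3: subscription definition. Password '*' makes wecutil prompt for the
# password at import time instead of storing it in the file.
$Xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wec">
  <SubscriptionId>$SubId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Application log from XP/2003 sources</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxItems>20</MaxItems><MaxLatencyTime>60000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Application"><Select>*</Select></Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$Client</Address>
      <UserName>$Account</UserName>
      <Password>*</Password>
    </EventSource>
  </EventSources>
</Subscription>
"@
Set-Content -Path $XmlPath -Value $Xml -Encoding ASCII
wecutil cs $XmlPath                      # prompts for the password because of '*'

# Step 4: the same Runtime Status view that eventvwr.msc shows, per source.
wecutil gr $SubId
```

wecutil gr lists every source with its run-time status and last error; a source that is not Active after a minute, or that reports an error code, is where the Access Denied problem from the EventCollector notes below shows up, so check that output before looking for events in Forwarded Events.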
Setting up a Source Initiated Subscription:
Source Initiated subscription is the preferred way of forwarding events, as it is much easier to deploy via Group Policy.
Repeat above steps 1 through 4, replacing sub_CI_Pull0.xml in step 3 with sub_SI0.xml.
The extra step to perform on XP/2003 clients is to tattoo the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
Type: REG_SZ
Name: 1
Data: Server=collector.domain.com (the FQDN of your collector; this plain form uses HTTP transport only. HTTPS requires a full URI, e.g. "Server=https://<FQDN>/wsman/SubscriptionManager/WEC")
and then restart the WINRM service on the client. These extra steps should produce event 104 in your client's Windows Logs\Forwarded Events log with the message: "The forwarder has successfully connected to the subscription manager at address <FQDN>.", followed by event 100 with the message: "The subscription <sub_name> is created successfully."
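The source-initiated variant end to end, added as an example rather than the attached sub_SI0.xml: the first part runs on the 2008 collector and creates a source-initiated subscription whose AllowedSourceDomainComputers SDDL only admits members of Domain Computers; the second part is the XP/2003 registry tattoo above, done with reg add followed by a WinRM restart and a check of the value (reg and net are the same executables under cmd.exe, so only the collector part actually needs PowerShell). The subscription ID and the collector FQDN are assumptions.

```powershell
# ---- Part 1: run on the 2008 collector (added example, not the author's file) ----
$SubId   = 'XP-Application-SI'              # assumed subscription ID
$XmlPath = Join-Path $env:TEMP "$SubId.xml"
$Xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wec">
  <SubscriptionId>$SubId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Application log pushed by XP/2003 sources</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxItems>20</MaxItems><MaxLatencyTime>60000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[<QueryList><Query Id="0" Path="Application"><Select>*</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL: only computer accounts in Domain Computers (DC) may push into this subscription -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path $XmlPath -Value $Xml -Encoding ASCII
wecutil cs $XmlPath
# After the clients have checked in, wecutil gr lists the sources that connected.
# wecutil gr $SubId

# ---- Part 2: run on each XP/2003 client after winrm quickconfig ----
$Collector = 'collector.corp.example'       # assumed FQDN of the collector
$Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
# HTTP form from the post; for HTTPS the data must be the full URI, e.g.
# "Server=https://$Collector/wsman/SubscriptionManager/WEC" (collector needs a server certificate).
reg add $Key /v 1 /t REG_SZ /d "Server=$Collector" /f
net stop winrm
net start winrm
reg query $Key                              # confirm the value the forwarder will read
```

After the restart, check the client's Forwarded Events log for event 104 (connected to the subscription manager) and event 100 (subscription created) as described above; on the collector, the client should then appear in the runtime status of the subscription.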
WINRM notes:
- WINRM configuration has not been altered from the default. It seems that setting the TrustedHosts variable is not necessary (winrm set winrm/config/client @{TrustedHosts="wildcard_machine_name_here"})
EventCollector notes:
- The Create Subscription GUI did not work for me at creating a collector initiated subscription.
- For some reason I started getting an Access Denied error with this setup and I had to either: change the User Account in Advanced Subscription Settings from Machine Account to a Specific User account OR restart the WINRM service on the client.
Please post comments and ideas you have. I am interested in how far we can go with this XP<-->2008 collector setup.
Reference Links:
http://blogs.technet.com/otto/default.aspx
http://support.microsoft.com/kb/936059
http://msdn.microsoft.com/en-us/library/aa384291%28VS.85%29.aspx
http://certcities.com/editorial/columns/story.asp?EditorialsID=292
http://technet2.microsoft.com/windowsserver/en/library/30757b93-7291-4254-b15e-f0aa5f45ac541033.mspx?mfr=true
http://technet.microsoft.com/en-us/magazine/cc137748.aspx
http://support.microsoft.com/kb/912309
http://openwsman.org/book/export/html/17
http://blogs.technet.com/otto/archive/2007/02/09/sample-vista-ws-man-winrm-commands.aspx
http://msdn.microsoft.com/en-us/library/bb870973%28VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/bb736545%28VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/bb427443%28VS.85%29.aspx
http://www.microsoft.com/downloads/details.aspx?familyid=845289ca-16cc-4c73-8934-dd46b5ed1d33&displaylang=en
http://support.microsoft.com/kb/912030
http://www.microsoft.com/technet/scriptcenter/newswire/winrm.mspx
http://download.microsoft.com/download/5/D/6/5D6EAF2B-7DDF-476B-93DC-7CF0072878E6/wsm.doc
http://en.wikipedia.org/wiki/WS-Management
http://technet2.microsoft.com/WindowsVista/en/library/8fd4aad5-50bc-4389-bdae-e09ee464e46d1033.mspx?mfr=true
http://msdn.microsoft.com/en-us/library/aa385231%28VS.85%29.aspx
Reference Posts:
http://forums.technet.microsoft.com/en-US/winserverManagement/thread/d6fd73ed-2e6d-43d1-943b-a45f9d81a461/
http://forums.technet.microsoft.com/en-US/winserverManagement/thread/a4e8122a-3dc1-4954-bee7-bafed1fdb08e/
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.networking&tid=7dd38777-19d5-464d-aaeb-f31424b04ce1&cat=&lang=&cr=&sloc=&p=1
Attachments:
sub_CI_Pull0.xml (1.30 KB)
sub_SI0.xml (1.46 KB)