Syncio Blog - Server2008

EventCollector: Intercepting the Forwarded Events log with System.Diagnostics.Eventlog class (Post 2) by Chris

Otto's recent post on event log triggers explains how to: start a program, send an email or show a message on the occurence of an event in the Event Log. This is a great step forward, however, some might feel that it is not enough to deploy a large scale logging and notification environment with a focus on autonomy.

The alternative is to develop a piece of code that will subscribe to the __InstanceCreationEvent of the Forwarded Events log. The obstacle to using the existing System.Diagnostics.Eventlog class is that the class does not interface with the channeled structure of the new Event Log in Vista/2008. (The Forwarded Event log is not visible to Eventlog.GetEventLogs() because it is a channel.)

The following steps rectify this shortcoming:

1. Create an overlapping ForwardedEvents classic log.

EventLog.CreateEventSource("ForwardedEvents", "ForwardedEvents")

2. Export and Remove ForwardedEvents channel from registry.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ForwardedEvents

3. Recreate the Source Initiated subscription on the server.

4. Restart the Windows Event Collector service on the server.

5. Restart the WINRM service on the client.

If everything worked, you should see incoming events in the ForwardedEvents log. Notice that the log name does not contain a space anymore. This was done to match the full name of our new event log to that of the removed channel.

ForwardedEvents log will now be part of the Eventlog.GetEventLogs() array. You can deploy a ManagementEventWatcher to successfully intercept, parse and take action on incoming events.

Wednesday, July 16, 2008 3:21:58 PM (GMT Standard Time, UTC+00:00)

Comments [0] Logging | Server2008 | VB.NET |

EventCollector: Subscribing HTTP XP/2003 clients (Post 1) by Chris

Setting up a Collector Initiated Subscription:

1. Download and install WS-Management/WINRM on client and collector computers. Configure WINRM using command "winrm quickconfig". Event Viewer will be appended with a Microsoft-Windows-Forwarding/Operational log.

2. Configure WECUTIL on collector computer using command "WECutil QC".

3. Import subscription using command 'WECUTIL cs sub_CI_Pull0.xml' on the collector computer.

NOTE: Modify sub_CI_Pull0.xml before importing it. I used a domain account with administrative privilages. The Event Selection xpath syntax is sensitive. I was unable to create a query for the Security log. (Security Log Permissions)

4. Run eventvwr.msc on the collector computer. Right click on your subscription and view Runtime Status. Specified clients have to display a green, Active status. You will see events appearing in the Windows Logs\Forwarded Events log shortly.

Setting up a Source Initiated Subscription:

Source Initiated subscription is the preferred way of forwarding events as it is much easier deployed via Group Policy.

Repeat above steps 1 through 4, replacing sub_CI_Pull0.xml in step 3 with sub_SI0.xml.

The extra step to perform on XP/2003 clients is to tattoo the registry at:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager

Type: REG_SZ

Name: 1

Data: Server=collector.domain.com (FQDN of your collector, HTTP transport only. A valid URI is required for HTTPS, e.g. "Server=https://<FQDN>/wsman/SubscriptionManager/WEC")

and then restart the WINRM service on the client. These extra steps should produce event 104 in your client's Windows Logs\Forwarded Events log with the message: "The forwarder has successfully connected to the subscription manager at address <FQDN>.", followed by event 100 with the message: "The subscription <sub_name> is created successfully."

WINRM notes:

WINRM configuration has not been altered from the default. It seems that setting TrustedHosts variable is not necessary (winrm set winrm/config/client @{TrustedHosts="wildcard_machine_name_here"})

EventCollector notes:

The Create Subscription GUI did not work for me at creating a collector initiated subscription.
For some reason I started getting an Access Denied error with this set up and I had to either: change the User Account in Advanced Subscription Settings from Machine Account to a Specific User account OR restart the WINRM service on the client.

Please post comments and ideas you have. I am interested in how far we can go with this XP<-->2008 collector setup.

Reference Links:

http://blogs.technet.com/otto/default.aspx

http://support.microsoft.com/kb/936059

http://msdn.microsoft.com/en-us/library/aa384291%28VS.85%29.aspx

http://certcities.com/editorial/columns/story.asp?EditorialsID=292

http://technet2.microsoft.com/windowsserver/en/library/30757b93-7291-4254-b15e-f0aa5f45ac541033.mspx?mfr=true

http://technet.microsoft.com/en-us/magazine/cc137748.aspx

http://support.microsoft.com/kb/912309

http://openwsman.org/book/export/html/17

http://blogs.technet.com/otto/archive/2007/02/09/sample-vista-ws-man-winrm-commands.aspx

http://msdn.microsoft.com/en-us/library/bb870973%28VS.85%29.aspx