Creating and event viewer subscription

 

 

The server that you want to collect the event viewer entries on is the collector.

The server that you want to sent events to is the forwarder.

The first step is to open event viewer on the collector

1

from event viewer click on subscriptions.

2

You are prompted to start the event collector service click yes.

From a command or PowerShell prompt type:

 wecutil.exe qc

3

You will be prompted to proceed typeto proceed

4

Now on the forwarding computer you need to run winrm quickconfig

A quick way to do that is with PowerShell remoting. From the all servers section of Server Manager right click on the forwarding computer and select PowerShell.

5

6

Now you need to add the Collecting computer to the event log readers local security group on the forwarding computer. This can be done with PowerShell remoting again by entering the following command:

net localgroup “event log readers” dc01$ /add

7

Just to confirm and demonstrate the GUI of doing things I have opened computer manager on the forwarding machine and double clicked on event log readers DC01 is listed as a member. If you want to do this the other way click on the add button and search for the computer.

Now go back to the collecting computer right click on subscriptions and click Create Subscription.

9

10

I am doing collector initiated but you could choose Source computer initiated.

Add the computer or computers as your case may be and it is a good idea to click test just to see that it works

11

12

13

You should select which events that you want to collect.

14

Pick whatever you want to filter on I have chosen the application log.

click OK and OK and the subscription is created.