In this Video: 

• We will describe one of the new features in the Windows Event Viewer called subscriptions.
• We will create and configure a subscription.
• At the completion of this lecture, you will gain valuable-work related knowledge and experience by utilizing and implementing the tools discussed in this lecture.

Prerequisites: It is recommended to have access to or have installed in your lab the following: 

• One Windows 2016 Server with Active Directory installed and promoted to a domain controller (DNS installs automatically).
• One member server with Windows 2016 server and DNS installed. Join this machine to the domain just like you would any other computer. 
• One Windows client, preferably windows 10. This machine is not necessary but I have included it. This machine will be joined to the domain. 
• You could set this up this lab as all VM’s or separate machines. 
• Appropriate permissions will be needed. It is recommended to create a domain admin account on the domain controller and use this account to logon to all the machines.
• Don’t forget to download the supplemental documentation that I have included with this lecture.
   

Subscriptions - What is a subscription? -  Simply put a subscription is the settings used to transfer events.  In the old day’s if you wanted to examine the event viewer from another server you had to right click on event viewer then connect to the other server. But what if you were managing eight servers. Wouldn’t it be great if you could bring all the logs and events that you wanted to see into one location? That is exactly what you can do with subscriptions.

Before we setup subscriptions some terminology must be understood.

• Source computers (forwarding computers) Computers that are configured to send these events.
• Collector computers – Computers that are configured to receive these events.
• Events can be transferred from the source computer to the collecting computer in one of two ways.

Collector initiated - The collector contacts the source and requests a transfer of events, this is called collector initiated subscription (works well with a few clients)

Source Initiated – Source transfers events as configured. Works with many computers.

In this lecture, we will configure a collector initiated subscription. We will have two source computers sending data to one collector computer. If you want to setup a source initiated subscription, I have provided that documentation with this lecture.

Note: For the purpose of this lecture, it is recommended if you plan on using a domain controller, to designate the DC as a collector because the DC does not have local users and groups or the Event Log Readers group. On a DC, all users and groups are part of the domain.   

For subscriptions to work, the Source (forwarder) and the collector need to be configured. There are two command line utilities needed for configuration.  

• Collector – wecutil quick-config or wecutil qc (SVR-US)
• Source – Forwarding computers – winrm quickconfig (SVR-DNS1 and

Desktop-KRU1V4M)

Procedure #1 will be completed on the Source (forwarding) computers, which in this case is SVR-DNS1 and DESKTOP-KRU1V4M. All these steps must be performed on both computers.

• Open an admin level command prompt, type winrm quickconfig, press return. Type y, then press return.
• The Collector computer account (SVR-US) must be added to the Event log readers group on both source computers (SVR-DNS1, and DESKTOPKRU1V4M)
• Right click on the start icon, click computer management, double click  local users and groups, double click groups, double click Event Log Readers, click add, from object types click computers, click ok, add collector computer account. In this case, I add SVR-US, click ok. 
  

Sign up to access the rest of this lesson

You must either log in or sign up to access this lesson.

Sign In Sign Up