panankx123
03-19-2011, 07:49 AM
Establishing a Collector Initiated Subscription:
one. Download and install WS-Management/WINRM on client and collector computers. Configure WINRM using command "winrm quickconfig". Event Viewer will be appended with a Microsoft-Windows-Forwarding/Operational log.
2. Configure WECUTIL on collector computer using command "WECutil QC".
3. Import subscription using command 'WECUTIL cs sub_CI_Pull0.xml' on the collector computer.
NOTE: Modify sub_CI_Pull0.xml before importing it. I used a domain account with administrative privilages. The Event Selection xpath syntax is sensitive. I was unable to create a query for the Security log. (Security Log Permissions)
4. Run eventvwr.msc on the collector computer. Right click on your subscription and view Runtime Status. Specified clients have to display a green,office Enterprise 2007 key (http://www.cheapwindows7key.net/office-2007-serial), Active status. You will see events appearing in the Windows LogsForwarded Events log shortly.
Creating a Source Initiated Subscription:
Source Initiated subscription is the preferred way of forwarding events as it is much easier deployed via Group Policy.
Repeat above steps one through 4,buy microsoft office 2007 Standard (http://www.cheapwindows7key.net/office-2007-serial), replacing sub_CI_Pull0.xml in step 3 with sub_SI0.xml.
The extra step to perform on XP/2003 clients is to tattoo the registry at:
HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows EventLogEventForwardingSubscriptionManager
Type: REG_SZ
Name: 1
Data: Server=collector.domain.com (FQDN of your collector,microsoft office 2010 Professional product key (http://www.cheapwindows7key.net/office-2010-serial), HTTP transport only. A valid URI is required for HTTPS,microsoft office pro (http://www.cheapwindows7key.net/office-2010-serial), e.g. "Server=https://<FQDN>/wsman/SubscriptionManager/WEC")
and then restart the WINRM service on the client. These extra steps should produce event 104 in your client's Windows LogsForwarded Events log with the message: "The forwarder has successfully connected to the subscription manager at address <FQDN>.",cheap microsoft windows 7 64bit (http://www.cheapwindows7key.net/), followed by event 100 with the message: "The subscription <sub_name> is created successfully."
WINRM notes: WINRM configuration has not been altered from the default. It seems that setting TrustedHosts variable is not necessary (winrm set winrm/config/client @TrustedHosts="wildcard_machine_name_here")
EventCollector notes: The Create Subscription GUI did not work for me at creating a collector initiated subscription. For some reason I started getting an Access Denied error with this set up and I had to either: change the User Account in Advanced Subscription Settings from Machine Account to a Specific User account OR restart the WINRM service on the client.
Please post comments and ideas you have. I am interested in how far we can go with this XP<-->2008 collector setup.
Reference Links:
Reference Posts:
Attachments:
sub_CI_Pull0.xml (1.30 KB) sub_SI0.xml (one.46 KB)
one. Download and install WS-Management/WINRM on client and collector computers. Configure WINRM using command "winrm quickconfig". Event Viewer will be appended with a Microsoft-Windows-Forwarding/Operational log.
2. Configure WECUTIL on collector computer using command "WECutil QC".
3. Import subscription using command 'WECUTIL cs sub_CI_Pull0.xml' on the collector computer.
NOTE: Modify sub_CI_Pull0.xml before importing it. I used a domain account with administrative privilages. The Event Selection xpath syntax is sensitive. I was unable to create a query for the Security log. (Security Log Permissions)
4. Run eventvwr.msc on the collector computer. Right click on your subscription and view Runtime Status. Specified clients have to display a green,office Enterprise 2007 key (http://www.cheapwindows7key.net/office-2007-serial), Active status. You will see events appearing in the Windows LogsForwarded Events log shortly.
Creating a Source Initiated Subscription:
Source Initiated subscription is the preferred way of forwarding events as it is much easier deployed via Group Policy.
Repeat above steps one through 4,buy microsoft office 2007 Standard (http://www.cheapwindows7key.net/office-2007-serial), replacing sub_CI_Pull0.xml in step 3 with sub_SI0.xml.
The extra step to perform on XP/2003 clients is to tattoo the registry at:
HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows EventLogEventForwardingSubscriptionManager
Type: REG_SZ
Name: 1
Data: Server=collector.domain.com (FQDN of your collector,microsoft office 2010 Professional product key (http://www.cheapwindows7key.net/office-2010-serial), HTTP transport only. A valid URI is required for HTTPS,microsoft office pro (http://www.cheapwindows7key.net/office-2010-serial), e.g. "Server=https://<FQDN>/wsman/SubscriptionManager/WEC")
and then restart the WINRM service on the client. These extra steps should produce event 104 in your client's Windows LogsForwarded Events log with the message: "The forwarder has successfully connected to the subscription manager at address <FQDN>.",cheap microsoft windows 7 64bit (http://www.cheapwindows7key.net/), followed by event 100 with the message: "The subscription <sub_name> is created successfully."
WINRM notes: WINRM configuration has not been altered from the default. It seems that setting TrustedHosts variable is not necessary (winrm set winrm/config/client @TrustedHosts="wildcard_machine_name_here")
EventCollector notes: The Create Subscription GUI did not work for me at creating a collector initiated subscription. For some reason I started getting an Access Denied error with this set up and I had to either: change the User Account in Advanced Subscription Settings from Machine Account to a Specific User account OR restart the WINRM service on the client.
Please post comments and ideas you have. I am interested in how far we can go with this XP<-->2008 collector setup.
Reference Links:
Reference Posts:
Attachments:
sub_CI_Pull0.xml (1.30 KB) sub_SI0.xml (one.46 KB)