How do I set up an event subscription

Open Event Viewer in the Event Collector and navigate to the Subscriptions node.Right-click Subscriptions and choose “Create Subscription…”Give a name and an optional description for the new Subscription.Select “Source computer initiated” option and click “Select Computer Groups…”.

What are subscriptions in Event Viewer?

Subscriptions are defined on the event collector through the new Event Viewer user interface by selecting the Create Subscription action, when the Subscriptions node is selected. The subscription may also be created via the WECUTIL command-line utility.

How do I set up WEF?

1. Configure the Event Source systems to forward events to the WEF Event Collector.
2. Install the Agent on the WEF Event Collector.
3. Add a single host, and for Host Name/IP, add the Event Collector IP address.
4. Create a Configuration. …
5. Select Forward Event in the Windows Event area.

What is Windows event subscription?

You can subscribe to receive and store events on a local computer (event collector) that are forwarded from a remote computer (event source). The Windows Event Collector functions support subscribing to events by using the WS-Management protocol.

How do I set up target subscription manager?

Select Computer Configuration > Administrative Templates > Windows Components > Event Forwarding, and then click Configure Target Subscription Manager. Click the Edit policy setting link. In the Configure Target Subscription Manager window, make sure that the subscription is marked as Enabled.

How do I enable Windows event collector?

1. Switch to the Start screen, type event and press ENTER to open Event Viewer.
2. In Event Viewer, click Subscriptions in the left pane.
3. Click Yes in the Event Viewer dialog to start the Windows Event Collector service, and set it to start up automatically.

How do I set up event log forwarding?

1. Enter a name and description for the subscription.
2. For Destination Log, confirm that Forwarded Events is selected. …
3. Select Source computer initiated and click Select Computers Groups. …
4. Click Select Events.

How do I troubleshoot Windows Event Forwarding?

1. Verify that you have waited long enough for the event to be forwarded. …
2. Check the Applications And Services Logs\Microsoft\Windows\Eventlog-ForwardPlugin\Operational event log and verify that the subscription was created successfully.

How do I use Windows Remote Management?

Use Remote Desktop to connect to the PC you set up: On your local Windows PC: In the search box on the taskbar, type Remote Desktop Connection, and then select Remote Desktop Connection. In Remote Desktop Connection, type the name of the PC you want to connect to (from Step 1), and then select Connect.

How do I send event viewer logs to syslog server?

1. Add Subscription. Select System in the Select Event Logs pane. …
2. Forward system log errors. …
3. Security log subscription priority. …
4. System log errors. …
5. Add Syslog Server. …
6. Server address options. …
7. Configure test. …
8. Event message test.

Article first time published on

How does Windows Event Collector work?

A collector is a service running on Windows server that collects all events sent to it from an event log forwarder. The “link” between the forwarding server and a collector is known as a subscription.

How do I turn off Windows event log?

1. Open the Windows Event Viewer: press Windows R , type eventvwr. msc and press Enter .
2. Scroll down to Application and Service Logs , Microsoft , Windows , WFP .
3. Right-click on a log process and select Disable Log .

What is a WEF Server?

Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server.

What is Wecutil QC?

wecutil.exe Windows Event Collector Utility. Create and manage subscriptions to events forwarded from remote event sources that support WS-Management protocol.

What port does Windows Event Forwarding use?

Event forwarding (also called SUBSCRIPTIONS) is a mean to send Windows event log entries from source computers to a collector. A same computer can be a collector or a source. This technology uses WinRM (HTTP protocol on port TCP 5985 with WinRM 2.0) .

How do I open the Event Viewer in Windows Server 2016?

Start Event Viewer. To do so, open Control Panel, select System and Security, and then, in the Administrative Tools section, select View event logs. The Event Viewer window opens.

How do you set event log security locally or by using group policy?

In the Group Policy editor, expand Windows Setting, expand Security Settings, expand Local Policies, and then expand Security Options. Double-click Event log: Application log SDDL, type the SDDL string that you want for the log security, and then select OK.

How do I open Event Viewer in Windows Server 2012?

1. Hover mouse over bottom left corner of desktop to make the Start button appear.
2. Right click on the Start button and select Control Panel > System Security and double-click Administrative Tools.
3. Double-click Event Viewer.

What is the Network Service account?

The NetworkService account is a predefined local account used by the service control manager. … A service that runs in the context of the NetworkService account presents the computer’s credentials to remote servers. By default, the remote token contains SIDs for the Everyone and Authenticated Users groups.

Which command must be run on the collector system to enable event forwarding?

Configuring a Windows Collector To set up the collector, first, you must enable the Windows Event Collector Utility (wecutil). To do so, run Windows PowerShell as Administrator, and type the command wecutil qc. On the collector machine, you will create a subscription.

How do I start Windows Remote Management Service?

1. Click start>Run.
2. Enter gpedit. …
3. Click OK.
4. Double-click Computer Configuration>Administrative Templates>Network>Network Connections>Windows Firewall.
5. Double-click Domain Profile>Windows Firewall: Allow remote administration exception.

Should I disable WinRM?

Disabling WinRM Since there are known vulnerabilities in Windows Remote Management (WinRM), it is recommended and best practice to disable it if your environment does not utilize or need WinRM.

What command is used to configure a machine to receive remote administrative requests?

The Enable-PSRemoting cmdlet configures the computer to receive PowerShell remote commands that are sent by using the WS-Management technology.

What does Winrm Quickconfig do?

The winrm quickconfig command (or the abbreviated version winrm qc ) performs these operations. Starts the WinRM service, and sets the service startup type to auto-start. Configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address.

What is WSMan used for?

The WSMan provider for PowerShell lets you add, change, clear, and delete WS-Management configuration data on local or remote computers. The WSMan provider exposes a PowerShell drive with a directory structure that corresponds to a logical grouping of WS-Management configuration settings.

What is SolarWinds event log forwarder?

SolarWinds Event Log Forwarder for Windows (Log Forwarder) is a tool that runs on a Windows® operating system and automatically forwards event log records to a syslog server via User Datagram Protocols (UDP) or Transmission Control Protocols (TCP).

How do I send Windows logs?

1. Open Event Viewer. …
2. On the left side, navigate to Event Viewer > Windows Logs > Application.
3. Right-click on the Application and select Save All Events As.
4. Name the file and click Save.
5. Select Display information for these languages and then English.
6. Click OK.

How do I send Windows logs to GrayLog?

1. Step 1: Download the agent. Download the NXlog agent for windows from
2. Step 2: Install the NXlog agent. Run the agent install file and follow the on screen steps.
3. Step 3: Edit the NXlog Conf. …
4. Step 5: Start the agent.

How do I view the saved event log?

To open a saved event log, start Event Viewer. Now, in the Actions menu, click Open Saved Log and navigate to and select the Saved Log from its location. You can delete the Saved Logs from the Actions Box.

Why do we need Windows events?

The Windows Event Viewer shows a log of application and system messages, including errors, information messages, and warnings. It’s a useful tool for troubleshooting all kinds of different Windows problems.

How do I start an event logging service?

Click Start/Administrative Tools/Services. Locate the Windows Event Log service, right click on the service name and select Start. Once the service starts you can close the services window.