Having set up all the remote hosts that you will be retrieving events from, it is time to configure the collecting workstation. The collector would normally be an admin workstation running Windows Vista or Windows 7, or a server running Windows Server 2008. Assuming the collector is named env1client01, open an elevated command prompt on it and type:
This command changes the startup type of the Windows Event Collector service from Manual to Automatic (Delayed Start) and starts it, so the collector is ready to pull events whenever the machine is up.
Next, we need to create an Event Subscription as follows:
- Open Event Viewer on env1client01 (the collecting computer), right-click Subscriptions and select Create Subscription.
A Subscription Properties window should appear as shown below, type a name and a description:
There are two subscription types; for domain-joined hosts the default (Collector initiated) is the simpler choice:
- Collector initiated – the collecting computer contacts each source computer over WinRM and pulls the events. Add the sources with Select Computers… and use the Test button there to confirm that each one answers (a failure here almost always means WinRM is not configured or is blocked by the firewall on the source).
- Source computer initiated – every forwarding computer pushes its events to the collector; the source list is managed through Group Policy rather than in the subscription. Sources that are not domain members must authenticate with a certificate, and for domain members Kerberos is used, so any domain trust or name-resolution problem between source and collector will stop the flow of events.
- Next, click the Select Events… button and define the filter criteria (event level, log, source, event IDs, and so on) that an event must match to be collected. Keep this filter tight: every matching event crosses the network and lands in the collector's ForwardedEvents log.
The Advanced… button loads optional settings which are:
- User Account – whether the collector connects with a specific user account or with its machine account. Whichever you choose must be a member of the Event Log Readers group on every forwarding computer; an account that is merely a local user there cannot read the Security log.
- Event Delivery Optimization – Normal (the default, pull delivery with a 15-minute cycle), Minimize Bandwidth (push delivery with long intervals, for sources behind a WAN link) or Minimize Latency (push delivery every 30 seconds, for critical services where you want events quickly).
- Protocol – HTTP (WinRM on port 5985) or HTTPS (port 5986, which requires a server certificate on each source and extra setup). Inside a domain, HTTP still authenticates with Kerberos and encrypts the WS-Management payload, so HTTPS is mostly needed for non-domain sources.
- Click OK twice to close the Advanced Subscription Settings and Subscription Properties windows and create the subscription.
With the default Normal setting the collector polls each source every 15 minutes. The dialog only offers the three presets above; to set your own interval, delivery mode or batch size you have to use the command-line tool wecutil.
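The whole procedure above, run as a script from an elevated PowerShell prompt on the collector instead of through the Event Viewer dialogs, as an added example that is not part of the original post. The collector name env1client01, the source names srv01.corp.example and srv02.corp.example, the subscription name and the event filter are assumptions; the XML fields are the same ones the Subscription Properties dialog writes.

```powershell
# Added example (not from the original post). Assumed names: collector env1client01,
# forwarders srv01/srv02.corp.example, subscription "Critical-And-Error".
# Requires PowerShell 2.0 or later for Test-WSMan; wecutil ships with Windows.
$Sources = @('srv01.corp.example', 'srv02.corp.example')
$SubName = 'Critical-And-Error'

# 1. Put the Windows Event Collector service on Automatic (Delayed Start) and start it.
#    /q suppresses the confirmation prompt.
wecutil qc /q

# 2. Check that every forwarder answers WinRM before creating the subscription
#    (the same thing the Test button in Select Computers... does).
foreach ($src in $Sources) {
    try   { $null = Test-WSMan -ComputerName $src -ErrorAction Stop; "$src : WinRM OK" }
    catch { "$src : not reachable - run 'winrm quickconfig' on it and check the firewall" }
}

# Reminder for each *source* (run there, not here): the collector's machine account must be
# able to read the logs, e.g.   net localgroup "Event Log Readers" "CORP\env1client01$" /add

# 3. Build the subscription. Collector initiated, Pull delivery, 5-event batches and a
#    900000 ms (15 min) latency is exactly the GUI's "Normal" preset.
$eventSources = ($Sources | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>" }) -join "`n"

$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical and Error events from the env1 servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Pull">
    <Batching>
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>900000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="900000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
        <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$eventSources
  </EventSources>
</Subscription>
"@

$path = Join-Path $env:TEMP "$SubName.xml"
$xml | Set-Content -Path $path -Encoding UTF8
wecutil cs $path            # create the subscription (what "OK, OK" does in the dialog)

# 4. Replace the 15-minute poll with push delivery, 30 s max latency and a 30 s heartbeat.
#    This is the wecutil step the text refers to; the GUI cannot set these values.
wecutil ss $SubName /cm:Custom /dm:Push /dmlt:30000 /hi:30000

# 5. Verify. Each source should show as Active; otherwise the last error is printed here.
wecutil gs $SubName /f:xml   # current configuration, useful to diff against the XML above
wecutil gr $SubName          # runtime status per source
```

If a source shows an error in the runtime status, fix the cause (WinRM listener, firewall, Event Log Readers membership, Kerberos name resolution) and run `wecutil rs $SubName` to make the collector retry immediately rather than waiting for the next cycle.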