You can use the tools in this section to centralize your Windows
Event Log from many servers or desktops. By properly administering your
logs, you can track the health of your systems while keeping your log
files secure, and filter their contents for finding the correct
information.
Centralizing your logs saves time and increases the reliability of your log data. When Windows log files are stored locally on each server, you have to individually log into each one to go through them and look for any errors or warnings. If the server is unresponsive you might be out of luck. If you aren’t sure which servers are affected, you have to hunt through each one, which could take a long time on larger networks. The log files are also safer in a centralized location because even when your instances are terminated or your files are deleted (intentionally or unintentionally), the centralized backup copies of your logs are unaffected.
It’s possible for a Windows server to forward its events to a “subscribing” server. In this scenario the collector server can become a central repository for Windows logs from other servers in the network.
We will now see how that’s done in seven steps described below. These steps work on both Windows Server 2008 R2 and Windows Server 2012.
Example System
First, let’s describe our example system. We are using two Active Directory Domain–joined Windows Server 2012 systems. The domain name is MYTESTDOMAIN.COM and as shown in the figure below, the machines are both registered with the domain.
One of the servers, called MYTESTSQL, hosts a SQL Server 2014 instance. The other machine, called MYTESTSERVER, will work as an event log subscriber. It will be used to centralize all SQL Server related logs from MYTESTSQL. We will call MYTESTSQL the “source” and MYTESTSERVER the “collector.”
Setup Steps
1. Enable the Windows Remote Management Service
To begin with, remotely log into the source computer (MYTESTSQL) as a local or domain administrator and open a command prompt. Execute the following command:
This enables Windows Remote Management service in the source server.
If it has already been running, you will receive a message like this:
2. Configure the Windows Event Collector Service
Next, remotely access the collector machine (the centralized log collector, MYTESTSERVER) as a local or domain administrator. Again, open a command prompt and execute the following command:wecutil qcIn the prompt that comes up, as shown below, press y:
3. Configure the Event Log Readers Group
Once the commands have been run successfully, go back to the event source computer and open the Computer Management applet from the Server Manager. Once that starts, expand the Local Users and Groups node from the navigation pane and select the Groups folder.Double click on the “Event Log Readers” group. Once the dialog box appears, click Add.
In the “Select Users, Computers, Service Accounts or Groups” dialog box, click on the “Object Type” button and select the checkbox for “Computers” and click OK (shown below):
Type “MYTESTSERVER” and click on the “Check Name” button. If the computer account is found, it will be confirmed with an underline. Click OK and then OK again. This will close the dialog box shown below:
4. Configure Windows Firewall
If the source computer is running Windows Firewall, make sure it’s allowing Remote Event Log Management and Remote Event Monitor traffic, as shown below:
5. Create a Subscription
Next, start the Event Viewer application in the collector server (MYTESTSERVER) and select the Subscription node. From the Action menu in the right pane, choose the “Create Subscription…” link.
The following images show the options to choose in the Subscription Properties dialog box that appears:
a. Provide a name and description for the subscription.
b. Leave the “Destination log” field set to default value of Forwarded Events.
c. Choose the first option (“Collector initiated”) for subscription type and then click on the “Select Computers…” button.
d. Click on the “Add Domain Computers…” button in the dialog box that pops up.
e. Type the name of the source server (MYTESTSQL) and verify the name. Click OK twice to come back to the Subscription Properties main dialog box.
f. In the Events to collect section, click on the “Select Events…” button to bring up the Query Filter window.
g. Select Last 24 hours from the “Logged” drop-down list.
h. Select all the types of events (Warning, Error, Critical, Information, and Verbose).
i. Choose the option “By log” and in the drop-down list, select the tick box beside Application.Basically we want the remote server to forward all application events that happened in the last 24 hours.
j. Click OK to come back to the Subscription Properties main dialog box again.
k. Click on the “Advanced…” button and then in the Advanced Subscription Settings dialog box select the option for “Machine Account” if it’s not already selected.
l. Change the “Event Delivery Optimization” option to “Minimize Latency.”
m. Leave the Protocol to default value of HTTP and the Port to 5985.
n. Click OK to go back to the Subscription Properties dialog box and then click OK to close it.
The Subscription node in the collector computer’s event viewer should now show the subscription we just created.
6. Verify Events on Collector Computer
If we now select the Forwarded Events node, we will see this:
The column “Computer” now shows the events are from the remote computer MYTESTSQL.MYTESTDOMAIN.COM.You can enable or disable the collector subscription by right-clicking on the subscription and choosing “Disable” from the pop-up menu. When disabled, the status of the subscription is shown as disabled in the main window.An active collector subscription doesn’t mean it’s succeeding. To see if the collector can connect to the source, right click on the subscription and choose “Runtime Status” from the pop-up menu. In the image below, we can see the collector can’t connect to the source. By default it retries every five minutes:
If all is OK, subscription run-time status shows a green tick with an active status:
Centralizing your logs saves time and increases the reliability of your log data. When Windows log files are stored locally on each server, you have to individually log into each one to go through them and look for any errors or warnings. If the server is unresponsive you might be out of luck. If you aren’t sure which servers are affected, you have to hunt through each one, which could take a long time on larger networks. The log files are also safer in a centralized location because even when your instances are terminated or your files are deleted (intentionally or unintentionally), the centralized backup copies of your logs are unaffected.
It’s possible for a Windows server to forward its events to a “subscribing” server. In this scenario the collector server can become a central repository for Windows logs from other servers in the network.
We will now see how that’s done in seven steps described below. These steps work on both Windows Server 2008 R2 and Windows Server 2012.
Example System
First, let’s describe our example system. We are using two Active Directory Domain–joined Windows Server 2012 systems. The domain name is MYTESTDOMAIN.COM and as shown in the figure below, the machines are both registered with the domain.
One of the servers, called MYTESTSQL, hosts a SQL Server 2014 instance. The other machine, called MYTESTSERVER, will work as an event log subscriber. It will be used to centralize all SQL Server related logs from MYTESTSQL. We will call MYTESTSQL the “source” and MYTESTSERVER the “collector.”
Setup Steps
1. Enable the Windows Remote Management Service
To begin with, remotely log into the source computer (MYTESTSQL) as a local or domain administrator and open a command prompt. Execute the following command:
2. Configure the Windows Event Collector Service
Next, remotely access the collector machine (the centralized log collector, MYTESTSERVER) as a local or domain administrator. Again, open a command prompt and execute the following command:wecutil qcIn the prompt that comes up, as shown below, press y:
3. Configure the Event Log Readers Group
Once the commands have been run successfully, go back to the event source computer and open the Computer Management applet from the Server Manager. Once that starts, expand the Local Users and Groups node from the navigation pane and select the Groups folder.Double click on the “Event Log Readers” group. Once the dialog box appears, click Add.
In the “Select Users, Computers, Service Accounts or Groups” dialog box, click on the “Object Type” button and select the checkbox for “Computers” and click OK (shown below):
Type “MYTESTSERVER” and click on the “Check Name” button. If the computer account is found, it will be confirmed with an underline. Click OK and then OK again. This will close the dialog box shown below:
4. Configure Windows Firewall
If the source computer is running Windows Firewall, make sure it’s allowing Remote Event Log Management and Remote Event Monitor traffic, as shown below:
5. Create a Subscription
Next, start the Event Viewer application in the collector server (MYTESTSERVER) and select the Subscription node. From the Action menu in the right pane, choose the “Create Subscription…” link.
The following images show the options to choose in the Subscription Properties dialog box that appears:
a. Provide a name and description for the subscription.
b. Leave the “Destination log” field set to default value of Forwarded Events.
c. Choose the first option (“Collector initiated”) for subscription type and then click on the “Select Computers…” button.
d. Click on the “Add Domain Computers…” button in the dialog box that pops up.
e. Type the name of the source server (MYTESTSQL) and verify the name. Click OK twice to come back to the Subscription Properties main dialog box.
f. In the Events to collect section, click on the “Select Events…” button to bring up the Query Filter window.
g. Select Last 24 hours from the “Logged” drop-down list.
h. Select all the types of events (Warning, Error, Critical, Information, and Verbose).
i. Choose the option “By log” and in the drop-down list, select the tick box beside Application.Basically we want the remote server to forward all application events that happened in the last 24 hours.
j. Click OK to come back to the Subscription Properties main dialog box again.
k. Click on the “Advanced…” button and then in the Advanced Subscription Settings dialog box select the option for “Machine Account” if it’s not already selected.
l. Change the “Event Delivery Optimization” option to “Minimize Latency.”
m. Leave the Protocol to default value of HTTP and the Port to 5985.
n. Click OK to go back to the Subscription Properties dialog box and then click OK to close it.
The Subscription node in the collector computer’s event viewer should now show the subscription we just created.
6. Verify Events on Collector Computer
If we now select the Forwarded Events node, we will see this:
The column “Computer” now shows the events are from the remote computer MYTESTSQL.MYTESTDOMAIN.COM.You can enable or disable the collector subscription by right-clicking on the subscription and choosing “Disable” from the pop-up menu. When disabled, the status of the subscription is shown as disabled in the main window.An active collector subscription doesn’t mean it’s succeeding. To see if the collector can connect to the source, right click on the subscription and choose “Runtime Status” from the pop-up menu. In the image below, we can see the collector can’t connect to the source. By default it retries every five minutes:
If all is OK, subscription run-time status shows a green tick with an active status:
