In this second part of my series around consolidated logging we’ll be looking at how to consolidate all your Windows logs into one single Event Viewer. I have mentioned in many previous articles and talks that I’m a big fan of creating a management server in your IT environment. Basically this is your one-stop shop for managing any and all of your infrastructure. A key benefit is consolidating all your events onto this server, giving you a single view of events throughout your environment.
This is achieved through a mechanism called Event Forwarding (Windows Eventing 6.0) and is nothing new. It’s been with us since the release of Vista and Windows 2008 but is heavily underused in IT infrastructures today. The nice thing about this technology is that MS opened it up for backwards compatibility with down-level OSes like Windows XP SP2 and Windows 2003 SP1.
Getting this feature to work is simple and here are the steps.
1. The first thing you need to understand is there are two components to this story and both require setup:
- Forwarding Server => all servers that forward their Event Viewer information to a central collector server.
- Collector Server => the server receiving the events from the downstream servers.
- Subscription => the link between the two: which events will be transferred and where they will be stored.
[Diagram: Collector initiated Subscription]
2. The second thing you need to understand is that Windows event forwarding can be configured in two modes:
- Collector Initiated Subscription => The collector requests the events to be sent from the forwarding computers. This is a typical setup for a small environment with only a few servers.
- Source Initiated Subscription => The source computer determines when to send the events. This setup leverages Group Policy for large scale deployment.
For this post we’ll focus on the Collector Initiated Subscription and move to the source initiated subscription in the next post. As there are two components in this setup you are required to execute two commands, one on each computer.
3. Configure the Collector Server
execute the command wecutil quick-config
4. Configure the Forwarding Server
execute the command winrm quickconfig
Running this command will start the Windows Remote Management service and set WinRM to delayed start.
Additionally the Windows Firewall will be reconfigured to allow remote computers to connect to the WinRM service.
Add the collector computer account to the Event Log Readers group on the forwarding computer; this is what allows the collector to read the source’s logs.
5. Manually configure the event forwarding on the collector server. To do this open the Event Viewer on your collector.
Right click Subscriptions > Create Subscription
Enter a name and description. Ensure the name makes logical sense to you as it will be displayed later on in the Subscriptions tree.
Choose what destination log you want the events to arrive in. The default value, Forwarded Events, is usually the best idea.
The radio buttons give you the option to choose the subscription type. We are using the collector initiated setup.
Next, add a forwarding computer to this subscription and test the connection.
The final step is to configure what events will be forwarded. Here you really determine the depth of your central collector. Often it’s enough to only collect critical and error events from the different event logs, but this is of course entirely up to you.
When you are done the subscription should be active.
The forwarded events should appear in your Forwarded Events log, or whatever destination log you specified.
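The same setup, scripted instead of clicked through the dialog. This is an added example and not code from the original post; the names CONTOSO, COLLECTOR01, FWD01 and the subscription name CriticalAndErrors are placeholders. The XML follows the subscription schema that wecutil create-subscription (cs) accepts, and it matches the dialog choices above: collector initiated, only Critical (Level 1) and Error (Level 2) events from the Application and System logs, delivered into ForwardedEvents.

```powershell
# Added example (not from the original post). Placeholders: CONTOSO, COLLECTOR01, FWD01, CriticalAndErrors.

# --- Run on the forwarding server (FWD01) ---
# Step 4: WinRM listener + firewall exception; service set to delayed auto-start (-q suppresses prompts)
winrm quickconfig -q
# Allow the collector's computer account to read the logs (net localgroup also works on down-level OSes)
net localgroup "Event Log Readers" "CONTOSO\COLLECTOR01$" /add

# --- Run on the collector server (COLLECTOR01) ---
# Step 3: configure the Windows Event Collector service (same as "wecutil quick-config")
wecutil qc /q

# Step 5: subscription definition equivalent to the Create Subscription dialog.
# ConfigurationMode may be Normal, MinBandwidth, MinLatency or Custom (see the Advanced options).
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>CriticalAndErrors</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical and error events from forwarding servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Application">
          <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
          <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>FWD01.contoso.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@

# Write the definition to disk and register it with the collector service
$path = Join-Path $env:TEMP 'CriticalAndErrors.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8
wecutil cs $path

# Show the stored subscription and the runtime status of each source (should read Active)
wecutil gs CriticalAndErrors
wecutil gr CriticalAndErrors
```

Using CredentialsType Default means the collector connects with its own machine account, which is exactly why that account has to be in the source’s Event Log Readers group. Adding more forwarders is a matter of adding EventSource elements, or of wecutil ss CriticalAndErrors /esa:FWD02.contoso.com on an existing subscription.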
6. Once you are done you will want to test your setup.
You can force the creation of an event on a forwarding computer using the command
eventcreate /id 100 /t information /l application /d "Event forwarding Test"
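A way to verify the whole chain rather than just creating the event; added here as an example, not part of the original post. The subscription name CriticalAndErrors and host names are placeholders. Note that the test event only arrives if it matches the subscription’s query, so this writes an Error-level event, which is forwarded by both the Critical/Error filter suggested above and by any broader one.

```powershell
# Added example (not from the original post). Placeholders: FWD01, CriticalAndErrors.

# --- On the forwarding server (FWD01): write a test event that matches a Critical/Error filter ---
# (the post's "/t information" variant only gets forwarded if the subscription includes Information level)
eventcreate /id 100 /t error /l application /d "Event forwarding Test"

# --- On the collector: check the subscription is actually talking to each source ---
# Healthy output shows each source as Active with LastError 0; an error code here usually means
# WinRM is unreachable or the collector account is missing from Event Log Readers on the source.
wecutil gr CriticalAndErrors

# Look for the test event in the destination log. With the Normal delivery option events are
# batched, so allow up to the 15 minute batch timeout before it appears.
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 100 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, ProviderName, Message

# Confirm the event exists on the source itself, to separate "not generated" from "not forwarded"
Invoke-Command -ComputerName FWD01 -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 100 } -MaxEvents 1
}
```

If wecutil gr reports the source as Active but the event never shows up, the usual culprit is the query filter, not the transport: compare the level and log of the test event against the Select elements in wecutil gs output.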
7. From the Advanced menu you can manage the amount of bandwidth used during event collection. The three delivery optimization options are:
- Normal => ensures reliable delivery of events and does not attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes.
- Minimize Bandwidth => ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours.
- Minimize Latency => ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds.
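The same delivery options set from the command line, plus the Custom mode the dialog also offers for picking your own values. Added example, not from the original post; the subscription name CriticalAndErrors is a placeholder, and the commands run on the collector.

```powershell
# Added example (not from the original post). Placeholder subscription name: CriticalAndErrors.
# wecutil ss (set-subscription) /cm selects the same presets as the Advanced dialog's radio buttons.

# Normal: pull, 5 events per batch, 15 minute batch timeout (the default)
wecutil ss CriticalAndErrors /cm:Normal

# Minimize Bandwidth: push, 6 hour batch timeout and 6 hour heartbeat
wecutil ss CriticalAndErrors /cm:MinBandwidth

# Minimize Latency: push, 30 second batch timeout; the right choice for critical/alert-style events
wecutil ss CriticalAndErrors /cm:MinLatency

# Custom: explicit values in milliseconds. Here: push, a batch is sent after 20 events or 60 seconds,
# and the source sends a heartbeat every 5 minutes so a silent source is noticed quickly.
wecutil ss CriticalAndErrors /cm:Custom /dm:Push /dmi:20 /dmlt:60000 /hi:300000

# Confirm what is now stored and that the sources are still Active after the change
wecutil gs CriticalAndErrors
wecutil gr CriticalAndErrors
```

The heartbeat matters more than it looks: with a long batch timeout, the heartbeat is the only signal that distinguishes a quiet forwarder from one that has stopped talking to the collector, so a shorter heartbeat than batch timeout is a reasonable compromise when you care about noticing outages.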
In the next post we’ll be looking at the more robust setup using GPO for Source initiated Subscription scenarios.