Establishing a Collector Initiated Subscription:
1. Download and install WS-Management/WINRM on client and collector computers. Configure WINRM using command "winrm quickconfig". Event Viewer will be appended with a Microsoft-Windows-Forwarding/Operational log.
2. Configure WECUTIL on collector computer using command "WECutil QC".
3. Import subscription using command 'WECUTIL cs sub_CI_Pull0.xml' on the collector computer.
NOTE: Modify sub_CI_Pull0.xml before importing it. I used a domain account with administrative privileges. The Event Selection XPath syntax is sensitive. I was unable to create a query for the Security log. (Security Log Permissions)
4. Run eventvwr.msc on the collector computer. Right click on your subscription and view Runtime Status. Specified clients have to display a green, Active status. You will see events appearing in the Windows Logs\Forwarded Events log shortly.
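The four collector-side steps above, collected into one PowerShell script so they can be re-run or reviewed in order. This is an added example, not the original post's or Microsoft's code; the subscription file name and the subscription ID used for the runtime-status check are assumptions (the ID must match the SubscriptionId element inside the XML you import).

```powershell
# Added example: run on the COLLECTOR in an elevated prompt.
# Mirrors steps 1-4 of the post; winrm.cmd and wecutil.exe are the same
# tools the post invokes, only wrapped so failures stop the run.
$ErrorActionPreference = 'Stop'

# Assumption: the edited subscription file sits next to this script,
# and its <SubscriptionId> element is "sub_CI_Pull0" (check before running).
$subscriptionFile = Join-Path $PSScriptRoot 'sub_CI_Pull0.xml'
$subscriptionId   = 'sub_CI_Pull0'

# Step 1: make sure WinRM is listening (creates the listener, firewall
# exception and the Microsoft-Windows-Forwarding/Operational log).
winrm quickconfig -q
if ($LASTEXITCODE -ne 0) { throw "winrm quickconfig failed ($LASTEXITCODE)" }

# Step 2: enable the Windows Event Collector service on the collector.
wecutil qc /q
if ($LASTEXITCODE -ne 0) { throw "wecutil qc failed ($LASTEXITCODE)" }

# Step 3: import (create) the subscription from the XML file.
if (-not (Test-Path $subscriptionFile)) { throw "Missing $subscriptionFile" }
wecutil cs $subscriptionFile
if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed ($LASTEXITCODE)" }

# Step 4 (command-line equivalent of Event Viewer > Runtime Status):
# list subscriptions, then show per-source status for ours. Each client
# should report Active; anything else is where to start troubleshooting.
wecutil es
wecutil gr $subscriptionId

# Sanity check: the first forwarded events should land in ForwardedEvents.
Get-WinEvent -LogName 'ForwardedEvents' -MaxEvents 5 |
    Select-Object TimeCreated, MachineName, Id, ProviderName
```

If `wecutil gr` shows a source as Inactive with an access-denied error, that is the symptom the EventCollector notes below describe; the fix there (a specific user account in Advanced Subscription Settings, or restarting WinRM on the client) applies unchanged.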
Setting up a Source Initiated Subscription:
Source Initiated subscription is the preferred way of forwarding events as it is much easier deployed via Group Policy.
Repeat above steps 1 through 4, replacing sub_CI_Pull0.xml in step 3 with sub_SI0.xml.
The extra step to perform on XP/2003 clients is to tattoo the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
Type: REG_SZ
Name: 1
Data: Server=collector.domain.com (FQDN of your collector, HTTP transport only. A valid URI is required for HTTPS, e.g. "Server=https://<FQDN>/wsman/SubscriptionManager/WEC")
and then restart the WINRM service on the client. These extra steps should produce event 104 in your client's Windows Logs\Forwarded Events log with the message: "The forwarder has successfully connected to the subscription manager at address <FQDN>.", followed by event 100 with the message: "The subscription <sub_name> is created successfully."
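The client-side tattoo, WinRM restart and event check from the source-initiated steps above, as one added PowerShell script (not the original post's code). The collector FQDN is a placeholder, and the log name passed to Get-WinEvent follows the post's statement that events 104 and 100 appear under Forwarded Events; adjust it if your client logs them elsewhere.

```powershell
# Added example: run on the CLIENT (source computer) in an elevated prompt.
# Writes the SubscriptionManager policy value the post describes, restarts
# WinRM, then waits for the confirmation events the post says should follow.
$ErrorActionPreference = 'Stop'

# Placeholder: replace with the collector's FQDN. HTTP form shown; for HTTPS the
# post gives the URI form "Server=https://<FQDN>/wsman/SubscriptionManager/WEC".
$collectorFqdn = 'collector.domain.com'
$serverValue   = "Server=$collectorFqdn"

# Same key as the post, in PowerShell drive notation.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

# Create the key path if Group Policy has never populated it, then set the
# REG_SZ value named "1" (the post's "Name: 1"). -Force overwrites a stale entry.
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
New-ItemProperty -Path $policyKey -Name '1' -Value $serverValue `
                 -PropertyType String -Force | Out-Null

# Restart WinRM so the forwarder re-reads the policy and contacts the collector.
Restart-Service -Name WinRM

# Poll for event 104 (connected to subscription manager) and 100 (subscription
# created). Assumption: the log name is the one the post names; the provider
# filter keeps other forwarded events out of the result.
$deadline = (Get-Date).AddMinutes(2)
do {
    Start-Sleep -Seconds 10
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 100, 104 } `
                           -ErrorAction SilentlyContinue |
              Where-Object { $_.TimeCreated -gt (Get-Date).AddMinutes(-5) }
} until ($events -or (Get-Date) -gt $deadline)

if (-not $events) {
    Write-Warning "No event 104/100 seen; check that $collectorFqdn resolves and WinRM is reachable."
} else {
    $events | Select-Object TimeCreated, Id, Message | Format-List
}
```

Because the value lives under the Policies hive, a later Group Policy refresh that carries a SubscriptionManager setting will overwrite what this script writes; that is the intended path once the setup is moved to GPO as the post recommends.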
WINRM notes: WINRM configuration has not been altered from the default. It seems that setting the TrustedHosts variable is not necessary (winrm set winrm/config/client @{TrustedHosts="wildcard_machine_name_here"})
EventCollector notes: The Create Subscription GUI did not work for me at creating a collector initiated subscription. For some reason I started getting an Access Denied error with this set up and I had to either: change the User Account in Advanced Subscription Settings from Machine Account to a Specific User account OR restart the WINRM service on the client.
Please post comments and ideas you have. I am interested in how far we can go with this XP<-->2008 collector setup.
Attachments:
sub_CI_Pull0.xml (1.30 KB) sub_SI0.xml (1.46 KB)