Hi @Parichay Saxena,
Welcome to the Microsoft Q&A platform!
Based on your description, to effectively monitor the logs of different roles such as SCCM, SQL, MS Lync, MS Exchange 2016, and MS SharePoint Server 2016 using WinRM, you can follow some of the best practices and steps below:
- Verify that WinRM is properly configured and enabled on all servers. You can use the command winrm quickconfig to set the default configuration.
- Make sure the necessary firewall ports (TCP 5985 for HTTP and TCP 5986 for HTTPS) are open to allow incoming connections.
- The user account used for WinRM authentication must have the required permissions to access the logs. For example, to access the security log, the user account needs to be a member of the local administrators group or have the "Manage auditing and security log" user right.
- Use the wevtutil command to configure the security descriptor for each log you want to access. For example:
wevtutil sl Application /ca:<existing-SDDL-string>(A;;0x1;;;S-1-5-20)
wevtutil sl Security /ca:<existing-SDDL-string>(A;;0x1;;;S-1-5-20)
wevtutil sl System /ca:<existing-SDDL-string>(A;;0x1;;;S-1-5-20)
This will grant the local Network Service account read access to the log.
- After you configure the security descriptor, you can use the wevtutil command to retrieve log data. For example:
wevtutil qe Security /rd:true /f:text /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing']]]"
This command retrieves all events from the security log generated by the Microsoft-Windows-Security-Auditing provider.
- For enhanced security, configure WinRM to use HTTPS instead of HTTP. This ensures that data transmitted over the network is encrypted.
- Enable PowerShell logging to capture detailed information about activities performed through WinRM.
By following these steps, you should be able to effectively monitor logs for SCCM, SQL, MS Lync, MS Exchange 2016, and MS SharePoint Server 2016 using WinRM.
Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.
Best,
Jake Zhang
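The steps above, as an added PowerShell example that is not part of the original answer: it reads each log's current channel SDDL with wevtutil gl, appends the Network Service read ACE only when it is missing (so the existing SDDL is never retyped by hand), and then runs the same Security-log provider query over a WinRM HTTPS session with Get-WinEvent. The server name is a placeholder, the session user is assumed to be a local administrator on the target, and the SDDL is assumed to end with its DACL (no trailing SACL section), which is the usual shape for event log channels.

```powershell
# Added example (not from the original answer). Run from an elevated PowerShell session.
$ServerName = 'SRV-EXAMPLE.contoso.local'   # placeholder: FQDN must match the WinRM HTTPS certificate
$Logs       = 'Application', 'Security', 'System'
$ReadAce    = '(A;;0x1;;;S-1-5-20)'          # 0x1 = read; S-1-5-20 = NT AUTHORITY\NETWORK SERVICE

function Grant-LogReadAccess {
    param([string]$LogName, [string]$Ace)
    # 'wevtutil gl' prints the channel configuration as "key: value" lines;
    # the channelAccess line holds the existing SDDL that must be preserved.
    $line = & wevtutil gl $LogName | Select-String -Pattern '^channelAccess:\s*(.+)$'
    if (-not $line) { throw "Could not read channelAccess for log '$LogName'" }
    $current = $line.Matches[0].Groups[1].Value
    if ($current -like "*$Ace*") {
        Write-Verbose "$LogName already contains $Ace; nothing to change"
        return $current
    }
    # Assumes the SDDL ends with its DACL, so the new ACE is appended after the existing ones.
    $new = $current + $Ace
    & wevtutil sl $LogName "/ca:$new"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed for '$LogName' (exit code $LASTEXITCODE)" }
    return $new
}

# HTTPS listener on TCP 5986, so credentials and log data are encrypted in transit.
$Session = New-PSSession -ComputerName $ServerName -UseSSL
try {
    foreach ($log in $Logs) {
        $applied = Invoke-Command -Session $Session -ScriptBlock ${function:Grant-LogReadAccess} `
                                  -ArgumentList $log, $ReadAce
        Write-Host "$log channelAccess is now: $applied"
    }

    # Same filter as the 'wevtutil qe Security' example, expressed with Get-WinEvent.
    $events = Invoke-Command -Session $Session -ScriptBlock {
        Get-WinEvent -FilterHashtable @{
            LogName      = 'Security'
            ProviderName = 'Microsoft-Windows-Security-Auditing'
        } -MaxEvents 50
    }
    $events | Select-Object TimeCreated, Id, MachineName, Message | Format-Table -AutoSize -Wrap
}
finally {
    Remove-PSSession $Session
}
```

Run it once per server after the HTTPS listener is in place; the Write-Host lines show the resulting SDDL so the change can be reviewed and rolled back with wevtutil sl if needed.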