Configuring Event Forwarding Source Computer initiated Subscription

Hello Guys,

Bellow a blog article contributed by Carmina Dumitrescu, Support Engineer, Microsoft Windows Platforms Core Support Team Germany:

Let’s say you have a 2012R2 Domain Controller and a 2012R2 Event Collector Server - on which you would like to receive Events from all other devices in your organization, by using a Source Computer initiated Subscription.

Here are my guidelines, hope they will help you:

1. Reconfigure WinRM on all systems: Admin CMD „winrm invoke Restore winrm/Config @{}“

2. On the Event Collector Server: Admin CMD „winrm qc“

3. Please check if the Event Collector Server is being recognized from the DC and Subscription Systems: „winrs –r:<Servername.domain.com> ipconfig“. Should look as below:

4. Create the subscription on the Event Collector Server.

       Add your Domain Computers.

      Choose desired events.

      Under Advanced Settings select: Normal and HTTP

5. Create a new GPO on the DC.

6. Configure the new created „Event Forwarding“ GPO

7. Enable the Configure Target Subscription Manager. You have to add the Event collector. Therefore:

        Show: Add Event collector: Server=https://<eventcollector FQDN>:5985/wsman/SubscriptionManager/WEC,Refresh=10

8. Gpupdate

9. Forwarded Events should now be visible on the Event Collector Server.

Happy Troubleshooting.

Thanks,

Carmina

Comments

• Anonymous
  October 14, 2016
  how to validate if source is actually properly configured and try send something to collector?
• Anonymous
  January 05, 2017
  7th point really helped. I was struggling since morning for this.