Q: What are some simple tips for testing and troubleshooting Windows event forwarding and collection?Q: What are some simple tips for testing and troubleshooting Windows event forwarding and collection?
Use the Eventcreate utility and other command-line resources to verify that Windows event forwarding and collection is configured correction.
December 28, 2011
A:For testing Windows event forwarding and collection, you can use the Eventcreate command-line utility (eventcreate.exe). This tool lets anadministrator create a custom event in a specified event log. For example, to create an event with event ID 100 in the application log, you can typethe following command on the event source computer:
eventcreate /t error /id 100 /l application /d "Custom event in application log"
If all event forwarding and collection components are functioning properly and there's normal network latency, the test event you create on a sourcecomputer should arrive in the event collector's Forwarded Events log within one minute.
If the event doesn't appear on the event collector, you can consider the following simple troubleshooting steps:
Make sure you've applied the latest Group Policy Object (GPO) settings on the source computer. The configuration for event forwarding on thesource computer can be set using GPO settings. To make sure the latest GPO settings have been applied, you can force GPO application by typing thefollowing at the command line on the source computer:
gpupdate /force
Check the status of the Windows Remote Management (WinRM) service on the source computer. Make sure WinRM is running and set to startautomatically. On Windows clients, WinRM isn't enabled and configured by default, but you can easily do so from the command line using the winrmcommand and the quickconfig switch, as follows:
winrm quickconfig
This command sets the WinRM service to start automatically, creates a WinRM listener, and creates a Windows Firewall exception for WinRM.
Make sure that the event collector can reach the source computer using WinRM. To do so, run the following command on the event collector:
winrm id -remote: -auth:none
If you use collector-initiated event subscriptions, make sure the collector is using the right credentials for connecting to the sourcecomputer. To check the credentials against the source computer, run the following command on the collector machine:
winrm id -remote: -u: -p:
If you use collector-initiated event subscriptions, make sure that the username you use to connect to the source computer is a member of theEvent Log Readers group on the source computer. Event Log Readers is a predefined local group that controls access to the local event logs. Onlymembers of a computer's Event Log Readers group can read the events on that particular computer.
Check whether the source computer has registered with the event collector. To list all registered source computers for a given subscription,use the following Windows Event Collector Utility (wecutil.exe) command:
wecutil gr
Make sure that event forwarding isn't blocked on the event collector due to bad Windows Firewall configuration settings. Make sure that theWindows Firewall Inbound Rules are enabled for accepting incoming WinRM connections ("Windows Remote Management (HTTP-In)" and "Windows RemoteManagement (HTTP-In)-Compatibility Mode"). If you've configured a subscription to use the HTTPS protocol, you must also make sure that you create aWindows Firewall exception for HTTPS on port 443.
You can find more event forwarding and collection troubleshooting tips in the Microsoft TechNet article "Configure Computers to Forward and CollectEvents."
About the Author
You May Also Like