Source-Initiated (Push mode) in WorkGroup

  • Question

  • Hi everyone

    Can we create "Event Forwarding" in WorkGroup using Source-Initiated (Push mode) Subscription?

    In particular, I want to know whether the following part on this page is feasible:

    "Setting up a source initiated subscription where the event sources are not in the same domain as the event collector computer"

    Thanks


    New Ideas, Superior Solutions SalamGroup.Ir


    Tuesday, July 23, 2013 10:15 AM

Answers

  • In a workgroup environment, you can follow the same basic procedure described above to configure computers to forward and collect events. However, there are some additional steps and considerations for workgroups:

    • You can only use Normal mode (Pull) subscriptions.
    • You must add a Windows Firewall exception for Remote Event Log Management on each source computer.
    • You must add an account with administrator privileges to the Event Log Readers group on each source computer. You must specify this account in the Configure Advanced Subscription Settings dialog when creating a subscription on the collector computer.
    • Type winrm set winrm/config/client @{TrustedHosts="<sources>"} at a command prompt on the collector computer to allow all of the source computers to use NTLM authentication when communicating with WinRM on the collector computer. Run this command only once. Where <sources> appears in the command, substitute a list of the names of all of the participating source computers in the workgroup. Separate the names by commas. Alternatively, you can use wildcards to match the names of all the source computers. For example, if you want to configure a set of source computers, each with a name that begins with "msft", you could type this command winrm set winrm/config/client @{TrustedHosts="msft*"} on the collector computer. To learn more about this command, type winrm help config.
  • If you configure a subscription to use the HTTPS protocol by using the HTTPS option in Advanced Subscription Settings, you must also set corresponding Windows Firewall exceptions for port 443. For a subscription that uses Normal (PULL mode) delivery optimization, you must set the exception only on the source computers. For a subscription that uses either Minimize Bandwidth or Minimize Latency (PUSH mode) delivery optimizations, you must set the exception on both the source and collector computers.
  • If you intend to specify a user account by using the Specific User option in Advanced Subscription Settings when creating the subscription, you must ensure that account is a member of the local Administrators group on each of the source computers in step 4 instead of adding the machine account of the collector computer. Alternatively, you can use the Windows Event Log command-line utility to grant an account access to individual logs. To learn more about this command-line utility, type wevtutil sl -? at a command prompt.
  • Please refer to: http://technet.microsoft.com/en-us/library/cc748890.aspx

    TechNet Subscriber Support | If you have any feedback on TechNet forum, please contact tnmff@microsoft.com.

    Wednesday, July 24, 2013 2:47 AM
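
The workgroup steps listed in the answer above, as an added PowerShell example (not part of the original post or of the TechNet article). The function names, host names and account name are hypothetical, and Windows PowerShell 5.1 in an elevated session is assumed. TrustedHosts decides which hosts the WinRM client will use NTLM with, without verifying the remote machine's identity, so this sketch merges explicitly named sources into the existing value and refuses wildcards, a narrower choice than the wildcard form the answer also permits.

```powershell
#requires -Version 5.1
# Added example. Host names and the account name are hypothetical; run elevated.

function Merge-TrustedHosts {
    # Pure helper: merge explicit source names into an existing TrustedHosts string.
    param([string]$Current, [string[]]$Sources)
    foreach ($s in $Sources) {
        if ($s -match '[*?]') { throw "Wildcard entry '$s' rejected; list sources by name." }
    }
    $existing = @($Current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($existing -contains '*') {
        Write-Warning 'TrustedHosts already contains "*"; every host is trusted for NTLM.'
    }
    ($existing + $Sources | Sort-Object -Unique) -join ','
}

function Set-CollectorTrustedHosts {
    # Collector side: same setting as
    #   winrm set winrm/config/client @{TrustedHosts="<sources>"}
    # but appended to the current value instead of overwriting it.
    param([Parameter(Mandatory)][string[]]$Sources)
    $path   = 'WSMan:\localhost\Client\TrustedHosts'
    $merged = Merge-TrustedHosts -Current (Get-Item $path).Value -Sources $Sources
    Set-Item -Path $path -Value $merged -Force
    (Get-Item $path).Value          # return what is now configured
}

function Enable-SourceForPull {
    # Source side: firewall exception plus Event Log Readers membership.
    param([Parameter(Mandatory)][string]$Account)
    $fwGroup = 'Remote Event Log Management'
    Enable-NetFirewallRule -DisplayGroup $fwGroup

    $group   = 'Event Log Readers'
    $members = Get-LocalGroupMember -Group $group | ForEach-Object { $_.Name }
    if ($members -notcontains "$env:COMPUTERNAME\$Account") {
        Add-LocalGroupMember -Group $group -Member $Account
    }
    # Return the rule state so the change can be reviewed.
    Get-NetFirewallRule -DisplayGroup $fwGroup | Select-Object DisplayName, Enabled, Profile
}

# On the collector:   Set-CollectorTrustedHosts -Sources 'src01','src02'
# On each source:     Enable-SourceForPull -Account 'evtcollect'
```

The account passed to Enable-SourceForPull is the one entered in the Configure Advanced Subscription Settings dialog on the collector.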

All replies

  • So this is a contradiction in the TechNet documents, isn't it?


    New Ideas, Superior Solutions SalamGroup.Ir

    Wednesday, July 24, 2013 8:04 AM