Configure Subscriptions Events

Configure Subscriptions Events

Configure Subscriptions Events

Why set up a subscription ?

If you have computer in workgroup, it may be interesting to centralize events in the event logs. This allows to facilitate the analysis of different events log. The computer being in workgroup, we use authentication based on certificates. In order to secure exchange, we will proceed to the use of the HTTPS protocol.

How I can implement solution

It’s necessary at first to create winrm listeners. The steps have been detailed in previous posts.

Manage listener WinRM

After you configure the HTTPS listeners, it is necessary to configure the subscription. Initially, the KB968930 patch must be installed on the collector serving 2012 R2 server.


If the collector is in Windows Server 2008 R2, it is necessary to install the KB2884172.


This patch is useful to correct a problem when two or more computers/servers are connected to the same subscription. It is necessary on the server to change the DWORD ClientAuthTrustMode present in :

HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ Schannel. 
DWORD ClientAuthTrustMode must be set to 2

The listener must be configured to support certificate-based authentication. For this run on the collector server:

WinRM set winrm/config/service/auth @{Certificate = "true"}

The mapping of certificate is a very important step, it allows the mapping of a login/password with a certificate. It is important that the operation is successful in order to continue.It is necessary to retrieve the thumbprint of the certificate of the root CA.Enter the username in UserName and the password in Password. In order to avoid certain error messages, it is best not perform copy and paste.

Configure Subscriptions Events Access to the certificate

Run command :

winrm create winrm/config/service/certmapping?Issuer=+Subject=*+URI=* @{UserName=”“;Password=”“}
Configure Subscriptions Events Create listener

The subscription can now be created on the collector server, go to the console computer management and event logs. Afterwards click on subscription. In the central panel, click Create a subscription.

Configure Subscriptions Events Create suscription

Enter the name of the subscription, and then check the radio button initialization by the source.

Properties of the subscription

Click on the add computer button. Off field and enter the name of the computer. The help of the button add certificates, select the certificate of the Root CA.

Add computer

In the subscription properties window, click the select events button and then configure the filter as desired.

Configure Subscriptions Events subscription has been configured

In the Properties window for the subscription, click on the button advanced and then selected the https protocol.

Configure Advanced option
Select HTTPS

The subscription is now created, but no computer is connected.

Subscriptions has been configured

Now, it is necessary to configure the workstations so that it is attached to the subscription. To do this edit the local group policy.
Go to settings configure the server address present in Computer Configuration / Administrative template / Windows components / event forwarding.

Configure GPO

Enable the setting, and then configure with the syntax below. Specify the FQDN of the collector server and refresh in second interval. Finally enter the value of the thumbprint of the digital certificate of the Root CA.
Server=HTTPS://>:5986/wsman/SubscriptionManager/WEC,Refresh= ,IssuerCA=< Thumbprint of the issuing CA certificate.

Server=HTTPS://FqdnOfTheServer:5986/wsman/SubscriptionManager/WEC,Refresh=10,IssuerCA=Thumbprint of the issuing CA certificate
Configure GPO

Click on OK twice, then access the Eventlog-ForwardingPlugin nEventlog. On the source computer, an event ID 104 must be present if the configuration of the source as well as the collector position was done correctly.

Events are present

The subscription has been updated and a computer has been attached.

Configure Subscriptions Events

Add the Network Service account in the event log readers group (on all source computer or server). For windows XP, it is necessary to run the service as a local system.

Add service account

The events are correctly transferred to the collector.

Configure Subscriptions Events

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.