Configure Event Subscriptions
Why set up a subscription?
If you have computers in a workgroup, it can be useful to centralize their events in one event log. This makes analysing the different event logs easier. Because the computers are in a workgroup, we use certificate-based authentication. To secure the exchange, we use the HTTPS protocol.
How can I implement the solution?
It is first necessary to create the WinRM listeners. The steps have been detailed in previous posts.
After you configure the HTTPS listeners, the subscription must be configured. First, the KB968930 patch must be installed on the collector if it is a Windows Server 2012 R2 server.
If the collector runs Windows Server 2008 R2, KB2884172 must be installed instead.
This patch corrects a problem that occurs when two or more computers/servers are connected to the same subscription. On the server, the DWORD value ClientAuthTrustMode must be changed under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel
The DWORD ClientAuthTrustMode must be set to 2.
The listener must be configured to support certificate-based authentication. To do this, run the following on the collector server:
winrm set winrm/config/service/auth @{Certificate="true"}
Certificate mapping is a very important step: it maps a login/password to a certificate. The operation must succeed before you continue. Retrieve the thumbprint of the root CA certificate and use it as the Issuer. Enter the user name in UserName and the password in Password. To avoid certain error messages, it is best not to copy and paste the command.
Run the command:
winrm create winrm/config/service/certmapping?Issuer=<Thumbprint of the root CA certificate>+Subject=*+URI=* @{UserName="<UserName>";Password="<Password>"}
The subscription can now be created on the collector server. Open the Computer Management console and go to the event logs, then click Subscriptions. In the central pane, click Create Subscription.
Enter the name of the subscription, then select the "Source computer initiated" radio button.
Click the Add Computers button and enter the name of the computer in the field. With the Add Certificates button, select the certificate of the root CA.
In the Subscription Properties window, click the Select Events button and configure the filter as desired.
In the Subscription Properties window, click the Advanced button and then select the HTTPS protocol.
The subscription is now created, but no computer is connected yet.
Now the workstations must be configured so that they attach to the subscription. To do this, edit the local group policy.
Go to Computer Configuration / Administrative Templates / Windows Components / Event Forwarding and open the setting that configures the server address.
Enable the setting, then configure it with the syntax below: specify the FQDN of the collector server, the refresh interval in seconds, and finally the thumbprint of the digital certificate of the root CA.
Server=HTTPS://<FQDN of the collector server>:5986/wsman/SubscriptionManager/WEC,Refresh=<Interval in seconds>,IssuerCA=<Thumbprint of the issuing CA certificate>
Server=HTTPS://FqdnOfTheServer:5986/wsman/SubscriptionManager/WEC,Refresh=10,IssuerCA=Thumbprint of the issuing CA certificate
Click OK twice, then open the Eventlog-ForwardingPlugin event log. On the source computer, an event ID 104 must be present if the configuration of both the source and the collector was done correctly.
The subscription has been updated and a computer has been attached.
Add the Network Service account to the Event Log Readers group on every source computer or server. For Windows XP, the service must run as Local System instead.
The events are now correctly transferred to the collector.
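To check the source-side configuration described above in one pass, here is an added example script (not part of the original post). It assumes the policy is stored under the standard Event Forwarding policy registry key, that event 104 is written to the Eventlog-ForwardingPlugin operational log, and that the collector FQDN and root CA thumbprint are placeholders you replace with your own values.

```powershell
# Added example: verify the source computer side of the HTTPS/certificate-based
# event forwarding setup. Collector FQDN and thumbprint below are placeholders.
param(
    [string]$CollectorFqdn      = 'collector.example.local',        # placeholder
    [string]$IssuerCaThumbprint = '<Thumbprint of the root CA>'     # placeholder
)

$results = [ordered]@{}

# 1. The Subscription Manager policy value (assumed registry path written by the
#    Event Forwarding group policy setting; values are named "1", "2", ...).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$pattern   = "^Server=HTTPS://$([regex]::Escape($CollectorFqdn)):5986/wsman/SubscriptionManager/WEC,Refresh=\d+,IssuerCA=$([regex]::Escape($IssuerCaThumbprint))$"
$values    = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).PSObject.Properties |
             Where-Object { $_.Name -match '^\d+$' } | Select-Object -ExpandProperty Value
$results['SubscriptionManagerPolicy'] = [bool]($values | Where-Object { $_ -match $pattern })

# 2. The root CA must be trusted by the machine so the IssuerCA match works.
$results['RootCaTrusted'] = [bool](Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $IssuerCaThumbprint })

# 3. Network Service must be a member of Event Log Readers to read the logs it forwards.
$results['NetworkServiceIsLogReader'] = [bool](Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*NETWORK SERVICE' })

# 4. The collector's HTTPS listener must be reachable on port 5986.
$results['CollectorPort5986Open'] = (Test-NetConnection -ComputerName $CollectorFqdn -Port 5986 -WarningAction SilentlyContinue).TcpTestSucceeded

# 5. Event ID 104 in the forwarding plugin log shows the source reached the subscription manager.
$results['Event104Seen'] = [bool](Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'; Id = 104
    } -MaxEvents 1 -ErrorAction SilentlyContinue)

# Any $false entry points at the step above that still needs attention.
[pscustomobject]$results
```

Run it in an elevated PowerShell session on the source computer; a $false value names the step of the procedure that is not yet in place.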