Welcome to Troubleshooting Tools

Subscriptions

In this Video:
• We will describe one of the newer features in the Windows Event Viewer called
subscriptions.
• We will create and configure a subscription.
• At the completion of this lecture, you will gain valuable work-related
knowledge and experience by utilizing and implementing the tools discussed
in this lecture.
Prerequisites: It is recommended to have access to, or to have installed in
your lab, the following:
• One Windows Server 2016 machine with Active Directory installed and promoted to a
domain controller (DNS installs automatically).
• One member server running Windows Server 2016 with DNS installed. Join this
machine to the domain just like you would any other computer.
• One Windows client, preferably Windows 10. This machine is not necessary,
but I have included it. This machine will be joined to the domain.
• You could set up this lab as all VMs or as separate machines.
• Appropriate permissions will be needed. It is recommended to create a
domain admin account on the domain controller and use this account to log on
to all the machines.
• Don’t forget to download the supplemental documentation that I have
included with this lecture.
Subscriptions - What is a subscription? - Simply put, a subscription is the set of settings
used to transfer events from one computer to another. In the old days, if you wanted to examine the event log
of another server you had to right-click Event Viewer and connect to the other
server. But what if you were managing eight servers? Wouldn’t it be great if you
could bring all the logs and events that you wanted to see into one location? That is
exactly what you can do with subscriptions.

Before we set up subscriptions, some terminology must be understood.
• Source computers (forwarding computers) – Computers that are configured
to send events.
• Collector computers – Computers that are configured to receive these
events.
• Events can be transferred from the source computer to the collector
computer in one of two ways:
  Collector initiated – The collector contacts the source and requests a
  transfer of events; this is called a collector-initiated subscription (works well
  with a few clients).
  Source initiated – The source transfers events as configured. Works well with
  many computers.
In this lecture, we will configure a collector-initiated subscription. We will have
two source computers sending data to one collector computer. If you want to set up a
source-initiated subscription, I have provided that documentation with this lecture.
Note: For the purpose of this lecture, if you plan on using a domain
controller, it is recommended to designate the DC as the collector, because the
DC does not have local users and groups (and therefore no local Event Log Readers group).
On a DC, all users and groups are part of the domain.

For subscriptions to work, both the source (forwarder) and the collector need to be
configured. There are two command-line utilities needed for configuration.
• Collector – wecutil quick-config or wecutil qc (SVR-US)
• Source – Forwarding computers – winrm quickconfig (SVR-DNS1 and
DESKTOP-KRU1V4M)

Procedure #1 will be completed on the source (forwarding) computers, which
in this case are SVR-DNS1 and DESKTOP-KRU1V4M. All of these steps must be
performed on both computers.
• Open an admin-level command prompt, type winrm quickconfig, and press return.
Type y, then press return.
• The collector computer account (SVR-US) must be added to the Event Log
Readers group on both source computers (SVR-DNS1 and DESKTOP-
KRU1V4M).
• Right-click the Start icon, click Computer Management, double-click Local
Users and Groups, double-click Groups, double-click Event Log Readers, click
Add, from Object Types select Computers, click OK, and add the collector computer
account. In this case, I add SVR-US, then click OK.
Now we need to repeat Procedure #1 on the second source computer,
DESKTOP-KRU1V4M.
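The two steps of Procedure #1, as an added example in PowerShell rather than the lecture's own material; it uses the lecture's computer names and assumes a domain NetBIOS name of CONTOSO, which is a placeholder.

```powershell
# Added example, not the lecture's own material: run in an elevated PowerShell
# on each source computer (SVR-DNS1, then DESKTOP-KRU1V4M). Computer names are
# the lecture's; the domain NetBIOS name CONTOSO is an assumed placeholder.
$Collector = 'SVR-US'
$Domain    = 'CONTOSO'   # assumption: replace with your lab's domain name

# Step 1: same as typing "winrm quickconfig" and answering y; -q makes it
# unattended. This starts WinRM, creates the HTTP listener and opens the
# firewall port so the collector can reach this machine.
winrm quickconfig -q

# Step 2: add the collector's *computer* account to the local Event Log
# Readers group. A machine account is written DOMAIN\NAME$ (note the $);
# this is the same object you pick through "Object Types > Computers".
$member  = "$Domain\$Collector`$"
$already = Get-LocalGroupMember -Group 'Event Log Readers' -Member $member -ErrorAction SilentlyContinue
if (-not $already) {
    Add-LocalGroupMember -Group 'Event Log Readers' -Member $member
}

# Step 3: show the result. Both must look right before Procedure #2, or the
# collector will be unable to read this machine's logs.
Get-LocalGroupMember -Group 'Event Log Readers' | Where-Object Name -eq $member
winrm enumerate winrm/config/listener
```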

Procedure #2 is to be completed on the collector computer, which in this case is
SVR-US.
• From SVR-US, open an admin command prompt, type wecutil qc, and press enter.
Press y, then press return.
• Still on the collector computer, open Event Viewer, right-click
Subscriptions, and select Create Subscription.
For the Name, I type Collected Events.
For Description, I type Events collected from SVR-DNS1 and DESKTOP-
KRU1V4M.
Destination Log: press the down arrow and select Forwarded Events.
For Subscription type: Collector initiated,
then Select Computers; here we add the source computers (forwarders) SVR-DNS1
and DESKTOP-KRU1V4M.
Click Advanced, click Machine Account, click OK.
Select Events: click Edit.
Logged: select Any Time.
Event level: check Critical and Error.
Choose By Log, click the down arrow.
Event logs: check Windows Logs and Applications and Services Logs.
OK, OK.
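Procedure #2 expressed as a wecutil subscription file, as an added example that is not the lecture's own material; it narrows the wizard's log selection to the Application and System logs, uses the lecture's names, and assumes a DNS suffix of lab.local as a placeholder.

```powershell
# Added example, not the lecture's own material: run in an elevated PowerShell
# on the collector (SVR-US). It reproduces the wizard settings above as a
# wecutil subscription file; the DNS suffix lab.local is an assumed placeholder.
$Suffix  = 'lab.local'                  # assumption: your domain's DNS name
$Sources = 'SVR-DNS1', 'DESKTOP-KRU1V4M'

# Step 1: same as "wecutil qc" and answering y; /q makes it unattended.
wecutil qc /q

# Step 2: the subscription. Level=1 is Critical and Level=2 is Error (the two
# boxes ticked in the wizard). CredentialsType Default means the collector
# connects with its machine account, which is why SVR-US$ had to be added to
# Event Log Readers on every source in Procedure #1.
$sourceXml = ($Sources | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_.$Suffix</Address></EventSource>"
}) -join "`n"
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Collected Events</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Events collected from SVR-DNS1 and DESKTOP-KRU1V4M</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
    <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
  </Query></QueryList>]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceXml
  </EventSources>
</Subscription>
"@
$path = Join-Path $env:TEMP 'CollectedEvents.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8
wecutil cs $path

# Step 3: verify. "wecutil gr" lists each source with its status, and the
# Forwarded Events log should start filling from both machines.
wecutil gr 'Collected Events'
Get-WinEvent -LogName ForwardedEvents -MaxEvents 200 -ErrorAction SilentlyContinue |
    Group-Object MachineName | Select-Object Name, Count
```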

This slide shows the data in the Forwarded Events log on the collector, SVR-US,
coming in from both source computers, SVR-DNS1 and DESKTOP-KRU1V4M,
proving that our subscription is working.

In this Video:
• We described one of the newer features in the Windows Event Viewer called
subscriptions.
• We created and configured a subscription.
• You should have gained valuable work-related knowledge and experience by
utilizing and implementing the tools discussed in this lecture.