Forwarding Events from Windows Server 2008 Server Core DC
<html> <body>
<p>There were some changes between Windows Server 2008 and Windows Server 2008 R2; the one I am interested in is WinRM. The default HTTP port on Windows Server 2008 is TCP 80, but on Windows Server 2008 R2 the default HTTP port is TCP 5985. There are a couple of ways to get around this: either change the listener port on the Windows Server 2008 machine, or use a Collector Initiated subscription and change the port on the Advanced tab. In my example these computers are both domain joined. Setting this up in a workgroup environment is a little different and I may write up something for that later. </p>
<p><strong>Configuring the Source (Windows Server 2008 Core)</strong> </p>
<p>Check whether WinRM is on or off: </p>
<blockquote> <p>winrm e winrm/config/listener </p> </blockquote>
<p><a title="Here you can see that WinRM is not configured." href="http://lh6.ggpht.com/-cbIvqPtyHiE/T986AnI8q2I/AAAAAAAABt8/F74uiTRrnec/s1600-h/20100922-SourceWinRMDisabled%25255B2%25255D.png" rel="lightbox[winrm]"><img title="Source-WinRM-Disabled" alt="Source-WinRM-Disabled" src="http://lh4.ggpht.com/-20UxCCZEtYc/T986AkNGVqI/AAAAAAAABuE/6Zd_c4h1NY4/20100922-SourceWinRMDisabled_thumb.png" style="border-width:0px; border-style:solid; width:244px; height:201px; display:inline"> </a></p>
<p>Here you can see that WinRM is not configured, so now we need to enable it: </p>
<blockquote> <p>winrm qc </p> </blockquote>
<p><a title="The quickconfig (qc) option does the initial configuration of WinRM." href="http://lh3.ggpht.com/-Ekr-VjfnuOM/T986A2PYLfI/AAAAAAAABuM/O7jlzpzZam4/s1600-h/20100922-SourceWinRMEnabled%25255B2%25255D.png" rel="lightbox[winrm]"><img title="Source-WinRM-Enabled" alt="Source-WinRM-Enabled" src="http://lh3.ggpht.com/-H39AGkxjlqg/T986BZE-gFI/AAAAAAAABuU/3OjoLF6cEYo/20100922-SourceWinRMEnabled_thumb.png" style="border-width:0px; border-style:solid; width:244px; height:201px; display:inline"> </a></p>
<p>The quickconfig (qc) option does the initial configuration of WinRM. It creates an HTTP listener on port 80 and enables firewall exceptions. In order to connect from the Collector and start getting events, we also need to allow the remote administration service through the firewall: </p>
<blockquote> <p>netsh firewall set service type=remoteadmin mode=enable </p> </blockquote>
<p><a title="The remote admin exceptions are now enabled." href="http://lh5.ggpht.com/-hlVBK1-qwHA/T986BcYADEI/AAAAAAAABuc/XFhRsD1GV2Q/s1600-h/20100922-SourceFirewallExceptionsOn%25255B2%25255D.png" rel="lightbox[winrm]"><img title="Source-Firewall-Exceptions-On" alt="Source-Firewall-Exceptions-On" src="http://lh6.ggpht.com/-_8jo11J-tDw/T986BhyIWBI/AAAAAAAABuk/rVrYi5aqUOg/20100922-SourceFirewallExceptionsOn_thumb.png" style="border:0px solid currentcolor; width:244px; height:201px; display:inline"> </a></p>
<p>The configuration of the source server is done. </p>
<p><strong>Configuring the Collector (Windows Server 2008 R2) </strong></p>
<p>In order for this server to pull information from the Source, you will need to set up a subscription: </p>
<blockquote> <p>Start &gt; Administrative Tools &gt; Server Manager &gt; Diagnostics &gt; Event Viewer &gt; Subscriptions </p> </blockquote>
<p><a title="Before you can setup a Subscription you need to enable the Windows Event Collector Service." href="http://lh5.ggpht.com/-Nl19tIxtl5w/T986ByoqlVI/AAAAAAAABus/tzwbu6EwUbY/s1600-h/20100922-CollectorEnableWCESVC%25255B2%25255D.png" rel="lightbox[winrm]"><img title="Collector-Enable-WCESVC" alt="Collector-Enable-WCESVC" src="http://lh6.ggpht.com/-LvtMAb_eBdA/T986CEZKGtI/AAAAAAAABuw/yMtCvT4IJ-0/20100922-CollectorEnableWCESVC_thumb.png" style="border:0px solid currentcolor; width:244px; height:201px; display:inline"> </a></p>
<p>You will notice that before you can set up a Subscription you need to enable the Windows Event Collector Service; click Yes. Now you can click Create Subscription from the Action pane on the right. At the very least you will need a Subscription name. </p>
<p><a title="We are going to configure a Collector initiated subscription." href="http://lh4.ggpht.com/-z07Df4DDMrI/T986ComOYiI/AAAAAAAABu8/4WvLge_FItE/s1600-h/20100922-CollectorSubscriptionProperties%25255B2%25255D.png" rel="lightbox[winrm]"><img title="Collector-Subscription-Properties" alt="Collector-Subscription-Properties" src="http://lh4.ggpht.com/-2L_LRb-vGEs/T986C3d1fUI/AAAAAAAABvE/2yIK7cbLzpY/20100922-CollectorSubscriptionProperties_thumb.png" style="border:0px solid currentcolor; width:244px; height:201px; display:inline"> </a></p>
<p>We are going to configure a Collector initiated subscription, so browse the Directory and find your Source server. If you click the Test button, you may receive an error message that lets you know the Collector can’t talk to the Source. That’s OK, we’re going to fix that in a minute. </p>
<p><a title="You may receive an error message that lets you know the Collector can’t talk to the Source." href="http://lh4.ggpht.com/-e3LlY3hMhN8/T986CzaNOCI/AAAAAAAABvM/SnpYUs_GBf8/s1600-h/20100922-CollectorSubscriptionError%25255B2%25255D.png" rel="lightbox[winrm]"><img title="Collector-Subscription-Error" alt="Collector-Subscription-Error" src="http://lh5.ggpht.com/-x759jWq6q_U/T986DB1tX5I/AAAAAAAABvU/9FjjlZ_2_RQ/20100922-CollectorSubscriptionError_thumb.png" style="border:0px solid currentcolor; width:244px; height:201px; display:inline"> </a></p>
<p>Now we need to configure the list of Events that we are interested in. These are the default events available on any 2008 computer; you can also write an XML query and paste it into the XML tab. </p>
<p><a href="http://lh4.ggpht.com/-aE1hhMZppkU/T986Dr_aDsI/AAAAAAAABvc/2EQrea8QNdk/s1600-h/20100922-CollectorSubscriptionEvents%25255B2%25255D.png" rel="lightbox[winrm]" title=""><img title="Collector-Subscription-Events" alt="Collector-Subscription-Events" src="http://lh5.ggpht.com/-PTEn3TRNxa0/T986DziWgkI/AAAAAAAABvg/ga0o5l7rO0c/20100922-CollectorSubscriptionEvents_thumb.png" style="border:0px solid currentcolor; width:244px; height:201px; display:inline"> </a></p>
<p>The last thing we need to configure is the Protocol settings and Delivery Optimizations. If your Source server is not a Domain Controller, then you can add the computer account of the Collector to the Local Administrators group on the Source. If your Source server is a Domain Controller, you may want to use a Service Account. </p>
<p>I set my Event Delivery Optimization to Minimize Latency; this ensures that events are delivered with minimal delay. If you are collecting events from the Security log, this may not be a setting you want to enable. </p>
<p>Finally, in the Protocol section, you can change the HTTP port to 80. </p>
<p><a title="The last thing we need to configure is the Protocol settings and Delivery Optimizations." href="http://lh3.ggpht.com/-nSGJfhkKehM/T986EEdvUQI/AAAAAAAABvs/OqpGrSwfa1E/s1600-h/20100922-CollectorSubscriptionAdvancedProperties%25255B2%25255D.png" rel="lightbox[winrm]"><img title="Collector-Subscription-Advanced-Properties" alt="Collector-Subscription-Advanced-Properties" src="http://lh3.ggpht.com/-4FVddy__CI8/T986EYyWz6I/AAAAAAAABvw/r80vOPl-r_0/20100922-CollectorSubscriptionAdvancedProperties_thumb.png" style="border:0px solid currentcolor; width:244px; height:201px; display:inline"> </a></p>
<p>After a few minutes you should start to see events showing up under Forwarded Events. </p>
<p><a title="After a few minutes you should start to see events showing up under Forwarded Events." href="http://lh4.ggpht.com/-NPisIXq5YAo/T986EooqXtI/AAAAAAAABv8/ACMx18mDWJw/s1600-h/20100922-CollectorForwardedEvents%25255B2%25255D.png" rel="lightbox[winrm]"><img title="Collector-Forwarded-Events" alt="Collector-Forwarded-Events" src="http://lh4.ggpht.com/-4PhITKx8Ebg/T986Feqn19I/AAAAAAAABwE/Jk8Mi_H4SYo/20100922-CollectorForwardedEvents_thumb.png" style="border:0px solid currentcolor; width:244px; height:201px; display:inline"> </a></p>
<p><a href="http://www.patton-tech.com/2010/09/forwarding-events-from-ws08-core-dc.html">Original Content</a></p>
</body> </html>
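The Collector-side steps above can also be done from the command line with wecutil. The script below is an added example, not part of the original article; the source host name, subscription name and event query are placeholders, and it assumes an elevated PowerShell session on the 2008 R2 Collector.

```powershell
# Added example: command-line equivalent of the Collector GUI steps.
# Assumptions (not from the article): source name, subscription name, event query.
$source = 'dc01.example.com'   # placeholder: FQDN of the 2008 Core source
$subId  = 'Core-DC-Events'     # placeholder subscription name

function Invoke-Checked([string]$exe, [string[]]$arguments) {
    # Run a native tool and stop the script on a non-zero exit code.
    & $exe $arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$exe $($arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Collector-initiated subscription; MinLatency corresponds to "Minimize Latency".
# CredentialsType Default means the Collector's computer account is used.
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Events pulled from the 2008 Core DC</Description>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList><Query Id="0">
      <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    </Query></QueryList>
  ]]></Query>
  <EventSources>
    <EventSource Enabled="true"><Address>$source</Address></EventSource>
  </EventSources>
  <CredentialsType>Default</CredentialsType>
  <Locale Language="en-US"/>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP "$subId.xml"
Set-Content -Path $xmlPath -Value $xml

Invoke-Checked 'wecutil' @('qc', '/q')                      # configure the Windows Event Collector service
Invoke-Checked 'winrm'   @('id', "-r:http://${source}:80")  # is the source listener answering on port 80?
Invoke-Checked 'wecutil' @('cs', $xmlPath)                  # create the subscription from the XML file
Invoke-Checked 'wecutil' @('ss', $subId, '/tp:80')          # 2008 listens on 80; the R2 default is 5985
Invoke-Checked 'wecutil' @('gr', $subId)                    # runtime status for each event source
```

If `winrm id` fails, recheck the listener and firewall steps on the Source before looking at the subscription itself.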