January 05, 2010 12:00 AM

How to Efficiently Search and Manage Event Log Data

Event Viewer and other log tools in Windows Server 2008 can save you time
Windows IT Pro
InstantDoc ID #103240

Consider account logon events. Any domain controller (DC) in your organization can authenticate a particular user’s logon. To determine which DC authenticated a logon, you check the security logs of each DC in your domain, though the DC that authenticates a logon is almost always located at the same site as the client logging on.

With event forwarding, you can forward all events, or only the specific events that match a collection filter you define, to a central computer called a collector. Rather than having to check each DC in the domain, you just check the collector computer, which holds copies of the account logon events from every DC in the domain. Server 2008 lets you configure two types of event log subscriptions:

Collector-Initiated Subscription. With this subscription type, a central computer polls a set of source computers to retrieve event log data. Collector-initiated subscriptions require manual configuration on each source computer as well as the collector computer.

This involves running winrm quickconfig from an elevated command prompt at each source computer, which allows remote management and configures a firewall exception. You also need to add the computer account of the collector computer to the local Administrators group on each source computer. I cover configuring a collector computer later in this section.

Source-Initiated Subscription. When you configure a source-initiated subscription, each source computer forwards events to a collector computer. You can configure source-initiated subscriptions using Group Policy. You do this by editing the “Configure the Server Address, Refresh Interval, And Issuer Certificate” policy located under the Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding node.

Configuring the collector computer is similar for both the collector-initiated subscription and source-initiated subscription methods. To do this, perform the following steps:

1. Open an elevated command prompt and type

winrm qc -q

and then

wecutil qc /q

This configures Windows Remote Management and the Event Collector service.

2. Open Event Viewer, right-click the Subscriptions node, and click Create Subscription to open the Subscription Properties dialog box, shown in Figure 4.

3. Choose between a collector-initiated and source-initiated subscription. If you choose collector initiated, you must select individual computer accounts. If you choose source initiated, you must select computer groups that you have configured using Group Policy.

4. Use the Select Events button and perform a process identical to creating a custom view to select the types of events the collector computer gathers or forwards. By default, the collector computer places forwarded events into the Forwarded Events log, though you can configure a different destination instead. You can apply custom views or filters to the Forwarded Events log, or scan it using Log Parser or the PowerShell Get-EventLog cmdlet.
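The collector procedure above, scripted end to end as an added example (not code from the article): it runs the same two configuration commands, registers a source-initiated subscription for a single event ID from the Security log, and then groups the Forwarded Events log by source computer. The subscription name, the use of event ID 4780 and the Group Policy prerequisite are assumptions; the XML follows the wecutil subscription schema.

```powershell
# Added example, not from the article: make this server a collector and register a
# source-initiated subscription that gathers one event ID from the Security log of
# every domain computer. Assumes the Event Forwarding Group Policy described above
# already points the source computers at this collector. Run from an elevated prompt.
$EventId = 4780                         # the article's own example of a rare, important event
$SubName = 'AdminGroupAclChanges'       # hypothetical subscription name
$XmlPath = Join-Path $env:TEMP "$SubName.xml"

# Step 1 of the procedure: enable WinRM and the Windows Event Collector service.
winrm qc -q
wecutil qc /q

# Subscription definition. The XPath keeps only the wanted event ID; the SDDL
# grants the Domain Computers group (DC) the right to forward to this collector.
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward event $EventId from all domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList><Query Id="0" Path="Security">
      <Select Path="Security">*[System[(EventID=$EventId)]]</Select>
    </Query></QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path $XmlPath -Value $SubscriptionXml -Encoding Unicode

# Register the subscription, then check that sources are connecting.
wecutil create-subscription $XmlPath
wecutil get-subscriptionruntimestatus $SubName

# Once events arrive, one query against the collector answers the question the
# article opens with: which computer logged the event? Group by source machine.
Get-EventLog -LogName ForwardedEvents |
    Where-Object { $_.EventID -eq $EventId } |
    Group-Object MachineName |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```

If the runtime status shows no active sources, check that the Windows Remote Management (WS-Management) service is running on the source computers and that the policy's server address matches this collector's name.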

Getting Alerted
Event Viewer tasks let you start a program, send a message, or send an email whenever a particular event is written to a Server 2008 event log, including the Forwarded Events log on a collector computer. Configuring such a task ensures that you are made aware of the event at the time it occurs, not when you get a chance to review the event logs later. Event Viewer tasks are similar to the alert triggers available in Windows 2003 but simpler to configure, because in Windows 2003 you had to configure triggers from the command line using the eventtriggers utility.

In Server 2008 you can create an event trigger directly from Event Viewer by right-clicking an event and selecting Attach Task To This Event. This launches the Create A Basic Task Wizard, where you specify what action you want Windows to take when a new event with this event ID is logged. You can also create an Event Viewer task using the Task Scheduler console:

1. Open the Task Scheduler from the Administrative Tools Menu. Expand the Task Scheduler Library node.

2. Right-click the Event Viewer Tasks node (this node is created the first time you attach a task to an event in Event Viewer), then click Create Task. This launches the Create Task dialog box. Enter a name for the task. Also ensure that you enable the Run Whether User Is Logged On Or Not option; otherwise the task will not be triggered after you log off.

3. On the Triggers tab, click New to configure a new trigger. On the Begin The Task drop-down menu, select On An Event. Then select the Event ID and the log that you want to trigger the task.

4. On the Actions tab, select the type of action that should occur when the specified event is detected. You can configure the task to run a script or program, send an email, or send a message. Use the message option only if you want a logged-on user to be notified directly.

Event Viewer tasks can be imported and exported, so you can deploy them easily on multiple servers throughout your organization. You remove Event Viewer tasks through the Task Scheduler console, not through Event Viewer.
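The same task built from the command line so it can be deployed and exported as the paragraph above describes, as an added example (not code from the article). The task name, the notification script path and the choice of event ID 4780 are assumptions.

```powershell
# Added example, not from the article: create the Event Viewer task from the
# command line so the same task can be deployed to many servers, then export it.
# Assumes a hypothetical notification script at C:\Scripts\Notify-Event.ps1 that
# sends the email. Run from an elevated prompt.
$TaskName = 'Event Viewer Tasks\Alert-4780'   # same folder Event Viewer uses for attached tasks
$Channel  = 'Security'
$EventId  = 4780                               # the article's example of a rare, important event
$Script   = 'C:\Scripts\Notify-Event.ps1'      # hypothetical
$Query    = "*[System[EventID=$EventId]]"      # XPath filter: step 3's Event ID and log

# /SC ONEVENT with /EC (log) and /MO (XPath) is the command-line form of the
# "On An Event" trigger; /RU SYSTEM gives "Run Whether User Is Logged On Or Not".
schtasks /Create /F /TN $TaskName /SC ONEVENT /EC $Channel /MO $Query `
    /TR "powershell.exe -NoProfile -File $Script -EventId $EventId" `
    /RU SYSTEM /RL HIGHEST

# Export the definition so it can be imported on other servers.
$Export = Join-Path $env:TEMP 'Alert-4780.xml'
schtasks /Query /TN $TaskName /XML ONE | Set-Content -Path $Export -Encoding Unicode

# On another server: schtasks /Create /TN $TaskName /XML $Export /RU SYSTEM
# Remove it with:    schtasks /Delete /TN $TaskName /F   (not through Event Viewer)
```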

You should be careful in selecting which event viewer tasks you set up. If you configure too many event viewer tasks to alert you, you will be deluged with notifications and will most likely begin to ignore them. You should choose events such as event ID 4780 (see Table 1), which happen rarely but are important enough to demand your attention.

Limiting Data
The key to dealing with event logs is being able to zero in directly on the data that is of interest to you. I discussed how you can view only interesting events using filters and custom views, how you can search logs using Log Parser and PowerShell, how you can centrally collect logs using event log forwarding, and how you can be notified as soon as an interesting event occurs by using event viewer tasks. In combination, all of these techniques can reduce the area of haystack that you have to deal with, making it a lot simpler to locate relevant needles.
