I'm trying to get the event collector to work on 2008 so that the source computers (2008/2003/XP/Windows 7) can forward logs to it.
I've created a GPO with the following settings and linked it to the OU that contains the source computers.
Windows Components/Event Forwarding:
Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager = Enabled
SubscriptionManagers = server=Entered the fqdn of the collector server
Windows Components/Windows Remote Management (WinRM)/WinRM Service
Allow automatic configuration of listeners = Enabled
IPv4 filter: *
IPv6 filter: *
On the collector server, I didn't apply the above GPO but configured the following:
1. winrm qc -q
2. wecutil qc /q and configured the settings with the source initiated option.
Subscription Name: Event test
Destination Log > Forwarded Events.
Source Computer Initiated > Select Computer Groups > Add Domain Computers > added the group “SourceComputers” that contains the source computers.
Events to Collect:
Logged: Any time
Event level > Critical, Error, and Warning.
By log > Event logs > Application, Security, System.
The rest I left at the default.
Advanced Subscription Settings > Normal > HTTP
However, I'm not seeing any forwarded events on the collector server although the subscription says it's active.
Is running "winrm qc -q" necessary on all the source computers as well?
Doesn't the GPO Windows Components/Windows Remote Management (WinRM)/WinRM Service do this?
And for 2003 and XP clients:
Install WS-Management v1.1 and use winrm quickconfig on the source 2003/XP computers? The GPO wouldn’t work on 2003/XP, right?
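
A source-side check for the setup described in the post, as an added example that is not part of the original post: it reports the SubscriptionManager policy value the GPO should have written, the WinRM service state, whether NETWORK SERVICE can read the Security log, and the latest entries in the source's forwarding log. It assumes a Vista/2008-or-later source with PowerShell 2.0 and English built-in group names; the function name `Test-WefSource` is hypothetical.

```powershell
# Added example (not from the original post). Run elevated on a SOURCE computer.
# Assumes Vista/2008 or later, PowerShell 2.0+, English built-in group names.
function Test-WefSource {   # hypothetical helper name
    $report = @()

    # 1. Did the Event Forwarding GPO land? The policy stores each
    #    SubscriptionManager entry as a numbered value under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (Test-Path $key) {
        $report += @((Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "policy: SubscriptionManager[$($_.Name)] = $($_.Value)" })
    } else {
        $report += 'policy: SubscriptionManager value missing (GPO not applied to this machine)'
    }

    # 2. The forwarder runs inside the WinRM service, so report its state.
    $svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
    if ($svc) { $report += "winrm: state=$($svc.State) startmode=$($svc.StartMode)" }
    else      { $report += 'winrm: service not installed' }

    # 3. The subscription in the post includes the Security log. WinRM runs as
    #    NETWORK SERVICE, which by default cannot read that log; membership in
    #    Event Log Readers is the usual way to grant it.
    $members = & net.exe localgroup 'Event Log Readers' 2>$null
    if ($members -match 'NETWORK SERVICE') { $report += 'security log: NETWORK SERVICE is in Event Log Readers' }
    else { $report += 'security log: NETWORK SERVICE not found in Event Log Readers' }

    # 4. The source-side forwarding log records subscription and delivery
    #    activity; show the five most recent entries.
    try {
        $report += @(Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 5 -ErrorAction Stop |
            ForEach-Object { 'forwarding: {0:u} id={1} {2}' -f $_.TimeCreated, $_.Id, ("$($_.Message)" -split "`r?`n")[0] })
    } catch {
        $report += "forwarding: log unavailable or empty ($($_.Exception.Message))"
    }
    $report
}

Test-WefSource
```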