Enabling the Source Computer with winrm
Event subscriptions are configured so that they travel from a source computer to a collector computer, as shown in Figure 1. The events are generated on the source computer(s) and can be viewed on the collector computer.
Tip
The source computer is also called the forwarding computer. An event subscription can have a single source computer or multiple source computers.
You enable the source computers with the following command:
winrm quickconfig
After entering the command, you are prompted to make changes to the firewall. If you confirm the changes, the command creates a WinRM listener on HTTP://* so that it can accept Web Services Management (WS-MAN) requests, and it enables the WinRM firewall exception.
The following listing shows exactly what you see. You first enter winrm quickconfig, and then press y to confirm the changes.
C:\>winrm quickconfig
WinRM is not set up to allow remote access to this machine
for management.
The following changes must be made:
Create a WinRM listener on HTTP://* to accept WS-Man requests to
any IP on this machine.
Enable the WinRM firewall exception.
Make these changes [y/n]? y
WinRM has been updated for remote management.
Created a WinRM listener on HTTP://* to accept WS-Man requests to
any IP on this machine.
WinRM firewall exception enabled.
Note
This must be entered on each computer that provides source events for the event subscription.
Tip
Although a WinRM listener is not required on both computers for an event subscription, it is required when using winrs commands.
Enabling the Collector Computer with wecutil
You can use the wecutil command to configure the collector computer. First enter wecutil qc and then, when you are prompted to change the startup mode of the service, press y for yes. The following listing shows the output.
C:\>wecutil qc
The service startup mode will be changed to Delay-Start.
Would you like to proceed ( Y- yes or N- no)?y
Windows Event Collector service was configured successfully.
Note
Services configured with a startup mode of Delay-Start start when the system boots, but only after all the services set to Automatic have started. This is slightly different from the startup mode of Automatic because users can interact with the system before Delay-Start services start. In contrast, users cannot interact with the system until all services set to Automatic start.
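To confirm what the two commands above changed, the following PowerShell script reads the state back without modifying anything. It is an added example, not part of the original article. The function names are hypothetical, the parsing assumes English-language winrm output, and the service name Wecsvc and its Start and DelayedAutostart registry values come from Windows itself rather than from this page.

```powershell
# Added example: read-only checks of the state left by "winrm quickconfig"
# (source computer) and "wecutil qc" (collector computer).
# Run from an elevated PowerShell prompt on the computer being checked.

function Get-WinRMListener {
    # Turn the "Key = Value" lines printed for each listener into one object per listener.
    $current = $null
    foreach ($line in (winrm enumerate winrm/config/listener 2>$null)) {
        if ($line -match '^\s*Listener\s*$') {
            if ($null -ne $current) { New-Object PSObject -Property $current }
            $current = @{}
        } elseif ($null -ne $current -and $line -match '^\s+(\w+)\s*=\s*(.*)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($null -ne $current) { New-Object PSObject -Property $current }
}

function Test-SourceComputer {
    # quickconfig should leave WinRM running with an HTTP listener bound to every address (*).
    $listeners = @(Get-WinRMListener)
    $httpAny = @($listeners | Where-Object { $_.Transport -eq 'HTTP' -and $_.Address -eq '*' })
    New-Object PSObject -Property @{
        WinRMRunning     = ((Get-Service -Name WinRM).Status -eq 'Running')
        ListenerCount    = $listeners.Count
        HttpOnAnyAddress = ($httpAny.Count -gt 0)
    }
}

function Test-CollectorComputer {
    # wecutil qc sets the Windows Event Collector service to Delay-Start:
    # Start = 2 (automatic) together with DelayedAutostart = 1.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Wecsvc'
    New-Object PSObject -Property @{
        WecsvcStatus = (Get-Service -Name Wecsvc).Status
        DelayStart   = ($reg.Start -eq 2 -and $reg.DelayedAutostart -eq 1)
    }
}

# Run the check that matches the role of this computer (or both on a test machine).
Test-SourceComputer    | Format-List
Test-CollectorComputer | Format-List
```

HttpOnAnyAddress reporting True on a computer that is not meant to be a source computer indicates that a remote-management listener was enabled there as well.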