1. | Configure each of the source (or forwarder) computers for event subscriptions. At a command prompt with administrative permissions, execute the following command:
C:\>winrm quickconfig
When prompted, press Y to confirm the changes. |
2. | Add the collector computer account to the Event Log Readers group on each source computer. In this example, the collector computer's name is DC1.
C:\>net localgroup "event log readers" dc1$ /add |
3. | Configure the collector computer for event subscriptions with the following command:
C:\>wecutil qc
When prompted, press Y to confirm the changes. |
4. | On the collector computer, launch Event Viewer from the Administrative Tools menu. |
5. | Right-click Subscriptions and select Create Subscription. |
6. | On the Subscription Properties page, enter AD Replication for the subscription name. Ensure that Forwarded Events is selected as the Destination Log. |
7. | Ensure that Collector Initiated is selected and click the Select Computers button. |
8. | Click Add Domain Computers. Type the name of a computer that will be a source computer. Click Check Names to verify that the computer is in the domain and click OK.
Note
You can add multiple computers here as long as they are configured with the winrm quickconfig command.
|
9. | Click Test to ensure that you can connect with the source computer. Your display should look similar to Figure 1. In the figure, DC2 is added as a source computer. |
10. | Click OK to dismiss the test dialog box. Click OK to dismiss the Computers dialog box. |
11. | On the Subscription Properties page, click Select Events. |
12. | Select the checkbox next to each of the event levels: Critical, Warning, Verbose, Error, and Information. |
13. | On the Query Filter page, click the drop-down box next to Event Logs. Select the checkbox next to Windows Logs. This selects all of the Windows Logs (Application, Security, Setup, System, and Forwarded Events).
Note
You can select or deselect any logs that you want to forward here.
|
14. | Click the plus sign (+) to expand the Applications and Services Logs. Select the DFS Replication log. This logs replication events if the source computer is a domain controller. Your display should look similar to Figure 2. |
15. | Click OK to accept the query filter. |
16. | Click Advanced. You can change the User Account to use a Specific User account, or leave it as the Machine Account. Because the previous step added the DC2 machine account to the Event Log Readers group on each source computer, leave the Machine Account selected. Click Cancel. |
17. | Your display should look similar to Figure 3. Click OK. |
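The subscription built in steps 5 through 17 can also be created from the command line with wecutil, which keeps the query and source list in a file that can be reviewed and reapplied. The following PowerShell script is an added example, not part of the original procedure; the source FQDN dc2.example.com, the description text, and the temporary file name are assumptions.

```powershell
# Added example: scripted equivalent of the Event Viewer steps. Run on the collector (DC1)
# from an elevated PowerShell prompt after 'wecutil qc' (step 3).
# Assumption: dc2.example.com is a placeholder FQDN for the source computer DC2.
$source = 'dc2.example.com'
$name   = 'AD Replication'

# Same selection as the Query Filter page: all five levels (1=Critical, 2=Error,
# 3=Warning, 4=Information, 5=Verbose) on the Windows Logs plus DFS Replication.
$levels  = '*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=5)]]'
$logs    = 'Application','Security','Setup','System','ForwardedEvents','DFS Replication'
$selects = ($logs | ForEach-Object { "    <Select Path=`"$_`">$levels</Select>" }) -join "`r`n"

# No UserName element is supplied, matching the Machine Account choice in step 16.
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$name</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Windows Logs and DFS Replication events from source computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Application">
$selects
  </Query>
</QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>$source</Address></EventSource>
  </EventSources>
</Subscription>
"@

$file = Join-Path $env:TEMP 'ad-replication-subscription.xml'
Set-Content -Path $file -Value $xml -Encoding ASCII
wecutil cs $file
if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed with exit code $LASTEXITCODE" }

# Check: per-source runtime status and last error, the scripted counterpart of the Test button.
wecutil gr $name
```

Because the query selects every level of the Security log along with the other Windows Logs, the Forwarded Events log on the collector can grow quickly; trim the `$logs` list to the channels you actually need to review.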