Configure Event Subscriptions

You can configure Event Viewer to view other computers' event logs. Manually connecting to other computers on a regular basis can be cumbersome. You can automate the collection of event logs from other computers by creating event subscriptions.

All computers participating in a subscription must be configured to allow remote administration. This is achieved by enabling the Windows Remote Management service on the source computer. On the collector computer, start the Windows Event Collector service, which enables the computer to collect events from remote devices. To configure the computers to collect and send events, perform the following two short procedures.

View subscriptions

To enable the collector computer to view subscriptions:

  1. Open an elevated command prompt.
  2. Type wecutil qc and press Enter.
  3. Type Y and press Enter to start the service.
    The Windows Event Collector service announces that it was configured successfully.
  4. Close the command prompt window.

To enable remote collection of events on the source computer:

  1. Open an elevated command prompt.
  2. Type winrm quickconfig and press Enter.
  3. Type Y and press Enter; repeat when prompted.
    The WinRM firewall exception is now enabled.
  4. Close the command prompt window.

Tip:
Both the winrm quickconfig and wecutil qc commands are needed for subscriptions to be created and for events to be collected successfully. Make sure that you know which command is run on each participant.

You can create two kinds of subscriptions: collector initiated and source-computer initiated. Both are described in the table below, along with some of the key terms related to event subscriptions.

Term	Description

Subscription	A group of events you configure based on specific criteria you create is called a subscription. Subscriptions enable you to receive events from other computers, called sources.

Source	The event source computer is the computer that provides you with events on your network. The source computer can be a PC or a server.

Collector	The collector computer is the computer that collects events from the source computers on your network.

Collector-initiated subscription	In a collector-initiated subscription, the subscription must contain a list of all the event sources, which need to be added one at a time. This is used on small networks because each source must be configured manually.

Source computer-initiated subscription	The source computer transmits local events to the collector computer. This is a push type of arrangement, often configured using Group Policy.

Create a subscription

To create a collector-initiated subscription, follow these steps.

  1. Open Event Viewer.
  2. Click the Subscriptions node.
  3. If a dialog box appears offering to start the Windows Event Collector service, click Yes.
  4. In the Action pane, click Create Subscription.
  5. Type a name and a description for the subscription.
  6. Under Subscription Type And Source Computers, click Collector Initiated and click Select Computers.
  7. In the Computers dialog box, click Add Domain Computers, select the computer to be polled for subscriptions, and click OK.
  8. Under Events To Collect, click Select Events and define the event criteria, such as event levels, log type, and event source, that will be used to match and collect events. Click OK.
  9. Click OK to save and make the subscription active.
    The new subscription is listed in the Subscriptions node main pane.

If you want to view events on other computers on your network, you can do so without creating a subscription. This is useful for ad hoc monitoring, for example, to see whether a particular event has occurred.

Access event logs remotely

To view event logs on a remote system, follow these steps.

  1. Open Event Viewer.
  2. Right-click Event Viewer (Local) in the left pane and choose Connect To Another Computer.
  3. When the Select Computer dialog box opens, click Another Computer and type the name, domain name, or IP address of the computer, or click Browse to search for the computer on your network.
  4. If you need to specify logon credentials, select the Connect As Another User check box. Click Set User and type the logon credentials for a local administrator or user on the remote device and then click OK.

Note: View Events on Remote Computers
You must have administrator privileges to view events on a remote computer. You must also configure Windows Firewall on all participants to allow traffic on TCP port 80 for HTTP or on TCP port 443 for HTTPS.