Configuring Event Subscriptions

Using Event Viewer, you can view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers.

Windows Vista and later versions include the ability to collect and forward event information from multiple remote computers and store it centrally on the local computer. To specify which events you want to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. When a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.

To use subscriptions, you must first configure the forwarding computers and the collector computer. Event collecting functionality relies upon the Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc) services. The WinRM service must be running on both the remote and local computers participating in the forwarding and collecting process. The Wecsvc service needs to be running only on the collector computer because the source computer has a forwarding plug-in that runs in-process to WinRM.

To define a subscription, you must be an administrator on the collector computer. As part of the subscription definition, you define what security context should be used when accessing the logs on the source computers. This can be either a specific user account or the collector computer account. The specified account must have Read access to the logs on the source computers that are participating in the subscription. One way to set this up is to use a new built-in group called Event Log Readers to which you can add any accounts you want to give access to reading logs.

To configure computers to forward and collect events, follow these steps:

  1. Log on to all collector and source computers, which must be running Windows Vista or later versions. If the computers are members of a domain, it is best to use a domain account with administrative privileges.
  2. On each source computer, type winrm quickconfig at an elevated command prompt. When prompted, confirm that the changes should be made. To skip the prompt (for example, if you are using this command in a script), add the -q parameter.
  3. On the collector computer, type wecutil qc at an elevated command prompt. (If you use Event Viewer, this will be done automatically for you on the collector.) When prompted, confirm that the changes should be made. To skip the prompt, add the /q:true parameter.
  4. If you will be using the collector's computer account to collect events, add that computer account to the Event Log Readers group on each of the source computers. The advantage of using the collector computer account is that you don't need to deal with expiring passwords. However, if you do use a specific user account, you will need to add that account to the Event Log Readers group instead of the collector computer account.

The computers are now configured to forward and collect events. Follow the steps described in the section titled "Creating a New Subscription" later in this tutorial to specify the events you want to have forwarded to the collector.

Note: By default, the Local Users And Groups MMC snap-in does not allow you to add computer accounts. In the Select Users, Computers, Or Groups dialog box, click Object Types and then select the Computers check box. You will now be able to add computer accounts.

Note: Beginning in Windows 7, you can use the Set-WsManQuickConfig Windows PowerShell cmdlet to configure WinRM on the local computer. For more information, see http://technet.microsoft.com/en-us/library/dd819520.aspx.
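
The steps above, gathered into one script as an added example (it is not part of the original tutorial). It assumes an elevated PowerShell prompt on a domain-joined computer; CONTOSO\COLLECTOR01$ is a placeholder for the collector's computer account, and the -Role parameter is this example's own.

```powershell
# Added example: configure one computer as an event source or as the collector.
# Assumptions: elevated prompt; CONTOSO\COLLECTOR01$ is a placeholder account.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Source', 'Collector')]
    [string]$Role,

    # Computer account of the collector; computer accounts end in '$'.
    [string]$CollectorAccount = 'CONTOSO\COLLECTOR01$'
)

$group = 'Event Log Readers'

if ($Role -eq 'Source') {
    # Step 2: configure WinRM without the confirmation prompt.
    winrm quickconfig -q
    if ($LASTEXITCODE -ne 0) { throw "winrm quickconfig failed ($LASTEXITCODE)." }

    # Step 4: grant log Read access through Event Log Readers rather than
    # a broader group. Skip the add if the account is already a member.
    $members = net localgroup $group | ForEach-Object { $_.Trim() }
    if ($members -contains $CollectorAccount) {
        Write-Output "$CollectorAccount is already in '$group'."
    }
    else {
        net localgroup $group $CollectorAccount /add
        if ($LASTEXITCODE -ne 0) { throw "Could not add $CollectorAccount to '$group'." }
    }

    # WinRM must be running on every source computer.
    Get-Service -Name WinRM | Select-Object Name, Status
}
else {
    # Step 3: configure the Windows Event Collector service without prompting.
    wecutil qc /q:true
    if ($LASTEXITCODE -ne 0) { throw "wecutil qc failed ($LASTEXITCODE)." }

    # The collector needs both WinRM and Wecsvc running.
    Get-Service -Name WinRM, Wecsvc | Select-Object Name, Status
}
```

Run it with -Role Source on each forwarding computer and with -Role Collector on the collector, then check that the reported services show Running.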
