Lesson 1: Monitoring Events in an Enterprise in .NET

Creation Code 39 in .NET Lesson 1: Monitoring Events in an Enterprise

1. Click Start, right-click Computer, and then click Manage. Respond to the UAC prompt that appears. 2. Under System Tools, expand Local Users And Groups. Then, select Groups. Doubleclick Event Log Readers. 3. In the Event Log Readers Properties dialog box, click Add. 4. In the Select Users, Computers, Or Groups dialog box, click the Object Types button. By default, it searches only Users and Groups. However, we need to add the collecting computer account. Select the Computers check box and clear the Groups and Users check boxes. Click OK. 5. In the Select Users, Computers, Or Groups dialog box, type the name of the collecting computer. Then, click OK. 6. Click OK again to close the Event Log Readers Properties dialog box. Alternatively, you could perform this step from an elevated command prompt or a batch file by running the following command:

For example, to add the computer VISTA1 in the nwtraders.msft domain, you would run the following command:

To configure a Windows Vista computer to collect events, follow these steps: 1. Open an elevated command prompt by clicking Start, typing cmd, and pressing Ctrl+Shift+Enter. Respond to the UAC prompt that appears. 2. At the command prompt, run the following command to configure the Windows Event Collector service:

Windows Server 2008 will include the ability to collect forwarded events also. However, versions of Windows released prior to Windows Vista do not support acting as a collecting computer or as a forwarding computer.

Subscriptions, as shown in Figure 6-2, are configured on a collecting computer and retrieve events from forwarding computers.

6

Figure 6-2

To create a subscription on a collecting computer, follow these steps: 1. In Event Viewer, right-click Subscriptions, and then click Create Subscription. 2. In the Event Viewer dialog box, click Yes to configure the Windows Event Collector service, as shown in Figure 6-3 (if prompted).

Figure 6-3

The Subscription Properties dialog box appears. 3. In the Subscription Name box, type a name for the subscription. Optionally, type a description. 4. Optionally, click the Destination Log list and select the log in which you want to store the forwarded events. 5. Click the Add button. In the Select Computer dialog box, type the name of the computer that will be forwarding events. Then, click OK.

6. In the Subscription Properties dialog box, click the forwarding computer in the Source Computers list. Then, click Test. Click OK when Event Viewer verifies connectivity.

The Subscription Properties dialog box will always show the message Error: Source status unavailable until you have saved the subscription.

7. Click the Select Events button and create the query filter. Click OK. 8. Click the Advanced button to open the Advanced Subscription Settings dialog box. You can configure three types of subscriptions: q Normal This option ensures reliable delivery of events and does not attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode (where the collecting computer contacts the forwarding computer) and downloads five events at a time unless 15 minutes pass, in which case it downloads any events that are available. q Minimize Bandwidth This option reduces the network bandwidth consumed by event delivery and is a good choice if you are using event forwarding across a wide area network or on a large number of computers on a local area network. It uses push delivery mode (where the forwarding computer contacts the collecting computer) to forward events every six hours. q Minimize Latency This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds. Additionally, you can use this dialog box to configure the user account the subscription uses. Whether you use the default Machine Account setting or you specify a user, you will need to ensure that the account is a member of the forwarding computer s Event Log Readers group. 9. Click OK. 10. In the Subscription Properties dialog box, click OK. By default, normal event subscriptions check for new events every 15 minutes. You can decrease this interval to reduce the delay in retrieving events. However, there is no graphical interface for configuring the delay; you must use the command-line Wecutil tool that you initially used to configure the collecting computer.