
1. Subscriptions



When you open a Subscription’s viewer, Supercharger surfaces all attributes of the subscription in WEC as well as additional attributes Supercharger maintains about the subscription. You never need to resort to logging into the Collector and opening the subscription in Event Viewer. You can manage your entire Windows Event Collection environment from your PC or mobile device using Supercharger’s web interface. In fact, Supercharger exposes settings omitted from Event Viewer and only accessible via API or scripting.

That being said, Supercharger gracefully handles subscriptions created, modified or deleted outside of Supercharger. When you initially install the Supercharger Controller (aka agent) on a Windows Event Collector, the agent discovers any pre-existing subscriptions and creates their associated records in Supercharger. Thereafter, every 5 minutes or so Supercharger re-analyzes WEC and updates the manager with each subscription’s current state. This is all accomplished with the recurring CollectorAnalysisCommand command. If you want Supercharger to re-analyze on demand, just submit a ForwarderAnalysisCommand from the collector’s viewer dialog; the ForwarderAnalysisCommand immediately triggers a CollectorAnalysisCommand.

When you modify a subscription in Supercharger, the change is submitted to the agent on that collector. After the agent updates WEC it immediately runs a CollectorAnalysisCommand, and within seconds the changes are reflected in Supercharger. This cycle also ensures that Supercharger always reflects the actual state of WEC, with no danger of getting “out of sync”.

Subscription Viewer Dialog

When you click a Subscription's name on the dashboard Supercharger displays the viewer dialog for that subscription with the following tabs:

Overview

This tab displays description, status, status reasons, forwarder statistics and the subscription policy assigned. You can enable/disable the subscription, edit or delete it.

WEC

This tab displays the actual settings taken directly from the Windows Event Collection API for this subscription. Most of these settings are controlled by Supercharger via the assigned subscription policy.

Current Forwarders

This tab displays all of the forwarders WEC reports as having ever forwarded events for this subscription. In addition, if the assigned subscription policy is Deterministic, Supercharger also includes any computer accounts from Active Directory that should be forwarding events but are not yet reported by WEC. See Forwarder Analysis to understand the status columns on this tab. Other columns:

  • Computer: DNS name of the forwarder
  • Health: See Forwarder Analysis
  • WEC:  See Forwarder Analysis
  • Last Heartbeat: This is the last heartbeat reported by WEC which represents the last time the computer checked in with the collector to say "I'm here and I'm subscribed" whether it had any events to forward or not.
  • AD: See Forwarder Analysis
  • Last Logon: LastLogonTimeStamp from computer account in Active Directory
  • AD Group: For Deterministic subscription policies, this shows the AD group assigned in Allowed Forwarders that indicates this computer should subscribe to this subscription

Allowed Forwarders

See the "Allowed Forwarders" heading below.

Filters

See the "Filters" heading below.

Edit/Create Subscription Wizard

When you edit or create a subscription, Supercharger presents a wizard with the following pages:

Description

In addition to setting the description, you can disable the subscription on this page. The subscription remains in WEC, but after it is disabled forwarders stop sending events until it’s re-enabled. Supercharger will also stop analyzing the health of the subscription.

This is also where you configure which Event Log receives the events sent by forwarders as a result of this subscription. This is usually the Forwarded Events log.

Supercharger uses this page to display the subscription’s type, which is normally source-initiated. Supercharger only allows you to create source-initiated subscriptions, but it gracefully handles any collector-initiated subscriptions created outside of Supercharger. Protocol will normally be HTTP and port is normally blank unless explicitly configured with different settings outside of WEC.

Policy

See Subscription Policies

Allowed Forwarders

This is where you add groups from Active Directory to define which computers in the domain should forward events to this subscription.  This dialog allows you to search for groups in the Collector’s domain. Supply any portion of the beginning of the group’s name.

Groups can be added as Included (Is Included checked) or Excluded (Is Included unchecked). This allows you to include large groups with many members but exclude a subset of the computers by adding another group as Excluded. If a computer is both Excluded and Included, Excluded takes precedence.

Windows Event Collection supports nested groups and so does Supercharger’s deterministic health analysis. While Windows Event Collection technically supports groups from other trusted domains, we do not recommend it, and Supercharger’s deterministic health does not attempt to analyze groups from other domains. With deterministic policies you can also specify LDAP filters to use only a subset of the forwarders.
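The following added example (not Supercharger's own code) models the Included/Excluded group rules above together with the Deterministic check described under Current Forwarders: it expands nested groups, lets Excluded take precedence, and lists computers that should be forwarding but are not yet reported by WEC. The group names, host names and function names are constructed for illustration.

```python
# Constructed sample directory: group name -> direct members.
# A member that is itself a key in the dict is a nested group.
AD_GROUPS = {
    "All Servers": {"Web Servers", "DB Servers", "dc01.corp.example"},
    "Web Servers": {"web01.corp.example", "web02.corp.example"},
    "DB Servers": {"db01.corp.example", "Legacy DB"},
    "Legacy DB": {"db-old.corp.example"},
    "Decommissioning": {"web02.corp.example", "Legacy DB"},
}


def expand(group, groups, seen=None):
    """Return every computer in `group`, following nested groups.

    `seen` guards against circular group nesting."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    computers = set()
    for member in groups.get(group, ()):
        if member in groups:
            computers |= expand(member, groups, seen)
        else:
            computers.add(member.lower())
    return computers


def expected_forwarders(allowed, groups):
    """`allowed` is a list of (group, is_included) pairs, mirroring the
    Is Included checkbox. A computer that is both Included and Excluded
    is dropped, because Excluded takes precedence."""
    included, excluded = set(), set()
    for group, is_included in allowed:
        target = included if is_included else excluded
        target |= expand(group, groups)
    return included - excluded


def not_yet_reporting(allowed, groups, wec_reported):
    """Computers that should forward (per AD) but WEC has not reported."""
    reported = {name.lower() for name in wec_reported}
    return sorted(expected_forwarders(allowed, groups) - reported)
```
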

Note: If you are new to Windows Event Collection please note that adding a computer’s group here does not cause the computer to immediately begin sending events. You must also define this collector as a “target subscription manager” on the desired computers via group policy which is explained here.

Filters

This is where you define which Event Logs and which events within those logs should be forwarded by source computers. You can either enter an XPath query or select a Managed Filter. Discovered subscriptions display the XML XPath query previously defined on the subscription.

