This is a step-by-step article. For important background please review the Getting Started articles first – especially the overview of Windows Event Collection.
1. Choose your Windows Event Collector
Select a Windows server running Windows Server 2008 R2 or above to be your Windows Event Collector. Install the Supercharger Controller Service (aka Agent) on that server. Supercharger will enable Windows event collection automatically.
2. Target Computers at the Collector
Computers in your domain need to know about the new collector. Use group policy to accomplish this.
Select a group policy object that will be applied to all the computers that may potentially need to forward events to the collector. It’s OK to target more computers at a collector than will actually be sending events. Unless you have specific reasons to use a more narrow scope, edit your Default Domain Policy GPO so that all computers in the domain are targeted at your collector.
First, though, you need a specially formatted string for each collector. Supercharger builds this string for you automatically. Open the Domain’s viewer dialog from the dashboard to access the Target Subscription Manager string for each Collector in your domain. If you have multiple collectors you will usually want to add each of them to the group policy setting.
The screenshot below shows the exact “Configure target Subscription Manager” setting in group policy where you should add the above collector strings. It can be found under Group Policy Management Editor\Default Domain Policy\Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding.
At this point, as computers apply group policy, and if WinRM is configured on them (see next step), they will begin to check in regularly with the specified collectors to find out whether any subscriptions apply to them. Computers check in based on the Refresh interval specified in the collector string. By default Supercharger sets this to every 60 seconds, but for production environments with thousands of computers you may wish to reduce the check-in frequency (a longer Refresh interval) to manage the load on the collector.
3. Configure Computers for Event Forwarding
More recent versions of Windows are automatically configured to forward events once you complete the earlier steps. But be aware that the WinRM service must be running and configured to start automatically. In addition, depending on the version and flavor of Windows on a given forwarder (aka WEC source), it may be necessary to run “winrm qc” or accomplish the same via group policy (see http://www.grouppolicy.biz/2014/05/enable-winrm-via-group-policy/).
Security Log Specific Concerns
Is this subscription intended for collecting the Security Log? If so, there is an additional configuration requirement on forwarder computers. The Security log has more restrictive permissions than other event logs, and by default the WinRM service cannot access it. See Granting Permissions for Security Log Forwarding.
4. Select your Forwarders
Next you need to select an existing or create a new group in Active Directory whose members correspond to the computer accounts that should forward events. If you already have a group in AD with the right computer accounts, there’s nothing else to do in this step. You’ll use this group in the next step when you create the subscription.
Group Membership Doesn’t Take Effect Until Reboot
When you add a computer as a member of a group, the change does not take effect until you reboot the computer. A common problem with Windows Event Collection arises when you make a computer a member of a group, configure the subscription with that group and then target it at the collector. The computer does not start sending events because its Kerberos ticket was built before the group membership change. You must either
Group Policy vs. Group Membership
It’s important to understand the relationship of this group to the scope of computers that apply the group policy you configured earlier. Only those computers that are targeted at the collector via the group policy object AND belong to the Active Directory group you select in this step will become forwarders on that subscription.
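A forwarder-side readiness check, added here as an example (it is not from the original article or from Supercharger), that verifies on a source computer what steps 2 through 4 and the Security Log note set up: the Subscription Manager strings the GPO wrote, the WinRM service, the Security log channel ACL, and whether the AD group has reached the computer’s token. The collector host name and group name are placeholders; the registry policy key and the gpresult section it reads are Windows’ own.

```powershell
# Added example, not part of the original article or of Supercharger.
# Run elevated on a WEC source computer to verify the prerequisites from steps 2-4.
# Both values below are placeholders; substitute your collector and AD group.
$CollectorHost  = 'wec01.example.com'   # placeholder collector from step 1
$ForwarderGroup = 'WEF-Forwarders'      # placeholder AD group from step 4

$results = [ordered]@{}

# Step 2: the "Configure target Subscription Manager" GPO writes one REG_SZ value per
# collector here, each of the form "Server=http://host:5985/...,Refresh=<seconds>".
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$targets = @()
if (Test-Path $smKey) {
    $targets = @((Get-ItemProperty -Path $smKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value })
}
$results['Subscription Manager strings'] = $targets -join ' | '
$results['Targets this collector']       = [bool]($targets -match [regex]::Escape($CollectorHost))
$results['Refresh interval (s)']         = @($targets | ForEach-Object {
        if ($_ -match 'Refresh=(\d+)') { $Matches[1] } }) -join ','

# Step 3: WinRM must be running and set to start automatically.
$winrm = Get-Service -Name WinRM
$results['WinRM status / start type'] = "$($winrm.Status) / $($winrm.StartType)"

# Security Log concern: the channel ACL must grant read access to NETWORK SERVICE
# (S-1-5-20) or Event Log Readers (S-1-5-32-573), or Security events are never forwarded.
$sddl = (Get-WinEvent -ListLog Security).SecurityDescriptor
$results['Security log readable by WinRM'] = [bool]($sddl -match 'S-1-5-20|S-1-5-32-573')

# Step 4: new group membership reaches the computer's Kerberos ticket only after a reboot.
# gpresult lists the groups that were in the computer token at the last policy refresh.
$tokenGroups = @(); $inSection = $false
foreach ($line in (gpresult /scope computer /r 2>$null)) {
    if ($line -match 'part of the following security groups') { $inSection = $true; continue }
    if (-not $inSection -or $line -match '^\s*-+\s*$') { continue }
    if ($line.Trim() -eq '') { if ($tokenGroups.Count) { break } else { continue } }
    $tokenGroups += $line.Trim()
}
$results['Group in computer token'] = [bool]($tokenGroups -match "\\$([regex]::Escape($ForwarderGroup))$")
$results['Last boot']               = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

[pscustomobject]$results | Format-List
```

If “Group in computer token” is False while the computer is already a member in AD, compare “Last boot” with the time you changed the membership: a boot that predates the change explains a forwarder that never appears on the subscription.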
5. Create the Subscription
On the Dashboard in Supercharger, click the Add Subscription tile under that appropriate collector.
On the first page of the wizard you will need to select the destination event log. This is NOT the event log you are collecting events from on forwarders. It is the event log on the collector that will receive events. Out of the box, Windows only supports using the Forwarded Events log to receive events. In the future we plan to add this capability to Supercharger. If you need to create additional destination logs contact support.
Next select a Subscription Policy. Subscription Policy controls advanced WEC configuration settings for the subscription and how Supercharger will assess the health of the subscription. Read more here.
On the Allowed Forwarders dialog add the group you selected in the previous step. When computers targeted at this collector next check in, Windows will see that they are members of this group and they will connect to this subscription.
On the Filters page you can either enter a raw XML log filter or select one of the managed filters. This defines which logs on source computers and which events within those logs will be forwarded.
Create the subscription. The web application submits the command to the collector and within a minute you should see the new subscription appear in the dashboard.
6. Look for Current Forwarders
At this point you will want to open the new subscription and select the Current Forwarders tab.
Many things influence how long it takes for forwarders to show up, including:
- How long ago you configured group policy to target computers at this collector
- How long ago you created the group and added the source computers as members
- How many domain controllers and sites exist in the domain as well as the replication schedule
- If computers have rebooted since you changed group membership
- If WinRM is started on the source computers
- But the biggest influencer is the Refresh interval specified in the collector string in step 2
Arbitrary and Empirical
If the subscription policy you selected is Arbitrary or Empirical you will see computers appear as they check in with the collector and see the new subscription. Such computers will immediately show up as Healthy.
If the subscription policy you selected is Deterministic, then as soon as the Forwarder Analysis command completes (it is submitted automatically when you create a subscription) you should see all the computers in the group you specified for this subscription. If Current Forwarders has not populated after Forwarder Analysis completes, it is likely because the domain controller on which you created the group has not yet replicated to the domain controller queried by the collector. Time will resolve this.
Most if not all of these computers will initially show up as Problem status in the Health column and Absent in the WEC column. But as these computers individually check in with the collector and discover the new subscription to which they are assigned, their health status will change to Healthy and their WEC status to Active. You may also see some computers with an Ignore health status because of their computer account in Active Directory. For more information see Health Assessment Basis at Subscription Policies.
To diagnose forwarders that refuse to send events see Troubleshooting a Problem Forwarder.