
Hi, all.

I want to forward the event log from win7 (hostname win7) to win2008 (hostname win2008).

So I used the "Source Initiated" option on win7, because the "Collector Initiated" option can only choose domain computers.

And I added the hostname of win2008 and added a certificate (VeriSign Class 3 Public Primary CA).

And I added an account (the administrator of win7) to the Event Log Readers group on win7.

And I executed the winrm command (winrm set winrm/config/client @{TrustedHosts="win7"}) on win2008.

Now the status of the subscription (named test) on win7 is below.

C:\Users\Administrator>wecutil rs test

C:\Users\Administrator>wecutil gr test

Subscription: test

RunTimeStatus: Active
LastError: 0

Where is my mistake?

Mr.kang
  • Think about it. How is your Windows Server 2008 computer going to validate the identity of a computer named "WIN7"? – Greg Askew Jul 30 '16 at 16:07
  • I think so too. The event log forwarding feature is very easy in domain environments. But how is win2008 going to validate the identity of a computer named "WIN7" in a workgroup environment? I think the event log forwarding feature supports domain environments only. Am I wrong? – Mr.kang Jul 30 '16 at 17:14
  • Try testing with * in the Trusted Hosts list and the IPV4 filter. If it still doesn't work, it probably has nothing to do with either of those settings. You may want to check the Windows Remote Management\Operational event log. If an error occurs, it should appear there. There is additional configuration for non-domain computers and https here: https://blogs.technet.microsoft.com/supportingwindows/2016/07/18/setting-up-a-source-initiated-subscription-on-an-event-collector-computer/ – Greg Askew Jul 30 '16 at 19:29
  • Thank you for your comment. But I still don't understand. According to the MS link, the collector computer has a server authentication certificate and the source computer has a client authentication certificate, and the subject of the certificate has to match the FQDN of the collector and source computers. Only domain computers have an FQDN. Am I wrong? – Mr.kang Jul 31 '16 at 06:40
  • Every certificate has a subject. The certificate subject you register in winrm must match the certificate subject. – Greg Askew Jul 31 '16 at 16:28
  • According to the MS link, you create a source-computer-initiated subscription on the event collector. Collector initiated is pull mode; source computer initiated is push mode. Am I wrong? And when creating a source-computer-initiated subscription, you use the client certificates. Server certificates can be created on IIS. Why are server certificates needed on the event collector computer? I don't understand. I gave up. Good luck~~~ – Mr.kang Aug 02 '16 at 10:13
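The following is an added diagnostic walkthrough for the setup described in the question; it is not code from the poster or the commenters. In a source-initiated subscription the source (win7) is the WinRM client and the collector (win2008) is the WinRM server, so a workgroup setup cannot lean on Kerberos for identity: the collector proves who it is with a server-authentication certificate on its HTTPS listener, and the source proves who it is with a client-authentication certificate. TrustedHosts is a client-side setting that tells the client to skip server identity validation for the listed names, which is why it is read on the source, not the collector, and why it is unnecessary once the server certificate chains to a CA the source trusts. The subscription name "test" and both hostnames come from the question; port 5986, the certificate subjects, and the policy registry path are assumptions about a typical HTTPS deployment.

```powershell
# Added example, not part of the original post. Run the first half on the
# collector (win2008) and the second half on the source (win7).
# Assumptions: HTTPS listener on 5986, certificate subjects contain the
# hostnames, and the forwarding policy lives under the usual EventForwarding key.

# ---------------- On the collector (win2008) ----------------

# "gr" lists one entry per source that has actually connected. A status of
# "Active / LastError: 0" with no source entries only means the subscription
# is defined and waiting; nothing has pushed to it yet.
wecutil gs test      # subscription definition: delivery mode, logs, allowed sources
wecutil gr test      # runtime status, per connected source

# The collector is the server in push mode, so it must expose an HTTPS listener
# bound to a server-authentication certificate whose subject matches "win2008".
winrm enumerate winrm/config/listener
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*win2008*" } |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ n = "EKU"; e = { ($_.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ", " } }

# Certificate authentication has to be allowed on the service side; Kerberos is
# not available between workgroup machines.
winrm get winrm/config/service/auth

# Rejected or failed source connections are recorded on the collector here.
Get-WinEvent -LogName "Microsoft-Windows-EventCollector/Operational" -MaxEvents 20 |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
Get-WinEvent -LogName "Microsoft-Windows-WinRM/Operational" -MaxEvents 20 |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

# ---------------- On the source (win7) ----------------

# TrustedHosts is a *client* setting: it disables server identity checks for the
# listed names. It belongs here if used at all, and is not needed when the
# collector's certificate chains to a CA this machine trusts.
winrm get winrm/config/client

# Prove the transport first. Test-WSMan sends an unauthenticated Identify
# request, so a failure here is a listener, firewall, or certificate problem,
# not a subscription problem.
Test-WSMan -ComputerName win2008 -UseSSL -Port 5986

# The source needs a client-authentication certificate whose subject matches
# "win7", issued by a CA the collector trusts.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like "*win7*" -and
        ($_.EnhancedKeyUsageList | ForEach-Object FriendlyName) -contains "Client Authentication"
    } |
    Select-Object Subject, Thumbprint, NotAfter

# The source learns where to push from the "Configure target Subscription
# Manager" policy. For HTTPS the value carries the collector URL and the
# issuing CA thumbprint, e.g.
#   Server=https://win2008:5986/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA=<thumbprint>
# (assumed policy path; adjust if your policy is stored elsewhere)
$policyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
if (Test-Path $policyPath) {
    Get-ItemProperty -Path $policyPath | Format-List
} else {
    Write-Warning "No SubscriptionManager policy found: the source has nowhere to push to."
}

# The forwarding service reads the logs as NETWORK SERVICE, so that principal,
# not the interactive administrator, is the one that needs Event Log Readers.
net localgroup "Event Log Readers"

# Each push attempt and its outcome is logged on the source here.
Get-WinEvent -LogName "Microsoft-Windows-Forwarding/Operational" -MaxEvents 20 |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
```

Read the two Operational logs side by side: the source's Forwarding log shows whether it even tried to reach win2008 and why the attempt failed (no policy, TLS rejection, certificate not accepted), while the collector's EventCollector and WinRM logs show what the server did with the connection. Once a push succeeds, `wecutil gr test` on the collector lists win7 as an event source with its own status line, which is the confirmation the question's output is missing.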
