Using Event Forwarding

Event forwarding enables you to transfer events that match specific criteria to an administrative (or collector) computer. This enables you to manage events centrally. A single event log on the collector computer holds important events from computers anywhere in your organization. You do not need to connect to the local event logs on individual computers.

Event forwarding uses Hypertext Transfer Protocol (HTTP) or (if you need to provide an additional encryption and authentication layer for greater security) Hypertext Transfer Protocol Secure (HTTPS) to send events from a source computer to a collector computer. Because event forwarding uses the same protocols that you use to browse Web sites, it works through Internet Security and Acceleration (ISA) Server and most firewalls and proxy servers. Event forwarding traffic is encrypted whether it uses HTTP or HTTPS.

To use event forwarding, you must configure both the source and collector computers. On both computers, start the Windows Remote Management and the Windows Event Collector services. On the source computer, configure a Windows Firewall exception for the HTTP protocol. You might also need to create a Windows Firewall exception on the collector computer, depending on the delivery optimization technique you choose. This is described in detail later in this lesson.

You can configure collector-initiated or source-initiated subscriptions. In collector-initiated subscriptions, the collector computer retrieves events from the computer that generated the event. You would use a collector-initiated subscription when you have a limited number of source computers and these are already identified. In this type of subscription, you configure each computer manually.

In a source-initiated subscription (sometimes termed a source computer-initiated subscription), the computer on which an event is generated (the source computer) sends the event to the collector computer. You would use a source-initiated subscription when you have a large number of source computers and you configure them through Group Policy. In a source-initiated subscription, you can add source computers after the subscription is established, so you do not need to know in advance which computers in your network will be source computers. In summary, collector-initiated subscriptions, in which the collector retrieves events from one or more identified source computers, are typically used in small networks; source-initiated subscriptions, in which the source computers forward events to the collector, are used in enterprise networks.
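The setup described above (starting the Windows Remote Management and Windows Event Collector services, opening the firewall for HTTP, and then defining a subscription) can be driven from the command line. The following is an added example, not part of the original lesson: it uses the built-in winrm and wecutil tools on a Windows Server 2008 collector and shows a source-initiated subscription definition in the XML format wecutil accepts. The subscription name, the query (critical and error events from the System and Application logs), the collector host name and the Group Policy value are constructed for illustration; the port in the subscription manager URL is a placeholder that must match the collector's WinRM listener.

```powershell
# Added example (not from the lesson). Assumes a Windows Server 2008 collector
# and Windows Vista/2008 source computers; host names are constructed.

# --- On each source computer (or deployed through Group Policy) ---
# Starts the Windows Remote Management service, creates an HTTP listener and
# adds the matching Windows Firewall exception for WinRM over HTTP.
winrm quickconfig -q

# --- On the collector computer ---
# Starts the Windows Event Collector service and sets it to start automatically.
wecutil qc /q

# Subscription definition. SourceInitiated means the source computers push
# events; the collector only accepts sources that match the SDDL below
# (here: members of the Domain Computers group, "DC").
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>CriticalAndErrorEvents</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Constructed example: forward critical and error events</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
        <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

# wecutil reads the definition from a file; write it without a BOM.
$subscription | Out-File -Encoding ascii .\CriticalAndErrorEvents.xml
wecutil cs .\CriticalAndErrorEvents.xml

# Switch the delivery optimization later without recreating the subscription.
# Valid modes are Normal, MinLatency, MinBandwidth and Custom.
wecutil ss CriticalAndErrorEvents /cm:MinLatency

# Show which source computers have connected and their last heartbeat.
wecutil gr CriticalAndErrorEvents

# --- Group Policy value pushed to the source computers ---
# Computer Configuration > Administrative Templates > Windows Components >
# Event Forwarding > "Configure the server address, refresh interval, and
# issuer certificate authority of a target Subscription Manager".
# <PORT> is a placeholder: use the port of the collector's WinRM HTTP listener.
$subscriptionManager = "Server=http://collector.example.com:<PORT>/wsman/SubscriptionManager/WEC,Refresh=60"
```

Once the Group Policy value is applied, each source computer contacts the collector, downloads the subscriptions it is allowed to join, and begins forwarding matching events to the collector's Forwarded Events log. Because the transport is HTTP on the WinRM listener, the same firewall exception created by winrm quickconfig serves both remote management and event forwarding.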

A collector computer needs to run Windows Server 2008, Windows Vista, or Windows Server 2003 R2. A source computer needs to run Windows XP with Service Pack 2, Windows Server 2003 with Service Pack 1 or 2, Windows Server 2003 R2, Windows Vista, or Windows Server 2008.
