
Centralized Windows Event Log

agowa338 agowa338 Jun 05, 2016 · 2 mins read

Another feature many administrators don't know about is the centralization of Windows Event Logs.
It lets you, as an administrator, view all related Event Log entries from the clients on your admin PC.
The steps below are based on Microsoft's documentation.

  1. Create a new Security Group (Domain Local) named "IT-RemoteManagement" and add all computer accounts that should be allowed to read the event log (computer accounts, not user accounts).
  2. Create a new GPO named "CentralizedEventLogClients" and link it to all your clients (e.g. to your domain).
    • Enable "Allow remote server management through WinRM" (Computer, Policies, Administrative Templates, Windows Components, Windows Remote Management (WinRM), WinRM Service) and enter "*" into the IPv4 and IPv6 filters.
    • Set the "Windows Remote Management (WS-Management)" service to start automatically (Computer, Policies, Windows Settings, Security Settings, System Services).
    • Enable the inbound firewall rule (Computer, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security, Windows Firewall with Advanced Security - LDAP*, Inbound Rules, right-click and select "New Rule...", Predefined: "Windows Remote Management", choose the rule whose Profile equals "Domain, Private", Allow the connection, Finish; then right-click the created rule, open the "Advanced" tab in its properties and clear the "Private" profile).
    • If the above did not create the listener (sometimes it is not created...), add "C:\Windows\System32\cmd.exe" with the parameter "winrm quickconfig -q" as a startup script.
    • Add the IT-RemoteManagement group to the local group "Event Log Readers" (Computer, Preferences, Control Panel Settings, Local Users and Groups, right-click, New, Local Group, group name "Event Log Readers", check both check boxes to remove all existing members, add the group "IT-RemoteManagement", on the other tab select "Remove this item when it is no longer applied", confirm with Yes and close the dialog with OK).
  3. Create another policy named "CentralizedEventLogIT" and assign it to the computers of your support staff.
    • Startup script: "C:\Windows\System32\cmd.exe", argument: "wecutil qc -q:True"
    • Set the Windows Event Collector service to start automatically.
  4. Your support staff can now create their subscriptions (the events to be collected) by clicking "Subscriptions" in their local Event Viewer.
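Group Policy settings do not always land on every machine, so as an added example (not from the original post) here is a PowerShell check that verifies the client-side and collector-side settings from steps 2 and 3 above. The group name comes from the post; the domain "EXAMPLE" and the `-Role` parameter are assumptions.

```powershell
# Added example, not part of the original post: checks whether the settings
# the "CentralizedEventLogClients" / "CentralizedEventLogIT" GPOs push have
# actually applied. Assumed: placeholder domain "EXAMPLE", -Role parameter.
param(
    [ValidateSet('Client', 'Collector')] [string] $Role = 'Client',
    [string] $ReaderGroup = 'EXAMPLE\IT-RemoteManagement'   # placeholder domain
)

$checks = [ordered]@{}

function Get-StartMode([string] $Name) {
    (Get-CimInstance Win32_Service -Filter "Name='$Name'").StartMode
}

if ($Role -eq 'Client') {
    # Step 2: WinRM service set to start automatically and currently running
    $checks['WinRM start mode is Auto'] = (Get-StartMode 'WinRM') -eq 'Auto'
    $checks['WinRM service is running'] = (Get-Service WinRM).Status -eq 'Running'

    # Step 2: the "*" IPv4/IPv6 filter should have created an HTTP listener;
    # if this fails, the post's fallback "winrm quickconfig -q" step applies
    $listeners = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue
    $checks['WinRM HTTP listener exists'] =
        [bool]($listeners | Where-Object { $_.Keys -contains 'Transport=HTTP' })

    # Step 2: predefined "Windows Remote Management" rule enabled, and only for
    # the Domain profile (the post clears "Private" after creating the rule)
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
        Where-Object { $_.Enabled -eq 'True' })
    $checks['WinRM firewall rule enabled'] = $rules.Count -gt 0
    $checks['Rule limited to Domain profile'] =
        -not ($rules | Where-Object { "$($_.Profile)" -match 'Private|Public|Any' })

    # Step 2: only the management group should be able to read the logs remotely
    $members = @(Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue)
    $checks["$ReaderGroup is Event Log Reader"] =
        [bool]($members | Where-Object { $_.Name -eq $ReaderGroup })
    $checks['No other Event Log Readers'] =
        @($members | Where-Object { $_.Name -ne $ReaderGroup }).Count -eq 0
} else {
    # Step 3: the Windows Event Collector service must be automatic and running
    $checks['Wecsvc start mode is Auto'] = (Get-StartMode 'Wecsvc') -eq 'Auto'
    $checks['Wecsvc is running'] = (Get-Service Wecsvc).Status -eq 'Running'
    # Step 4: subscriptions the support staff have created so far
    $checks['Subscriptions defined'] = @(wecutil es).Count -gt 0
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key
}
```

Run it with `-Role Client` on a managed workstation and with `-Role Collector` on a support PC; a FAIL on the profile check means the WinRM listener is also reachable outside the domain network, which step 2 was meant to prevent.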