Set up a Windows LogServer

On the DC:

New-ADGroup -Name "Event Collector" -GroupScope Global
Add-ADGroupMember -Identity "Event Collector" -Members "<Servername>$"   # the collector's computer account (note the trailing $)

New-GPO -Name "Event Collector"
New-GPLink -Name "Event Collector" -Target "DC=test,DC=com"
Set-GPPermission -Name "Event Collector" -TargetName "Event Collector" -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name "Event Collector" -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None

Caveat: -PermissionLevel None strips Read as well as Apply. Since MS16-072 (June 2016) a computer must be able to read a GPO for it to be processed at all, so after removing Authenticated Users give Domain Computers (or Authenticated Users) GpoRead back on this GPO; the same applies to the "Event Source" GPO below.

# Policy key for "Allow remote server management through WinRM" (the note left $winRMKey undefined)
$winRMKey = "HKLM\Software\Policies\Microsoft\Windows\WinRM\Service"
Set-GPRegistryValue -Name "Event Collector" -Key $winRMKey -ValueName "AllowAutoConfig" -Type DWord -Value 1
Set-GPRegistryValue -Name "Event Collector" -Key $winRMKey -ValueName "IPv4Filter" -Type String -Value "*"
Set-GPRegistryValue -Name "Event Collector" -Key $winRMKey -ValueName "IPv6Filter" -Type String -Value "*"   # the value name is IPv6Filter, not IPv6

New-ADGroup -Name "Event Source" -GroupScope Global
Add-ADGroupMember -Identity "Event Source" -Members "<Servername>$"   # only one server during the testing phase

New-GPO -Name "Event Source"
New-GPLink -Name "Event Source" -Target "DC=test,DC=com"
Set-GPPermission -Name "Event Source" -TargetName "Event Source" -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name "Event Source" -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None

# Policy key for "Configure target Subscription Manager" (the note left $eventkey and $targetaddress undefined).
# The collector FQDN and the refresh interval (seconds) are placeholders; 5985 is the WinRM HTTP port.
$eventkey = "HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
$targetaddress = "Server=http://<logserver FQDN>:5985/wsman/SubscriptionManager/WEC,Refresh=60"
Set-GPRegistryValue -Name "Event Source" -Key $eventkey -ValueName "1" -Type String -Value $targetaddress

Things to check on the machines you put in the "Event Source" group before expecting any events:

- Check that remote management (WinRM) is enabled:
PS C:\> Configure-SMRemoting.exe -Get
- After the GPO has applied (gpupdate /force), remember that the forwarder runs as NETWORK SERVICE, so that account needs read access to every log you forward; adding it to the local "Event Log Readers" group covers the Security log as well.
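The checks above, as an added example that is not part of the original note: run it on a machine in the "Event Source" group after the policy has applied. <logserver FQDN> is a placeholder; the cmdlets used (Get-LocalGroupMember, Test-NetConnection) exist on Windows Server 2016 and later.

```powershell
# Added example: verify a source machine is ready to forward to the collector.
$collector = "<logserver FQDN>"   # placeholder, same host as in $targetaddress

# 1. WinRM must be running on the source; the forwarding plugin pushes events over it.
if ((Get-Service WinRM).Status -ne 'Running') { Start-Service WinRM }
Get-Service WinRM | Select-Object Name, Status, StartType

# 2. The "Event Source" GPO should have written the SubscriptionManager value under the policy key.
$subKey = "HKLM:\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
if (Test-Path $subKey) {
    Get-ItemProperty -Path $subKey | Select-Object -Property 1
} else {
    Write-Warning "SubscriptionManager policy not present; check GPO read/apply permissions and run gpupdate /force"
}

# 3. The forwarder runs as NETWORK SERVICE and can only ship logs it is allowed to read.
#    Membership in the local "Event Log Readers" group grants read on all logs, Security included.
$readers = Get-LocalGroupMember -Group "Event Log Readers" -ErrorAction SilentlyContinue
if (-not ($readers.Name -contains "NT AUTHORITY\NETWORK SERVICE")) {
    Add-LocalGroupMember -Group "Event Log Readers" -Member "NT AUTHORITY\NETWORK SERVICE"
}

# 4. Source-initiated subscriptions connect outbound to the collector's WinRM port.
Test-NetConnection -ComputerName $collector -Port 5985 | Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 5. Forwarder-side errors (bad SDDL, unreachable collector, access denied on a log) are logged here.
Get-WinEvent -LogName "Microsoft-Windows-Forwarding/Operational" -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
```

If step 5 shows nothing at all, the policy has usually not applied yet or WinRM was not running when it did; a restart of the WinRM service after gpupdate makes the forwarder re-read the SubscriptionManager value immediately instead of waiting for the refresh interval.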

On the log server we still have to enable the Windows Event Collector service (wecutil qc) and create a source-initiated subscription that selects which events we want to receive; by default they land in the ForwardedEvents log.
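The collector-side subscription, as an added example that is not from the original note: the subscription name, the event selection and the use of the "Event Source" group SID to restrict who may connect are all assumptions; Get-ADGroup requires the ActiveDirectory (RSAT) module on the collector, otherwise keep the default Domain Computers SDDL shown in the comment.

```powershell
# Added example: enable the collector service and create a source-initiated subscription.

# 1. Configure and start the Windows Event Collector service (wecutil qc also ensures the WinRM listener it needs).
wecutil qc /q

# 2. Only members of the "Event Source" group may register with this subscription.
#    The default SDDL "O:NSG:BAD:P(A;;GA;;;DC)S:" would allow any domain computer instead.
$sid = (Get-ADGroup "Event Source").SID.Value
$allowed = "O:NSG:BAD:P(A;;GA;;;$sid)S:"

# 3. Subscription definition. The query pulls logon events, privileged logons, audit-log clears
#    (Security 4624/4625/4672/1102) and new service installs (System 7045); adjust to taste.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Security-Baseline</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logons, audit log clears and service installs from Event Source members</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=1102)]]</Select>
        </Query>
        <Query Id="1" Path="System">
          <Select Path="System">*[System[(EventID=7045)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>$allowed</AllowedSourceDomainComputers>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP "Security-Baseline.xml"
$subscriptionXml | Set-Content -Path $xmlPath -Encoding UTF8
wecutil cs $xmlPath

# 4. Verify: list subscriptions, then (once the sources have hit their Refresh interval) check that
#    each source shows as Active in the runtime status and that events arrive in ForwardedEvents.
wecutil es
wecutil gr Security-Baseline
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, MachineName, Id -AutoSize
```

Keep the subscription filter narrow and add channels deliberately; the collector stores what it receives in a single ForwardedEvents log, so forwarding everything from every source fills it quickly and buries the events you actually want to alert on.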

more on Event forwarding:



