Windows Server Customer Engineering (Customer Advisory Team) : Quick and Dirty Large Scale Eventing for Windows

 

Quick and Dirty Large Scale Eventing for Windows

Published 11 August 08 02:34 PM | ottoh

One of the least known yet most powerful management features to ship with Windows Vista and Windows Server 2008 is built-in Event Forwarding which enables large scale health and state monitoring of a Windows environment (assuming health and state can be determined from Windows Events - which they usually can). Not only is this feature built into the latest versions of Windows, but it's also available for down-level OSs like Windows XP SP2+ and Windows Server 2003 SP1+ (here).

Note: True enterprise class Windows eventing is included with enterprise monitoring solutions like System Center Operations Manager.

This new Windows Event Forwarding (also known as Windows Eventing 6.0) is exceptional for the following reasons:

1. Standards Based: No really! It leverages the DMTF WS-Eventing standard which allows it to interoperate with other WS-Man implementations (see OpenWSMAN at SourceForge).
2. Agentless: Event Forwarding and Event Collection are included in the OS by default
3. Down-Level Support: Event Forwarding is available for Windows XP SP2+ and Windows Server 2003 SP1+
4. Multi-Tier: Forwarding architecture is very scalable where a "Source Computer" may forward to a large number of collectors and collectors may forward to collectors
5. Scalable: Event Collection is very scalable (available in Windows Vista as well) where the collector can maintain subscriptions with a large number of "Source Computers" as well as process a large number of events per second
6. Group Policy Aware: The entire model is configurable by Group Policy
7. Schematized Events: Windows Events are now schematized and rendered in XML which enables many scripting and export scenarios
8. Pre-Rendering: Forwarded Windows Events can now be pre-rendered on the Source Computer negating the need for local applications to render Windows Events
9. Resiliency: Designed to enable mobile scenarios where laptops may be disconnected from the collector for extended periods of time without event loss (except when logs wrap) as well as leveraging TCP for guaranteed delivery
10. Security: Certificate based encryption via Kerberos or HTTPS

This implementation will walk through the following example design where via Group Policy a domain computer group will be configured to forwared Windows Events to a single collector:

...

Follow link to full article for configuration and testing details.

...

Windows Server Customer Engineering (Customer Advisory Team) : Quick and Dirty Large Scale Eventing for Windows