Windows Event Forwarding via https without Windows domain - no event 104
Following the suggestion in this answer, I'm trying to set up Windows Event Forwarding by following this Microsoft's guide:
Setting up a source initiated subscription where the event sources are not in the same domain as the event collector computer.
I'm stuck on it for days, and I've been reading this guide dozens of times, every once in a while overcoming another small obstacle. I got pretty far, but now I feel really stuck.
I'm stuck at point 7 of Event Source computer Configuration:
- These steps should produce event 104 in your source computer Event Viewer (Applications and Services Logs\Microsoft\Windows\Eventlog-ForwardingPlugin\Operational log) with the following message: "The forwarder has successfully connected to the subscription manager at address", followed by event 100 with the message: "The subscription <sub_name> is created successfully."
- On the Event Collector, the Subscription Runtime Status will now show 1 Active computer.
I'm also not sure what point 8 means. For the Subscription Runtime Status command (wecutil gr SubscriptionId), I need a subscription ID, but the guide didn't tell me to create one.
I'm confused. Can you please point me in the right direction? Thanks.
You need to create a subscription first, otherwise event ID 100 will not show up. This step is the last chapter in the documentation (Event subscription configuration):
[...]Right-click Subscriptions and choose “Create Subscription…”
Give a name and an optional description for the new Subscription.
Select “Source computer initiated” option and click “Select Computer Groups…”.
In Computer Groups click on “Add Non-Domain Computers…” and type the event source hostname.[...]
Once the subscription is created on the server, computers will be able to subscribe to it (after the refresh interval you set in the GPO, if they already downloaded the GPO before the subscription was created).
Step 8 in the documentation just tells you that after creating the subscription you'll be able to list active computers directly in the collector's Event Viewer. However, I recommend using the command line tool, because the GUI will not behave well when you have several thousand connected computers: wecutil es to list existing subscriptions, and wecutil gs <subscriptionName> to show details about the subscription.
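The checks described in the question and the answer, collected into one PowerShell script (this is an added example, not code from the answer above or from the Microsoft guide). It assumes you replace the subscription name and collector hostname placeholders with your own values, that the collector listens on the default WinRM HTTPS port 5986, and that the forwarding plugin log name is the one the question quotes; the wecutil verbs used (es, gs, gr) are the ones named in this thread.

```powershell
# Added example: verify a source-initiated, HTTPS-based WEF subscription from both sides.
# Placeholders (assumptions, replace before use):
$SubscriptionName = 'REPLACE_WITH_YOUR_SUBSCRIPTION_NAME'
$CollectorHost    = 'collector.example.invalid'
$CollectorPort    = 5986   # default WinRM HTTPS port (assumed)

function Test-WefCollector {
    # Run on the event collector.
    # wecutil es lists every subscription the collector knows about; an empty list
    # means the "Event subscription configuration" chapter has not been done yet,
    # which is why event 100 never appears on the source.
    Write-Host '== Subscriptions defined on this collector =='
    wecutil es

    # gs shows the configuration, gr the runtime status (active sources, last
    # heartbeat, last error) of the named subscription.
    Write-Host "== Configuration of '$SubscriptionName' =="
    wecutil gs $SubscriptionName
    Write-Host "== Runtime status of '$SubscriptionName' =="
    wecutil gr $SubscriptionName
}

function Test-WefSource {
    # Run on the event source (the non-domain machine).
    # 1. Can the source reach the collector's HTTPS listener at all?
    $net = Test-NetConnection -ComputerName $CollectorHost -Port $CollectorPort -WarningAction SilentlyContinue
    if (-not $net.TcpTestSucceeded) {
        Write-Host "TCP connection to ${CollectorHost}:${CollectorPort} failed; fix network/firewall before anything else."
        return
    }

    # 2. Look for event 104 (connected to the subscription manager) and
    #    event 100 (subscription created) in the forwarding plugin's log.
    $filter = @{
        LogName = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'
        Id      = 100, 104
    }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Host 'No event 100/104 yet. Check the SubscriptionManager GPO value (collector URL and certificate thumbprint),'
        Write-Host 'then confirm the subscription exists on the collector (wecutil es) and refresh policy on this machine.'
        # Re-read the SubscriptionManager setting without waiting for the GPO refresh interval.
        gpupdate /force
    } else {
        $events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
    }
}

# Call the function that matches the machine you are on:
#   Test-WefCollector   # on the collector
#   Test-WefSource      # on the event source
```

Run Test-WefCollector first: if wecutil es prints nothing, the source cannot produce event 100 no matter how correct its GPO is, and that is the situation the question describes. Only once the subscription is listed does the absence of 104/100 on the source point at the client side (network, the SubscriptionManager URL, or the certificate mapping).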