Windows Event Collector Load Balancing to multiple Collectors

My scenario:

I want several Windows servers to forward Events either to Collector A or to Collector B and so on.

What I tried:

Set the GPO: Computer Settings - Policies- Administrative Templates - Windows Components - Event Forwarding - Configure target Subscription Manager

Server=http://Collectors.contoso.com:5985/wsman/SubscriptionManager/WEC

where Collectors is the name of the cluster (set up via NLB) of which Collector A and B are members.

The Problem: no events have been forwarded.

How does Event Forwarding actually work? Is it possible and useful to use Network Load Balancing (NLB)?

Notes: I'm using Windows Server 2012 R2 and all firewalls have been disabled.

My subscription on Collector A and B:

<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>pull1</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description></Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>Normal</ConfigurationMode>
    <Delivery Mode="Push">
        <Batching>
            <MaxLatencyTime>900000</MaxLatencyTime>
        </Batching>
        <PushSettings>
            <Heartbeat Interval="900000"/>
        </PushSettings>
    </Delivery>
    <Query>
        <![CDATA[
<QueryList><Query Id="0"><Select Path="Application">*</Select><Select Path="Security">*</Select><Select Path="Setup">*</Select><Select Path="System">*</Select><Select Path="ForwardedEvents">*</Select></Query></QueryList>
        ]]>
    </Query>
    <ReadExistingEvents>false</ReadExistingEvents>
    <TransportName>HTTP</TransportName>
    <ContentFormat>RenderedText</ContentFormat>
    <Locale Language="en-US"/>
    <LogFile>ForwardedEvents</LogFile>
    <PublisherName>Microsoft-Windows-EventCollector</PublisherName>
    <AllowedSourceNonDomainComputers>
        <AllowedIssuerCAList>
        </AllowedIssuerCAList>
    </AllowedSourceNonDomainComputers>
    <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>

Thanks


Solution 1:

How does Event Forwarding actually work? Is it possible and useful to use Network Load Balancing (NLB)?

Event forwarding depends on WSMan/WinRM (the Windows Remote Management service). For domain-joined scenarios, this uses Kerberos by default for authentication and encryption, which requires a service principal name (SPN). SPNs are meant to be unique. Therefore, no two domain-joined computers should be permitted to register the same SPN for their computer accounts/identity, which makes load balancing with the default setup unworkable. While there are some guides on configuring IIS to use a specific service domain account (instead of the computer account) and letting a pool of IIS web servers share that service account, WSMan/WinRM is more of a core OS service. It seems to be heavily tied into running as the Network Service account of a machine, which in turn depends on the computer's built-in machine account and SPN. Hence, it's non-trivial to load balance Windows event forwarding.

Most references I've seen on the topic suggest a number of workarounds, such as:

  • Directly use GPO subscription settings to switch/load balance which specific event collector servers are used based on site topology, etc.
  • Split subscriptions settings into different roles, e.g. one for System and Application logs, the other for Security, and via GPO, configure clients (log sources) to get subscriptions from both servers.

Neither of the above provides HA; they just split the load. For HA, I've seen a recommendation to set up 2 servers with the same subscriptions, but this duplicates the events sent (and wastes bandwidth, etc.).
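An added example, not part of the question or the answer above, of the second workaround (point the forwarders at both collectors individually instead of at the NLB alias) together with the checks that show why the NLB name fails and whether the subscriptions actually join. The collector hostnames collector-a/collector-b.contoso.com are assumptions; the registry path is the one the "Configure target Subscription Manager" policy writes to, so in production set the same two entries through the GPO rather than by hand (a GPO refresh overwrites values written directly under the Policies key).

```powershell
# Added example (not from the original post). Assumed names: collector-a.contoso.com,
# collector-b.contoso.com; the NLB alias collectors.contoso.com is the one from the question.

# --- On a forwarder (source computer) ---------------------------------------
# The GPO setting stores one REG_SZ value per collector under this key, named "1", "2", ...
# Each value is the same "Server=...,Refresh=<seconds>" string you would type into the policy.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$collectors = @('collector-a.contoso.com', 'collector-b.contoso.com')   # real hosts, not the NLB alias

New-Item -Path $policyKey -Force | Out-Null
$index = 1
foreach ($collector in $collectors) {
    # Refresh = how often (seconds) the forwarder polls this collector for subscription changes
    $entry = "Server=http://${collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"
    Set-ItemProperty -Path $policyKey -Name $index -Value $entry -Type String
    $index++
}

# Kerberos needs an SPN owned by exactly one account. Each collector's own computer account
# carries HOST/<fqdn> (which WinRM's HTTP/ SPN falls back to); the NLB alias is owned by nobody,
# so a ticket for it can never be issued. setspn -Q reports "No such SPN found" for the alias.
setspn -Q "HOST/collectors.contoso.com"
setspn -Q "HOST/collector-a.contoso.com"
setspn -Q "HOST/collector-b.contoso.com"

# Make WinRM re-read the target list (or wait for the next policy refresh / gpupdate).
Restart-Service WinRM

# Forwarder-side diagnostics: this log records each subscription the forwarder joins and any
# error while talking to a subscription manager, which is where the original "no events" case shows up.
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# --- On each collector ---------------------------------------------------------
# Split the posted subscription XML per role before loading it: keep only the System/Application
# <Select> lines on collector A and only the Security <Select> line on collector B, then:
#   wecutil qc                 # one-time: enable the Windows Event Collector service
#   wecutil cs .\pull1.xml     # create the subscription from the (trimmed) XML file
# Runtime status lists every source computer that has checked in and its last error, if any.
wecutil es | ForEach-Object { wecutil gr $_ }
```

With two entries the forwarder maintains a separate WS-Management session to each collector, so the split is by subscription content (which logs each collector asks for), not by which collector a given client happens to reach; a client that reaches only one of them still delivers that collector's logs, which is the "load splitting without HA" the answer describes.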