Event log management is an important routine task in server maintenance, and a laborious, hands-on one when there are many application servers on the LAN. A good management solution is to deploy a central server dedicated to event log management and forward the logs of the other servers to it. Traditionally this required third-party software. Windows Server 2008 adds a built-in feature for forwarding and subscribing to server event logs, so that specific event logs from other servers can be managed centrally. The following is an example of such a deployment.
Environment Description:
This article uses a domain environment with two servers as an example: server1 is the source server, which forwards its logs to the log server; server2 is the log server, which subscribes to the logs forwarded by the source server.
Task objectives:
Server1 forwards, in real time, the error events with ID 100 from its system log in the past 24 hours to server2, and the administrator is notified of them on server2 in the form of a message box.
Implementation process:
1. Create a custom View
Log on to the server as an administrator, click Start > Run, and enter eventvwr.msc to open the Event Viewer window. In the left pane, select "Custom View" and click "create custom View" in the "operations" menu. On the "filter" tab of the "create custom View" wizard, set "record time" to "past 24 hours", "event level" to "error", and "Event Log" to "system". Click OK. In the "Save filter to custom View" dialog box that appears, name the view "Error Events (24 hours)" and click OK. The new view "Error Events (24 hours)" now appears under "Custom View". (Figure 1)
2. Add custom events to system logs
In practice this step is not required. I add it to test the custom view we just created: we create a specific event by hand and then check whether the custom view shows it. Run a command prompt as an administrator on server1 and execute the command eventcreate /T ERROR /ID 100 /L SYSTEM /D "Application Error #1" /SO MyApp; the command reports that it succeeded. This command writes a custom event. Eventcreate creates event log entries: the "/T" parameter specifies the event level ("ERROR"), "/ID" the event ID (100), "/L" the log to write to ("SYSTEM"), "/D" the event description ("Application Error #1"), and "/SO" the event source ("MyApp"). After the custom event is created, open "Event Viewer", select "Error Events (24 hours)" under "Custom View", expand the "operation" menu and choose the "refresh" command. After the refresh you can see the event we just created, because it meets the filter conditions of the custom view; this also verifies that the custom view is correct. (Figure 2)
3. Create an event subscription
Log on to server2 as an administrator and open its "Event Viewer" console window. Click "subscription" at the bottom of the tree; a dialog box asks whether to start the "Windows Event Collector service". Click "yes" to start the service. Right-click "subscription" and choose "create subscription" from the context menu to open the "subscription attributes" dialog box. Set the subscription name to "MyApp Errors on server1" (system error events from server1). Click the "add" button under "source computer" to open the "select computer" dialog box, enter server1 to add the server whose event logs we subscribe to, and click OK to return to the subscription attributes dialog box. Multiple servers can be added in the same way. After adding the server, click the "test" button on the right to verify the server you just added. An error dialog box appears at this point; click OK. The error occurs because WinRM on server1 has not yet been started and configured; we will configure it later. (Figure 3)
Back in the subscription attributes dialog box, click "select event" to open the "query filter" dialog box. Set "record time" to "past 24 hours", event level to "error", Event Log to "Windows log \ System", and event ID to "100". When the settings are complete, close the "select event" dialog box. In the subscription attributes dialog box, click "advanced" to open the "advanced subscription settings" dialog box. Set "User Account" to "specific user" and click "user and password" on the right to open the "credential of the subscription source" dialog box. The default user name is administrator; enter the administrator password below it. Set the "event transfer optimization" method to "minimize latency" and keep the default protocol and port. Finally, click "OK" to close the "subscription attributes" dialog box. An Event Viewer dialog box then pops up describing the next step; click "yes" to close it. The subscription we just created now appears under "subscription" in the "Event Viewer" console, but it is marked with a red exclamation point, because WinRM on server1 has not yet been started and configured. (Figure 4)
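The same deployment carried out from the command line, as an added example that is not part of the original article: it assumes a placeholder domain name CONTOSO, a working folder C:\Temp, and an elevated PowerShell prompt; the winrm line is run on server1, everything else on server2. The XPath query is the one Event Viewer generates for the filter settings used in steps 1 and 3, so it serves both the custom view and the subscription.

```powershell
# Added example, not from the article. Assumptions: domain "CONTOSO" is a
# placeholder, the subscription XML is written to C:\Temp\MyAppErrors.xml.

# --- Source server (server1): start and configure WinRM (the listener the
# article's "test" button needs). Run this line on server1 only:
# winrm quickconfig -q

# --- Collector (server2): enable and configure the Windows Event Collector.
wecutil qc /q

# Filter shared by the "Error Events (24 hours)" view and the subscription:
# System log, level Error (2), event ID 100, created in the last 24 h
# (timediff is in milliseconds: 24*60*60*1000 = 86400000).
$query = '*[System[(Level=2) and (EventID=100) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'

$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>MyApp Errors on server1</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>System error events (ID 100) from server1</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0" Path="System"><Select Path="System">$query</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources><EventSource Enabled="true"><Address>server1</Address></EventSource></EventSources>
</Subscription>
"@
New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null
Set-Content -Path C:\Temp\MyAppErrors.xml -Value $xml -Encoding UTF8

# Create the subscription with the "specific user" credentials from step 3
# (/cun and /cup are wecutil's common user name / password switches). The
# article uses the domain administrator; a dedicated account that is a member
# of server1's local "Event Log Readers" group has enough rights to read the log.
$cred = Get-Credential 'CONTOSO\administrator'
wecutil cs C:\Temp\MyAppErrors.xml /cun:$($cred.UserName) /cup:$($cred.GetNetworkCredential().Password)

# Check the subscription and the per-source runtime state (the command-line
# equivalent of the red exclamation point in the console).
wecutil gs "MyApp Errors on server1"
wecutil gr "MyApp Errors on server1"

# Once the step 2 test event is raised on server1 it should arrive here:
Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents'; Id=100; Level=2} -MaxEvents 5 |
    Format-Table TimeCreated, MachineName, ProviderName, Message -AutoSize
```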