Centralized Logging via Windows Event Forwarding.

5 replies

Last post Jan 24, 2018 09:49 AM by Yuk Ding

  • Centralized Logging via Windows Event Forwarding.

    Jan 23, 2018 04:32 AM|aunraza|LINK

    Hello, I understand that with Windows Server 2016, and possibly earlier, it is possible to send IIS logs to the event viewer, as well as the file. I was able to get the logs to the Event Viewer on the local machine running IIS, however, when I try to use Windows Event Forwarding to retrieve the logs from a Collector, I am unable to do so. The collector doesn't show the option for IIS-Logging when selecting events. It only shows the option if IIS is installed, and even then it is unable to retrieve the logs. The standard Windows logs (Application, System, Security, etc.) show up just fine. 

    The purpose of this is to set up a Centralized Logging server, and then use an application such as NXLog to forward to a syslog server. Any help would be appreciated!

  • Re: Centralized Logging via Windows Event Forwarding.

    Jan 23, 2018 06:38 AM|Yuk Ding|LINK

    Hi aunraza,

    If you need to set up Windows Event Forwarding, please ensure that in IIS Manager -> site level -> Logging, "Both log file and ETW event" has been selected.

    Secondly, please go to Event Viewer -> Applications and Services Logs\Microsoft\Windows\IIS-Logging -> right-click Logs -> Enable.

    Then you could create the subscription for Applications and Services Logs\Microsoft\Windows\IIS-Logging\.

    Best Regards,

    Yuk Ding

    Yuk Ding

    MSDN Community Support
    Please remember to "Mark as Answer" the responses that resolved your issue.
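The three steps in the reply above, scripted as an added example that is not part of this thread or of Microsoft's documentation. Part 1 runs on the IIS source server, Part 2 on the collector, both from an elevated PowerShell. The site name `Default Web Site`, the source host name `iis01.corp.example` and the subscription name `IIS-Logging` are assumptions; the channel name is verified with `wevtutil el` before it is used. The subscription query names the channel path directly, which sidesteps the problem that the collector's event picker only lists channels registered on the collector itself:

```powershell
# Added example (not from this thread): script the three steps from the reply above.
# Part 1: IIS source server. Part 2: collector. Both need an elevated PowerShell.
# Site name, host name and subscription name are assumptions; adjust them.

# ---- Part 1: source server ---------------------------------------------------
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumption: the site whose requests you want forwarded

# Step 1: Logging -> "Both log file and ETW event" (logTargetW3C = File,ETW)
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter "system.applicationHost/sites/site[@name='$siteName']/logFile" `
    -Name 'logTargetW3C' -Value 'File,ETW'

# Step 2: the IIS-Logging channel is disabled by default; confirm its name on
# this server, then enable it (same as right-click Logs -> Enable in Event Viewer).
wevtutil el | Select-String 'IIS-Logging'
$channel = 'Microsoft-IIS-Logging/Logs'
wevtutil set-log $channel /enabled:true
wevtutil gl $channel | Select-String 'enabled'

# ---- Part 2: collector ---------------------------------------------------------
# Step 3: a collector-initiated subscription. The query names the channel path
# directly, so the collector does not need IIS installed to subscribe to it.
# RenderedText makes the source render the message text, so the collector does
# not need the IIS event provider either.
$source  = 'iis01.corp.example'          # assumption: the IIS source server
$channel = 'Microsoft-IIS-Logging/Logs'  # same channel as in Part 1
wecutil qc /q                            # start the Windows Event Collector service

$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>IIS-Logging</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>IIS W3C log entries emitted as ETW events</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="$channel">
        <Select Path="$channel">*</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$source</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

$path = Join-Path $env:TEMP 'iis-logging-subscription.xml'
Set-Content -Path $path -Value $subscriptionXml -Encoding UTF8
wecutil cs $path            # create the subscription from the XML
wecutil gs IIS-Logging      # show its configuration
wecutil gr IIS-Logging      # show per-source runtime status (errors appear here)
```

Forwarded entries land in the collector's ForwardedEvents log, which is the log NXLog or a similar agent would then read and ship to syslog. With `CredentialsType` set to `Default`, the collector's computer account is what reads the source channel, so that account is the one that needs read permission on the source.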
  • Re: Centralized Logging via Windows Event Forwarding.

    Jan 23, 2018 06:43 AM|aunraza|LINK

    Hello Yuk,

    This works fine on the local machine and I see the logs there, but when using Windows Event Forwarding, where I want to be able to see these events on a central server, I am unable to do so. This works fine for the standard Windows logs.

    Thanks.

  • Re: Centralized Logging via Windows Event Forwarding.

    Jan 23, 2018 08:19 AM|Yuk Ding|LINK

    Hi aunraza,

    You also need to ensure the machines are in the same domain. Secondly, remember to run cmd as administrator and then run

    winrm quickconfig

    to enable the centralized subscription on the target server.

    If it fails, please try to disable the firewall.

    Of course, you need to enable the group policy:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)

    Best Regards,

    Yuk Ding

    Yuk Ding

    MSDN Community Support
    Please remember to "Mark as Answer" the responses that resolved your issue.
  • Re: Centralized Logging via Windows Event Forwarding.

    Jan 23, 2018 10:29 AM|aunraza|LINK

    Hi Yuk,

    Centralized logging is working for Windows Logs (Application, System, Security, etc.), but is not working for IIS Logging as I mentioned earlier. The machines are in the same domain. I've already run that command you mentioned as part of the initial steps to enable centralized logging, but I understand that as part of Windows 2012 and higher, winrm is enabled by default. 

    Any other suggestions?

    Thanks.

  • Re: Centralized Logging via Windows Event Forwarding.

    Jan 24, 2018 09:49 AM|Yuk Ding|LINK

    Hi aunraza,

    What's the status when you right-click the subscription -> Status? And could you pass the test when you add the computer to the collector-initiated subscription? I think the problem must be that the user account doesn't have permission to access the forwarded event log. So please ensure you have added the domain account to Active Directory Users and Computers\domain.com\Builtin\Event Log Readers.

    Just remember to reboot both servers.

    If it is still not working, please try this:

    https://rockyprogress.wordpress.com/2011/12/04/security-event-log-collection-from-a-domain-controller/

    In addition, remember to disable the firewall.

    Best Regards,

    Yuk Ding

    Yuk Ding

    MSDN Community Support
    Please remember to "Mark as Answer" the responses that resolved your issue.
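The checks behind the last reply, scripted as an added example that is not part of this thread. It reads the subscription's runtime status on the collector, confirms WinRM reachability, and on the source server verifies that the collector's computer account can read the IIS-Logging channel. Host name `iis01.corp.example`, collector account `CORP\WEC01$` and subscription name `IIS-Logging` are assumptions. It grants the account Event Log Readers membership on the source (the reply does this in AD under Builtin instead) and inspects the WinRM firewall rule rather than turning the firewall off:

```powershell
# Added example (not from this thread): verify the subscription and the
# permissions it depends on. Names below are assumptions; run elevated.

$source           = 'iis01.corp.example'   # assumption: IIS source server
$collectorAccount = 'CORP\WEC01$'           # assumption: collector's computer account
$channel          = 'Microsoft-IIS-Logging/Logs'

# ---- On the collector --------------------------------------------------------
# Runtime status per source: last error, last heartbeat, and whether it is Active.
wecutil gr IIS-Logging
# Which identity reads the source: CredentialsType Default = the collector's machine account.
wecutil gs IIS-Logging | Select-String 'CredentialsType|Address'
# WinRM reachability to the source (TCP 5985 over HTTP) without disabling the firewall.
Test-WSMan -ComputerName $source

# ---- On the source server ------------------------------------------------------
# WinRM must be running, and its own firewall rule enabled for the domain profile.
Get-Service WinRM | Select-Object Name, Status
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Select-Object Name, Enabled, Profile

# Does the channel ACL grant Event Log Readers (SID S-1-5-32-573)? If the SDDL lacks
# that SID, membership alone will not grant read access to this channel.
wevtutil gl $channel | Select-String 'channelAccess'

# Grant the collector's computer account read access through Event Log Readers.
$members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
if (-not ($members | Where-Object Name -eq $collectorAccount)) {
    Add-LocalGroupMember -Group 'Event Log Readers' -Member $collectorAccount
}
Get-LocalGroupMember -Group 'Event Log Readers'

# Group membership is applied to the machine token at next logon, hence the reboot
# advised above; afterwards the collector's status should go to Active.
```

After the source is rebooted, re-run `wecutil gr IIS-Logging` on the collector: an access-denied code in the last error column points at the channel ACL or group membership, a WinRM connection error at the listener or firewall rule.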