To receive forwarded events on a computer, you must set up one or more event subscriptions. Before setting up a subscription, you must configure both the computer that will receive the forwarded events, and the computer or computers that will forward the events. To learn how to configure the computers, see Configure Computers to Forward and Collect Events.
Once you have configured the computers, you create a subscription to specify which events to collect.
|To create a new subscription|
On the collector computer, run Event Viewer as an administrator.
Click Subscriptions in the console tree.
If the Windows Event Collector service is not started, you will be prompted to confirm that you want to start it. This service must be started to create subscriptions and collect events. You must be a member of the Administrators group to start this service.
On the Actions menu, click Create Subscription.
In the Subscription Name box, type a name for the subscription.
In the Description box, enter an optional description.
In the Destination Log box, select the log file where collected events are to be stored. By default, collected events are stored in the ForwardedEvents log.
Click Add and select the computers from which events are to be collected.
After adding a computer, you can test connectivity between it and the local computer by selecting the computer and clicking Test.
Click Select Events to display the Query Filter dialog box. Use the controls in the Query Filter dialog box to specify the criteria that events must meet to be collected.
Click OK on the Subscription Properties dialog box. The subscription will be added to the Subscriptions pane and, if the operation was successful, the Status of the subscription will be Active.
Events raised on the forwarder computers that meet the criteria of the subscription will be copied to the collector computer log specified in step 6.
- You cannot use Event Viewer to create a
subscription while it is connected to a remote computer.
- You can use the filter from a previously
defined Custom View by choosing Copy from existing Custom
View. Additionally, you can paste an XPATH query into the text
box on the XML tab of the Query Filter dialog box.
- If a newly created subscription does not
activate, you can open the Subscription Properties dialog
box and select individual source computers to view the status for
each of them.