Event Log Subscriptions in Windows Server 2008 (and Vista)
I've always had this love/hate affair with the Windows Event Log. Not long ago, I posted my own little list of gripes (about the old Event Log) and things I adore (about the new version).
One particular new feature about the new Event Log in Server 2008 (and also in Vista) is the ability to forward eventing information -- ol' school Syslog style -- to other computers. Why do this?
From my Windows Insider column this month in Redmond Magazine:
The idea is that some problems occur on multiple machines, so you may need to analyze log data from more than one computer for troubleshooting. If you consolidate events from each machine into a single log and sort it by time stamp, you'll get a better idea of what's going on. This type of analysis helps when you can't track down the precise nature of the problem.
For example, let's say you're having a problem between a Vista client and a machine running Windows Server 2008. Both systems are pumping data to their respective System Event logs, but you're having trouble aligning what's happening on each machine. In this case, you'll need to create a subscription on the server to inject system log data from the client into the server's system log.
The article goes on to discuss the specific steps necessary to set up forwarding between two W2008/Vista machines. The process isn't hard, but it's not trivial either. It relies on the new WinRM (Windows Remote Management) service, which is also new with Vista and W2008, and which may grace a future Windows Insider column if you keep your eyes open (hint, hint).
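As an added example (not taken from the column or from Microsoft's documentation), here is the whole collector-initiated setup scripted in PowerShell: the source (the Vista client) is enabled for WinRM and grants the collector read access to its logs, and the collector (the Server 2008 box) is enabled for event collection and given a subscription that pulls the client's System log. The host names `VISTA-CLIENT`, `COLLECTOR-SRV` and the `CONTOSO` domain are constructed placeholders; the subscription writes into `ForwardedEvents`, the default destination log, rather than directly into the server's System log as the column describes, so swap the `LogFile` element if you want the column's layout. Everything else uses the `winrm`, `wecutil` and `wevtutil` tools that ship with Vista and Server 2008.

```powershell
# --- Run on the SOURCE machine (VISTA-CLIENT), as a local administrator ---
# Constructed names for this example; replace with your own.
$SourceHost    = 'VISTA-CLIENT.contoso.local'
$CollectorHost = 'COLLECTOR-SRV.contoso.local'
$Domain        = 'CONTOSO'

# 1. Start WinRM, create the HTTP listener and open the firewall exception.
#    '-q' suppresses the interactive prompts.
winrm quickconfig -q

# 2. Least privilege: the collector's computer account only needs to READ the
#    logs, so add it to the built-in Event Log Readers group instead of Administrators.
#    Machine accounts end in '$' (single quotes keep PowerShell from expanding it).
net localgroup 'Event Log Readers' ('{0}\{1}$' -f $Domain, ($CollectorHost -split '\.')[0]) /add

# --- Run on the COLLECTOR machine (COLLECTOR-SRV), as a local administrator ---

# 3. Enable the Windows Event Collector service (sets it to delayed auto-start).
wecutil qc /q

# 4. Describe the subscription. A single-quoted here-string is used so that
#    nothing inside the XML is interpolated. The XPath in <Query> selects the
#    whole System log; narrow it (for example to Level 1-3, critical/error/
#    warning) if the client is chatty.
$SubscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SystemLogFromVistaClient</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Pull the System log from VISTA-CLIENT for side-by-side troubleshooting</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="System">
          <Select Path="System">*</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>VISTA-CLIENT.contoso.local</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@

# 5. Write the XML to disk and register it. 'Default' credentials mean the
#    collector's machine account authenticates to the source, which is why
#    step 2 put that account into Event Log Readers.
$SubFile = Join-Path $env:TEMP 'SystemLogFromVistaClient.xml'
Set-Content -Path $SubFile -Value $SubscriptionXml -Encoding UTF8
wecutil cs $SubFile

# 6. Verify: runtime status shows whether the source is Active or reports an
#    access/transport error; then peek at the newest forwarded records.
wecutil gr SystemLogFromVistaClient
wevtutil qe ForwardedEvents /c:5 /rd:true /f:text
```

Two things worth knowing before you trust the forwarded log: `ReadExistingEvents` is `false`, so only events written after the subscription is created are pulled, and the source still owns the original copy, which is exactly what makes forwarding useful from a defender's point of view: clearing the System log on the client does not remove the records already sitting on the collector.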
If you've always wanted your own little Syslog capabilities, check out the article at:
http://redmondmag.com/columns/article.asp?editorialsid=1868

Comments
You can also use Splunk to collect and search Windows Event Logs across many Windows machines on your network.
Posted by: Ledio Ago | September 19, 2008 6:06 PM