question

WinTechie-3187 asked md5hash commented

Event forwarding

Hi,

I have a wincollecter server which stores relevant events defined in the subscription (as per event ID) from all my domain controllers in the forwarded logs section.

I want to create a new subscription on the same server (with certain Netlogon event IDs) and would like to fetch them from all domain controllers.

The problem is, if I set the destination log as "forwarded logs" then the Netlogon logs are merged with other logs which are defined in the other subscription, and I want to keep the events which are defined in the new subscription separately. How do I achieve this?

Is it possible to create a new custom log section category in Event Viewer in order to save these logs separately?

windows-server, windows-server-2012

JennyYan-MSFT answered

Hi,
Thanks for the update and workaround.
Please help to "accept answer" to close this question.

Thanks,
Jenny


JennyYan-MSFT answered

Hi,
The problem is, if I set the destination log as "forwarded logs" then the Netlogon logs are merged with other logs which are defined in the other subscription, and I want to keep the events which are defined in the new subscription separately. How do I achieve this?

Even after creating a log category in Event Viewer, it won't appear in the list of destination logs when making a subscription for event forwarding.
However, per further checking, someone shared one method to build an Instrumentation Manifest and then use some of the Windows SDK tools and the C# compiler to put it all together.
Reference link:
https://social.technet.microsoft.com/Forums/lync/en-US/f16be533-4f4a-469e-bc17-7591eb46461b/event-subscriptions-custom-destination-log?forum=winserverManagement

But if the above method does not meet your needs, you could consider adding one more step that customizes the event log filter to separate the newly created logs from the previous ones.
Advanced XML filtering in the Windows Event Viewer
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/advanced-xml-filtering-in-the-windows-event-viewer/ba-p/399761


Hope this helps and please help to accept as Answer if the response is useful.

Thanks,
Jenny



LeonLaude answered md5hash commented

Hi @WinTechie-3187,

It should be possible to create custom separate event forwarding logs, but it'll require some configuration.
Have a look here:

Creating Custom Windows Event Forwarding Logs
https://docs.microsoft.com/en-us/archive/blogs/russellt/creating-custom-windows-event-forwarding-logs


(If the reply was helpful please don't forget to upvote or accept as answer, thank you)


Best regards,
Leon


Hi Leon

Thanks for providing this solution. However, after executing "wevtutil im c:\Windows\system32\CustomEventChannels.man" I don't see the new container appearing in Event Viewer.

Although I did notice the message below while building the DLL on my test server (after executing the last command):

C:\ECMan>"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /win32res:C:\ECMan\CustomEventChannels.res /unsafe /target:library /out:C:\ECMan\CustomEventChannels.dll C:\ECMan\CustomEventChannels.cs
Microsoft (R) Visual C# Compiler version 4.7.2053.0
for C# 5
Copyright (C) Microsoft Corporation. All rights reserved.

This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240

0 Votes 0 ·
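
One way to check why no new log shows up after the `wevtutil im` step in the comment above; this is an added example, not code from the thread or the linked blog post. It assumes the manifest at the path quoted in that comment follows the standard instrumentation-manifest schema, and it must be run elevated on the collector.

```powershell
# Added diagnostic example (not from the thread). Run elevated on the collector.
# Path as quoted in the comment above; adjust if your manifest lives elsewhere.
$ManifestPath = 'C:\Windows\System32\CustomEventChannels.man'

[xml]$man = Get-Content -LiteralPath $ManifestPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($man.NameTable)
$ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events')

foreach ($p in $man.SelectNodes('//e:provider', $ns)) {
    $providerName = $p.GetAttribute('name')

    # Unless overridden with /rf and /mf, wevtutil im registers the DLL paths
    # exactly as written in the manifest, so the file has to exist at that path.
    foreach ($attr in 'resourceFileName', 'messageFileName') {
        $dll = [Environment]::ExpandEnvironmentVariables($p.GetAttribute($attr))
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        '{0,-17} {1}  exists={2}' -f $attr, $dll, $exists
    }

    # Is the provider known to the event log service?
    $prov = Get-WinEvent -ListProvider $providerName -ErrorAction SilentlyContinue
    "provider '$providerName' registered=$([bool]$prov)"

    # Each channel declared in the manifest should now be listed as a log.
    foreach ($c in $p.SelectNodes('e:channels/e:channel', $ns)) {
        $channelName = $c.GetAttribute('name')
        $log = Get-WinEvent -ListLog $channelName -ErrorAction SilentlyContinue
        if ($log) {
            "channel '$channelName' present, enabled=$($log.IsEnabled)"
        } else {
            "channel '$channelName' NOT registered"
        }
    }
}
```

Once a channel is reported as present, `wecutil ss <subscription-name> /lf:<channel-name>` sets it as that subscription's destination log (both names are placeholders).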

For the compiler-related message, you could post a separate thread in the forum below and consult the experts there for more information.

https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=csharpgeneral&filter=alltypes&sort=firstpostdesc

Best Regards,
Jenny

0 Votes 0 ·

Hi,

I have configured the subscription to capture logs in the "desired configuration state" log container as a workaround, since creation of a new container did not work. Thanks for all the inputs!

0 Votes 0 ·

Hello Leon. Would you consider please having Microsoft employees fix that page you linked to, so that the pictures work again? The text on the page references the pictures several times, and it would be useful to have those to consult. Thank you.

0 Votes 0 ·