Reviewing events

Event Viewer can simply be opened by running eventvwr.msc. The same MMC console can also be used to connect to a remote computer using the Connect to Another Computer... option, as highlighted in the following screenshot:

We can simplify this by creating server groups in Server Manager. Server groups allow us to group systems running similar server roles or acting as part of a distributed system.

Before we go ahead and create server groups, we need to take care of the following points:

  1. We need an account with administrator privileges on all the server group members in order to create and use server groups.
  2. We must enable Windows Remote Management (WinRM); from Windows Server 2012 onward, WinRM is enabled by default. The existing WinRM configuration can be reviewed with the winrm get winrm/config command. If it's not enabled, we can enable it using the winrm quickconfig command.
  3. Even when we are logged in as a domain admin or enterprise admin, collecting events from remote computers is not allowed by default. In order to do that, we need to add the collector computer account (the server where the server group is created) to the Event Log Readers group. This is a built-in local group, and its members can read event logs from the local machine. We can add a computer account to the group using the following command:
        Add-ADGroupMember -Identity 'Event Log Readers' -Members REBELNET-PDC01$
REBELNET-PDC01 can be replaced with the name of the collector computer account (the trailing $ marks it as a computer account).
  1. In order to create a server group, go to Server Manager from the dashboard and select Create a server group:
  2. In the new window, we can provide a name for the group and add members to it. It offers different methods for searching for the members:
  3. Once a group is created, we can access it using the left-hand panel in Server Manager. Inside the group window, there is a separate section for events, labeled EVENTS. When we navigate through each member, it shows us the events related to that member in the events window:

We can configure which event data is gathered by modifying:

  • Event severity levels
  • Event time frames
  • Event log files where the data will be gathered

The following screenshot explains how we can configure event data using different options:

We can also filter events and save the filter as a query for future use. As an example, I need to list events with ID 129. I can filter them out by typing 129 in the filter field. At the same time, I can create a query for that filter and save it for future use. The next time, I can just run the query to filter out the data:

In the following screenshot, once the query is created, it can be accessed whenever needed:
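The same preparation steps and the event ID 129 filter described above can be scripted from PowerShell on the collector, which is useful for checking a new server group member before adding it. This is an added example, not code from the book; it assumes the collector is REBELNET-PDC01 (as in the chapter), that MEMBER-SERVER-01 is a placeholder for a group member, and that the ActiveDirectory module is installed.

```powershell
# Added example (not from the book): pre-flight checks for an event collector,
# followed by the "Event ID 129" filter run from PowerShell instead of the GUI.
# Assumptions: collector REBELNET-PDC01 (from the chapter), MEMBER-SERVER-01 is a
# placeholder member server, ActiveDirectory module present, run as an admin.
Import-Module ActiveDirectory

$collector = 'REBELNET-PDC01'
$member    = 'MEMBER-SERVER-01'   # placeholder for a server group member

# 1. Is WinRM reachable on the member? (the scripted form of the winrm config check)
if (-not (Test-WSMan -ComputerName $member -ErrorAction SilentlyContinue)) {
    Write-Warning "WinRM is not reachable on $member; run 'winrm quickconfig' there."
}

# 2. Is the collector's computer account in Event Log Readers? Add it if not.
$readers = Get-ADGroupMember -Identity 'Event Log Readers' -Recursive |
           Select-Object -ExpandProperty SamAccountName
if ($readers -notcontains "$collector`$") {
    Add-ADGroupMember -Identity 'Event Log Readers' -Members "$collector`$"
}

# 3. Filter for event ID 129 on the member: same knobs as the EVENTS pane
#    (severity levels, time frame, log file), here Critical/Error/Warning,
#    last 24 hours, System log.
$filter = @{
    LogName   = 'System'
    Id        = 129
    Level     = 1, 2, 3
    StartTime = (Get-Date).AddDays(-1)
}
$events = Get-WinEvent -ComputerName $member -FilterHashtable $filter -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize

# 4. Save the same filter as a reusable query. This is the XML format Event Viewer
#    stores for custom views, so the file can be imported there or re-run here.
$queryXml = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(EventID=129) and (Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
'@
$queryXml | Set-Content -Path "$env:USERPROFILE\EventID129.xml"

# Re-run the saved query later without retyping the filter.
Get-WinEvent -ComputerName $member -FilterXml ([xml]$queryXml) -MaxEvents 10
```

The saved XML can also be imported into Event Viewer through Action > Import Custom View, which gives the same reusable query shown in the screenshot.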
