My scenario:
I want several Windows servers to forward Events either to Collector A or to Collector B and so on.
What I tried:
Set the GPO:
Computer Settings – Policies – Administrative Templates – Windows Components – Event Forwarding – Configure target Subscription Manager
Server=http://Collectors.contoso.com:5985/wsman/SubscriptionManager/WEC
where Collectors is the name of the cluster (set up via NLB) of which Collector A and B are members.
The Problem: no events have been forwarded.
How does Event Forwarding actually work?
Is it possible and useful to use Network Load Balancing (NLB)?
Notes:
I'm using Windows Server 2012 R2 and all firewalls have been disabled.
My subscription on Collector A and B:
<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>pull1</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description></Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxLatencyTime>900000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="900000"/>
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0">
          <Select Path="Application">*</Select>
          <Select Path="Security">*</Select>
          <Select Path="Setup">*</Select>
          <Select Path="System">*</Select>
          <Select Path="ForwardedEvents">*</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <PublisherName>Microsoft-Windows-EventCollector</PublisherName>
  <AllowedSourceNonDomainComputers>
    <AllowedIssuerCAList>
    </AllowedIssuerCAList>
  </AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
Thanks
Best Answer
Event forwarding depends on WSMan/WinRM (Windows Remote Management service). For domain-joined scenarios, this uses Kerberos as the default for authentication and encryption, which requires a service principal name (SPN). SPNs are meant to be unique. Therefore, no two domain-joined computers should be permitted to register the same SPN for their computer accounts/identity, which makes load balancing with the default setup unworkable. While there are some guides on configuring IIS to use a specific service domain account (instead of the computer account), and letting a pool of IIS web servers share that service account, WSMan/WinRM is more of a core OS service. It seems to be heavily tied into running as the Network Service account of a machine, which in turn depends on the computer's built-in machine account and SPN. Hence, it's non-trivial to load balance Windows Event Forwarding.
Most references I've seen on the topic suggest a number of workarounds, such as:
Neither of the above provides HA, just splitting load. For HA, I've seen a recommendation to set up 2 servers with the same subscriptions, but this duplicates the events sent (and wastes bandwidth, etc).
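An added diagnostic script, not part of the question or the answer above, that checks the SPN and Kerberos situation the answer describes from the point of view of one forwarding source. It assumes the cluster name from the question, that the two NLB members are computer accounts named CollectorA and CollectorB (assumed names), and that the RSAT ActiveDirectory module is installed where it runs.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on a
# source computer that has the GPO applied; requires the RSAT ActiveDirectory module.
$ClusterName = 'Collectors.contoso.com'       # NLB name used in the GPO (from the question)
$Collectors  = @('CollectorA', 'CollectorB')  # assumed computer names of the NLB members

# 1. Which account, if any, holds the SPNs Kerberos looks up for the cluster name?
#    WinRM clients request HTTP/<host>; the WinRM service registers WSMAN/<host>.
#    Kerberos only works if each resolves to exactly one account, and that account
#    must be the one the receiving WinRM service runs as (the collector's own
#    machine account), which an NLB name shared by two members cannot satisfy.
foreach ($svc in 'HTTP', 'WSMAN') {
    Write-Host "SPN lookup for $svc/$ClusterName"
    setspn -Q "$svc/$ClusterName"
}

# 2. Compare with what each collector's own computer account has registered.
#    Each should list WSMAN/<its own name>; neither should list the cluster name.
foreach ($c in $Collectors) {
    $spns = (Get-ADComputer -Identity $c -Properties servicePrincipalName).servicePrincipalName
    $relevant = ($spns -match '^(WSMAN|HTTP)/') -join ', '
    Write-Host "$c : $relevant"
}

# 3. Can this source authenticate to the cluster name with Kerberos at all?
#    A failure here, rather than an HTTP-level error, is the symptom the answer describes.
try {
    Test-WSMan -ComputerName $ClusterName -Authentication Kerberos -ErrorAction Stop | Out-Null
    Write-Host "Kerberos WSMan identify to $ClusterName succeeded"
} catch {
    Write-Warning "Kerberos WSMan identify to $ClusterName failed: $($_.Exception.Message)"
}

# 4. What the forwarding plugin on this source logged while contacting the
#    subscription manager configured by the GPO (warnings and errors only).
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 20 |
    Where-Object { $_.LevelDisplayName -ne 'Information' } |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

If step 1 shows the cluster name registered on one collector's account, only that member can decrypt the service ticket, so sources balanced to the other member fail; if it shows nothing, Kerberos cannot issue a ticket for the cluster name at all.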