
Q: What are some simple tips for testing and troubleshooting Windows event forwarding and collection?

A: For testing Windows event forwarding and collection, you can use the Eventcreate command-line utility (eventcreate.exe). This tool lets an administrator write a custom event to the Application or System log (it can't write to the Security log, and the event ID must be in the range 1 through 1000), so it only exercises a subscription whose query includes the log you write to. For example, to create an event with event ID 100 in the Application log, type the following command on the event source computer:

eventcreate /t error /id 100 /l application /d "Custom event in application log"

If all event forwarding and collection components are functioning properly and network latency is normal, the test event you create on a source computer should arrive in the event collector's Forwarded Events log within about a minute when the subscription uses the Minimize Latency delivery optimization. With the default Normal setting, the source batches events and can hold them for up to 15 minutes before sending, so wait that long before treating a missing event as a failure.
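The same end-to-end test, written as a PowerShell script that runs on the event collector. This is an added example and not code from the original article: it creates the event ID 100 test event on the source over WinRM remoting, tags it with a unique marker, and then polls the collector's Forwarded Events log for that marker. The source computer name and the timeout are placeholders, and the account running the script is assumed to be allowed to run eventcreate on the source.

```powershell
# Added example, not from the original article: end-to-end WEF delivery test.
# Run on the event collector. SourceComputer and TimeoutSeconds are assumptions;
# the calling account must be able to remote to the source and run eventcreate there.
param(
    [string]$SourceComputer = 'SRC01',   # assumed source computer name
    [int]$TimeoutSeconds    = 120        # raise to ~900 for the default "Normal" delivery optimization
)

# Unique marker so a stale event from an earlier test cannot produce a false pass.
$marker      = [guid]::NewGuid().ToString()
$description = "WEF delivery test $marker"
$started     = Get-Date

# Create the test event on the source: event ID 100, type Error, Application log
# (the same eventcreate command as above, run remotely over WinRM).
Invoke-Command -ComputerName $SourceComputer -ArgumentList $description -ScriptBlock {
    param([string]$d)
    eventcreate.exe /t error /id 100 /l application /d $d | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "eventcreate failed on $env:COMPUTERNAME (exit code $LASTEXITCODE)" }
}

# Poll ForwardedEvents on the collector until the tagged event shows up or we time out.
# StartTime is padded to tolerate clock skew between source and collector; the marker,
# not the timestamp, is what identifies the event.
$filter   = @{ LogName = 'ForwardedEvents'; Id = 100; StartTime = $started.AddMinutes(-15) }
$deadline = $started.AddSeconds($TimeoutSeconds)
$hit      = $null
do {
    $hit = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -like "*$marker*" } |
           Select-Object -First 1
    if (-not $hit) { Start-Sleep -Seconds 5 }
} until ($hit -or (Get-Date) -gt $deadline)

if ($hit) {
    $elapsed = [int]((Get-Date) - $started).TotalSeconds
    "PASS: event $marker from $($hit.MachineName) reached ForwardedEvents after $elapsed s"
} else {
    Write-Warning "FAIL: event $marker not in ForwardedEvents after $TimeoutSeconds s; run 'wecutil gr <subscription>' here and 'gpupdate /force' on $SourceComputer"
    exit 1
}
```

The marker matters more than it looks: without it, a test that checks only for "any event ID 100 in ForwardedEvents" passes on leftovers from yesterday's run. MachineName on the received event tells you which source actually delivered it, which is useful when several sources feed one subscription.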

If the event doesn't appear on the event collector, you can consider the following simple troubleshooting steps:

  •  Make sure you've applied the latest Group Policy Object (GPO) settings on the source computer. The configuration for event forwarding on the source computer can be set using GPO settings. To make sure the latest GPO settings have been applied, you can force GPO application by typing the following at the command line on the source computer:
gpupdate /force
  • Check the status of the Windows Remote Management (WinRM) service on the source computer. Make sure WinRM is running and set to start automatically. On Windows client versions, WinRM isn't enabled and configured by default (Windows Server 2012 and later enable it out of the box), but you can easily do so from the command line using the winrm command and the quickconfig switch, as follows:
winrm quickconfig

This command sets the WinRM service to start automatically, creates a WinRM listener, and creates a Windows Firewall exception for WinRM.

  • Make sure that the event collector can reach the source computer using WinRM. To do so, run the following command on the event collector:
winrm id -remote:<source_computer_name> -auth:none
  • If you use collector-initiated event subscriptions, make sure the collector is using the right credentials for connecting to the source computer. To check the credentials against the source computer, run the following command on the collector machine:
winrm id -remote:<source_computer_name> -u:<username> -p:<password>
  • If you use collector-initiated event subscriptions, make sure that the account you use to connect to the source computer is a member of the Event Log Readers group on the source computer. Event Log Readers is a built-in local group whose members can read the computer's event logs, including the Security log, without being administrators; an account that is neither an administrator nor a member of this group will be refused when the subscription tries to read events. With source-initiated subscriptions the reads run as the WinRM service's account, NETWORK SERVICE, so that account needs the membership instead.
  • Check whether the source computer has registered with the event collector. To list all registered source computers for a given subscription, use the following Windows Event Collector Utility (wecutil.exe) command:

wecutil gr <name_of_subscription>
  • Make sure that event forwarding isn't blocked by bad Windows Firewall configuration settings. With source-initiated subscriptions the source computers connect to the collector, so check the collector's inbound rules; with collector-initiated subscriptions the collector connects to the sources, so check the inbound rules on each source. Make sure the Windows Firewall Inbound Rules for incoming WinRM connections are enabled ("Windows Remote Management (HTTP-In)" for TCP port 5985, and "Windows Remote Management (HTTP-In)-Compatibility Mode" for TCP port 80 if you rely on a compatibility-mode listener). If you've configured a subscription to use the HTTPS protocol, you must also allow the HTTPS listener's port: 5986 by default, or 443 only if you created a compatibility-mode HTTPS listener.
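The troubleshooting steps above, collected into one PowerShell checklist that runs on the event collector against a single source computer and subscription. This is an added example, not a script from the original article. The source name, subscription name, credential and HTTPS port are placeholders; it assumes Windows 8/Server 2012 or later on the collector for the NetSecurity cmdlets, and Windows 10/Server 2016 or later on the source for Get-LocalGroupMember.

```powershell
# Added example, not from the original article: WEF troubleshooting checklist.
# Run on the event collector. SourceComputer, Subscription, Credential and HttpsPort
# are assumptions; change them to match your environment ('wecutil es' lists subscriptions).
param(
    [string]$SourceComputer   = 'SRC01',            # assumed source computer name
    [string]$Subscription     = 'ForwardedEvents',  # assumed subscription name
    [pscredential]$Credential = $null,              # collector-initiated subscriptions only
    [int]$HttpsPort           = 0                   # 5986 (or 443 for compatibility mode) if the subscription uses HTTPS
)

function Check([string]$Name, [bool]$Ok, [string]$Hint) {
    if ($Ok) { "[PASS] $Name" } else { "[FAIL] $Name - $Hint" }
}

# 1. The Windows Event Collector service (Wecsvc) must be running to receive anything.
$wec = Get-Service Wecsvc -ErrorAction SilentlyContinue
Check 'Windows Event Collector service is running' ($wec -and $wec.Status -eq 'Running') "run 'wecutil qc' on the collector"

# 2. Unauthenticated identify, the same probe as 'winrm id -remote:<source> -auth:none'.
$reach = $false
try { $null = Test-WSMan -ComputerName $SourceComputer -ErrorAction Stop; $reach = $true } catch { }
Check "WinRM reachable on $SourceComputer" $reach "run 'winrm quickconfig' on the source and check its firewall"

# 3. Authenticated identify, as in 'winrm id -remote:<source> -u:<user> -p:<password>'.
if ($Credential) {
    $auth = $false
    try {
        $null = Test-WSMan -ComputerName $SourceComputer -Authentication Default -Credential $Credential -ErrorAction Stop
        $auth = $true
    } catch { }
    Check "Subscription credentials accepted by $SourceComputer" $auth 'wrong password, or the account is not allowed to use WinRM'
}

# 4. WinRM service state on the source (queried over WinRM, so it depends on step 2).
$svc = Invoke-Command -ComputerName $SourceComputer -ErrorAction SilentlyContinue -ScriptBlock {
    Get-CimInstance Win32_Service -Filter "Name='WinRM'"
}
Check 'WinRM on the source is Running and set to Automatic' `
      ($svc -and $svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto') "run 'winrm quickconfig' on the source"

# 5. Event Log Readers on the source. Collector-initiated subscriptions read as the
#    subscription account; source-initiated ones read as NETWORK SERVICE. Only direct
#    members are listed, so membership through a nested group shows as FAIL here.
$reader  = if ($Credential) { $Credential.UserName } else { 'NT AUTHORITY\NETWORK SERVICE' }
$members = Invoke-Command -ComputerName $SourceComputer -ErrorAction SilentlyContinue -ScriptBlock {
    (Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue).Name
}
Check "$reader is a direct member of Event Log Readers on $SourceComputer" ($members -contains $reader) `
      "on the source run: net localgroup `"Event Log Readers`" `"$reader`" /add"

# 6. Registration: 'wecutil gr <subscription>' lists every source with its RunTimeStatus and LastError.
$gr = @(& wecutil.exe gr $Subscription 2>&1 | ForEach-Object { "$_" })
Check "Subscription '$Subscription' exists on the collector" ($LASTEXITCODE -eq 0) "'wecutil es' lists the subscriptions that do exist"
$srcLines = for ($i = 0; $i -lt $gr.Count; $i++) {
    if ($gr[$i] -match [regex]::Escape($SourceComputer)) { $gr[$i..([math]::Min($i + 2, $gr.Count - 1))] }
}
Check "$SourceComputer is listed under subscription '$Subscription'" ([bool]$srcLines) `
      "the source has not registered; check its subscription manager GPO and run 'gpupdate /force' there"
if ($srcLines) { $srcLines | ForEach-Object { "       $($_.Trim())" } }

# 7. Inbound firewall on the collector (what source-initiated subscriptions need). WinRM
#    listens on TCP 5985 for HTTP; HTTPS is 5986 by default and 443 only in compatibility mode.
#    Port ranges in rules are not expanded here, only exact port entries match.
$ports = @(5985)
if ($HttpsPort) { $ports += $HttpsPort }
foreach ($port in $ports) {
    $open = Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
            Where-Object { $_.LocalPort -contains "$port" } |
            Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    Check "Collector firewall allows inbound TCP $port" ([bool]$open) 'enable the matching Windows Remote Management (HTTP-In) rule'
}
```

Read the output top to bottom: a FAIL at step 2 makes steps 4 and 5 fail as well, because they are queried over the same WinRM connection, so fix the first failure before reading further. Step 6 prints the source's own lines from wecutil so a nonzero LastError (5 is access denied, which usually points back at step 5) is visible next to the registration check.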

You can find more event forwarding and collection troubleshooting tips in the Microsoft TechNet article "Configure Computers to Forward and Collect Events."
