Event Subscription

Simple network layout

Configure the Vista1.test.com to be an event collector.

wecutil qc

Configure the MSIR2.test.com to be a event listener.

winrm quickconfig

Run the command at MSIR2

winrm Enumerate winrm/config/listener

Pay attention to the listener port: 5985

Create a subscription in Vista1.test.com:

wecutil gs msir2

The collector sends out the PULL request to port 80.

Create a Collector initiated Event Subscription

The error message shows that PULL message sends to port 80. However the listener port is 5985. No connection will be established.

Change the listening port number to 80 on MSIR2.test.com

winrm s winrm/config/listener?address=*+transport=http @{Port="80"}

Listener
Address = *
Transport = HTTP
Port = 80
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 127.0.0.1, 192.168.11.1, ::1, fe80::100:7f:fffe%13, fe80::5efe
:192.168.11.1%15

msir2.test.com

net localgroup "Event Log Readers" vista1$@test.com /add

success!!!

How about leave the listener port:5985 unchanged on MSIR2 computer?

winrm s winrm/config/listener?address=*+transport=http @{ Port="5985"}
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 127.0.0.1, 192.168.11.1, ::1, fe80::100:7f:fffe%13, fe80::5efe
:192.168.11.1%15

How about create a source computer initiated subscription?

The listener port on MSIR2 is 5985 (default).

Vista1

The subscription is inactive.

winrm qc

winrm Enumerate winrm/config/listener
Listener
Address = *
Transport = HTTP
Port = 80
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 127.0.0.1, 169.254.42.161, 191.121.14.18, 192.168.11.5, ::1, f
e80::100:7f:fffe%14, fe80::5efe:192.168.11.5%15

Default Domain Controller Policy

Computer Configuration--Administrative Templates--Windows Components --Event Forwarding--configure the server address

SubscriptionManager

MSIR2 computer:

net stop winrm

net start winrm

By default,every 15 minute, event subscription is checked.

The following commands set the interval to 2 minutes.

wecutil ss msir2 /cm:custom

wecutil ss msir2 /hi:12000

wecutil gs msir2