Remote Windows Event Log Monitoring

The Monitoring Server is able to monitor the local MS Windows Event Logs. However, the Windows Events Collector can be set up so that Event Logs from remote MS Windows servers can also be monitored. This allows a larger number of Windows events to be captured, and Alerts can be created for many servers that do not have Prognosis installed.

The Windows Events Collector process is not enabled by default. In order to enable the monitoring of Windows Events from Skype for Business servers, the following procedure will need to be completed.

Once the configuration is set up, data can be viewed through the Skype for Business Windows Events Display.

Enable Remote Windows Event Log Monitoring

Open the PROGNOSIS Configuration and start the Windows Event Collector. To do this, update the following statement by changing N (No) to Y (Yes):

SET RUN (irWIN_EVENTS.EXE,Y)

Set up the WIN_EVENTS Configuration. For details, see WIN_EVENTS Configuration Syntax.

Example:

ADD SERVER ( \remote.server.com, "eventlognames=Lync Server", ip=10.0.0.1, domain=PR, customer=IR, custom=WinEvents:RemoteServer)
DEFINE SUBSCRIBE-TIMEOUT (30)
DEFINE SUBSCRIBE-ATTEMPTS (2)

Start the Databases for Skype for Business on each Monitoring Server, if not already started.

Start the Thresholds and Alerts for Skype for Business, if not already running.

Configure the MS Windows Firewall on the remote server (see Configuring the MS Windows Firewall).

Configuring the MS Windows Firewall

A firewall exception for the Remote Event Log Management application must be added in order to allow a remote client to view Windows Events remotely. To do this, use the following steps:

Open the Windows Control Panel and navigate to the Windows Firewall settings.

Click on Allow an app or feature through Windows Firewall.

Check Remote Event Log Management in the list of 'Allowed apps and features'.

Check Private or Public network as appropriate.

Click the OK button.

Configuring the MS Windows Firewall with Advanced Security

In the Windows Control Panel, on the Windows Firewall screen, click Advanced Settings.

The following inbound rules need to be enabled in order to allow a remote client to subscribe to Windows events remotely.

1) Remote Event Log Management (NP-In)

2) Remote Event Log Management (RPC)

3) Remote Event Log Management (RPC-EPMAP)
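
The same three inbound rules can be enabled and checked from an elevated PowerShell session on the remote server. This is an added example, not part of the Prognosis documentation. It assumes English rule display names, and it additionally limits the rules to a single source address: 192.0.2.10 is a placeholder for your Monitoring Server's IP, and the remote host name in the final comment is also a placeholder.

```powershell
# Added example: run elevated on the remote (monitored) server.
# $MonitoringServerIp is a placeholder; replace it with your Monitoring Server's address.
param(
    [string]$MonitoringServerIp = '192.0.2.10'
)

# The three inbound rules listed above (English display names assumed).
$ruleNames = @(
    'Remote Event Log Management (NP-In)',
    'Remote Event Log Management (RPC)',
    'Remote Event Log Management (RPC-EPMAP)'
)

foreach ($name in $ruleNames) {
    $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rules) {
        Write-Warning "Firewall rule not found: $name"
        continue
    }
    # Enable the rule and accept connections only from the Monitoring Server,
    # rather than from any host on the selected network profile.
    $rules | Set-NetFirewallRule -Enabled True -RemoteAddress $MonitoringServerIp
}

# Verify: list every rule in the group with its profile, state and allowed source.
Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            Action        = $_.Action
            RemoteAddress = $filter.RemoteAddress -join ','
        }
    } | Format-Table -AutoSize

# Optional read test, run from the Monitoring Server (host name is a placeholder):
#   Get-WinEvent -ComputerName remote.example.com -LogName 'Lync Server' -MaxEvents 1
```

If the read test fails after the rules show as enabled, check that the RemoteAddress value matches the address the Monitoring Server actually connects from.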

Subscribing to MS Windows Events as a Remote User

Both administrative and non-administrative users can remotely subscribe to Windows Events.

Additionally, remote users capturing WMI Events can also subscribe to Windows Events. See WMI Configuration for Non-Administrative Users.
