Enabling Windows event collection (Windows collection host)

Before you create the data collector for collecting Windows events remotely, you must first enable event collection by configuring the target host (where the events reside) and the collection host (where the Collection Agent or Collection Station resides).

Before you begin

Ensure that the following requirements are already met:

  • On the target host and the collection host, ensure that Windows PowerShell 2.0 or later is already installed.

    Tip

    To find out whether the target host has PowerShell installed, open a command prompt and run the following command:

    powershell -Command "&{$PSVersionTable.PSVersion}"

  • On the Collection Agent host, ensure that Microsoft .NET Framework 4.0 or later is already installed.
    For instructions on downloading and installing Microsoft .NET Framework, see the Microsoft documentation.
  • Ensure that you have administrator privileges to perform the configurations required for enabling the event collection.
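The following script is an added example, not part of the product documentation: run it on each host to check the three requirements listed above in one pass. It assumes that .NET Framework 4.x can be detected through its setup registry key `HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full`, which .NET 4.0 and later create during installation, and the function name `Test-EventCollectionPrerequisites` is the example's own.

```powershell
# Added example (not from the product documentation): checks the prerequisites
# for Windows event collection on the host it runs on and returns one object.

function Test-EventCollectionPrerequisites {
    # Windows PowerShell 2.0 or later. $PSVersionTable only exists from 2.0 on,
    # so on a 1.0 host this line fails, which is itself the answer.
    $psVersion = $PSVersionTable.PSVersion
    $psOk = $psVersion.Major -ge 2

    # .NET Framework 4.0 or later (required on the Collection Agent host).
    # Assumption: the v4\Full setup key is present only when .NET 4.x is installed;
    # its 'Version' value is the installed 4.x version string.
    $netKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $netVersion = (Get-ItemProperty -Path $netKey -ErrorAction SilentlyContinue).Version
    $netOk = -not [string]::IsNullOrEmpty($netVersion)

    # Administrator privileges: Enable-PSRemoting, group membership, registry
    # permissions and TrustedHosts changes all need an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    New-Object PSObject -Property @{
        PowerShellVersion   = $psVersion
        PowerShellOk        = $psOk
        DotNet4Version      = $netVersion
        DotNet4Ok           = $netOk
        IsAdministrator     = $isAdmin
        AllPrerequisitesMet = ($psOk -and $netOk -and $isAdmin)
    }
}

Test-EventCollectionPrerequisites | Format-List
```

On the target host only the PowerShell version and administrator checks matter; the `DotNet4Ok` field is relevant on the Collection Agent host.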

To enable the event collection


  1. On the target host, perform the following steps with Administrator privileges.
    • If you plan to use Administrator credentials as an input while creating the data collector: Run the following command to enable the running of remote PowerShell commands on the target host.

      powershell.exe invoke-command -scriptblock "{Enable-PSRemoting -force;}"

    • If you plan to use non-Administrator credentials as an input while creating the data collector: Perform the following steps:
      1. Run the following command to enable the running of remote PowerShell commands on the target host by starting the WinRM service.

        powershell.exe invoke-command -scriptblock "{Enable-PSRemoting -force;}"

      2. Run the following command to add the user account to the Event Log Readers group.

        net localgroup "event log readers" <username> /add

        In the preceding command, replace <username> with the user name that you plan to use while creating the data collector.

      3. With non-Administrator credentials, you might not be able to collect the Security log. To enable collection of the Security log, grant the appropriate permissions to the non-admin user that you plan to use for collecting the logs. To grant these permissions, follow these steps:
        1. Launch regedit as an Administrator.
        2. Navigate to the following path:
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security
        3. Right-click Security and select Permissions.
        4. Add the non-admin user and provide Read permissions to that user.
  2. On the collection host, run the following command to add the target host name to an existing list of trusted hosts.

    powershell.exe invoke-command -scriptblock "{$h = '<host>';$curValue = (get-item wsman:\localhost\Client\TrustedHosts).value; $newValue = ''; if([string]::IsNullOrEmpty($curValue)) { $newValue = $h; } else{ $newValue = $curValue+', '+ $h;} echo $newValue; set-item wsman:\localhost\Client\TrustedHosts -value $newValue -force;}"

    In the preceding command, replace <host> with the target host name.
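The following script is an added example, not the product's own code: it carries the whole two-step procedure above through in PowerShell, with a verification at the end that the reader account can actually read each log over WinRM. Assumptions: the target-host function runs on the target host and the collection-host function on the collection host, both from an elevated PowerShell session; `COLLECT-USER` and `TARGET01` are placeholders for the non-admin account and the target host name; the function names are the example's own. It also goes slightly beyond the page's TrustedHosts command by refusing to add a name that is already in the list.

```powershell
# Added example (not from the product documentation). Placeholders: COLLECT-USER
# (non-admin collection account) and TARGET01 (target host name).

# --- Run on the TARGET host (elevated) ------------------------------------
function Enable-TargetHostCollection {
    param([Parameter(Mandatory = $true)][string]$ReaderAccount)

    # Step 1: start WinRM, create the listener and allow remote PowerShell.
    Enable-PSRemoting -Force

    # Step 2: a non-admin reader needs Event Log Readers membership.
    # An error that the account is already a member is harmless here.
    net localgroup "Event Log Readers" $ReaderAccount /add

    # Step 3: grant Read on the Security event log registry key (the manual
    # regedit steps above, as an ACL rule that inherits to subkeys).
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $ReaderAccount,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
}

# --- Run on the COLLECTION host (elevated) --------------------------------
function Add-TrustedCollectionTarget {
    param([Parameter(Mandatory = $true)][string]$TargetHost)

    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item -Path $path).Value
    $entries = @()
    if (-not [string]::IsNullOrEmpty($current)) {
        $entries = $current -split '\s*,\s*'
    }
    # Already trusted: leave the list untouched instead of appending a duplicate.
    if ($entries -contains $TargetHost) { return $current }

    $newValue = (@($entries) + $TargetHost) -join ', '
    Set-Item -Path $path -Value $newValue -Force
    return $newValue
}

# --- Verify from the COLLECTION host ---------------------------------------
function Test-EventCollection {
    param(
        [Parameter(Mandatory = $true)][string]$TargetHost,
        [Parameter(Mandatory = $true)][PSCredential]$Credential
    )
    # Is WinRM answering on the target at all?
    Test-WSMan -ComputerName $TargetHost -ErrorAction Stop | Out-Null

    # Can the reader account fetch one event from each log? An empty log
    # reports "No events were found", which is not a permission failure.
    Invoke-Command -ComputerName $TargetHost -Credential $Credential -ScriptBlock {
        foreach ($log in 'Application', 'System', 'Security') {
            try {
                $e = Get-WinEvent -LogName $log -MaxEvents 1 -ErrorAction Stop
                '{0}: readable (latest event {1})' -f $log, $e.TimeCreated
            } catch {
                '{0}: NOT readable ({1})' -f $log, $_.Exception.Message
            }
        }
    }
}

# Usage (placeholders):
#   On TARGET01:            Enable-TargetHostCollection -ReaderAccount 'COLLECT-USER'
#   On the collection host: Add-TrustedCollectionTarget -TargetHost 'TARGET01'
#                           Test-EventCollection -TargetHost 'TARGET01' -Credential (Get-Credential 'COLLECT-USER')
```

A host listed in TrustedHosts is reached with NTLM rather than Kerberos, so the client no longer verifies the server's identity; keep the list to the explicit target host names you collect from, and do not use the `*` wildcard. If the verification reports the Security log as not readable, the registry permission from step 3 is the first thing to re-check.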

