Centralized Logging via Windows Event Forwarding

  • Question

  • User1793880994 posted

    Hello, I understand that with Windows Server 2016, and possibly earlier, it is possible to send IIS logs to the Event Viewer as well as to the file. I was able to get the logs into the Event Viewer on the local machine running IIS; however, when I try to use Windows Event Forwarding to retrieve the logs from a collector, I am unable to do so. The collector doesn't show the option for IIS-Logging when selecting events. It only shows the option if IIS is installed, and even then it is unable to retrieve the logs. The standard Windows logs (Application, System, Security, etc.) show up just fine.

    The purpose of this is to set up a centralized logging server, and then use an application such as NXLog to forward to a syslog server. Any help would be appreciated!

    Tuesday, January 23, 2018 4:32 AM

All replies

  • User-460007017 posted

    Hi aunraza,

    If you need to set up Windows Event Forwarding, please ensure that in IIS Manager -> site level -> Logging, "Both log file and ETW event" has been selected.

    Secondly, please go to Event Viewer -> Applications and Services Logs\Microsoft\Windows\IIS-Logging -> right-click Logs -> Enable.

    Then you can create the subscription for Applications and Services Logs\Microsoft\Windows\IIS-Logging.

    Best Regards,

    Yuk Ding

    Tuesday, January 23, 2018 6:38 AM
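The three steps in the reply above (log to the ETW channel, enable the channel, subscribe to it) as one scripted, source-initiated setup. This is an added example and is not code from the thread or from Microsoft; it assumes the site is named `Default Web Site`, the collector is `wec01.corp.example`, the subscription is called `IIS-W3C-ETW`, and that the channel is named `Microsoft-IIS-Logging/Logs` (confirm with `wevtutil el | findstr IIS` on the IIS host). The subscription query is written by hand because the Event Viewer wizard only lists channels that exist on the collector itself, which is why a collector without IIS never offers IIS-Logging; the XPath below targets the channel regardless. The registry value in step 3 is what the "Configure target Subscription Manager" Group Policy setting writes; use the GPO in production. Run both halves from an elevated PowerShell prompt on the respective hosts.

```powershell
# ---- SOURCE (IIS host) ----
Import-Module WebAdministration
$site    = 'Default Web Site'            # assumption: adjust to your site
$channel = 'Microsoft-IIS-Logging/Logs'  # assumption: verify with 'wevtutil el'

# 1. Log to both the W3C file and the ETW channel (the IIS Manager option
#    "Both log file and ETW event" sets logTargetW3C to File,ETW).
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter "system.applicationHost/sites/site[@name='$site']/logFile" `
    -Name logTargetW3C -Value 'File,ETW'

# 2. The channel is disabled until you enable it (right-click Logs -> Enable).
wevtutil sl $channel /e:true

# 3. WinRM listener plus the Subscription Manager entry that points the source
#    at the collector (GPO equivalent; only TCP 5985 needs to be open inbound
#    on the collector, there is no need to disable the firewall).
winrm quickconfig -q
$sm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $sm -Force | Out-Null
Set-ItemProperty -Path $sm -Name '1' `
    -Value 'Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'
gpupdate /force | Out-Null

# 4. Prove the channel is live locally before looking at forwarding.
Invoke-WebRequest -UseBasicParsing 'http://localhost/' | Out-Null
Get-WinEvent -LogName $channel -MaxEvents 3 | Format-List TimeCreated, Message

# ---- COLLECTOR ----
wecutil qc /q:true   # start and auto-start the Windows Event Collector service

$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>IIS-W3C-ETW</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>IIS W3C log entries from the ETW channel</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Microsoft-IIS-Logging/Logs">
        <Select Path="Microsoft-IIS-Logging/Logs">*</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@
$path = Join-Path $env:TEMP 'iis-w3c-etw.xml'
$subscription | Set-Content -Path $path -Encoding UTF8
wecutil cs $path      # create the subscription
wecutil gs IIS-W3C-ETW   # echo it back to confirm the query was accepted
```

`ContentFormat` is set to `RenderedText` so the forwarded events carry the rendered W3C line, which is what an agent such as NXLog reading `ForwardedEvents` will want to ship to syslog. `AllowedSourceDomainComputers` admits any domain-joined computer (`DC` = Domain Computers); tighten it to a group containing only your IIS hosts.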
  • User1793880994 posted

    Hello Yuk,

    This works fine on the local machine and I see the logs there, but when using Windows Event Forwarding, where I want to be able to see these events on a central server, I am unable to do so. This works fine for the standard Windows logs.

    Thanks.

    Tuesday, January 23, 2018 6:43 AM
  • User-460007017 posted

    Hi aunraza,

    You also need to ensure the machines are in the same domain. Secondly, remember to run cmd as administrator and then run

    winrm quickconfig 

    to enable the centralized subscription on the target server.

    If it fails, please try to disable the firewall.

    Of course, you need to enable the group policy:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)

    Best Regards,

    Yuk Ding

    Tuesday, January 23, 2018 8:19 AM
  • User1793880994 posted

    Hi Yuk,

    Centralized logging is working for Windows Logs (Application, System, Security, etc.), but is not working for IIS Logging, as I mentioned earlier. The machines are in the same domain. I've already run the command you mentioned as part of the initial steps to enable centralized logging, but I understand that as of Windows 2012 and higher, WinRM is enabled by default.

    Any other suggestions?

    Thanks.

    Tuesday, January 23, 2018 10:29 AM
  • User-460007017 posted

    Hi aunraza,

    What's the status when you right-click the subscription -> Status? And can you pass the test when you add the computer to a collector-initiated subscription? I think the problem must be that the user account doesn't have permission to access the forwarded event log. So please ensure you have added the domain account to Active Directory Users and Computers\domain.com\Builtin\Event Log Readers.

    Just remember to reboot both servers.

    If it is still not working, please try this:

    https://rockyprogress.wordpress.com/2011/12/04/security-event-log-collection-from-a-domain-controller/

    In addition, remember to disable the firewall.

    Best Regards,

    Yuk Ding

    Wednesday, January 24, 2018 9:49 AM
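A scripted version of the two checks suggested in the reply above (subscription status, and whether the reading account can actually open the channel). This is an added example, not code from the thread. It assumes the subscription id `IIS-W3C-ETW` and the channel name `Microsoft-IIS-Logging/Logs`; adjust both to your names. One caveat the thread's Event Log Readers advice does not cover: with a source-initiated subscription the events are read on the IIS host by the WinRM service, which runs as NETWORK SERVICE (SDDL `NS`, SID S-1-5-20). The built-in logs carry an ACE for the Event Log Readers group, but a product-specific channel does not necessarily do so, so adding accounts to that group helps only if the channel's own access list references it. The script therefore inspects the channel's `channelAccess` SDDL directly and appends a read ACE for NETWORK SERVICE when none is present.

```powershell
# ---- COLLECTOR: per-source runtime status ----
# Each source should show RunTimeStatus: Active and LastError: 0; anything else
# is the error the source reported when it last tried to deliver.
wecutil gr IIS-W3C-ETW

# ---- SOURCE (IIS host): can NETWORK SERVICE read the channel? ----
$channel = 'Microsoft-IIS-Logging/Logs'   # assumption: verify with 'wevtutil el'

# 'wevtutil gl' prints one 'channelAccess: O:...G:...D:(A;;...)' line with the
# channel's security descriptor in SDDL form.
$sddl = (wevtutil gl $channel | Where-Object { $_ -match '^channelAccess:' }) `
            -replace '^channelAccess:\s*', ''
if (-not $sddl) { throw "channel '$channel' not found on this host" }

# An ACE for NETWORK SERVICE may be written as the 'NS' alias or as its SID.
if ($sddl -match ';;;(NS|S-1-5-20)\)') {
    Write-Host "NETWORK SERVICE already has an ACE on ${channel}:`n  $sddl"
} else {
    # 0x1 is the read right on an event log channel; appending the ACE to the
    # DACL keeps every existing grant in place.
    $new = "$sddl(A;;0x1;;;NS)"
    Write-Host "Granting NETWORK SERVICE read on ${channel}:`n  $new"
    wevtutil sl $channel /ca:"$new"
}

# ---- SOURCE: did the forwarder pick up the subscription at all? ----
# The forwarding plugin logs its connection attempts to the collector here;
# errors in this log (DNS, 5985 blocked, SPN/Kerberos) explain an Inactive
# status on the collector better than the subscription itself does.
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 5 |
    Format-Table TimeCreated, Id, Message -Wrap
```

After changing the channel ACL, restart the Windows Remote Management service on the source (`Restart-Service WinRM`) rather than rebooting; the forwarder re-reads the subscription at the `Refresh` interval set in the Subscription Manager entry, so allow that long before checking `wecutil gr` again.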