I went ahead and successfully configured event forwarding and subscriptions (winrm/wecutil). Now is it possible to have all logs that have already happened to be forwarded to my collector? Or is it only events going forward that will be logged?
2 Answers
5
You can try this:
`WECUtil SS "SubscriptionName" /cm:custom /ree:true`
This should be done before the subscription is started. In other words, after you create the subscription, disable it, then run the above command, then re-enable it. The list will then populate.
http://blog.zenshaze.com/2011/06/13/event-forwarding-of-security-logs/

RomeNYRR
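The disable / set / re-enable sequence from the answer above, written out as a script. This is an added example, not part of the original post; the subscription name is supplied by the caller, and the existence check, the `/e` enable switch and the `gs /f:xml` verification step are additions the answer does not mention.

```powershell
#Requires -RunAsAdministrator
# Added example: run on the collector. $SubscriptionName is whatever
# name you gave the subscription when you created it.
param(
    [Parameter(Mandatory)] [string] $SubscriptionName
)

function Invoke-Wecutil {
    # Run wecutil and stop on a non-zero exit code, so a failed step
    # is reported instead of being silently skipped.
    param([string[]] $Arguments)
    $output = & wecutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "wecutil $($Arguments -join ' ') failed ($LASTEXITCODE): $output"
    }
    return $output
}

# Confirm the subscription exists before changing anything (es = enum-subscription).
if ((Invoke-Wecutil @('es')) -notcontains $SubscriptionName) {
    throw "Subscription '$SubscriptionName' not found on this collector."
}

try {
    # 1. Disable the subscription.
    Invoke-Wecutil @('ss', $SubscriptionName, '/e:false') | Out-Null
    # 2. Switch to custom configuration mode and turn on ReadExistingEvents.
    Invoke-Wecutil @('ss', $SubscriptionName, '/cm:custom', '/ree:true') | Out-Null
}
finally {
    # 3. Re-enable even if step 2 failed, so collection is not left switched off.
    & wecutil.exe ss $SubscriptionName /e:true | Out-Null
}

# Verify: read the stored configuration back as XML and check the setting.
[xml] $config = (Invoke-Wecutil @('gs', $SubscriptionName, '/f:xml')) -join "`n"
if ($config.Subscription.ReadExistingEvents -ne 'true') {
    throw "ReadExistingEvents is still '$($config.Subscription.ReadExistingEvents)'."
}
Write-Output "ReadExistingEvents is enabled for '$SubscriptionName'."

# Runtime status per source (gr = get-subscription-runtimestatus).
Invoke-Wecutil @('gr', $SubscriptionName)
```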
0
Add this:
`<ReadExistingEvents>true</ReadExistingEvents>`
to your subscription XML configuration file, inside the `<Subscription>` tag.

Mathias R. Jessen
- What's the path to the XML? :D – Rome Feb 08 '12 at 21:01
- the one you used to initiate your subscription ;-) `wecutil cs configfilename.xml` <-- that one – Mathias R. Jessen Feb 08 '12 at 21:45