Event Viewer
What two kinds of subscriptions are available to machines?
1) "Push" / Source-Initiated 2) "Pull" / Collector-initiated
What are six Event Log tips?
1) Look for the first domino to fall 2) Some events fix themselves after a retry 3) Some events don't matter 4) Start with 'Administrative Events' 5) See what actions recreate events 6) Build a custom filter that's relevant for you
What two services are required to run on the collector system?
1) WinRM 2) Windows Event Collector
What is an important difference between PowerShell and the GUI?
Can use PowerShell to retrieve logs, but "Source" values are not as displayed (e.g. Get-EventLog -LogName System -Source "Microsoft-Windows-WindowsUpdateClient")
Where can the "Push" subscription Group Policy be found?
Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding
What is the purpose of an Event Subscription?
Consolidate selected events from multiple computers
What group does the collector machine need to be in to collect events from other machines?
Event Log Readers group
What is the name of the executable for Event Viewer?
Eventvwr.exe
What PowerShell command is available for obtaining Event Viewer logs?
Get-EventLog
What utility can be used to configure source machines in a "Push" subscription?
Group Policy
What does the wevtutil.exe do?
Handles queries, archiving, and log management
For what situations are "Pull" subscriptions ideal?
Limited-time testing and specifying a predetermined list of computers
What are the components of an Event Log?
Log name, Event ID, Description, Source, Level, Date/time, Computer/user
What is a problem with Event IDs?
Not always unique IDs
What is required for console remoting with Event Viewer to another machine?
Remote Event Log Management firewall exception must be enabled on remote PC
When is a "Push" subscription ideal?
When additional computers may be added to the subscription
What service is required to run on both source and collector systems?
WinRM service
Where do you find the formal PowerShell name of a source log to use the correct command?
XML information in the Event Log