Aug 22, 2011
 

“Could you please take a look at the provisioned XenApp and XenDesktop environment? We had some random freezes yesterday”.
So you log on to a server, open the event log and find… nothing.
The servers and desktops are running on a read-only vDisk, and after a reboot all events are gone.

I’ve seen administrators work around this problem by redirecting the event log to the D: drive. Although this works just fine, there’s a much better way of doing this: event forwarding.

Event forwarding allows you to forward events to a central server called the event collector.
By doing this you’re able to get a quick overview of what’s going on, and more importantly: what’s going wrong in your environment.
Because events are stored centrally on the event collector, event forwarding is a must in any Citrix provisioning environment with read-only target devices.

Event forwarding functions through Windows Remote Management (WinRM), which comes in different versions, depending on your operating system.
For the event collector to be able to properly monitor all down-level client versions, make sure you upgrade to WinRM 2.0 (which is installed by default on Windows 7 and Windows 2008 R2).
Make sure your target devices are running at least WinRM 1.1.

Let’s start with setting up the event collector.

Log on to the server that you want to set up as an event collector and execute the following commands:

  • winrm quickconfig
  • wecutil quick-config

Now open the Event Viewer, create a new subscription (give it a meaningful name) and select “Source computer initiated”.

Add all target devices that you want to monitor in the next screen.

Back in the subscription properties screen, click “Select Events” and check “Critical”, “Warning” and “Error” from the “Application” and “System” logs.
If you also check “Information”, make sure your event collector is prepared for a high volume of events.

Back in the subscription properties screen again, click “Advanced” and select “Minimize Latency” in the next screen.

You’ve now finished configuring the event collector.
The best way to configure your target devices to forward their events to your event collector is through GPO.

Create and link a new GPO on the OU in which your target devices are located and configure the event collector name according to the screenshot below:

And finally, we configure the WinRM listener so that it is enabled automatically and listens on the network:

If you configured a Windows 2008 R2 server as an event collector (which comes with WinRM 2.0), enable “Turn on Compatibility HTTP Listener” and “Turn on Compatibility HTTPS Listener” as well if your target devices are running WinRM 1.1.

You’re all done!
Now execute a gpupdate /force and watch the events coming in.

If you can’t wait for your desktop or server to generate an error and you want to make sure everything is working correctly, you can create your own custom error by executing the following command:
eventcreate /id 666 /t Error /l System /d "Test"
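
To confirm that every target device is actually delivering events, and not just the one you tested, the following script can be run on the event collector. It is an added example, not part of the original post; it assumes the subscription writes to the default Forwarded Events log (ForwardedEvents), and the target device names are constructed placeholders.

```powershell
# Run on the event collector after creating the test event on each target device.
# Assumptions: the subscription writes to the default "Forwarded Events" log
# (ForwardedEvents); the target device names below are constructed placeholders.
$expected = 'XA-TARGET01', 'XA-TARGET02', 'XD-TARGET01'
$since    = (Get-Date).AddHours(-1)
$testId   = 666   # the ID used with eventcreate in the post

# One bucket per expected target, so devices that sent nothing still show up.
$bySource = @{}
foreach ($name in $expected) { $bySource[$name.ToUpper()] = @() }

# MachineName on a forwarded event is the originating computer, normally as an FQDN.
# SilentlyContinue: Get-WinEvent raises an error when no event matches the filter.
$filter = @{ LogName = 'ForwardedEvents'; StartTime = $since }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $short = ($_.MachineName -split '\.')[0].ToUpper()
        if ($bySource.ContainsKey($short)) { $bySource[$short] += $_ }
    }

# Build one row per expected target: event count, test event seen, last arrival.
$report = foreach ($name in $expected) {
    $seen     = $bySource[$name.ToUpper()]
    $last     = $seen | Sort-Object TimeCreated | Select-Object -Last 1
    $lastSeen = if ($last) { $last.TimeCreated }
    New-Object PSObject -Property @{
        Computer  = $name
        Events    = $seen.Count
        TestEvent = [bool]($seen | Where-Object { $_.Id -eq $testId })
        LastSeen  = $lastSeen
    }
}

$report | Select-Object Computer, Events, TestEvent, LastSeen | Format-Table -AutoSize

# Targets with no forwarded events are the ones whose logs are still lost on reboot.
$silent = @($report | Where-Object { $_.Events -eq 0 })
if ($silent.Count -gt 0) {
    $names = ($silent | ForEach-Object { $_.Computer }) -join ', '
    Write-Warning "No forwarded events in the last hour from: $names"
}
```

A target that shows zero events has either not picked up the GPO yet or cannot reach the collector over WinRM.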


  2 Responses to “Event forwarding, a must for Citrix provisioning”

  1. Very nice article!

    What happens when the event logs central server goes down?
