70-687 Configuring Windows 8.1 – sample exam – Q54

A company has client computers that run Windows 8.1. The client computers are in a workgroup. Windows Remote Management (WinRM) is configured on all computers.
You need to configure a computer named COMPUTER1 to retrieve Windows event logs from all other computers in the workgroup.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

A. Add machine accounts of all other computers to the Event Log Readers local group on COMPUTER1.
B. Create and configure a collector-initiated subscription.
C. Start the Windows Event Collector service on all computers other than COMPUTER1.
D. Start the Windows Event Collector service on COMPUTER1.
E. Create and configure a source computer-initiated subscription.
F. Start the Windows Event Log service on all computers other than COMPUTER1.
G. Add COMPUTER1 machine account to the Event Log Readers local group on all other computers.


Correct Answer: B,D,G

Explanation:
For best management we want a collector-initiated subscription, meaning we'll be setting up the subscription at the collecting computer instead of at each individual computer. The Windows Event Collector service is required for subscriptions to work on the computer doing the collecting. The collecting computer must be a member of the Event Log Readers local group on all computers in order to be able to read the event log.
http://blog.oneboredadmin.com/2012/06/windows-event-collection.html Windows Event Collection
The only basic rules are that the source machine should have Winrm2 installed and running on it, and the Event Collector Service should be running on the collector machine. There are two methods available to complete this challenge – collector initiated and source initiated.
Collector Initiated
When defining such a subscription, you instruct the collector to open a WinRM session to the source machine(s) using a specified set of credentials (or the computer account) and ask for a subscription.
Further Information:
http://msdn.microsoft.com/en-us/library/windows/desktop/bb427443%28v=vs.85%29.aspx Windows Event Collector
You can subscribe to receive and store events on a local computer (event collector) that are forwarded from a remote computer (event source).
The following list describes the types of event subscriptions:
Source-initiated subscriptions: allows you to define an event subscription on an event collector computer without defining the event source computers. Multiple remote event source computers can then be set up (using a group policy setting) to forward events to the event collector computer. This subscription type is useful when you do not know or you do not want to specify all the event sources computers that will forward events.
Collector-initiated subscriptions: allows you to create an event subscription if you know all the event source computers that will forward events. You specify all the event sources at the time the subscription is created.
http://msdn.microsoft.com/en-us/library/windows/desktop/bb513652%28v=vs.85%29.aspx Creating a Collector Initiated Subscription
You can subscribe to receive events on a local computer (the event collector) that are forwarded from remote computers (the event sources) by using a collector-initiated subscription. In a collector-initiated subscription, the subscription must contain a list of all the event sources. Before a collector computer can subscribe to events and a remote event source can forward events, both computers must be configured for event collecting and forwarding.
http://technet.microsoft.com/en-us/library/cc748890.aspx Configure Computers to Forward and Collect Events
Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source).
In a workgroup environment, you can follow the same basic procedure described above to configure computers to forward and collect events. However, there are some additional steps and considerations for workgroups:
You can only use Normal mode (Pull) subscriptions.
You must add a Windows Firewall exception for Remote Event Log Management on each source computer.
You must add an account with administrator privileges to the Event Log Readers group on each source computer. You must specify this account in the Configure Advanced Subscription Settings dialog when creating a subscription on the collector computer.
Type winrm set winrm/config/client @{TrustedHosts=""} at a command prompt on the collector computer to allow all of the source computers to use NTLM authentication when communicating with WinRM on the collector computer. Run this command only once.
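
The workgroup steps above put together as one script. This is an added example, not code from the exam or the cited articles: the computer names, account name and subscription name are hypothetical placeholders, and the XML follows the subscription file layout that `wecutil cs` accepts. TrustedHosts takes a comma-separated list of host names, so the script names the source computers explicitly.

```powershell
# Added example; SRC1, SRC2, evtcollect and WorkgroupSystemLog are hypothetical names.
$Sources = 'SRC1', 'SRC2'      # source computers in the workgroup
$Account = 'evtcollect'        # local account that exists on every source
$SubName = 'WorkgroupSystemLog'

# --- On each SOURCE computer, from an elevated prompt ---
#   winrm quickconfig -q
#   netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
#   net localgroup "Event Log Readers" evtcollect /add

# --- On the COLLECTOR (COMPUTER1), elevated PowerShell ---
wecutil qc /q     # configures and starts the Windows Event Collector service

# Name the source computers explicitly so NTLM is only offered to those hosts.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($Sources -join ',') -Force

# One <EventSource> per source: a collector-initiated subscription lists them all.
$eventSources = ($Sources | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
}) -join "`r`n"

$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>System log pulled from workgroup sources</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Path="System"><Select>*</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Negotiate</CredentialsType>
  <EventSources>
$eventSources
  </EventSources>
</Subscription>
"@

$path = Join-Path $env:TEMP "$SubName.xml"
Set-Content -Path $path -Value $xml -Encoding UTF8

# /cup:* makes wecutil read the password from the console, keeping it out of the script.
wecutil cs $path /cun:$Account /cup:*

wecutil gr $SubName    # runtime status, reported per event source
```

`ConfigurationMode` is `Normal` because workgroups only support Normal (pull) subscriptions, and collected events arrive in the ForwardedEvents log on COMPUTER1.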
