Source Initiated Subscription – Non Domain Joined Machines


So you came here expecting to learn how to set up a source initiated subscription because you have a non domain joined machine you want to collect event logs from.

You’ve followed the instructions here: https://msdn.microsoft.com/en-us/library/windows/desktop/bb870973%28v=vs.85%29.aspx  and failed.

Same. I failed for days.

So after a suggestion from a colleague to fool the Collector Initiated one using a computer object in AD I found this process worked fine.

1 – Create a computer object with the name of the server you want to collect events from

2 – Create a local account on the server and add it to the Administrators and Event Log Readers groups

3 – Create a Collector Initiated subscription on your collector and add the “domain joined machine”, selecting the fake computer object from AD.

4 – Set the Advanced options to use a user account when connecting to the non domain joined machine. Specify the name of the server and the server account as SERVER\USERNAME and set the password.

5 – Set the trusted host for Windows Remote Management on the collector, making sure you use the FQDN: winrm s winrm/config/client @{TrustedHosts="YourServersFQDN"}

6 – Set it to HTTP not HTTPS; I haven’t worked out how to do HTTPS yet.

7 – Ensure the server you want to collect from is set up for remote management and has the correct firewall rules for port 5985. Running winrm quickconfig on it usually helps with that.
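A collector-side check for steps 4 to 7, added here as an example and not part of the original post: it sets TrustedHosts without overwriting existing entries, confirms that port 5985 is reachable and that the local account can log on over WinRM, then prints the subscription's runtime status. The FQDN and the subscription name are constructed placeholders.

```powershell
# Added example: run in an elevated PowerShell session on the collector.
# Constructed placeholder values; replace them with your own.
$SourceFqdn   = 'server01.example.com'    # FQDN of the non domain joined server
$Subscription = 'NonDomainServerEvents'   # hypothetical subscription name
$Cred = Get-Credential -Message 'Local account on the source (SERVER\USERNAME)'

# Step 5: add the FQDN to TrustedHosts, keeping whatever is already listed.
$path    = 'WSMan:\localhost\Client\TrustedHosts'
$trusted = @((Get-Item $path).Value -split ',' |
             ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($trusted -contains '*') {
    Write-Warning 'TrustedHosts is "*": this collector will send credentials to any host.'
} elseif ($trusted -notcontains $SourceFqdn) {
    Set-Item $path -Value $SourceFqdn -Concatenate -Force
}

# Step 6 uses HTTP, so confirm the client still refuses unencrypted traffic.
# While this is 'false', WinRM encrypts the payload at the message level.
if ((Get-Item WSMan:\localhost\Client\AllowUnencrypted).Value -ne 'false') {
    Write-Warning 'Client AllowUnencrypted is enabled; WinRM over HTTP may be sent in clear text.'
}

# Step 7: is the HTTP listener reachable through the firewall?
$port = Test-NetConnection -ComputerName $SourceFqdn -Port 5985 `
                           -WarningAction SilentlyContinue
if (-not $port.TcpTestSucceeded) {
    throw "TCP 5985 on $SourceFqdn is not reachable; run 'winrm quickconfig' on the source and check its firewall."
}

# Step 4: can the local account authenticate over WinRM?
try {
    $id = Test-WSMan -ComputerName $SourceFqdn -Port 5985 -Credential $Cred `
                     -Authentication Negotiate -ErrorAction Stop
    "WinRM logon OK as $($Cred.UserName): $($id.ProductVersion)"
} catch {
    throw "WinRM logon as $($Cred.UserName) failed: $($_.Exception.Message)"
}

# Steps 1-3: show how the collector currently sees the subscription's source.
wecutil gr $Subscription
```

If the logon test passes but the runtime status still shows an error, compare the name in the subscription with the FQDN in TrustedHosts, since the two have to resolve to the same server.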

 

That's about it.