Source: https://blog.thesysadmins.co.uk/winrm-winrs-and-forwarded-event-logs.html



This post should give you a quick understanding of WinRM, WinRS, forwarding event logs and when you’re likely to see the 0x80338126 error.

WinRM (Windows Remote Management) is Microsoft’s implementation of the WS-Management protocol, and it allows remote management of Windows machines. It was introduced in Server 2003 R2, but I didn’t really hear much about it until Server 2008.

WinRM is the ‘server’ component and WinRS is the ‘client’ that remotely manages a machine on which WinRM has been configured.

Differences you should be aware of:

WinRM 1.1 (Vista and Server 2008): port 80 for HTTP and port 443 for HTTPS
WinRM 2.0 (Windows 7 and Server 2008 R2): port 5985 for HTTP and port 5986 for HTTPS

WinRM 1.1 can also be downloaded and installed on pre-R2 2003 and XP from here.


[Screenshot: WinRM]

To enable WinRM, open a command prompt and type winrm qc or winrm quickconfig. As the command’s own output explains, this does the following:

Performs configuration actions to enable this machine for remote management.
Includes:
1. Start the WinRM service
2. Set the WinRM service type to auto start
3. Create a listener to accept request on any IP address
4. Enable firewall exception for WS-Management traffic (for http only)

It’ll ask you if you want to make these changes; type ‘y’ and press Enter.

To verify a listener has been created, type winrm enumerate winrm/config/listener

[Screenshot: WinRM Client Setup]

Just to round off this quick introduction to WinRM, to delete a listener (here the HTTP listener bound to all addresses) use winrm delete winrm/config/listener?address=*+Transport=HTTP
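The enable-and-verify steps above, scripted so that the listener check also tells you which WinRM generation the port implies (80/443 for 1.1, 5985/5986 for 2.0 by default). This is an added example, not code from the original post; it assumes an elevated PowerShell prompt, and Get-WinRMListener is this example’s own function name.

```powershell
# Added example, not part of the original post: enable WinRM on this machine,
# then list the listener(s) and report which WinRM generation the port implies.
# Assumes an elevated PowerShell prompt; Get-WinRMListener is this example's own name.

function Get-WinRMListener {
    # winrm.cmd prints one "Listener" block per listener as indented "Key = Value"
    # lines; split on the block headers and pull the fields out with regexes.
    $text = winrm enumerate winrm/config/listener | Out-String
    foreach ($block in ($text -split '(?m)^Listener\s*$')) {
        if ($block -notmatch 'Transport = ') { continue }
        $port = [int][regex]::Match($block, 'Port = (\d+)').Groups[1].Value
        # Default ports per generation, as listed earlier in the post.
        $gen  = switch ($port) { 80 { '1.1' } 443 { '1.1' } 5985 { '2.0' } 5986 { '2.0' } default { 'custom' } }
        New-Object PSObject -Property @{
            Address    = [regex]::Match($block, 'Address = (\S+)').Groups[1].Value
            Transport  = [regex]::Match($block, 'Transport = (\w+)').Groups[1].Value
            Port       = $port
            Enabled    = [regex]::Match($block, 'Enabled = (\w+)').Groups[1].Value
            Generation = $gen
        }
    }
}

# 1. Enable WinRM without the interactive "y" prompt (-q performs the same steps as 'winrm qc').
winrm quickconfig -q

# 2. Verify the listener exists and see which port (and therefore which WinRM generation) it uses.
Get-WinRMListener | Format-Table Transport, Address, Port, Enabled, Generation -AutoSize
```

Parsing the text output of winrm.cmd rather than using the WSMan: PowerShell drive keeps the script usable on the older WinRM 1.1 hosts the post is dealing with, where that drive is not available. If quickconfig refuses to add the firewall exception, the usual cause is the network profile, which is worth checking before touching listeners.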

WinRS

WinRS (Windows Remote Shell) is the client that connects to a WinRM-configured machine (as seen in the first part of this post). WinRS is pretty handy; you’ve probably used PSTools or SC for similar things in the past. Here are a few examples of what you can do.

Connecting to a remote shell: winrs -r:http://hostnameofclient "cmd"
Stopping / starting a remote service: winrs -r:http://hostnameofclient "net start/stop spooler"
Doing a dir on the C drive: winrs -r:http://hostnameofclient "dir c:\"

[Screenshot: WinRS]

Forwarded Event Logs

This is configured using ‘subscriptions’, which connect to WinRM-enabled machines.

To configure these subscriptions, open Event Viewer, right-click Forwarded Events and select Properties. Select the second tab, Subscriptions, and press Create.

This is where you’ll select the WinRM-enabled machine and choose which events you would like forwarded.

[Screenshot: Subscriptions]

Right-click the subscription and select Show Runtime Status.

Error 0x80338126

Now it took me a minute or two to figure this one out. Was it a firewall issue (this gives the same error code)? Did I miss some configuration steps? Well, no, it was something a lot more basic than that. Remember earlier on we were talking about the port changes from WinRM 1.1 to 2.0?

That’s right: I was using Server 2008 R2 to set the subscriptions, which automatically sets the port to 5985. The client I configured initially was Server 2008, so it uses version 1.1. If you right-click the subscription and click Properties -> Advanced you’ll be able to see this. I changed this to port 80 and checked the runtime status again.

[DC2.domain.local] – Error – Last retry time: 03/02/2011 20:20:30. Code (0x5): Access is denied. Next retry time: 03/02/2011 20:25:30.

Head back to the Advanced settings and change the user account from Machine Account to a user with administrative rights. After making these changes, the forwarded events started to flow.
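The two problems above (a subscription pointed at port 5985 while the WinRM 1.1 source listens on 80, then the machine account being refused with Code (0x5)) can be checked from the collector with winrm and wecutil instead of clicking through Event Viewer. This is an added example and not code from the original post; it assumes an elevated PowerShell prompt on the collector (the Server 2008 R2 box in the post), ‘ForwardedDCEvents’ is a hypothetical subscription name, and DC2.domain.local is the source host taken from the post’s error message.

```powershell
# Added example, not part of the original post. It automates the two checks the
# post arrives at by hand: (a) is the subscription using the port the source's
# WinRM version actually listens on, and (b) is the account the subscription
# runs as being refused ("Code (0x5): Access is denied")?
# Assumptions: run elevated on the collector; 'ForwardedDCEvents' is a
# hypothetical subscription name; DC2.domain.local is the source named in the post.
$Subscription = 'ForwardedDCEvents'
$Source       = 'DC2.domain.local'

# Ask the source to identify itself, trying the WinRM 2.0 port first and the
# 1.1 port second. The IdentifyResponse contains "Stack: 2.0" or "Stack: 1.1".
function Find-WinRMEndpoint($ComputerName) {
    foreach ($port in 5985, 80) {
        $uri   = "http://${ComputerName}:$port"
        $reply = winrm identify -r:$uri 2>&1 | Out-String
        if ($reply -match 'Stack:\s*([\d.]+)') {
            return New-Object PSObject -Property @{ Port = $port; Stack = $Matches[1] }
        }
    }
    throw "No WinRM listener on $ComputerName answered on 5985 or 80 (service stopped, or firewall?)."
}

$remote = Find-WinRMEndpoint $Source
"Source $Source answers on port $($remote.Port) (WinRM stack $($remote.Stack))"

# Read the port stored in the subscription: 'wecutil gs /f:XML' prints the
# subscription definition as XML, and its TransportPort element holds the port.
[xml]$cfg = (wecutil gs $Subscription /f:XML) -join "`n"
$configured = [int]$cfg.Subscription.TransportPort
if ($configured -ne $remote.Port) {
    "Subscription is set to port $configured but the source listens on $($remote.Port); correcting."
    wecutil ss $Subscription /tp:$($remote.Port)
}

# Check the runtime status (the same information as 'Show Runtime Status' in Event Viewer).
# The match is deliberately loose: wecutil reports the error code and message in its own layout.
$status = wecutil gr $Subscription | Out-String
$status
if ($status -match 'Access is denied|LastError:\s*5\b') {
    # The post's fix: run the subscription as an account with rights on the source
    # instead of the collector's machine account (/cun and /cup set that account).
    $cred = Get-Credential
    wecutil ss $Subscription /cun:$($cred.UserName) /cup:$($cred.GetNetworkCredential().Password)
    wecutil rs $Subscription    # retry now instead of waiting for the next retry time
}
```

Prompting with Get-Credential keeps the account password out of the script file. Choosing the account is where the risk sits: the post uses a user with administrative rights, which works, but the collector then holds credentials that are powerful on every source; keeping the machine account and granting the collector’s computer account read access to the source’s event log (the Event Log Readers group) gives the subscription only what it needs, and is a fact about Windows event forwarding rather than something the post covers.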

[Screenshot: Subscriptions Advanced]