
How to skillfully use forwarding and subscription to centrally manage server logs

2025-04-05 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains how to use event forwarding and subscriptions to centrally manage server logs. The editor thinks it is very practical, so I share it with you, and I hope you will learn something from it. Let's take a look at it together.

Event log management is an important part of daily server maintenance, but it is also time-consuming and laborious, especially when a LAN contains many application servers. A good solution is to deploy a central server dedicated to event log management and forward the logs of the other servers to it for centralized handling. In the past this required third-party software. Windows Server 2008 adds a built-in feature, event forwarding and subscriptions, with which we can forward server event logs, subscribe to them, and centrally manage a selected subset of events from specific servers. Below, the author sets up an environment and demonstrates the feature with an example.

Environment description:

Take a domain environment with two servers as an example: server1 is the source server, which forwards its logs to the log server, and server2 is the log server, which subscribes to the logs forwarded from the source server.

Mission objectives:

System error events with event ID 100 from the past 24 hours on server1 are forwarded to the log server server2 in real time, and as soon as such an event is logged on server1, the administrator is notified by a message box on server2.

Implementation process:

1. Create a custom view

Log in to server1 as an administrator, click Start → Run, and type eventvwr.msc to open the Event Viewer window. Select Custom Views in the left pane, then expand the Actions menu and choose Create Custom View. In the Filter tab of the Create Custom View window, set Logged to Last 24 hours, Event level to Error, and Event logs to System. Click OK, and in the Save Filter to Custom View dialog box that appears, name the view Error Events (24 hours) and click OK. The view you just created, "Error Events (24 hours)", now appears under Custom Views. (figure 1)

2. Add a custom event to the System log

Strictly speaking, this step is not needed in practice; I add it to test the custom view we just created, that is, to generate a specific event and check whether it appears in the view. On server1, run the command prompt as an administrator and execute: eventcreate /T ERROR /ID 100 /L SYSTEM /D "Application Error #1" /SO MyApp. The command completes successfully and we have created a custom event. The eventcreate command writes an entry to an event log: /T sets the event level (ERROR), /ID sets the event ID (100), /L selects the log to write to (SYSTEM), /D gives the event description ("Application Error #1"), and /SO gives the event source (MyApp). After the event has been created, reopen Event Viewer, go to "Error Events (24 hours)" under Custom Views, expand the Actions menu and choose Refresh. The event we just created now appears, because it satisfies the filter of the custom view, which also confirms that the view was set up correctly. (figure 2)
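The two steps above can be reproduced and checked from PowerShell on server1. The following script is an added example, not code from the article: the XPath filter is the one Event Viewer generates for a "Last 24 hours / Error / System" custom view (86400000 is 24 hours in milliseconds), the eventcreate call is the article's own command, and the function name Get-RecentSystemErrors is this example's. It assumes PowerShell 2.0 or later and an elevated session.

```powershell
# Added example (not from the article). Runs on server1 in an elevated PowerShell.
# Same filter as the "Error Events (24 hours)" custom view:
# System log, Level 2 (Error), events created in the last 24 hours.
$customViewXml = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
"@

function Get-RecentSystemErrors {
    # Get-WinEvent throws when nothing matches, so "no events" becomes an empty result.
    Get-WinEvent -FilterXml $customViewXml -ErrorAction SilentlyContinue
}

# Step 2 of the article: write a test event that must satisfy the filter.
eventcreate.exe /T ERROR /ID 100 /L SYSTEM /D "Application Error #1" /SO MyApp

# Confirm the test event is visible through the same filter the custom view uses.
$hits = @(Get-RecentSystemErrors | Where-Object { $_.Id -eq 100 -and $_.ProviderName -eq 'MyApp' })
if ($hits.Count -gt 0) {
    "Custom view filter matches the test event: $($hits[0].TimeCreated) - $($hits[0].Message)"
} else {
    "Test event not found: check that eventcreate ran elevated and that the filter XML is unchanged."
}
```

Get-WinEvent -FilterXml accepts exactly the XML shown in the XML tab of the custom view dialog, so a filter that is copied from there and kept under version control can be replayed on any server without clicking through the wizard.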

3. Create an event subscription

Log in to server2 as an administrator and open its Event Viewer console. Click Subscriptions at the bottom of the left pane; a dialog box asks whether to start the Windows Event Collector service, and we click Yes to start it. Then right-click Subscriptions and choose Create Subscription from the context menu to open the Subscription Properties dialog box. Here we configure a subscription named "MyApp Errors on server1" for the System error events of server1: under Source computers click Add to open the Select Computer dialog box, enter server1 as the server whose event log we want to subscribe to, and click OK to return to Subscription Properties. Several servers can be added here in the same way. When done, click the Test button at the lower right to check that the server just added is reachable. If an error dialog box appears, it does not matter; just click OK. It appears because WinRM on server1 has not yet been started and configured, which we will do later. (figure 3)

Back in the Subscription Properties dialog box, click Select Events to open the Query Filter dialog box and set: Logged to Last 24 hours, Event level to Error, Event logs to Windows Logs\System, and Event ID to 100; then close the dialog box. In Subscription Properties, click Advanced to open the Advanced Subscription Settings dialog box. Set User Account to Specific User and click the User and Password button on the right to open the Subscription Source Credentials dialog box; the default user name is administrator, so enter the administrator's password below it. Set Event Delivery Optimization to Minimize Latency and leave the protocol and port at their defaults. Finally click OK to close the Subscription Properties dialog box; an Event Viewer prompt explains what must be done next, and we click Yes to dismiss it. The subscription we just created now appears under Subscriptions in the Event Viewer console, but it is marked with a red exclamation mark because WinRM on server1 has not been started and configured. (figure 4)

4. Start and configure WinRM

Log in to server1 as an administrator, run the command prompt as an administrator and execute winrm quickconfig to configure WinRM quickly. The command reports that it will start the WinRM service, create a listener and open a firewall exception for it, and asks whether to make these changes; type y and press Enter, and WinRM on server1 is configured. Next, log in to the log server server2 to verify: open its Event Viewer console, right-click Subscriptions and choose Refresh. The subscription we created now shows a green check mark, which means it is working. We can verify further: on server2, open a command prompt as an administrator and enter: eventcreate /S server1.test.com /L System /T Error /ID 100 /SO MyApp /D "MyApp Encountered an error". If the command succeeds, the configuration is correct. This uses eventcreate on server2 to write an event into server1's log: /S specifies the target server, where test.com is the domain name and server1 is the server name. In the server2 Event Viewer console, expand Windows Logs → Forwarded Events, right-click the node and choose Refresh; on the right you can see that the event just created has been forwarded successfully. Likewise, log in to server1 and the event created from server2 is visible in its Event Viewer console. This shows that the configuration is correct. (figure 5)
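Steps 3 and 4 can also be done from the command line, which is what you want when the same subscription has to be rolled out to more than one collector. The script below is an added example, not the article's own configuration: the subscription XML follows the documented wecutil format and carries the same filter as the article's dialog (System log, Error, event ID 100, last 24 hours, minimize latency); server1.test.com is the article's source server; the file name, the domain name TEST in the user name and the Read-Host prompt are this example's assumptions. The account given to wecutil must be able to read server1's System log, which the article satisfies by using Administrator; a member of the source's Event Log Readers group is enough and is the smaller privilege to store on the collector.

```powershell
# Added example (not from the article).
# --- On server1 (source), elevated: the article's command, run non-interactively. ---
winrm quickconfig -q

# --- On server2 (collector), elevated: start the Windows Event Collector service. ---
wecutil qc /q

# Subscription definition. The query is the article's filter:
# System log, Level 2 (Error), EventID 100, last 24 hours (86400000 ms).
# MinLatency is the article's "Minimize Latency" delivery setting.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>MyApp Errors on server1</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>System error events with ID 100 forwarded from server1</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[(Level=2) and (EventID=100) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>server1.test.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

# Assumed file location for the definition.
$subscriptionFile = Join-Path $env:TEMP 'myapp-errors-on-server1.xml'
Set-Content -Path $subscriptionFile -Value $subscriptionXml -Encoding UTF8

# The article's "Specific User" credentials: TEST\ is an assumed NetBIOS domain name.
# Prompting keeps the password out of the script file.
$collectorPassword = Read-Host 'Password for the subscription account'
wecutil cs $subscriptionFile /cun:TEST\administrator "/cup:$collectorPassword"

# Runtime status of the subscription: the source shows as Active once WinRM on
# server1 answers, which is the green check mark of the article's figure 5.
wecutil gr 'MyApp Errors on server1'
```

If wecutil gr reports the source as inactive, the usual causes are the ones the article runs into: WinRM not yet configured on the source, the listener blocked by the firewall, or the subscription account lacking read access to the source log.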

5. Attach a task to an event

Attaching a task to an event is a very useful feature: it binds a task to an event so that the task runs whenever the event occurs. With it we can run a program or script, display an alert, or even send an email to notify the administrator, and in general respond to the event. In this example we trigger an alert: when the event we defined occurs on server1, an alert dialog box is displayed on the log server server2. The procedure is as follows.

Log in to the log server server2, open its Event Viewer console, go to Windows Logs → Forwarded Events, and in the content pane on the right find the "MyApp Encountered an error" event we just created. Right-click it and choose Attach Task To This Event to open the Create Basic Task wizard. On the Create a Basic Task page set the name to "MyApp Error 100 Interactive Notification"; on the Action page set the action to Display a message, with the title "SERVER2 server event report" and the message "Server2 server has encountered a system error, ask the administrator to debug immediately!"; then finish the wizard. A confirmation dialog box appears, which we simply acknowledge with OK. (figure 6)

6. Verify log report

At this point the subscription and forwarding of logs between the two servers is complete, so let's verify the result. The test can be started from either server; we do it from the log server server2. The idea is to use eventcreate on server2 to write a custom system error event into server1's log, which is then forwarded back to server2, and to see how the event alert we configured reacts. Run the command prompt as an administrator on server2 and execute: eventcreate /S server1.test.com /L System /T Error /ID 100 /SO MyApp /D "MyApp Encountered an error". Once the command completes, a warning dialog box pops up stating that a system error has occurred on the Server2 server and asking the administrator to debug it immediately; this is the message box we just configured. The experiment is therefore a success: whenever the event we defined occurs on server1, the administrator sees it on the log server.
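Steps 5 and 6 together, as an added example rather than the article's own configuration: the wizard's "attach task" is an ordinary event-triggered scheduled task, so the same thing can be created on server2 with schtasks.exe and then exercised with the article's eventcreate command. The task name and trigger XPath match the article's event; the msg.exe action and its wording, the 30-second wait and the use of Get-WinEvent to read the collector's ForwardedEvents log are this example's choices; server1.test.com is the article's source server.

```powershell
# Added example (not from the article). Runs on server2 in an elevated PowerShell.

# Trigger: the ForwardedEvents channel, filtered to the event the subscription delivers
# (source MyApp, Error level, ID 100). This is the same XPath the wizard generates.
$trigger = "*[System[Provider[@Name='MyApp'] and (Level=2) and (EventID=100)]]"

# Action: msg.exe * shows a message box in every interactive session on server2,
# which is what the wizard's "Display a message" action does. Wording is this example's.
$action = 'msg.exe * Server1 reported a MyApp system error, event ID 100'

# Create (or overwrite, /F) the event-triggered task. Without /RU it runs as the
# creating user when that user is logged on, so the message box is visible.
schtasks.exe /Create /F /TN 'MyApp Error 100 Interactive Notification' /SC ONEVENT /EC ForwardedEvents /MO $trigger /TR $action

# Step 6: raise the event remotely on server1 (the article's command), then wait for
# delivery. MinLatency forwarding is quick but not instantaneous.
eventcreate.exe /S server1.test.com /L System /T Error /ID 100 /SO MyApp /D "MyApp Encountered an error"
Start-Sleep -Seconds 30

# Read the forwarded copy back from the collector. MachineName shows it came from server1.
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; ProviderName = 'MyApp'; Id = 100 } -MaxEvents 5 |
    Select-Object TimeCreated, MachineName, Id, Message

# The task's last run result confirms the trigger fired (0 means the action ran).
schtasks.exe /Query /TN 'MyApp Error 100 Interactive Notification' /V /FO LIST
```

Because the trigger reads the ForwardedEvents channel rather than the source's own System log, the same task definition works unchanged when further source servers are added to the subscription: every forwarded MyApp event 100, whichever server it came from, raises the notification on the collector.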

That is how to use forwarding and subscriptions to centrally manage server logs. The editor believes the article covers points that you may meet or use in your daily work, and hopes you can learn more from it. For more details, please follow the industry information channel.
