Everyone in IT knows that one of the first places to look when troubleshooting a Windows workstation or server is the Windows Event Log. This doesn’t do a whole lot of good if the system is part of a random-pooled non-persistent machine catalog and has rebooted since the issue occurred…those logs are gone, right? Not necessarily…
Windows includes built-in functionality for forwarding event logs to a centralized location, and it’s actually pretty simple to set up. The process consists of some manual configuration on the server that will be receiving the logs, plus group policy for members of the machine catalog.
Step One: Configure an Event Log Subscription
Select a server to use as your event log collector. This could be a dedicated server, but it can usually run just fine shared with other services. On the server, open the Event Viewer and select Subscriptions. You may be prompted to start the Windows Event Collector service and set it to automatic start; select Yes.
Select the Create Subscription… option in the Actions pane, and you’ll see the Subscription Properties window:
The first option of consequence (other than the name) is the destination log. By default this goes to the Forwarded Events log, and that’s how we’ll leave it.
The next decision we must make is the Subscription type; our two options are collector initiated and source computer initiated. A collector-initiated subscription requires a full list of all the event source computers, which it then uses to poll each event source. Given the transient nature of non-persistent machine catalogs, this is not a great option. We’re going to select source computer initiated. The advantage of this type of subscription is that we can specify a security group instead of having to specify each event source explicitly:
Next, we must select which events we’re going to collect. If we’re looking for XenDesktop-specific errors, we know that we’ll probably just want to capture warnings, errors and critical events in the Application Event Log:
Finally, Advanced Subscription Settings are available that allow you to specify the frequency with which the updates are forwarded:
Step Two: Configure Log Source via Group Policy
We’ll need to create a new GPO or edit an existing one. We’re going to edit the following settings:
Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding\Configure target Subscription Manager
Here we need to specify the FQDN of our collector:
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management\WinRM Service\Allow remote server management through WinRM
Here we need to enable the setting and assign a wildcard (*) for the IPv4 and IPv6 filters (you could also specify the IP address range that your XenDesktop VMs are using):
We also need to set the startup type of the Windows Remote Management (WS-Management) service to automatic:
Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows Remote Management (WS-Management)
Step Three: Test Functionality
To test this, we need to power up our master image and run a gpupdate /force to ensure it’s getting our group policies. Then we simply run something like the following command from PowerShell (the event source must already be registered on the VM, which “Citrix Desktop Service” is on a VDA):
Write-EventLog -LogName Application -Source "Citrix Desktop Service" -EventID 239 -EntryType Error -Message "This is a test"
If it worked, we should see this in our forwarded events log on the event collector:
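The same Step One subscription built from an elevated PowerShell prompt on the collector with wecutil instead of the Event Viewer UI, followed by the Step Three check for the test event. This is an added example, not from the original post; the group name CONTOSO\XenDesktop-VDAs, the subscription name and the temp path are assumptions.

```powershell
# Added example: create the source-initiated subscription from Step One with wecutil
# and verify the Step Three test event. Group/domain names below are assumptions.
$SubName  = 'XenDesktop-VDA-Errors'
$VdaGroup = 'CONTOSO\XenDesktop-VDAs'   # security group holding the VDA computer accounts

# Resolve the group to a SID so only members of that group may push events,
# rather than the broader Domain Computers SID ("DC") that many samples use.
$GroupSid = (New-Object Security.Principal.NTAccount($VdaGroup)).Translate([Security.Principal.SecurityIdentifier]).Value
$Sddl     = "O:NSG:NSD:(A;;GA;;;$GroupSid)"

# Query: Application log, Critical (1), Error (2) and Warning (3) only, matching the UI filter.
# MinLatency corresponds to the "Minimize Latency" choice under Advanced Subscription Settings.
$Xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Warnings and errors from non-persistent XenDesktop VDAs</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>$Sddl</AllowedSourceDomainComputers>
</Subscription>
"@

wecutil qc /q                    # quick-config: start Windows Event Collector, set it to automatic
$Path = Join-Path $env:TEMP "$SubName.xml"
$Xml | Set-Content -Path $Path -Encoding UTF8
wecutil cs $Path                 # create the subscription from the XML above
wecutil gr $SubName              # runtime status: every VDA that has checked in is listed here

# Step Three, on the collector: confirm the test event written on the VDA arrived.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 50 |
    Where-Object { $_.Id -eq 239 -and $_.ProviderName -eq 'Citrix Desktop Service' } |
    Select-Object TimeCreated, MachineName, LevelDisplayName, Message
```

If a VDA never appears in the wecutil gr output, check that it received the Subscription Manager GPO and that WinRM is listening before suspecting the subscription itself.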