How to configure an event source for multiple devices via Group Policy

Objective 

This article explains how to configure event sources for multiple Windows devices using Group Policy and a PowerShell script, so that the event source does not have to be created manually on each machine.

Prerequisites 

User permissions:

  • Domain administrator or equivalent privileges to create and edit Group Policy Objects.

Dependencies:

PowerShell script:

Download the PowerShell script file from Zoho Workdrive:  https://workdrive.zohoexternal.com/file/4p2s5484ea211168f4fad822da643066e45b9

You can also paste the following script into a text file and save it with a .ps1 extension.

Script:

# Open the parent EventLog key with write access ($true). The .NET API is used here
# because channel names contain a forward slash, which the PowerShell registry
# provider would treat as a path separator.
$key = (Get-Item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Services\EventLog", $true)

# One subkey per event channel; the key name must match the channel name exactly.
$key.CreateSubKey('Microsoft-Windows-GroupPolicy/Operational')
$key.CreateSubKey('Microsoft-Windows-Application-Experience/Program-Inventory')
$key.CreateSubKey('Microsoft-IIS-Configuration/Operational')
$key.CreateSubKey('Microsoft-Windows-PrintService/Operational')
$key.CreateSubKey('Microsoft-Windows-TerminalServices-Gateway/Operational')

# Release the handle to the parent key.
$key.Close()

Note: The above script creates an Event Source for Microsoft-Windows-GroupPolicy/Operational, Microsoft-Windows-Application-Experience/Program-Inventory, Microsoft-IIS-Configuration/Operational, Microsoft-Windows-PrintService/Operational, and Microsoft-Windows-TerminalServices-Gateway/Operational. Customize the list of channels to suit your requirements.
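The following is an added example, not the article's script and not a ManageEngine file: a parameterized version of the same startup script that skips channels which do not exist on the host (for instance the IIS or RDS Gateway channels on an ordinary client), leaves keys that are already present untouched, and appends one line per channel to a log file so each boot-time run can be audited. The channel names are the ones from the article; the log file location is an assumption. Like the original, it uses the .NET registry API rather than registry provider paths, because the forward slash in a channel name would otherwise be read as a path separator.

```powershell
# Added example (not the article's script). Channel names are the ones listed in the
# article; the log file location is an assumption.
$Channels = @(
    'Microsoft-Windows-GroupPolicy/Operational'
    'Microsoft-Windows-Application-Experience/Program-Inventory'
    'Microsoft-IIS-Configuration/Operational'
    'Microsoft-Windows-PrintService/Operational'
    'Microsoft-Windows-TerminalServices-Gateway/Operational'
)
$LogFile = Join-Path $env:ProgramData 'EventSourceSetup.log'   # assumed path

function Write-Log {
    param([string]$Message)
    # One timestamped line per channel so the result of each run can be reviewed later.
    Add-Content -Path $LogFile -Value ('{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message)
}

# Open the parent key writable. The .NET API is used (as in the article's script) because
# the registry provider would treat the "/" in a channel name as a path separator.
$root = (Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Services\EventLog', $true)
try {
    foreach ($channel in $Channels) {
        # Only register channels that actually exist on this host; this also catches
        # a channel name that was mistyped when copied from Event Viewer.
        if (-not (Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue)) {
            Write-Log "SKIP  $channel (no such event channel on this host)"
            continue
        }
        # Do not recreate a key that is already there (the script runs at every boot).
        $existing = $root.OpenSubKey($channel)
        if ($existing) {
            $existing.Close()
            Write-Log "OK    $channel (key already present)"
            continue
        }
        try {
            $root.CreateSubKey($channel).Close()
            Write-Log "ADDED $channel"
        } catch {
            Write-Log "FAIL  $channel : $($_.Exception.Message)"
        }
    }
} finally {
    $root.Close()
}
```

Assigned as a startup script it runs under the Local System account, so no explicit elevation is needed; the log file gives you a per-machine record to compare against what Event Viewer shows when a source fails to appear.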

Steps to follow 

Step 1: Create a Group Policy Object:  

On a domain controller or an admin machine with the Group Policy Management Console (GPMC) installed, press Windows + R, type gpmc.msc in the Run dialog, and press Enter. This opens the GPMC.

Alternatively, on the domain controller, open Server Manager > Tools > Group Policy Management.

Step 2: Right-click the Group Policy Objects container and click New.


Step 3: After creating the Group Policy Object, right-click it, click Edit, and go to Computer Configuration > Policies > Windows Settings > Scripts > Startup. Add the provided PowerShell script there, after adding the required event log sources to the script.

Sample screenshot of PowerShell script for adding event log source:

Copy the name of the event source from Event Viewer and update the entries in the script accordingly.

Step 4: Allow PowerShell script execution in the Group Policy Object. To do so, go to Policies > Administrative Templates > Windows Components > Windows PowerShell > Turn on Script Execution, set it to Enabled, and select Allow all scripts. Allow all scripts is the least restrictive setting; if your organization signs its scripts, one of the stricter options that requires a signature can be used instead.


Step 5: Apply the Group Policy by running the following command in a Command Prompt on the client. Because startup scripts run at boot, the script itself executes at the client's next restart.

gpupdate /force

Tips

  1. To verify that Group Policy has been updated, execute the command gpresult /r and check whether your Group Policy Object is listed among the applied policies.

  2. To verify that the policy took effect on the client system, open the registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog and check whether the event log sources added in the script were created successfully.

  3. Always test your Group Policy Object on a small group before large-scale deployment.

  4. Keep the script versioned and documented for future updates.
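The registry check in the tips above, as an added example that is not part of the article: it reports, for one or more computers, whether each expected key exists under the EventLog key and whether the corresponding event channel exists at all, so a missing key (script has not run yet, or failed) can be told apart from a mistyped channel name. The computer names are placeholders; running it against remote machines assumes PowerShell remoting (WinRM) is enabled and that the caller is a local administrator there.

```powershell
# Added example (not from the article): audit which machines have the event source keys.
# Computer names are placeholders; remote execution assumes WinRM is enabled.
$Expected = @(
    'Microsoft-Windows-GroupPolicy/Operational'
    'Microsoft-Windows-Application-Experience/Program-Inventory'
    'Microsoft-IIS-Configuration/Operational'
    'Microsoft-Windows-PrintService/Operational'
    'Microsoft-Windows-TerminalServices-Gateway/Operational'
)
$Computers = @('CLIENT01', 'CLIENT02')   # placeholders; use @() to check only this host

$Check = {
    param([string[]]$Names)
    # Read-only open (no $true), since this only inspects the keys.
    $root = (Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Services\EventLog')
    try {
        foreach ($name in $Names) {
            $sub = $root.OpenSubKey($name)
            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                Channel       = $name
                KeyPresent    = [bool]$sub
                ChannelExists = [bool](Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue)
            }
            if ($sub) { $sub.Close() }
        }
    } finally {
        $root.Close()
    }
}

$results = if ($Computers.Count -gt 0) {
    # (,$Expected) passes the whole array as a single argument.
    Invoke-Command -ComputerName $Computers -ScriptBlock $Check -ArgumentList (,$Expected)
} else {
    & $Check -Names $Expected
}

$results | Sort-Object Computer, Channel |
    Format-Table Computer, Channel, KeyPresent, ChannelExists -AutoSize

# A channel that exists but has no key means the startup script has not run there yet
# (or failed); a key whose channel does not exist points to a mistyped name.
$results | Where-Object { $_.ChannelExists -and -not $_.KeyPresent } |
    ForEach-Object { Write-Warning "$($_.Computer): missing key for $($_.Channel)" }
```

Run it after the pilot group has rebooted once; the warnings list exactly the machines and channels that still need attention before the GPO is linked more widely.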
