get Event Log Forwarder Subscribers with powershell

Paul Saunders 1 Reputation point
2021-02-16T08:38:38.227+00:00

I want to get a list of subscribers for specific source initiated Event log forwarder subscriptions. Is there a way to get this in powershell?

Eventually I want to to develop a script that will tell me when a new subscriber is added.
It would also be nice if it would be possible to identify which subscribers are active and inactive.

I know they are all in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions{Subscription Name}\EventSources{Machine Name}

If that is the only way to enumerate a list, does anyone know how to identify which are active?

Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,536 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,576 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Ian Xue 38,551 Reputation points Microsoft Vendor
    2021-02-17T08:14:09.817+00:00

    Hi,

    Does this meet your needs? The creation time of a subscription is not recorded in the registry.

    $path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions"  
    Get-ChildItem -Path $path|Select-Object -Property PSChildName,@{name='Enabled';expression={($_|Get-ItemProperty -Name Enabled).Enabled}}  
    

    Best Regards,
    Ian Xue

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.