Condividi tramite


Event Collector

Applies To: Windows Server 2003 R2

One of the capabilities of Hardware Management in Windows Server 2003 R2 and Windows Server 2008 is the ability to subscribe to the hardware events stored in the BMC’s System Event Log (SEL) and place them in the Windows Event Viewer. This local hardware event collection is automatically configured, so no further configuration is needed.

When you install the Hardware Management component of Windows Server 2003 R2 or Windows Server 2008, two new event logs are created in the Windows Event Viewer, Forwarded Events and Hardware Events, as shown below:

Event Viewer - Hardware Events empty

The Event Collector service is a Windows Remote Management client that is used to create subscriptions to WS-Management event providers and store the events received in the Windows SEL. Two scenarios are supported in R2 and Windows Server 2008.

  • Logging of hardware events from the local SEL when the operating system is running ("in-band"), using the IPMI driver and WMI provider.

  • Logging of hardware events from a remote server’s BMC using WS-Management (when BMC hardware supports this).

    Event Properties - 400

Windows Server 2003 R2 and Windows Server 2008 use a component called the System Event Log (SEL) plug-in. The SEL plug-in and the Event Collector subscribe to events stored in the BMC’s SEL.

Event Viewer - Hardware Events full

In case of an operating system shutdown or failure, Windows logs IPMI events into the BMC’s SEL. The administrator can then access the BMC's SEL using "out-of-band" tools to determine why a machine is not running.

Windows Event Collector Utility (Wecutil.exe)

This section discusses how to use the command-line tool, Windows Event Collector Utility (Wecutil.exe), to subscribe and unsubscribe to these hardware events.

Subscribing to Hardware Events from a Windows Server 2008 System

Subscribing to events is a manual process. To subscribe to SEL events, use the Event Collector command-line tool, Wecutil.exe. Once an event subscription has been established, it is maintained after rebooting.

To generate the subscription, Wecutil requires an XML configuration file.

  1. On the BMC server, open an elevated command prompt and run the following:
  • Wecutil qc

  • Winrm qc

  • Winrm set winrm/config/client @{TrustedHosts=”localhost”}

  • Wecutil cs SELSubscription.xml (as shown below)

 <Subscription xmlns="https://schemas.microsoft.com/2006/03/windows/events/subscription">
<Description>System Event Log event subscription</Description> 
<SubscriptionId>SELSubscription</SubscriptionId> 
<Uri>https://schemas.microsoft.com/wbem/wsman/1/logrecord/sel</Uri> 
<EventSources>
<EventSource>
<Address>localhost</Address> 
</EventSource>
</EventSources>
<LogFile>HardwareEvents</LogFile> 
<Delivery Mode="pull">
<PushSettings>
<Heartbeat Interval="10000" /> 
</PushSettings>
</Delivery>
</Subscription>

WinRM (specifically the SEL Plugin) should start to populate the SEL events to [Applications and Services Logs\Hardware Events] in Windows Event Log.

Troubleshooting Subscribing to Hardware Events in Windows Server 2008

If the following error occurs in a subscription status, the server might not have a BMC or the BIOS does not support BMC detection through ACPI.

[localhost] - Error - Last retry time: 5/22/2007 1:39:32 PM. Code (0x80041001): <f:ProviderFault provider="SEL plugin for Windows Remote Management " path="%systemroot%\system32\WsmSelPl.dll" xmlns:f="https://schemas.microsoft.com/wbem/wsman/1/wsmanfault"></f:ProviderFault> Next retry time: 5/22/2007 1:44:32 PM.

The following diagnosis test shows if a server has BMC with BIOS supporting BMC detection through ACPI:

  1. Open an elevated command prompt and then launch wbemtest.exe from the command prompt.

  2. Connect to root\wmi namespace and attempt to enumerate instances of Microsoft_IPMI class. The resulting dialog box should return an instance showing device ID starting with “ACPI”. If not, the system BIOS does not support BMC detection through ACPI, which is a requirement for IPMI driver on Windows Server 2008 . To resolve this, upgrade the BIOS.

Subscribing to Hardware Events from a Windows Server 2003 R2 System

Likewise in R2, subscribing to events is a manual process.

To generate the subscription, Wecutil requires an XML configuration file. Windows Server 2003 R2 ships with a sample configuration file, %windir%\system32\WsmSelRg.xml:

<Subscription xmlns="https://schemas.microsoft.com/2004/05/windows/events/subscription">
  <Description>Subscription 1</Description>
  <SubscriptionId>sub1</SubscriptionId>
  <Uri>wsman:microsoft/logrecord/sel</Uri>
  <EventSources>
    <EventSource Enabled="true">
      <Address>localhost</Address>
    </EventSource>
  </EventSources>
  <Delivery Mode="pull">
    <Batching>
      <MaxSize>16000</MaxSize>
      <MaxItems>15</MaxItems>
      <MaxLatencyTime>1000</MaxLatencyTime>
    </Batching>
  </Delivery>
  <Heartbeat Interval="10000"/>
  <LogFile>HardwareEvents</LogFile>
</Subscription>

Note

One of the settings configured in the XML file is the log file to be used to store SEL events.

To create a new subscription to the SEL events using the default configuration file, issue the following command:

wecutil cs %windir%\system32\WsSelRg.xml

(%windir% is the directory where Windows Server 2003 R2 is installed.)

Shortly after executing the above command, hardware SEL events will start appearing in the Hardware Events log of the Event Viewer (assuming that Hardware Events was the log file configured in the XML file):

Event Viewer - Hardware Events warnings

Since SEL events are XML-based, the Event Viewer in Windows Server 2003 R2 has been modified to allow for the viewing these SEL events as XML in the Description area of the event. The following shows properly formatted XML for a hardware event in the Event Properties dialog box:

Event Properties - 400 XML

Enumerating Subscriptions

Using the Event Collector command-line tool, existing subscriptions can be enumerated. This information can then be used to unsubscribe from BMC events. The following command enumerates the current subscriptions:

wecutil es

Assuming that the XML configuration file above was used to subscribe to the events, the following is returned:

sub1

Note

The name of the subscription returned above is based on the <SubscriptionID> tag in the XML file.

Getting Information on an Existing Subscription

Should a system have several subscriptions configured, you can get information about a specific subscription by issuing the following command:

wecutil gs sub1

(sub1 is the subscription ID of the subscription to be viewed.)

This command returns data based on the original XML configuration file used in the subscription:

EventSource[0]:
  Address: localhost
  Enabled: true
Description: Subscription 1
Uri: wsman:microsoft/logrecord/sel
DeliveryMode: pull
DeliveryMaxBufferSize: 16000
DeliveryMaxItems: 15
DeliveryMaxLatencyTime: 1000
HeartbeatInterval: 10000
Locale:
ContentFormat: renderedtext
LogFile: HardwareEvents

Unsubscribing to Hardware Events

To unsubscribe from the BMC SEL events, the following command is issued:

wecutil ds sub1

(sub1 is the subscription ID.)

Future hardware events logged to the SEL by the BMC will not appear in the Event Viewer until a new subscription is created. Any events that have already been logged to the Event Viewer will remain there until manually deleted.