수집기 시작 구독 만들기
수집기 시작 구독을 사용하여 원격 컴퓨터(이벤트 원본)에서 전달되는 로컬 컴퓨터(이벤트 수집기)에서 이벤트를 수신하도록 구독할 수 있습니다. 수집기 시작 구독에서 구독에는 모든 이벤트 원본 목록이 포함되어야 합니다. 수집기 컴퓨터가 이벤트를 구독하고 원격 이벤트 원본이 이벤트를 전달하려면 먼저 이벤트 수집 및 전달을 위해 두 컴퓨터를 모두 구성해야 합니다. 컴퓨터를 구성하는 방법에 대한 자세한 내용은 전달하도록 컴퓨터 구성 및 이벤트 수집을 참조하세요.
다음 코드 예제는 수집기 시작 구독을 만드는 일련의 단계를 따릅니다.
수집기 시작 구독을 만들려면
- 구독 이름 및 액세스 권한을 EcOpenSubscription 함수에 대한 매개 변수로 제공하여 구독을 엽니다. 액세스 권한에 대한 자세한 내용은 Windows 이벤트 수집기 상수를 참조하세요.
- EcSetSubscriptionProperty 함수를 호출하여 구독의 속성을 설정합니다. 설정할 수 있는 구독 속성에 대한 자세한 내용은 EC_SUBSCRIPTION_PROPERTY_ID 열거형을 참조하세요.
- EcSaveSubscription 함수를 호출하여 구독을 저장합니다.
- EcClose 함수를 호출하여 구독을 닫습니다.
이벤트 원본을 추가하는 방법에 대한 자세한 내용은 이벤트 수집기 구독에 이벤트 원본 추가를 참조하세요.
다음 C++ 코드 예제에서는 수집기 시작 구독을 만드는 방법을 보여줍니다.
#include <windows.h>
#include <iostream>
using namespace std;
#include <string>
#include <xstring>
#include <conio.h>
#include <EvColl.h>
#include <vector>
#include <wincred.h>
#pragma comment(lib, "credui.lib")
#pragma comment(lib, "wecapi.lib")
// Track properties of the Subscription.
typedef struct _SUBSCRIPTION_COLLECTOR_INITIATED
{
std::wstring Name;
std::wstring Description;
std::wstring URI;
std::wstring Query;
std::wstring DestinationLog;
std::wstring Password;
std::wstring UserName;
EC_SUBSCRIPTION_CONFIGURATION_MODE ConfigMode;
EC_SUBSCRIPTION_DELIVERY_MODE DeliveryMode;
EC_SUBSCRIPTION_TYPE SubscriptionType;
DWORD MaxItems;
DWORD MaxLatencyTime;
DWORD HeartbeatInerval;
EC_SUBSCRIPTION_CONTENT_FORMAT ContentFormat;
EC_SUBSCRIPTION_CREDENTIALS_TYPE CredentialsType;
BOOL SubscriptionStatus;
} SUBSCRIPTION_COLLECTOR_INITIATED;
// Subscription Information
DWORD GetProperty(EC_HANDLE hSubscription,
EC_SUBSCRIPTION_PROPERTY_ID propID,
DWORD flags,
std::vector<BYTE>& buffer,
PEC_VARIANT& vProperty);
void __cdecl wmain()
{
LPVOID lpwszBuffer;
DWORD dwRetVal = ERROR_SUCCESS;
EC_HANDLE hSubscription = 0;
EC_VARIANT vPropertyValue;
std::vector<BYTE> buffer;
PEC_VARIANT vProperty = NULL;
SUBSCRIPTION_COLLECTOR_INITIATED sub;
sub.Name = L"TestSubscription-CollectorInitiated";
sub.Description = L"A subscription that collects events that are published in\n" \
L"the Microsoft-Windows-TaskScheduler/Operational log and forwards them\n" \
L"to the ForwardedEvents log.";
sub.URI = L"http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog";
sub.Query = L"<QueryList>" \
L"<Query Path=\"Microsoft-Windows-TaskScheduler/Operational\">" \
L"<Select>*</Select>" \
L"</Query>" \
L"</QueryList>";
sub.DestinationLog = L"ForwardedEvents";
sub.ConfigMode = EcConfigurationModeCustom;
sub.MaxItems = 5;
sub.MaxLatencyTime = 10000;
sub.HeartbeatInerval = 10000;
sub.DeliveryMode = EcDeliveryModePull;
sub.ContentFormat = EcContentFormatRenderedText;
sub.CredentialsType = EcSubscriptionCredDefault;
sub.SubscriptionStatus = true;
sub.SubscriptionType = EcSubscriptionTypeCollectorInitiated;
std::wstring eventSource = L"localhost";
BOOL status = true;
PEC_VARIANT vEventSource = NULL;
DWORD dwEventSourceCount;
EC_VARIANT vSourceProperty;
// Create a handle to access the event sources array.
EC_OBJECT_ARRAY_PROPERTY_HANDLE hArray = NULL;
// The subscription name, URI, and query string must be defined to create
// the subscription.
if ( sub.Name.empty() || sub.URI.empty() || sub.Query.empty() )
{
dwRetVal = ERROR_INVALID_PARAMETER;
goto Cleanup;
}
// Step 1: Open the Event Collector subscription.
hSubscription = EcOpenSubscription(sub.Name.c_str(),
EC_READ_ACCESS | EC_WRITE_ACCESS,
EC_CREATE_NEW);
if ( !hSubscription)
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Step 2: Define the subscription properties.
// Set the Description property that contains a description
// of the subscription.
vPropertyValue.Type = EcVarTypeString;
vPropertyValue.StringVal = sub.Description.c_str();
if (!EcSetSubscriptionProperty(hSubscription,
EcSubscriptionDescription,
NULL,
&vPropertyValue))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Set the subscription type property (collector initiated).
vPropertyValue.Type = EcVarTypeUInt32;
vPropertyValue.UInt32Val = sub.SubscriptionType;
if (!EcSetSubscriptionProperty(hSubscription,
EcSubscriptionType,
NULL,
&vPropertyValue))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Set the URI property that specifies the URI of all the event sources.
vPropertyValue.Type = EcVarTypeString;
vPropertyValue.StringVal = sub.URI.c_str();
if (!EcSetSubscriptionProperty(hSubscription,
EcSubscriptionURI,
NULL,
&vPropertyValue))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Set the Query property that defines the query used by the event
// source to select events that are forwarded to the event collector.
vPropertyValue.Type = EcVarTypeString;
vPropertyValue.StringVal = sub.Query.c_str();
if (!EcSetSubscriptionProperty(hSubscription,
EcSubscriptionQuery,
NULL,
&vPropertyValue))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Set the Log File property that specifies where the forwarded events
// will be stored.
vPropertyValue.Type = EcVarTypeString;
vPropertyValue.StringVal = sub.DestinationLog.c_str();
if (!EcSetSubscriptionProperty(hSubscription,
EcSubscriptionLogFile,
NULL,
&vPropertyValue))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Set the ConfigurationMode property that specifies the mode in which events
// are delivered.
vPropertyValue.Type = EcVarTypeUInt32;
vPropertyValue.UInt32Val = sub.ConfigMode;
if (!EcSetSubscriptionProperty(hSubscription,
EcSubscriptionConfigurationMode,
NULL,
&vPropertyValue))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// If the Configuration Mode is Custom, set the DeliveryMode, DeliveryMaxItems,
// HeartbeatInterval, and DeliveryMaxLatencyTime properties.
if ( sub.ConfigMode == EcConfigurationModeCustom)
{
// Set the DeliveryMode property that defines how events are delivered.
// Events can be delivered through either a push or pull model.
vPropertyValue.Type = EcVarTypeUInt32;
vPropertyValue.UInt32Val = sub.DeliveryMode;
if (!EcSetSubscriptionProperty(hSubscription,
EcSubscriptionDeliveryMode,
NULL,
&vPropertyValue))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Set the DeliveryMaxItems property that specifies the maximum number of
// events that can be batched when forwarded from the event sources.
vPropertyValue.Type = EcVarTypeUInt32;
vPropertyValue.UInt32Val = sub.MaxItems;
if (!EcSetSubscriptionProperty(hSubscription,
EcSubscriptionDeliveryMaxItems,
NULL,
&vPropertyValue))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Set the HeartbeatInterval property that defines the time interval, in
// seconds, that is observed between the heartbeat messages.
vPropertyValue.Type = EcVarTypeUInt32;
vPropertyValue.UInt32Val = sub.HeartbeatInerval;
if (!EcSetSubscriptionProperty(hSubscription,
EcSubscriptionHeartbeatInterval,
NULL,
&vPropertyValue))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Set the DeliveryMaxLatencyTime property that specifies how long, in
// seconds, the event source should wait before forwarding events.
vPropertyValue.Type = EcVarTypeUInt32;
vPropertyValue.UInt32Val = sub.MaxLatencyTime;
if (!EcSetSubscriptionProperty(hSubscription,
EcSubscriptionDeliveryMaxLatencyTime,
NULL,
&vPropertyValue))
{
dwRetVal = GetLastError();
goto Cleanup;
}
}
// Set the ContentFormat property that specifies the format for the event content.
vPropertyValue.Type = EcVarTypeUInt32;
vPropertyValue.UInt32Val = sub.ContentFormat;
if (!EcSetSubscriptionProperty(hSubscription,
EcSubscriptionContentFormat,
0,
&vPropertyValue))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Set the CredentialsType property that specifies the type of credentials
// used in the event subscription.
vPropertyValue.Type = EcVarTypeUInt32;
vPropertyValue.UInt32Val = sub.CredentialsType;
if (!EcSetSubscriptionProperty(hSubscription,
EcSubscriptionCredentialsType,
0,
&vPropertyValue))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Set the Enabled property that is used to enable or disable the subscription
// or to obtain the current status of a subscription.
vPropertyValue.Type = EcVarTypeBoolean;
vPropertyValue.BooleanVal = sub.SubscriptionStatus;
if (!EcSetSubscriptionProperty(hSubscription,
EcSubscriptionEnabled,
0,
&vPropertyValue))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Get the user name and password used to connect to the event sources
wcout << "Enter credentials used to connect to the event sources. " << endl <<
"Enter user name: " << endl;
wcin >> sub.UserName;
cout << "Enter password: " << endl;
wchar_t c;
while( (c = _getwch()) && c != '\n' && c != '\r' && sub.Password.length() < 512)
{sub.Password.append(1, c);}
// Set the CommonUserName property that is used by the local and remote
// computers to authenticate the user with the source of the events. This
// property is used across all the event sources available for this subscription.
vPropertyValue.Type = EcVarTypeString;
vPropertyValue.StringVal = sub.UserName.c_str();
if (!EcSetSubscriptionProperty(hSubscription,
EcSubscriptionCommonUserName,
NULL,
&vPropertyValue))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Set the CommonPassword property that is used by the local and remote
// computers to authenticate the user with the source of the events.
// Use Credential Manager Functions to handle Password information.
vPropertyValue.Type = EcVarTypeString;
vPropertyValue.StringVal = sub.Password.c_str();
if (!EcSetSubscriptionProperty(hSubscription,
EcSubscriptionCommonPassword,
NULL,
&vPropertyValue))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// When you have finished using the credentials,
// erase them from memory.
sub.UserName.erase();
sub.Password.erase();
//----------------------------------------------
// Add event sources.
// Ensure that a handle to the event sources array has been obtained.
//Initialize the Event Sources Array
dwRetVal = GetProperty( hSubscription,
EcSubscriptionEventSources,
0,
buffer,
vEventSource);
if (vEventSource->Type != EcVarTypeNull &&
vEventSource->Type != EcVarObjectArrayPropertyHandle)
{
dwRetVal = ERROR_INVALID_DATA;
goto Cleanup;
}
hArray = (vEventSource->Type == EcVarTypeNull)? NULL:
vEventSource->PropertyHandleVal;
if(!hArray)
{
dwRetVal = ERROR_INVALID_DATA;
goto Cleanup;
}
if (!EcGetObjectArraySize(hArray, &dwEventSourceCount))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Step 3: Add a new event source to the event source array.
if (!EcInsertObjectArrayElement(hArray,
dwEventSourceCount))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Set the properties of the event source
// Set the EventSourceAddress property that specifies the address
// of the event forwarding computer, this property can be localhost
// or a fully-qualified domain name.
vSourceProperty.Type = EcVarTypeString;
vSourceProperty.StringVal = eventSource.c_str();
if (!EcSetObjectArrayProperty( hArray,
EcSubscriptionEventSourceAddress,
dwEventSourceCount,
0,
&vSourceProperty))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Set the EventSourceEnabled property that enables the event source
// to forward events.
vSourceProperty.Type = EcVarTypeBoolean;
vSourceProperty.BooleanVal = status;
if (!EcSetObjectArrayProperty(hArray,
EcSubscriptionEventSourceEnabled,
dwEventSourceCount,
0,
&vSourceProperty))
{
dwRetVal = GetLastError();
goto Cleanup;
}
//----------------------------------------------
// Step 3: Save the subscription.
// Save the subscription with the associated properties
// This will create the subscription and store it in the
// subscription repository
if( !EcSaveSubscription(hSubscription, NULL) )
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Step 4: Close the subscription.
Cleanup:
if(hSubscription)
EcClose(hSubscription);
if(hArray)
EcClose(hArray);
if (dwRetVal != ERROR_SUCCESS)
{
FormatMessageW( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
dwRetVal,
0,
(LPWSTR) &lpwszBuffer,
0,
NULL);
if (!lpwszBuffer)
{
wprintf(L"Failed to FormatMessage. Operation Error Code: %u." \
L"Error Code from FormatMessage: %u\n", dwRetVal, GetLastError());
return;
}
wprintf(L"\nFailed to Perform Operation.\nError Code: %u\n" \
L" Error Message: %s\n", dwRetVal, lpwszBuffer);
LocalFree(lpwszBuffer);
}
}
DWORD GetProperty(EC_HANDLE hSubscription,
EC_SUBSCRIPTION_PROPERTY_ID propID,
DWORD flags,
std::vector<BYTE>& buffer,
PEC_VARIANT& vProperty)
{
DWORD dwBufferSize, dwRetVal = ERROR_SUCCESS;
buffer.resize(sizeof(EC_VARIANT));
if (!hSubscription)
return ERROR_INVALID_PARAMETER;
// Get the value for the specified property.
if (!EcGetSubscriptionProperty(hSubscription,
propID,
flags,
(DWORD) buffer.size(),
(PEC_VARIANT)&buffer[0],
&dwBufferSize) )
{
dwRetVal = GetLastError();
if (ERROR_INSUFFICIENT_BUFFER == dwRetVal)
{
dwRetVal = ERROR_SUCCESS;
buffer.resize(dwBufferSize);
if (!EcGetSubscriptionProperty(hSubscription,
propID,
flags,
(DWORD) buffer.size(),
(PEC_VARIANT)&buffer[0],
&dwBufferSize))
{
dwRetVal = GetLastError();
}
}
}
if (dwRetVal == ERROR_SUCCESS)
{
vProperty = (PEC_VARIANT) &buffer[0];
}
else
{
vProperty = NULL;
}
return dwRetVal;
}
구독이 올바르게 작동하는지 확인
이벤트 수집기 컴퓨터에서 다음 절차를 완료합니다.
관리자 권한 명령 프롬프트에서 다음 명령을 실행하여 구독의 런타임 상태 가져옵니다.
wecutil gr<subscriptionID>
이벤트 원본이 연결되어 있는지 확인합니다. 이벤트 원본이 연결될 구독을 만든 후 정책에 지정된 새로 고침 간격이 끝날 때까지 기다려야 할 수 있습니다.
다음 명령을 실행하여 구독 정보를 가져옵니다.
wecutil gs<subscriptionID>
구독 정보에서 DeliveryMaxItems 값을 가져옵니다.
이벤트 원본 컴퓨터에서 이벤트 구독의 쿼리와 일치하는 이벤트를 발생합니다. 전달하려면 DeliveryMaxItems 이벤트 수를 발생시켜야 합니다.
이벤트 수집기 컴퓨터에서 이벤트가 ForwardedEvents 로그 또는 구독에 지정된 로그로 전달되었는지 확인합니다.
관련 항목
피드백
출시 예정: 2024년 내내 콘텐츠에 대한 피드백 메커니즘으로 GitHub 문제를 단계적으로 폐지하고 이를 새로운 피드백 시스템으로 바꿀 예정입니다. 자세한 내용은 다음을 참조하세요. https://aka.ms/ContentUserFeedback
다음에 대한 사용자 의견 제출 및 보기