MUI en-US

Out of memory.%0
Failed to open output file: %1!s!.%0
Failed to open config file: %1!s!.%0
Invalid config file.%0
Failed to read from config file.%0
Failed to initialize COM.%0
Failed to read subscription id from config file.%0
Failed to open subscription.%0
Failed to save subscription.%0
The subscription is saved successfully, but it can't be activated at this time. Use retry-subscription command to retry the subscription. If subscription is running, you can also use get-subscriptionruntimestatus command to get extended error status.
Failed to delete subscription.%0
Failed to open subscription enumeration.%0
Failed to enumerate subscriptions.%0
Failed to get %1!s! property.%0
Failed to set %1!s! property.%0
Failed to retry event source: %1!s!.%0
Failed to retry subscription. %0
Format is not supported.%0
Invalid delivery mode %d.%0
Invalid content format %d.%0
Invalid property value '%1!s!' (%2!s!).%0
Command %1!s! is not supported.%0
Invalid option %1!s!. Option name is not specified.%0
Invalid option %1!s!. Option is specified more than once.%0
Invalid option %1!s!. Option is not integer.%0
Invalid option %1!s!. Option value is not specified.%0
Invalid option %1!s!. Option is not Boolean.%0
Invalid option %1!s!. Option is not supported.%0
Too many arguments are specified.%0
Required argument(s) is/are not specified.%0
Internal error.%0
Failed to read password.%0
EventSourceAddress is not specified.%0
Command is not specified.%0
No event source is found for this subscription.%0
Root node of config file is not Subscription or in correct namespace.%0
Warning: event source %1!s! is disabled.%0
Subscription %1!s! already exists.%0
Can not add event source %1!s!
when it already exists.%0

Windows Event Collector Utility

Enables you to create and manage subscriptions to events forwarded from remote event sources that support WS-Management protocol.

Usage:

You can use either the short (i.e. es, /f) or long (i.e. enum-subscription, /format) version of the command and option names. Commands, options and option values are case-insensitive.

(ALL UPPER-CASE = VARIABLE)

wecutil COMMAND [ARGUMENT [ARGUMENT] ...] [/OPTION:VALUE [/OPTION:VALUE] ...]

Commands:

es (enum-subscription)               List existent subscriptions.
gs (get-subscription)                Get subscription configuration.
gr (get-subscriptionruntimestatus)   Get subscription runtime status.
ss (set-subscription)                Set subscription configuration.
cs (create-subscription)             Create new subscription.
ds (delete-subscription)             Delete subscription.
rs (retry-subscription)              Retry subscription.
qc (quick-config)                    Configure Windows Event Collector service.

Common options:

/h|? (help)
Get general help for the wecutil program.

wecutil { -help | -h | -? }

For arguments and options, see usage of specific commands:

wecutil COMMAND -?

Create a remote subscription.

Usage:

wecutil { cs | create-subscription } CONFIGURATION_FILE [/OPTION:VALUE [/OPTION:VALUE] ...]

CONFIGURATION_FILE
String that specifies the path to the XML file that contains subscription configuration. The path can be absolute or relative to the current directory.

Options:

You can use either the short (i.e. /cun) or long (i.e. /CommonUserName) version of the option names. Options and their values are case-insensitive.

/cun:USERNAME (CommonUserName)
Sets shared user credential to be used for event sources that do not have their own user credentials. This option applies to collector initiated subscriptions only.
Note: if this option is specified, UserName/UserPassword settings for individual event sources from the configuration file are ignored.
If you want to use different credential for a specific event source, use ss (set-subscription) command to set it for the event source.

/cup:PASSWORD (CommonUserPassword)
Sets the user password for the shared user credential. When PASSWORD is set to * (asterisk), the password is read from the console. This option is only valid when /cun (CommonUserName) option is specified.

Example:

Create a collector initiated subscription to forward events from the Application event log of a remote computer mySource.myDomain.com to ForwardedEvents log.

wecutil cs ci_subscription.xml

Content of ci_subscription.xml:

<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>SampleCISubscription</SubscriptionId>
    <SubscriptionType>CollectorInitiated</SubscriptionType>
    <Description>Collector Initiated Subscription Sample</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>

    <!-- Use Normal (default), Custom, MinLatency, MinBandwidth -->
    <ConfigurationMode>Custom</ConfigurationMode>

    <Delivery Mode="Push">
        <Batching>
            <MaxItems>20</MaxItems>
            <MaxLatencyTime>60000</MaxLatencyTime>
        </Batching>
        <PushSettings>
            <HostName>thisMachine.myDomain.com</HostName>
            <Heartbeat Interval="60000"/>
        </PushSettings>
    </Delivery>

    <Expires>2010-01-01T00:00:00.000Z</Expires>

    <Query>
        <![CDATA[
            <QueryList>
                <Query Path="Application">
                    <Select>*</Select>
                </Query>
            </QueryList>
        ]]>
    </Query>

    <ReadExistingEvents>false</ReadExistingEvents>
    <TransportName>http</TransportName>
    <ContentFormat>RenderedText</ContentFormat>
    <Locale Language="en-US"/>
    <LogFile>ForwardedEvents</LogFile>
    <CredentialsType>Default</CredentialsType>

    <EventSources>
        <EventSource Enabled="true">
            <Address>mySource.myDomain.com</Address>
            <UserName>myUserName</UserName>
        </EventSource>
    </EventSources>
</Subscription>

Example:

Create a source initiated subscription to forward events from the Application event log of a remote computer mySource.myDomain.com to
ForwardedEvents log.

wecutil cs si_subscription.xml

Content of si_subscription.xml:

<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>SampleSISubscription</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Source Initiated Subscription Sample</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>

    <!-- Use Normal (default), Custom, MinLatency, MinBandwidth -->
    <ConfigurationMode>Custom</ConfigurationMode>

    <Delivery Mode="Push">
        <Batching>
            <MaxItems>1</MaxItems>
            <MaxLatencyTime>1000</MaxLatencyTime>
        </Batching>
        <PushSettings>
            <Heartbeat Interval="60000"/>
        </PushSettings>
    </Delivery>

    <Expires>2018-01-01T00:00:00.000Z</Expires>

    <Query>
        <![CDATA[
            <QueryList>
                <Query Path="Application">
                    <Select>Event[System/EventID='999']</Select>
                </Query>
            </QueryList>
        ]]>
    </Query>

    <ReadExistingEvents>true</ReadExistingEvents>
    <TransportName>http</TransportName>
    <ContentFormat>RenderedText</ContentFormat>
    <Locale Language="en-US"/>
    <LogFile>ForwardedEvents</LogFile>
    <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
    <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>

Note, that when creating a source initiated subscription, if AllowedSourceDomainComputers, AllowedSourceNonDomainComputers/AllowedIssuerCAList, AllowedSubjectList, and DeniedSubjectList are all empty, then a default will be provided for AllowedSourceDomainComputers - O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS). This SDDL default grants members of the Domain Computers domain group, as well as the local Network Service group (for local forwarder), the ability to raise events for this subscription.

List the names of all existent remote event subscriptions.

Usage:

wecutil { es | enum-subscription }

Example:

List event subscriptions.

wecutil es

Displays remote subscription configuration information.
Usage:

wecutil { gs | get-subscription } SUBSCRIPTION_ID [/OPTION:VALUE [/OPTION:VALUE] ...]

SUBSCRIPTION_ID
String that uniquely identifies a subscription, specified by the <SubscriptionId> tag of the XML configuration file used to create the subscription

Options:

You can use either the short (i.e. /f) or long (i.e. /format) version of the option names. Options and their values are case-insensitive.

/f:VALUE (format)
VALUE can be XML or Terse. If VALUE is XML, print output in XML. If VALUE is Terse (default), print value as name-value pairs.

/u:VALUE (unicode)
Display output in unicode (UTF-16). VALUE can be true or false. If VALUE is true then output is in Unicode.

Example:

Output configuration information on a subscription named sub1.

wecutil gs sub1

Example output:

Subscription Id: sub1
SubscriptionType: CollectorInitiated
Description: Push Collector Initiated Subscription
Enabled: true
Uri: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
ConfigurationMode: Custom
DeliveryMode: Push
DeliveryMaxItems: 1
DeliveryMaxLatencyTime: 1000
HostName: thisMachine.myDomain.com
HeartbeatInterval: 60000
Expires: 2010-01-01T00:00:00.000Z
Query: <QueryList>
           <Query Path="Application">
               <Select>*</Select>
           </Query>
       </QueryList>
ReadExistingEvents: true
TransportName: http
ContentFormat: RenderedText
Locale: en-US
LogFile: ForwardedEvents
CredentialsType: Default
CommonUserName: Administrator
CommonUserPassword: *

EventSource[0]:
    Address: mySource.myDomain.com
    Enabled: true
    UserName: myUserName
    UserPassword: *

EventSource[1]:
    Address: mySource1.myDomain.com
    Enabled: true
    UserName: myUserName
    UserPassword: *

Displays subscription runtime status.

Usage:

wecutil { gr | get-subscriptionruntimestatus } SUBSCRIPTION_ID [EVENT_SOURCE [EVENT_SOURCE] ...]
SUBSCRIPTION_ID
String that uniquely identifies a subscription, specified by the <SubscriptionId> tag of the XML configuration file used to create the subscription

EVENT_SOURCE
String that identifies a machine serving as a source of events using fully-qualified domain name, NetBIOS name, or an IP address.

Example:

Display runtime status of subscription named sub1.

wecutil gr sub1

Subscription: sub1
    RunTimeStatus: Active
    LastError: 0
    ErrorMessage:
    ErrorTime: 2007-01-01T12:00:00.000
    NextRetryTime:
    LastHeartbeatTime:

    EventSources:
        MYSOURCE$
            RunTimeStatus: Active
            LastError: 0
            ErrorMessage:
            ErrorTime:
            NextRetryTime:
            LastHeartbeatTime: 2007-01-01T12:15:00.000

Deletes a specific subscription and unsubscribes from all event sources that deliver events into the Event Log for the subscription. Any events already received and logged are not deleted.

Usage:

wecutil { ds | delete-subscription } SUBSCRIPTION_ID

SUBSCRIPTION_ID
String that uniquely identifies a subscription, specified by the <SubscriptionId> tag of the XML configuration file used to create the subscription

Example:

Delete a subscription named sub1.

wecutil ds sub1

Retries inactive subscription by attempting to reactivate all or specified event sources by establishing a connection and sending a remote subscription request. Disabled sources are not retried.

Usage:

wecutil { rs | retry-subscription } SUBSCRIPTION_ID [EVENT_SOURCE [EVENT_SOURCE] ...]

SUBSCRIPTION_ID
String that uniquely identifies a subscription, specified by the <SubscriptionId> tag of the XML configuration file used to create the subscription

EVENT_SOURCE
String that identifies a machine serving as a source of events using fully-qualified domain name, NetBIOS name, or an IP address.

Example:

Retry all sources of a subscription named sub1.

wecutil rs sub1

Sets subscription configuration by changing subscription parameters from the command line or by using an XML configuration file.
Usage:

wecutil { ss | set-subscription } SUBSCRIPTION_ID [/OPTION:VALUE [/OPTION:VALUE] ...]

wecutil { ss | set-subscription } /c:CONFIG_FILE [/cus:USERNAME [/cup:PASSWORD] ...]

SUBSCRIPTION_ID
String that uniquely identifies a subscription, specified by the <SubscriptionId> tag of the XML configuration file used to create the subscription

Options:

You can use either the short (i.e. /q) or long (i.e. /Query) version of the option names. Options and their values are case-insensitive.

COMMON OPTIONS (for all type of subscriptions):

/c:CONFIG_FILE (Config)
String that specifies the path to the XML file that contains subscription configuration. The path can be absolute or relative to the current directory. This option may only be used with the optional /cus (CommonUserName) and /cup (CommonUserPassword) options and is mutually exclusive with all other options.

/e[:VALUE] (enabled)
Enable or disable a subscription. VALUE can be true or false. The default value of this option is true.

/d:DESCRIPTION (Description)
String that describes the subscription.

/ex:DATE_TIME (Expires)
String that specifies the subscription expiration time. DATE_TIME value is specified in standard XML or ISO8601 date-time format: yyyy-MM-ddThh:mm:ss[.sss][Z], where T is the time separator and Z indicates UTC time.

/uri:URI
String that specifies the type of the events consumed by the subscription. The address of the event source machine along with the URI uniquely identifies the source of the events.

/cm:CONFIGURATION_MODE (ConfigurationMode)
String that specifies the configuration mode. CONFIGURATION_MODE can be one of the following strings: Normal, Custom, MinLatency or MinBandwidth. The Normal, MinLatency, and MinBandwidth modes set delivery mode, delivery max items, heartbeat interval, and delivery max latency time. The /dm (DeliveryMode), /dmi (DeliveryMaxItems), /hi (HeartbeatInterval) or /dmlt (DeliveryMaxLatencyTime) option may only be specified if the configuration mode is set to Custom.

/q:QUERY (Query)
String that specifies that query string for the subscription. The format of this string may be different for different URI values and applies to all sources in the subscription.

/dia:DIALECT (Dialect)
String that specifies the dialect the query string uses.

/cf:FORMAT (ContentFormat)
String that specifies the format of the returned events. FORMAT can be Events or RenderedText. When the value is RenderedText, the events are returned with the localized strings (such as event description) attached to the event. The default value of FORMAT is RenderedText.

/l:LOCALE (Locale)
String that specifies the locale for delivery of the localized strings in RenderedText format. LOCALE is a language/country culture identifier, for example, "en-US". This option is valid only if /cf (ContentFormat) option is set to "RenderedText".

/ree[:VALUE] (ReadExistingEvents)
Specifies which events are to be delivered for the subscription. VALUE can true or false. When the VALUE is true, all existing events are read from the subscription event sources. When the VALUE is false, only future (arriving) events are delivered. The default value is true for an /ree option without a value. If no /ree option is specified, the default value is false.

/lf:FILENAME (LogFile)
String that specifies the local event log used to store events received from the event sources.

/pn:PUBLISHER (PublisherName)
String that specifies the publisher name. It must be a publisher which owns or imports log specified by /lf (LogFile) option.

/dm:MODE (DeliveryMode)
String that specifies the delivery mode. MODE can be either pull or push for collector initiated subscriptions and only push for source initiated subscriptions. This option is valid only if /cm (ConfigurationMode) option is set to Custom.

/dmi:NUMBER (DeliveryMaxItems)
A number that specifies the maximum number of items for batched delivery. This option is valid only if /cm (ConfigurationMode) is set to Custom.

/dmlt:MS (DeliveryMaxLatencyTime)
A number that specified the maximum latency in delivering a batch of events. MS is the number of milliseconds. This option is valid only if /cm (ConfigurationMode) is set to Custom.

/hi:MS (HeartbeatInterval)
A number that specifies the heartbeat interval for push subscriptionsm, or the polling interval for pull subscriptions. MS is the number of milliseconds. This option is valid only if /cm (ConfigurationMode) is set to Custom.

/tn:TRANSPORTNAME (TransportName)
String that specifies the name of the transport used to connect to remote event source. It can be http or https.

/esa:EVENT_SOURCE (EventSourceAddress)
Specifies the address of an event source. EVENT_SOURCE is a string that identifies a machine serving as a source of events using fully-qualified domain name, NetBIOS name, or an IP address. This option should be used with /ese (EventSourceEnabled), /aes (AddEventSource), /res (RemoveEventSource), or /un (UserName) and /up (UserPassword) options.

/ese[:VALUE] (EventSourceEnabled)
Enable or disable an event source. VALUE can be true or false. This option is allowed only if /esa (EventSourceAddress) option is specified. The default value of this option is true.

OPTIONS SPECIFIC TO COLLECTOR INITIATED SUBSCRIPTIONS:

/aes (AddEventSource)
Adds event source specified by the /esa (EventSourceAddress) option, if it is not already a part of the subscription. If the address specified by the /esa (EventSourceAddress) is already a part of the subscription, an error is raised. This option is allowed only if /esa (EventSourceAddress) option is specified.

/res (RemoveEventSource)
Removes event source specified by the /esa (EventSourceAddress) option, if it is already a part of the subscription. If the address specified by the /esa (EventSourceAddress) is not a part of the subscription, an error is raised. This option is allowed only if /esa (EventSourceAddress) option is specified.

/un:USERNAME (UserName)
Specifies user credential to be used with the source specified by the /esa (EventSourceAddress) option. This option is allowed only if /esa (EventSourceAddress) option is specified.

/up:PASSWORD (UserPassword)
Sets the user password for the user credential for the source specified by the /esa (EventSourceAddress) option. This option is allowed only if /un (UserName) option is specified.

/tp:TRANSPORTPORT (TransportPort)
Port number used by transport when connecting to remote event source. If not specified the port defaults to the standard one used for the given transport name: 80 for http, 443 for https

/hn:NAME (HostName)
String that specifies the FQDNS name of the local machine. This name is used by remote event source to push back events and must be used for push subscription only. It is used in scenarios involving multi-homed servers that may have multiple FQDNS names.

/ct:TYPE (CredentialsType)
String that specifies the credential type to be used for remote source access. TYPE may be one of the following values: "default", "negotiate", "digest", "basic" or "localmachine". The default value is "default".

/cun:USERNAME (CommonUserName)
Sets shared user credential to be used for event sources that do not have their own user credentials.
Note: if this option is specified with the /c (Config) option, UserName/UserPassword settings for individual event sources from the configuration file are ignored. If you want to use different credential for a specific event source, you may override this value by specifying the /un (UserName) and /up (UserPassword) for a specific event source on the command line of another ss (set-subscription) command.

/cup:PASSWORD (CommonUserPassword)
Sets the user password for the shared user credential. When PASSWORD is set to * (asterisk), the password is read from the console. This option is only valid when /cun (CommonUserName) option is specified.

OPTIONS SPECIFIC TO SOURCE INITIATED SUBSCRIPTIONS:

/ica:THUMBPRINTS (AllowedIssuerCA)
Sets the list of issuer certificate thumbprints, in a comma separated list.

/as:SUBJECTS (AllowedSubjects)
Comma separated list of strings that specifies the DNS names of non-domain computers allowed to initiate subscriptions. The names may be specified using wildcards, like "*.mydomain.com". By default this list is empty.

/ds:SUBJECTS (DeniedSubjects)
Comma separated list of strings that specifies the DNS names of non-domain computers not allowed to initiate subscriptions. The names may be specified using wildcards, like "*.mydomain.com". By default this list is empty.

/adc:SDDL (AllowedSourceDomainComputers)
A string which specifies which domain computers are allowed or not to initiate subscriptions, in SDDL format. Default is to allow all domain computers.

EXAMPLES:

Update subscription configuration named sub1 from a new XML file, WsSelRg2.xml.

wecutil ss sub1 /c:%Windir%\system32\WsSelRg2.xml

Update subscription configuration named sub2 with multiple parameters:

wecutil ss sub2 /esa:myComputer /ese /un:uname /up:* /cm:Normal

Update the allowed and denied subject lists for a source initiated subscription:

wecutil ss sub3 /as:"*.private.mydomain.com" /ds:"*.public.mydomain.net,*.mydomain.tv"

Configures Windows Event Collector service to make sure subscription can be created and sustained through reboots. This includes the following steps:

1. Enable ForwardedEvents channel if disabled.
2. Set Windows Event Collector service to delay start (Vista and later only).
3. Start Windows Event Collector service if not running.

Usage:

wecutil { qc | quick-config } [/OPTION:VALUE]

Options:

You can use either the short (i.e. /q) or long (i.e. /quiet) version of the option names. Options and their values are case-insensitive.

/q[:VALUE] (Quiet)
VALUE can be true or false. If true, quick-config will not prompt for confirmation. The default value of this option is false.

Example:

wecutil qc

Failed to configure Windows Event Collector service properly. Please try again later.%0
Type the password for %1!s!:%0
Warning: Configuration mode for the subscription is not Custom. Delivery properties are not customizable for such mode. As a result, Delivery node from the provided configuration file will be ignored.
Configuration mode for the subscription is not Custom. Property %1!s! can't be set for this mode.
The service startup mode will be changed to Delay-Start. Would you like to proceed ( %c- yes or %c- no)?%0
Y%0
N%0
Windows Event Collector service was configured successfully.

VS_VERSION_INFO
StringFileInfo 040904B0
CompanyName: Microsoft Corporation
FileDescription: Event Collector Command Line Utility
FileVersion: 6.3.9600.16384 (winblue_rtm.130821-1623)
InternalName: WECUTIL.EXE
LegalCopyright: Microsoft Corporation. All rights reserved.
OriginalFilename: WECUTIL.EXE.MUI
ProductName: Microsoft Windows Operating System
ProductVersion: 6.3.9600.16384
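
Added example (not part of wecutil or its help text): a Python check of a subscription XML file against three rules stated in the help above: the default AllowedSourceDomainComputers SDDL that applies when every allow/deny list is empty, the Delivery node being ignored unless ConfigurationMode is Custom, and push-only delivery for source initiated subscriptions. SAMPLE, the function names and the finding texts are constructed for illustration, and the trustee table covers only a few well-known SDDL abbreviations.

```python
import re
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.microsoft.com/2006/03/windows/events/subscription"}
# Default quoted in the help text for source initiated subscriptions.
DEFAULT_ADC = "O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)"
# A few well-known SDDL trustee abbreviations; anything else is shown raw.
TRUSTEES = {"DC": "Domain Computers", "NS": "Network Service",
            "AU": "Authenticated Users", "WD": "Everyone"}
BROAD = {"Domain Computers", "Authenticated Users", "Everyone"}

# Constructed sample: source initiated, no allow/deny lists, non-Custom mode.
SAMPLE = """<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>ConstructedSample</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Delivery Mode="Push"><Batching><MaxItems>1</MaxItems></Batching></Delivery>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers></AllowedSourceDomainComputers>
</Subscription>"""


def parse_dacl(sddl):
    """Return (allow|deny, rights, trustee) for every ACE in the DACL."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1) if m else ""):
        fields = body.split(";")  # type;flags;rights;object;inherit;trustee
        if len(fields) == 6:
            kind = {"A": "allow", "D": "deny"}.get(fields[0], fields[0])
            aces.append((kind, fields[2], TRUSTEES.get(fields[5], fields[5])))
    return aces


def _text(root, tag):
    el = root.find("s:" + tag, NS)
    return (el.text or "").strip() if el is not None else ""


def audit(xml_text):
    """Check one subscription document; return type, effective ACEs, findings."""
    root = ET.fromstring(xml_text)
    sub_type = _text(root, "SubscriptionType").lower()
    mode = _text(root, "ConfigurationMode") or "Normal"  # Normal is the default
    delivery = root.find("s:Delivery", NS)
    findings, aces = [], []
    if delivery is not None and mode.lower() != "custom":
        findings.append("Delivery node is ignored: ConfigurationMode is " + mode)
    if sub_type == "sourceinitiated":
        if delivery is not None and delivery.get("Mode", "").lower() == "pull":
            findings.append("Pull delivery is not valid for source initiated")
        adc = _text(root, "AllowedSourceDomainComputers")
        nd = root.find("s:AllowedSourceNonDomainComputers", NS)
        nd_empty = nd is None or (len(nd) == 0 and not (nd.text or "").strip())
        if not adc and nd_empty:
            adc = DEFAULT_ADC  # the help text says this default is supplied
            findings.append("All allow/deny lists empty: default SDDL applies")
        aces = parse_dacl(adc)
        for kind, rights, who in aces:
            if kind == "allow" and who in BROAD:
                findings.append("%s may forward events (%s)" % (who, rights))
    return {"type": sub_type, "aces": aces, "findings": findings}


if __name__ == "__main__":
    for line in audit(SAMPLE)["findings"]:
        print(line)
```

Replacing the empty AllowedSourceDomainComputers element with an SDDL string that names one specific group SID, and setting ConfigurationMode to Custom, clears all three findings for the sample.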