Win2k8r2 Event Forwarding
Hi All,

Got a funny one here:

1) Got a 2k8r2 box set up as an Event collector (I have run Wecutil qc), just a member server.
2) I have 2 DCs I want to monitor; the collector box is a member of the Event Log Readers "Builtin" group, as well as the Network Service account. WINrm qc has been run on both boxes and they have both been rebooted.
3) On the collector machine I have created a subscription including both machines and configured it for certain security events.
4) The runtime status for both "DCS" says available, and events are being forwarded into the "Forwarded Events".

However, the events are all stating:

"The description for Event ID "??" from source Microsoft-Windows_Security_Auditing cannot be found. Either the component that raises the event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event"

This then replicates for all other events. Cannot find any meaty information elsewhere; was wondering if anyone else had seen it and resolved it?
December 13th, 2010 5:56am

Hi,

Does this error event log only appear in "Forwarded Events" on the collector computer, or does it also appear on the source computers?

What is the number of the error Event ID? (The description for Event ID "??" from source Microsoft-Windows_Security_Auditing cannot be found)

Do any other error event logs also appear?

Tim Quan
TechNet Subscriber Support in forum
December 13th, 2010 11:02pm

Hi, How are things going? I have not heard back from you in a few days and wanted to check on the status of the issue. Please let me know how things turned out. Tim Quan
December 16th, 2010 9:42pm

This topic is archived. No further replies will be accepted.
