Windows Event Forwarding - WinRM issues
Greetings, I recently set up a test Event Collection server (win2k8 r2) with a source computer initiated subscription and corresponding GPO. I set this up on a test desktop PC prior, with the same settings (apart from the server address in the GPO). In both cases, I run winrm qc, and test a connection from another PC without issue. On the desktop PC, the forwarding seemed to work, although intermittently it would stop collecting logs and the System logs would show Event ID 10149 twice, and then Event ID 10148 twice. Considering that winrm is set up and available from another PC, the following link is not very helpful in troubleshooting this: http://www.google.com/url?sa=t&source=web&cd=1&ved=0CCgQFjAA&url=http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fdd363600(v%3Dws.10).aspx&ei=GIyDTrveGenj0QGVx620AQ&usg=AFQjCNEdAbLhM7w4GmIV51pPggI1ZR7kVg On the server, the forwarding has resulted in no logs thus far, although the symptoms appear to be the same (same errors). Additionally, all Source Computers show up as Inactive. 
Regarding the event collection, it is set up as follows:

Subscription Id: DC-Sec
SubscriptionType: SourceInitiated
Description: Selected Security logs from Domain Controllers
Enabled: true
Uri: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
ConfigurationMode: Custom
DeliveryMode: Push
DeliveryMaxItems: 5
DeliveryMaxLatencyTime: 180000
HeartbeatInterval: 300000
Query: <QueryList><Query Id="0"><Select Path="Security">*[System[(EventID=4652 or EventID=4653 or EventID=4720 or EventID=4724 or EventID=4725 or EventID=4726 or EventID=4727 or EventID=4728 or EventID=4730 or EventID=4731 or EventID=4740 or EventID=4741 or EventID=4743 or EventID=4749 or EventID=4753 or EventID=4754 or EventID=4758 or EventID=4759 or EventID=4767 or EventID=4771 or EventID=4772 or EventID=4773 or EventID=4775 or EventID=4777 or EventID=4983 or EventID=4984)]]</Select></Query></QueryList>
ReadExistingEvents: false
TransportName: HTTP
ContentFormat: Events
Locale: en-US
LogFile: ForwardedEvents
PublisherName: microsoft-windows-eventcollector
AllowedIssuerCAList:
AllowedSubjectList:
DeniedSubjectList:
AllowedSourceDomainComputers: O:NSG:BAD:P(A;;GA;;;DD)S:

Nothing helpful in the collection server's Windows Remote Management events. I ran gpupdate on the source computers and rebooted them. In the Eventlog-ForwardingPlugin log I see error 102 (The subscription DC-Sec can not be created. The error code is 5004). Any tips on what could be causing WinRM to intermittently fail? Rebooting has not helped. I'm not going to bother re-installing, as this happened on two PCs with the same setup; I assume I might have some configuration out of place? Your insight would be greatly appreciated! Regards, W
September 29th, 2011 12:17am

"The subscription DC-Sec can not be created. The error code is 5004" - This one seems to have been caused by "Network Service" not having permissions to the Security log. Add "Network Service" to the "Event Log Readers" group. You may need to reboot the server, as group membership is set at logon and "Network Service" logs on at start-up. Reference: http://blog.zenshaze.com/2011/06/13/event-forwarding-of-security-logs/ HTH. Thanks, Santosh (MCTS W2K8 AD and SCCM) To Infinity and Beyond
September 29th, 2011 5:54am
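A source-side checklist for the "error code 5004" condition, added here as an example; it is not part of Santosh's answer or of the thread. It runs in an elevated PowerShell on a source computer and assumes the subscription is still named DC-Sec. Besides the group membership Santosh mentions, it prints the Security channel's access SDDL, because membership in Event Log Readers only helps while that SDDL still grants read (0x1) to the group (S-1-5-32-573, which is the default), and it pulls the forwarder's own 102/103 events and the WinRM 10148/10149 System events that the question describes. net localgroup is used for the membership check because Get-LocalGroupMember does not exist on Windows Server 2008 R2.

```powershell
# Added example, not from the thread: checks on a WEF source computer for the
# "subscription ... can not be created, error code 5004" condition.
# Assumes the subscription name DC-Sec from the thread; run as Administrator.

$SubscriptionName = 'DC-Sec'

# 1. Local group membership. The forwarder runs as NETWORK SERVICE, which must be
#    able to read the Security log; membership in Event Log Readers is the usual way.
#    (net localgroup is used because Get-LocalGroupMember is absent on 2008 R2.)
$readers   = net localgroup 'Event Log Readers'
$inReaders = [bool]($readers | Select-String -SimpleMatch 'NETWORK SERVICE')
"NETWORK SERVICE in Event Log Readers : $inReaders"

# 2. Channel ACL. Membership only helps if the Security channel's SDDL still grants
#    read (0x1) to Event Log Readers (S-1-5-32-573, the default) or to NETWORK
#    SERVICE directly (NS / S-1-5-20).
$sddlLine = wevtutil gl Security | Select-String '^channelAccess:' | Select-Object -First 1
$sddl     = $sddlLine.Line -replace '^channelAccess:\s*', ''
$aclOk    = $sddl -match 'S-1-5-32-573|;NS\)|S-1-5-20'
"Security channelAccess               : $sddl"
"SDDL grants the forwarder read       : $aclOk"

# 3. Policy that points this source at the collector (the SubscriptionManager GPO).
#    Each value looks like Server=http://collector:5985/wsman/SubscriptionManager/WEC,Refresh=60
$smPath       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$collectorUrl = $null
if (Test-Path $smPath) {
    $key = Get-Item $smPath
    foreach ($name in $key.GetValueNames()) {
        $value = $key.GetValue($name)
        "SubscriptionManager[$name]           : $value"
        if ($value -match 'Server=(https?://[^/,]+)') { $collectorUrl = $matches[1] }
    }
} else {
    'SubscriptionManager policy           : NOT SET (GPO not applied?)'
}

# 4. WinRM on this host, and whether the collector's WinRM endpoint answers.
"WinRM service                        : $((Get-Service WinRM).Status)"
winrm enumerate winrm/config/listener
if ($collectorUrl) { winrm id "-r:$collectorUrl" }

# 5. What the forwarder itself logged for this subscription:
#    102 = subscription could not be created, 103 = unsubscribed.
$fwdFilter = @{ LogName = 'Microsoft-Windows-Forwarding/Operational'; Id = 102, 103 }
Get-WinEvent -FilterHashtable $fwdFilter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $SubscriptionName } |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap

# 6. The WinRM service events from the original question (10149 = not listening
#    for WS-Management requests, 10148 = listening again).
$sysFilter = @{ LogName = 'System'; Id = 10148, 10149 }
Get-WinEvent -FilterHashtable $sysFilter -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

If step 1 and step 2 both report true and the policy value is present, the 5004 is not a Security-log permission problem on that host, and the WinRM listener and the 10148/10149 pairs in step 4 and step 6 are the next place to look.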

Hello Santosh, I marked your answer as helpful as this is indeed the correct setup. Unfortunately, that link was one of the resources I used while setting this up; Network Service is already in Event Log Readers and all computers have since been rebooted. I recreated a subscription with cm 'Normal' this morning and did not touch it with wecutil. This seemed to work, until I set cm to Custom, hi to 600000 (10 minutes instead of default 15), dmlt to 600000 and dmi to 5. http://technet.microsoft.com/en-us/library/cc753183(WS.10).aspx for definitions if needed. Is there something I am missing? I am not entirely sure how each of these configurations impacts the system, but it doesn't seem like this should be failing. Will do some more testing and post results. Maybe someone with experience could help with a solution on setting this up, rather than troubleshooting my attempts. My goal is a source initiated subscription that collects logs at ~10 minute or smaller intervals. I am afraid the default 15 minute interval could lead to events being overwritten in the source log (again, not sure if this would impact whether I receive those logs). Regards, W
September 29th, 2011 9:44am
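The Custom-mode subscription W describes, written out as the XML file that wecutil cs takes, as an added example that is not part of the thread. It runs on the collector as Administrator, assumes wecutil qc has already been run, and uses the DC-Sec query from the thread with W's 10-minute values. One point the wecutil parameter names hide: MaxLatencyTime (dmlt) is the longest a source waits before pushing a batch that has fewer than MaxItems (dmi) events, so it is the value that bounds how late an event arrives; the Heartbeat interval (hi) is only a liveness signal the source sends when it has nothing to forward and does not decide how quickly events are delivered.

```powershell
# Added example, not from the thread: the DC-Sec subscription as a wecutil XML file.
# Run on the collector as Administrator after 'wecutil qc'. The 600000 ms values are
# W's 10-minute settings; the query and the SDDL are the ones from the thread.
$SubscriptionName = 'DC-Sec'
$xmlPath          = "$env:TEMP\$SubscriptionName.xml"   # assumed location

$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DC-Sec</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Selected Security logs from Domain Controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <!-- push when 5 events are queued, or after 10 minutes, whichever comes first -->
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>600000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <!-- liveness signal sent when there is nothing to forward; not a delivery interval -->
      <Heartbeat Interval="600000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList><Query Id="0"><Select Path="Security">
      *[System[(EventID=4652 or EventID=4653 or EventID=4720 or EventID=4724 or
        EventID=4725 or EventID=4726 or EventID=4727 or EventID=4728 or EventID=4730 or
        EventID=4731 or EventID=4740 or EventID=4741 or EventID=4743 or EventID=4749 or
        EventID=4753 or EventID=4754 or EventID=4758 or EventID=4759 or EventID=4767 or
        EventID=4771 or EventID=4772 or EventID=4773 or EventID=4775 or EventID=4777 or
        EventID=4983 or EventID=4984)]]
    </Select></Query></QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL from the thread: grants the subscription to Domain Controllers (DD) -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
'@

Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8

# Replace any existing copy of the subscription, then create it from the file.
if (wecutil es | Select-String -SimpleMatch $SubscriptionName) {
    wecutil ds $SubscriptionName
}
wecutil cs $xmlPath

# The in-place equivalent for a subscription that already exists (what W did):
#   wecutil ss DC-Sec /cm:Custom /hi:600000 /dmlt:600000 /dmi:5

# Stored configuration (the same listing W pasted) and per-source runtime status;
# the latter shows each source as Active or Inactive with LastHeartbeatTime and LastError.
wecutil gs $SubscriptionName
wecutil gr $SubscriptionName
```

After a source re-reads the SubscriptionManager policy (gpupdate on the source, as W did), it should move from Inactive to Active in wecutil gr within one heartbeat interval; a source that stays Inactive with a non-zero LastError is the one to inspect on its own side.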

Hello again, per my previous post, I am still having difficulty using any customized subscription. Additionally, I am facing a new issue. This morning I rebooted the collection server, and 1 hour after it came back online I have multiple source servers with event ID 103:

Log Name: Microsoft-Windows-Forwarding/Operational
Source: Microsoft-Windows-Forwarding
Date: 9/30/2011 11:08:01 AM
Event ID: 103
Task Category: None
Level: Information
Keywords:
User: NETWORK SERVICE
Computer: ****.viahealth.org
Description: The subscription **** is unsubscribed.

This functionality seems quite finicky. Each source computer (win2k8 r2) seems to get a mix of error 102 (subscription could not be created), 103 (unsubscribed) or success. The result is an inconsistent, incomplete and thus unusable subset of logs. Am I missing something? Regards, W
September 30th, 2011 1:25pm

Alrighty, after the weekend and another reboot of each source PC, the subscriptions seem to be successful on each source PC. Not sure why it took so long, and a bit nervous that the issue could easily recur, but this is all set for now! Thanks, w
October 3rd, 2011 11:19am
