Forum Discussion

GregecSLO_MO's avatar
GregecSLO_MO
Copper Contributor
Jul 11, 2025

Windows event collector (WEC) troubles

Hi all. I have really frustrating issue I can`t resolve. We have set up WEC, a long time ago... Now I upgraded in-place to server 2025 and it`s behaving really weird. Problem is this: I created n...
WEC
WEC Server
wef
windows event forwarding
Windows Server
kyazaferr's avatar
kyazaferr
MCT
Oct 08, 2025

Why this happens

The Event Collector service (wecsvc) keeps per-client state in the C:\Windows\System32\winevt\SubscriptionManager folder.

During in-place upgrades, those entries sometimes get corrupted or marked inactive.

After a reboot or sleep cycle, the client sends again, but the collector refuses it because it still sees it as “disabled.”

wecutil es

→ lists all subscriptions and states.

and on the affected client:

wecutil gs
winrm enumerate winrm/config/subscriptionmanager


Make sure the client points to the correct collector and that WinRM is working:

winrm id -r:MyWecServer


If connectivity is fine, proceed to refresh the subscription.

Reset or re-register the inactive source

On the collector, run:

wecutil ss "DomainComputers" /c:My-Personal-PC /r


This resets the subscription state for that computer.
You can also remove and re-add the affected source by deleting the .subscription cache under:

C:\Windows\System32\winevt\SubscriptionManager


and restarting the Windows Event Collector service:

net stop wecsvc
net start wecsvc


Then on the client:

wecutil qc /q


This reconfigures the local WinRM listener and re-registers with the collector. Rebuild the subscription if the problem persists

If multiple machines are stuck as inactive:

Export your subscription:

wecutil gs "DomainComputers" > C:\temp\DomainComputers.xml


Delete it:

wecutil ds "DomainComputers"


Re-import:

wecutil cs C:\temp\DomainComputers.xml


Restart wecsvc.

Verify group policy and permissions

Ensure the Event Log Readers and Network Service accounts still have rights after upgrade:

Group Policy path:
Computer Configuration → Administrative Templates → Windows Components → Event Forwarding

The Collector Initiated Subscriptions require that the computer accounts of sources have permission to read and send events.

Sometimes upgrading resets the WinRM service ACLs.
You can restore them:

winrm quickconfig -q

Monitor runtime state

Run:

wecutil gr "DomainComputers"


“Active” means healthy; “Inactive” means collector still sees the client as stale.
If it stays inactive after you’ve verified connectivity, clear the cache again and restart wecsvc.

Resources