Forum Discussion

GregecSLO_MO's avatar
GregecSLO_MO
Copper Contributor
Jul 11, 2025

Windows event collector (WEC) troubles

Hi all.

I have really frustrating issue I can`t resolve. We have set up WEC, a long time ago...
Now I upgraded in-place to server 2025 and it`s behaving really weird.

Problem is this:
I created new subscription and my PC was sending events just fine yesterday. I rebooted server and my PC, still all is fine.

Turned off my PC, went to sleep, started working in the morning and NO logs from my machine in WEC. At all.

Other PCs also randomy sending logs some yes some no.

So I tested WinRM connectivity all fine.

Error on my PC:

The forwarder is having a problem communicating with subscription manager at address http://MYWECSERVER:5985/wsman/SubscriptionManager/WEC. Error code is 2150859263 and

Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859263" Machine="MYWECSERVER"><f:Message>

<f:ProviderFault provider="Subscription Manager Provider" path="%systemroot%\system32\WsmSvc.dll">

<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859263" Machine="MYWECSERVER">

<f:Message>The event source of the push subscription is in disable or inactive on the Event controller server. </f:Message></f:WSManFault></f:ProviderFault></f:Message></f:WSManFault>.

I have also some errors on WEC server:

The Subscription DomainComputers could not be activated on target machine MY-PERSONAL-PC due to communication error. Error Code is 0. All retries have been performed before reaching this point and so the subscription will remain inactive on this target until subscription is resubmitted / reset.

Additional fault message: eventsource is in either disable or inactive state

OR

The Subscription DomainComputers could not be activated on target machine MY-PERSONAL-PC due to communication error. Error Code is 20. All retries have been performed before reaching this point and so the subscription will remain inactive on this target until subscription is resubmitted / reset. Additional fault message: eventsource is in either disable or inactive state

Also runtime status is like this:
A lot of Active computers, mine is in yellow Inactive state...

I have NO idea how to fix this, and why it works for some clients and not for others and most perplexing question, why it worked yesterday until sleep.

Just like that WEC sets status to Inactive and then my PC sends logs and does not change status back to Active.

Thanks for all suggestions!

WEC
WEC Server
wef
windows event forwarding
Windows Server

1 Reply

  • kyazaferr's avatar
    kyazaferr
    MCT
    Oct 08, 2025

    Why this happens

    The Event Collector service (wecsvc) keeps per-client state in the C:\Windows\System32\winevt\SubscriptionManager folder.

    During in-place upgrades, those entries sometimes get corrupted or marked inactive.

    After a reboot or sleep cycle, the client sends again, but the collector refuses it because it still sees it as “disabled.”

    wecutil es

    → lists all subscriptions and states.

    and on the affected client:

    wecutil gs
    winrm enumerate winrm/config/subscriptionmanager


    Make sure the client points to the correct collector and that WinRM is working:

    winrm id -r:MyWecServer


    If connectivity is fine, proceed to refresh the subscription.

    Reset or re-register the inactive source

    On the collector, run:

    wecutil ss "DomainComputers" /c:My-Personal-PC /r


    This resets the subscription state for that computer.
    You can also remove and re-add the affected source by deleting the .subscription cache under:

    C:\Windows\System32\winevt\SubscriptionManager


    and restarting the Windows Event Collector service:

    net stop wecsvc
    net start wecsvc


    Then on the client:

    wecutil qc /q


    This reconfigures the local WinRM listener and re-registers with the collector. Rebuild the subscription if the problem persists

    If multiple machines are stuck as inactive:

    Export your subscription:

    wecutil gs "DomainComputers" > C:\temp\DomainComputers.xml


    Delete it:

    wecutil ds "DomainComputers"


    Re-import:

    wecutil cs C:\temp\DomainComputers.xml


    Restart wecsvc.

    Verify group policy and permissions

    Ensure the Event Log Readers and Network Service accounts still have rights after upgrade:

    Group Policy path:
    Computer Configuration → Administrative Templates → Windows Components → Event Forwarding

    The Collector Initiated Subscriptions require that the computer accounts of sources have permission to read and send events.

    Sometimes upgrading resets the WinRM service ACLs.
    You can restore them:

    winrm quickconfig -q

    Monitor runtime state

    Run:

    wecutil gr "DomainComputers"


    “Active” means healthy; “Inactive” means collector still sees the client as stale.
    If it stays inactive after you’ve verified connectivity, clear the cache again and restart wecsvc.

Resources