WinRM 5986
Windows Server 2022 Unable to Simultaneously Collect and Forward Events
We have a scenario where we are using a single Windows Server 2022 OS as a WEC, collecting events from multiple devices across the network. The same server then acts as a client, forwarding these events on to a SIEM tool that acts as a WEC. Essentially the Windows Server is an aggregator that funnels logs to the SIEM.

This setup works fine with a Server 2019 OS. However, in Server 2022 the upstream forwarding will fail intermittently with Event ID 103 "Subscription was unsubscribed" messages. This has been tested across 3 different environments (completely different ADs and infrastructures).

Please note we have followed the steps in https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/events-not-forwarded-by-windows-server-collector for the 2019 server. The SDDL already matches these recommendations in 2022, but we have repeated the steps on the 2022 server to test the effect and it has made no difference. I have also checked https://learn.microsoft.com/en-us/windows/application-management/svchost-service-refactoring. However, neither article acknowledges Server 2022.

The SACL permissions for WinRM and the Event Collector service match those specified in the first article and I can see no further reason for this behaviour. Has anyone else come across this problem, or can anyone provide guidance on the recommended WinRM SDDL/service split configuration to support this setup on Server 2022?
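As an added diagnostic example (not from the original post, and not Microsoft's own tooling), the following PowerShell gathers on one collector the facts the post is reasoning about: whether wecsvc and WinRM share a svchost process after the service refactoring, which service SIDs each has, whether the WSMan URL reservations on the listener ports grant both SIDs, how many Event ID 103 "unsubscribed" events the forwarding plugin has logged recently, and which subscriptions are configured. It assumes an elevated session on the Server 2022 collector, the default service names wecsvc and WinRM, the default listener ports 5985/5986, and the Microsoft-Windows-Forwarding/Operational log. It only reads state and changes nothing, so it can be run on the 2019 server as well to compare the two outputs side by side.

```powershell
# Added diagnostic example, not from the original post. Assumes an elevated
# PowerShell session on the collector, default service names (wecsvc, WinRM),
# default WSMan ports (5985/5986) and the standard forwarding-plugin log.
# Read-only: nothing below modifies services, ACLs or subscriptions.

$services = 'wecsvc', 'WinRM'

# 1. Are wecsvc and WinRM hosted in the same svchost process?
#    The svchost refactoring splits services into separate processes on
#    hosts with enough memory, so the two services may no longer share a PID.
$svc = Get-CimInstance Win32_Service -Filter "Name='wecsvc' OR Name='WinRM'" |
    Select-Object Name, State, StartName, ProcessId
$svc | Format-Table -AutoSize
if (($svc.ProcessId | Select-Object -Unique).Count -eq 1) {
    Write-Host 'wecsvc and WinRM share one svchost process.'
} else {
    Write-Host 'wecsvc and WinRM run in separate svchost processes.'
}

# 2. Service SIDs. "sc.exe showsid <name>" prints a "SERVICE SID: S-1-5-80-..."
#    line; the URL ACL on the WSMan listener is expressed in terms of these.
$sids = @{}
foreach ($name in $services) {
    $out = & sc.exe showsid $name
    $m = [regex]::Match(($out -join ' '), 'S-1-5-80-[\d-]+')
    if ($m.Success) { $sids[$name] = $m.Value }
}
$sids.GetEnumerator() | ForEach-Object { '{0,-8} {1}' -f $_.Key, $_.Value }

# 3. Does the WSMan URL reservation on each listener port list both SIDs?
#    The collector (wecsvc) has to be allowed to bind the same URL as WinRM.
foreach ($url in 'http://+:5985/wsman/', 'https://+:5986/wsman/') {
    $acl = (& netsh http show urlacl url=$url) -join "`n"
    Write-Host "`nURL ACL for $url"
    Write-Host $acl
    foreach ($name in $services) {
        $present = $sids[$name] -and $acl -match [regex]::Escape($sids[$name])
        Write-Host ('  {0,-8} SID present: {1}' -f $name, $present)
    }
}

# 4. Recent Event ID 103 ("unsubscribed") entries from the forwarding plugin,
#    the symptom described in the post. Bucketing them per hour shows whether
#    the failure is intermittent or constant.
$since = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Forwarding/Operational'
    Id        = 103
    StartTime = $since
} -ErrorAction SilentlyContinue
if ($events) {
    $events | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize
} else {
    Write-Host "No Event ID 103 entries since $since."
}

# 5. Subscriptions configured on this collector (wecutil es lists their names;
#    "wecutil gs <name>" then shows the settings of an individual one).
& wecutil.exe es
```

Run it on both the 2019 and the 2022 collector and diff the output: a difference in step 1 (one process versus two) or in step 3 (a service SID missing from the 5985/5986 reservation on only one of the two hosts) is the kind of configuration divergence that the troubleshooting article cited in the post addresses, while identical output on both hosts points the investigation elsewhere.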