windows event forwarding
4 Topics

Windows event collector (WEC) troubles
Hi all. I have a really frustrating issue I can't resolve. We set up WEC a long time ago... Now I upgraded in-place to Server 2025 and it's behaving really weird. The problem is this: I created a new subscription and my PC was sending events just fine yesterday. I rebooted the server and my PC, still all is fine. Turned off my PC, went to sleep, started working in the morning and NO logs from my machine in WEC. At all. Other PCs are also randomly sending logs, some yes, some no. So I tested WinRM connectivity, all fine.

Error on my PC:

    The forwarder is having a problem communicating with subscription manager at address http://MYWECSERVER:5985/wsman/SubscriptionManager/WEC. Error code is 2150859263 and Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859263" Machine="MYWECSERVER"><f:Message> <f:ProviderFault provider="Subscription Manager Provider" path="%systemroot%\system32\WsmSvc.dll"> <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859263" Machine="MYWECSERVER"> <f:Message>The event source of the push subscription is in disable or inactive on the Event controller server. </f:Message></f:WSManFault></f:ProviderFault></f:Message></f:WSManFault>.

I also have some errors on the WEC server:

    The Subscription DomainComputers could not be activated on target machine MY-PERSONAL-PC due to communication error. Error Code is 0. All retries have been performed before reaching this point and so the subscription will remain inactive on this target until subscription is resubmitted / reset. Additional fault message: eventsource is in either disable or inactive state

OR

    The Subscription DomainComputers could not be activated on target machine MY-PERSONAL-PC due to communication error. Error Code is 20. All retries have been performed before reaching this point and so the subscription will remain inactive on this target until subscription is resubmitted / reset. Additional fault message: eventsource is in either disable or inactive state

Also the runtime status looks like this: a lot of Active computers, mine is in yellow Inactive state... I have NO idea how to fix this, why it works for some clients and not for others, and the most perplexing question, why it worked yesterday until sleep. Just like that, WEC sets the status to Inactive, and then my PC sends logs but the status does not change back to Active. Thanks for all suggestions!

365 Views, 0 Likes, 0 Comments

Windows Server 2022 Unable to Simultaneously Collect and Forward Events
We have a scenario where we are using a single Windows Server 2022 OS as a WEC, collecting events from multiple devices across the network. The same server then acts as a client, forwarding these events on to a SIEM tool that acts as a WEC. Essentially the Windows Server is an aggregator that funnels logs to the SIEM. This setup works fine with a Server 2019 OS. However, in Server 2022 the upstream forwarding fails intermittently with Event ID 103 "Subscription was unsubscribed" messages. This has been tested across 3 different environments (completely different ADs and infrastructures). Please note we have followed the steps in https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/events-not-forwarded-by-windows-server-collector for the 2019 server. The SDDL already matches these recommendations in 2022, but we have repeated the steps on the 2022 server to test the effect and it has made no difference. I have also checked https://learn.microsoft.com/en-us/windows/application-management/svchost-service-refactoring. However, neither article acknowledges Server 2022. The SACL permissions for WinRM and the Event Collector service match those specified in the first article and I can see no further reason for this behaviour. Has anyone else come across this problem, or can anyone provide guidance on the recommended WinRM SDDL/service split configuration to support this setup on Server 2022?

1.3K Views, 0 Likes, 0 Comments

Windows Event Forwarding Transport Encryption with Kerberos?
Hello out there, I would like to use Windows Event Forwarding, but I have a requirement that the traffic between the Windows Event Collector and the endpoints should be encrypted. On Microsoft web pages I find contradictory statements about whether transport encryption exists for this. On one side they say that the connection is encrypted by Kerberos (probably by WinRM) (https://learn.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection#are-wef-events-encrypted-i-see-an-httphttps-option), and on the other side they say it is better to use IPsec or certificates to secure the transport of the log data. Kerberos I had always understood as an authentication protocol and not as a transport encryption protocol (at least not primarily). My question: does Kerberos encrypt the log data between the Windows Event Collector and the endpoints, or only the authentication information of Kerberos?

2.2K Views, 0 Likes, 1 Comment

Windows WEF subscriptions evaluation
Hello, I have searched online and cannot find an answer on how Windows Event Forwarding subscriptions are evaluated, in what priority or order, when there are overlapping subscriptions or conflicts. I also cannot seem to decipher the outcomes when I test. Here goes. My base config is Source Initiated, and applies to all Domain Controllers and Domain Computers. I use GP to enable security auditing across most of the auditing categories, as per MS, ASD, Palantir, SwiftOnSecurity and IGOR documentation. I have the Network Service as an Event Log Readers group member across the entire domain. If I create a GUI-initiated subscription to collect the entire Security event log, all of my computers quickly subscribe and I see all kinds of security-related event IDs. If I copy-paste the XML query from the GUI for the subscription above, drop it into a subscription XML file, and create the subscription using wecutil cs <name.xml>, I get no logs forwarded. All the clients stop sending logs. There are no Event Forwarder Plugin Event 102 errors either.

-- The XML Query

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*</Select>
      </Query>
    </QueryList>

Question: Why does the exact same subscription work when created using the GUI vs. created using the XML file (preferred)?

1.3K Views, 0 Likes, 0 Comments
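The query above is only the <Query> fragment of a subscription; wecutil cs expects a complete subscription document, and the GUI silently fills in the rest (delivery mode, destination log, and the SDDL that says which computers are allowed to forward). The file below is an added example, not part of the post above and not from Microsoft's documentation: a complete source-initiated subscription wrapping the poster's Security query. The SubscriptionId, description, batching values and the AllowedSourceDomainComputers SDDL are assumptions for illustration; the SDDL shown grants the Domain Computers (DC) and Domain Controllers (DD) well-known SIDs, which is what a source-initiated subscription typically needs, but the correct value for a given domain should be taken from an existing working subscription (wecutil gs <GUI-subscription-name> /f:xml) rather than from this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example subscription file for "wecutil cs security-all.xml".
     Everything except the <Query> body is an assumption; compare each
     element against "wecutil gs <name> /f:xml" of a working GUI subscription. -->
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wsman/subscription">

  <!-- Assumed name; this is what "wecutil gr" reports status under. -->
  <SubscriptionId>SecurityLog-AllDomainComputers</SubscriptionId>

  <!-- Source-initiated: clients push, collector does not poll them. -->
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Collect the full Security log from domain computers (example).</Description>
  <Enabled>true</Enabled>

  <!-- Standard EventLog resource URI used by WEF. -->
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>

  <!-- Custom lets the Delivery block below take effect. -->
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <!-- Assumed values: deliver each event within ~1 s. -->
      <MaxItems>1</MaxItems>
      <MaxLatencyTime>1000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <!-- Heartbeat keeps the client's runtime status Active between events. -->
      <Heartbeat Interval="60000"/>
    </PushSettings>
  </Delivery>

  <!-- The query from the post, unchanged. It MUST be wrapped in CDATA;
       a bare <QueryList> here is not a valid <Query> body. -->
  <Query>
    <![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
  </Query>
</QueryList>
    ]]>
  </Query>

  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>

  <!-- Destination log on the collector. -->
  <LogFile>ForwardedEvents</LogFile>

  <!-- Which forwarders may subscribe. Left empty, NO domain computer is
       allowed and clients silently send nothing, with no 102 error on
       the client side. Assumed SDDL: Domain Computers and Domain Controllers
       (the default when one uses the GUI). -->
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
```

To use it, save the file on the collector, run wecutil cs security-all.xml, then wecutil gr SecurityLog-AllDomainComputers to see whether clients move to Active after their next refresh. If the file still yields no events, export the working GUI subscription with wecutil gs <GUI-subscription-name> /f:xml and diff it against this file; the two documents should differ only in SubscriptionId and Description.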