Cookie.Monster
Guest
Greetings,
I recently set up a test Event Collection server (win2k8 r2) with a source computer initiated subscription and corresponding GPO. I set this up on a test desktop PC prior, with the same settings (apart from the server address in the GPO).
In both cases, I run winrm qc, and test a connection from another PC without issue.
On the desktop PC, the forwarding seemed to work, although intermittently it would stop collecting logs and the System logs would show Event ID 10149 twice, and then Event ID 10148 twice. Considering that winrm is set up and available from another PC, the following link is not very helpful in troubleshooting this: http://www.google.com/url?sa=t&source=web&cd=1&ved=0CCgQFjAA&url=http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fdd363600(v%3Dws.10).aspx&ei=GIyDTrveGenj0QGVx620AQ&usg=AFQjCNEdAbLhM7w4GmIV51pPggI1ZR7kVg
On the server, the forwarding has resulted in no logs thus far, although the symptoms appear to be the same (same errors). Additionally, all Source Computers show up as Inactive.
Regarding the event collection, it is set up as follows:
Subscription Id: DC-Sec
SubscriptionType: SourceInitiated
Description: Selected Security logs from Domain Controllers
Enabled: true
Uri: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
ConfigurationMode: Custom
DeliveryMode: Push
DeliveryMaxItems: 5
DeliveryMaxLatencyTime: 180000
HeartbeatInterval: 300000
Query: <QueryList><Query Id="0"><Select Path="Security">*[System[(EventID=4652 or EventID=4653 or EventID=4720 or EventID=4724 or EventID=4725 or EventID=4726 or EventID=4727 or EventID=4728 or EventID=4730 or EventID=4731 or EventID=4740 or EventID=4741 or EventID=4743 or EventID=4749 or EventID=4753 or EventID=4754 or EventID=4758 or EventID=4759 or EventID=4767 or EventID=4771 or EventID=4772 or EventID=4773 or EventID=4775 or EventID=4777 or EventID=4983 or EventID=4984)]]</Select></Query></QueryList>
ReadExistingEvents: false
TransportName: HTTP
ContentFormat: Events
Locale: en-US
LogFile: ForwardedEvents
PublisherName: microsoft-windows-eventcollector
AllowedIssuerCAList:
AllowedSubjectList:
DeniedSubjectList:
AllowedSourceDomainComputers: O:NSG:BAD(A;;GA;;;DD)S:
Nothing helpful on the collection server Windows Remote Management events. I ran gpupdate on the source computers, rebooted them. In the Eventlog-ForwardingPlugin log I see error 102 (The subscription DC-Sec can not be created. The error code is 5004).
Any tips on what could be causing WinRM to intermittently fail? Rebooting has not helped. I'm not going to bother re-installing as this happened on two PCs with the same setup, I assume I might have some configuration out of place?
Your insight would be greatly appreciated!
Regards,
W
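As an added example (not part of the post above, and not Microsoft's code), here is a small Python linter for a `wecutil gs <subscription>` dump like the one quoted: it re-joins values the console wrapped at 80 columns (which split the word "or" in the Query into "o" / "r"), checks that the Query is well-formed XML and lists the selected EventIDs, and decodes the AllowedSourceDomainComputers SDDL so it is explicit which computers the collector will accept. The sample dump is copied from the post; the well-known SID table is an assumption limited to the abbreviations a WEF subscription commonly uses (BA, NS, SY, AU, WD, DD, DC, DU). Standard SDDL writes the DACL marker as `D:`, while the string as posted has `D(` with no colon, so the parser accepts both forms.

```python
"""Lint a `wecutil gs <subscription>` dump: rejoin console-wrapped values,
check the XPath query is well-formed, list the selected EventIDs and decode
the AllowedSourceDomainComputers SDDL to show which computers may register."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the relevant lines of the dump quoted in the post above.
# The console wrapped the Query at 80 columns, splitting "or" into "o" / "r".
SAMPLE_DUMP = """Subscription Id: DC-Sec
SubscriptionType: SourceInitiated
Enabled: true
Uri: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
DeliveryMode: Push
Query: <QueryList><Query Id="0"><Select Path="Security">*[System[(EventID=4652 o
r EventID=4653 or EventID=4720 or EventID=4724 or EventID=4725 or EventID=4726 o
r EventID=4727 or EventID=4728 or EventID=4730 or EventID=4731 or EventID=4740 o
r EventID=4741 or EventID=4743 or EventID=4749 or EventID=4753 or EventID=4754 o
r EventID=4758 or EventID=4759 or EventID=4767 or EventID=4771 or EventID=4772 o
r EventID=4773 or EventID=4775 or EventID=4777 or EventID=4983 or EventID=4984)]
]</Select></Query></QueryList>
TransportName: HTTP
AllowedIssuerCAList:
AllowedSubjectList:
DeniedSubjectList:
AllowedSourceDomainComputers: O:NSG:BAD(A;;GA;;;DD)S:
"""

KEY_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):(.*)$")

def parse_dump(text):
    """Return {field: value}; a line without a 'Key:' prefix continues the previous value."""
    fields, key = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).strip()
            fields[key] = m.group(2)
        elif key is not None:
            fields[key] += line  # wrapped mid-word, so join with no separator
    return {k: v.strip() for k, v in fields.items()}

# Subset of SDDL two-letter SID abbreviations (assumed sufficient for WEF subscriptions).
WELL_KNOWN = {
    "BA": "BUILTIN\\Administrators", "NS": "NT AUTHORITY\\NETWORK SERVICE",
    "SY": "NT AUTHORITY\\SYSTEM", "AU": "Authenticated Users", "WD": "Everyone",
    "DD": "Domain Controllers", "DC": "Domain Computers", "DU": "Domain Users",
}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}
ACE_TYPES = {"A": "Allow", "D": "Deny"}

# O:owner G:group D[:][flags](aces...) S[:][flags](aces...); the colon after D/S is optional
# here because the string quoted in the post omits it.
SDDL_RE = re.compile(
    r"^O:(?P<owner>.*?)G:(?P<group>.*?)"
    r"D:?(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^)]*\))*)"
    r"S:?(?P<sflags>[A-Z]*)(?P<sacl>(?:\([^)]*\))*)$")

def decode_ace(ace):
    """Decode one '(type;flags;rights;objguid;inhguid;sid)' ACE into a dict."""
    ace_type, _flags, rights, _obj, _inh, sid = (ace.strip("()").split(";") + [""] * 6)[:6]
    if rights.startswith("0x"):
        rights_list = [rights]  # raw access mask, leave as-is
    else:
        rights_list = [RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)]
    return {"type": ACE_TYPES.get(ace_type, ace_type), "rights": rights_list,
            "trustee": WELL_KNOWN.get(sid, sid)}

def decode_sddl(sddl):
    """Split an SDDL string into owner, group, DACL and SACL with decoded ACEs."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not a recognisable SDDL string: %r" % sddl)
    aces = lambda s: [decode_ace(a) for a in re.findall(r"\([^)]*\)", s)]
    return {"owner": WELL_KNOWN.get(m["owner"], m["owner"]),
            "group": WELL_KNOWN.get(m["group"], m["group"]),
            "dacl_flags": m["dflags"], "dacl": aces(m["dacl"]), "sacl": aces(m["sacl"])}

def lint_subscription(text):
    """Parse a dump and report query validity, selected EventIDs and who may register."""
    f = parse_dump(text)
    report = {"id": f.get("Subscription Id"), "query_ok": False, "event_ids": [],
              "allowed": [], "denied": [], "warnings": []}
    try:
        root = ET.fromstring(f.get("Query", ""))
        selects = [s.text or "" for s in root.iter("Select")]
        report["query_ok"] = bool(selects)
        report["event_ids"] = sorted({int(n) for s in selects for n in re.findall(r"EventID=(\d+)", s)})
    except ET.ParseError as e:
        report["warnings"].append("Query is not well-formed XML: %s" % e)
    sddl = f.get("AllowedSourceDomainComputers", "")
    if sddl:
        sd = decode_sddl(sddl)
        report["allowed"] = [a["trustee"] for a in sd["dacl"] if a["type"] == "Allow"]
        report["denied"] = [a["trustee"] for a in sd["dacl"] if a["type"] == "Deny"]
    if not report["allowed"]:
        report["warnings"].append("DACL grants no one: no source computer can register")
    elif set(report["allowed"]) <= {"Domain Controllers"}:
        report["warnings"].append("only members of Domain Controllers are accepted; "
                                  "workstations and member servers will be refused")
    if f.get("Enabled", "").lower() != "true":
        report["warnings"].append("subscription is disabled")
    return report

if __name__ == "__main__":
    r = lint_subscription(SAMPLE_DUMP)
    print("subscription", r["id"], "query_ok", r["query_ok"], "events", len(r["event_ids"]))
    print("allowed:", r["allowed"], "denied:", r["denied"])
    for w in r["warnings"]:
        print("WARNING:", w)
```

Run it against the output of `wecutil gs <id>` saved to a file (or against the sample in the block) to get a one-screen summary of what a subscription actually selects and whom its DACL lets register; the SDDL decoding is the part that is hardest to read by eye in the raw dump.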