Windows event subscription creation issue, error: Windows Event Forward plugin can't read any event from the query since the query returns no active channel

Question

Windows event subscription creation issue, error: Windows Event Forward plugin can't read any event from the query since the query returns no active channel

Md Mahfuzur Rahman 20

Hi,

I have enabled Windows event forwarding in the source machine using the following commands:


```` Enable-PSRemoting -Force
winrm quickconfig -quiet
$logName = "Microsoft-Windows-DNSServer/Analytical"
# Create a new EventLogConfiguration object
$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logName
# Enable the log
$log.IsEnabled = $true
# Save the changes
$log.SaveChanges()
$groupName = "Event Log Readers"
# Verify the computer exists
$computer = Get-ADComputer -Identity $collectorName -ErrorAction Stop
Add-ADGroupMember -Identity $groupName -Members $computer

using command:`
Enable-PSRemoting -Force
winrm quickconfig -quiet

`Now when I create a subscription for collector initiated with the following powershell script:`
# Subscription details
$subscriptionName = "pull-subscription"
$eventQuery = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-DNSServer/Analytical">
    <Select Path="Microsoft-Windows-DNSServer/Analytical">*[System[(EventID=261)]]</Select>
  </Query>
</QueryList>
"@


# Create the subscription XML
$subscriptionXML = [xml]@"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>pull-subscription-2</SubscriptionId>
  <!-- Use Normal (default), Custom, MinLatency, MinBandwidth -->
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Subscription for DNS Server Analytical events</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <Content>Events</Content>
  <ReadExistingEvents>true</ReadExistingEvents>
  <EventSources>
    <EventSource>
      <Address>server2.domain.com</Address>
      <Transport>HTTP</Transport>
      <Port>5985</Port>
    </EventSource>
  </EventSources>
  <Query><![CDATA[$eventQuery]]></Query>
</Subscription>
"@

# Output the final XML
$subscriptionXml.OuterXml

# Create the subscription using wecutil
$subscriptionFile = [System.IO.Path]::GetTempFileName()
$subscriptionXml.Save($subscriptionFile)
wecutil cs $subscriptionFile
Remove-Item $subscriptionFile

`The runtime status of the subscription shows error: `Windows Event Forward plugin can't read any event from the query since 
the query returns no active channel. Please check channels in the query and make sure they exist and you have access 
to them.

`But I can see the query can run on the local machine and retrieve events.`

`It shows no error if I modify the $eventQuery to` @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-DNS-Client/Operational">
    <Select Path="Microsoft-Windows-DNS-Client/Operational">*</Select>
  </Query>
</QueryList>
"@

`How can I resolve the issue? Your help is highly appreciated.

Accepted answer

0 additional answers

Your answer

Answer 1

Rich Matheisen 47,901

Without an error code that points to a particular problem means we can only use the error text you provided. That may be enough, though.

https://serverfault.com/questions/763026/event-log-subscription-returns-error-code-0x138c

https://rockyprogress.wordpress.com/2011/12/04/security-event-log-collection-from-a-domain-controller/

You added the name of the server to the "Event Log Readers" group (I'm assuming you've waited a sufficiently long time to allow for AD replication to propagate the addition), but I think you need to add the "Network Service" account to the group.

You may also need to modify the Channel Access permission on the remote machines' log file.

Md Mahfuzur Rahman 20 Reputation points

2024-12-02T21:40:34.7533333+00:00
I have added Network Service to Event Log Readers. I also added Channel Access permission for network service using:

wevtutil sl Microsoft-Windows-DNSServer/Analytical /ca:"O:BAG:SYD:(A;;0xf0005;;;NS)"

Now I don't see the error any more. Thanks!

However, I don't see events are being pulled automatically. If I create subscription for regular Windows events using Filter for Select Events, it fetches periodically automatically. Is there any difference between Windows regular events and Windows DNS-Server/ Analytical? How can it fetch periodically for DNS-Server/Analytical?
Rich Matheisen 47,901 Reputation points

2024-12-02T23:48:53.37+00:00

I don't think ETW logs are supposed to be logging events all the time. Are you using Start-EtwTraceSession and Stop-EtwTraceSession? There are other ETW related cmdlets, too.

What are you trying to do with the events?
Md Mahfuzur Rahman 20 Reputation points

2024-12-02T23:57:17.5666667+00:00

I haven't used any cmdlets in addition to configuring Collector Initiated Events forwarding for DNSServer/Analytical. After set up, I just watch, but don't see new DNS queries in Forwarded Events until click Refresh in Windows Event Viewer subscription section.

From a C# program I am trying to see the DNS queries being sent to the domain controllers by using EventLogReader.
Rich Matheisen 47,901 Reputation points

2024-12-03T22:49:13.4866667+00:00

I don't have a DNS server so I'm pretty much useless at this point.

You might find this helpful: https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/secrets-from-the-deep-%E2%80%93-the-dns-analytical-log-%E2%80%93-part-1/1875094

And: https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/secrets-from-the-deep-%e2%80%93-the-dns-analytical-log-%e2%80%93-part-2/1898454

There may be additional information on the blog, but I haven't looked over all 2000+ articles.

Share via

Windows event subscription creation issue, error: Windows Event Forward plugin can't read any event from the query since the query returns no active channel

0 additional answers

Your answer