
Problem with WEC

Михаил Андросов 476 Reputation points
2024-09-28T19:37:09.6866667+00:00

Hi everybody!

In the infrastructure, I need to configure the SYSMON utility event collector server.

The collector server runs on Windows Server 2019. I configure it according to the Microsoft documentation, following the Collector Initiated Subscription rule:

https://learn.microsoft.com/en-us/windows/win32/wec/creating-an-event-collector-subscription

To collect using a dedicated account, I added an account to the Event Log Readers on the source servers. I also added a NETWORK SERVICE account to this log.

I check the operation of the configured system by creating a subscription to collect Application logs. The logs are collected normally.

I added Microsoft-Windows-Sysmon/Operational log to my subscription. But events from this log are not collected.

If I disable the collection of the Application log in the subscription, then the subscription stops working. And the Runtime Status on the server gives the following error status:

(0x138C): <f:ProviderFault provider="Event Forwarding Plugin" path="C:\Windows\system32\wevtfwd.dll" xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault"><t:ProviderError xmlns:t="http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog">Windows Event Forward plugin can't read any event from the query since the query returns no active channel. Please check channels in the query and make sure they exist and you have access to them.</t:ProviderError></f:ProviderFault>

I launched the wevtutil utility on the source server:

C:\Windows\system32>wevtutil gl /r:localhost "Microsoft-Windows-Sysmon/Operational"
name: Microsoft-Windows-Sysmon/Operational
enabled: true
type: Operational
owningPublisher: Microsoft-Windows-Sysmon
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
  retention: false
  autoBackup: false
  maxSize: 67108864
publishing:
  fileMax: 1

I see S-1-5-32-573 in channelAccess, which corresponds to the Event Log Readers group.

The source servers are running Windows Server 2016.

I'm asking for help. I can't understand why SYSMON logs aren't being collected.

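The forwarding error quoted in the question says the channel must both exist on the source and be readable by the account the collector uses. The following is an added example, not part of the question or any answer, that handles the access half of that check: it decodes the channelAccess SDDL string that wevtutil gl prints (the sample is the one from the post) and reports which principals hold the read bit 0x1 on the channel. The alias table and friendly names are the standard SDDL two-letter aliases and well-known SIDs; the READ_ACCESS constant, the function names and the assumption that channelAccess uses hex rights masks are mine. The per-principal check evaluates only ACEs naming that SID directly and does not expand group membership, so an account that can read only because it is a member of Event Log Readers shows as having no direct ACE, which is exactly the situation the post describes for NETWORK SERVICE. Whether the channel exists on each source still has to be confirmed with wevtutil gl on that host.

```python
import re

# Sample channelAccess string, copied from the wevtutil gl output in the question.
SAMPLE_SDDL = ("O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)"
               "(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)")

# Low bit of an event-log channel access mask: permission to read events
# (assumed naming; the bit value is what the post's descriptor grants to readers).
READ_ACCESS = 0x1

# Standard SDDL two-letter aliases expanded to SIDs (only the subset needed here).
# Tokens not in this table are treated as literal SIDs.
SID_ALIASES = {
    "SY": "S-1-5-18",      # LOCAL SYSTEM
    "NS": "S-1-5-20",      # NETWORK SERVICE
    "LS": "S-1-5-19",      # LOCAL SERVICE
    "BA": "S-1-5-32-544",  # Administrators
    "BO": "S-1-5-32-551",  # Backup Operators
    "SO": "S-1-5-32-549",  # Server Operators
    "AU": "S-1-5-11",      # Authenticated Users
    "WD": "S-1-1-0",       # Everyone
}

# Friendly names for reporting (well-known SIDs).
SID_NAMES = {
    "S-1-5-18": "LOCAL SYSTEM",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-573": "Event Log Readers",
    "S-1-5-11": "Authenticated Users",
    "S-1-1-0": "Everyone",
}

_ACE_RE = re.compile(r"\(([^)]*)\)")
# "D:" followed by optional DACL flags (P, AI, AR ...) and then the ACE list.
_DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")


def resolve_sid(token):
    """Expand an SDDL alias such as 'BA' to a SID; pass literal SIDs through."""
    return SID_ALIASES.get(token, token)


def parse_dacl(sddl):
    """Return the DACL as a list of dicts: type ('A' allow / 'D' deny), rights (int), sid."""
    m = _DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL (D:) section in SDDL string")
    aces = []
    for body in _ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _obj, _inherit_obj, sid = fields
        if not rights.lower().startswith("0x"):
            # channelAccess descriptors use hex masks; alias-style rights such as
            # 'GR' are out of scope for this example.
            raise ValueError(f"non-hex rights mask not supported: {rights}")
        aces.append({"type": ace_type, "rights": int(rights, 16),
                     "sid": resolve_sid(sid)})
    return aces


def has_read(sddl, principal):
    """True if an allow ACE grants READ_ACCESS to this SID/alias and no deny ACE
    on the same SID removes it. Direct ACEs only; groups are not expanded."""
    sid = resolve_sid(principal)
    granted = False
    for ace in parse_dacl(sddl):
        if ace["sid"] != sid or not ace["rights"] & READ_ACCESS:
            continue
        if ace["type"] == "D":
            return False  # an explicit deny of the read bit always wins
        if ace["type"] == "A":
            granted = True
    return granted


def principals_with_read(sddl):
    """SIDs holding the read bit through an allow ACE, in DACL order, minus denied ones."""
    sids = []
    for ace in parse_dacl(sddl):
        s = ace["sid"]
        if (ace["type"] == "A" and ace["rights"] & READ_ACCESS
                and s not in sids and has_read(sddl, s)):
            sids.append(s)
    return sids


def report(sddl, required=("S-1-5-32-573", "S-1-5-20")):
    """Describe who can read the channel and whether each required principal can."""
    lines = [f"{s} ({SID_NAMES.get(s, 'unknown')}): read"
             for s in principals_with_read(sddl)]
    for sid in required:
        name = SID_NAMES.get(sid, sid)
        lines.append(f"{name}: {'OK' if has_read(sddl, sid) else 'NO DIRECT READ ACE'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SDDL)))
```

On the post's descriptor the report lists LOCAL SYSTEM, Administrators, Backup Operators, Server Operators and Event Log Readers as readers, confirms Event Log Readers, and flags NETWORK SERVICE as having no direct ACE, which is why its membership in Event Log Readers on every source host is the thing to verify next.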