Source Initiated Windows Event Forwarding WSMFault Access Denied Error Code: 5

Darel USGS 1 Reputation point
2020-12-15T18:01:27.17+00:00

Followed "Setting up a Source Initiated Subscription" (Setting up a Source Initiated Subscription - Win32 apps | Microsoft Learn), "Creating a Source Initiated Subscription" (Creating a Source Initiated Subscription - Win32 apps | Microsoft Learn) and "Spotting the Adversary with Windows Event Log Monitoring" (Spotting the Adversary with Windows Event Log Monitoring (nsa.gov)).

Collector: Windows Server 2016 1607 Standard
Source: Windows 10 1809
Environment: Active Directory

Appended (A;;0x1;;;S-1-5-20) to Application and System logs and (A;;0x1;;;NS)(A;;0x1;;;S-1-5-20) to Security log

Collected events are forwarded to a third-party application for analysis. The vendor requested that all events in the Application, Security and System logs be forwarded.

Eventlog-ForwardingPlugin/Operational

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Forwarding" Guid="{699e309c-e782-4400-98c8-e21d162d7b7b}" />
    <EventID>105</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2020-12-15T15:56:39.653090300Z" />
    <EventRecordID>2764</EventRecordID>
    <Correlation ActivityID="{a4919054-d2f0-0004-f890-91a4f0d2d601}" />
    <Execution ProcessID="5872" ThreadID="620" />
    <Channel>Microsoft-Windows-Forwarding/Operational</Channel>
    <Computer>SOURCE</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData Name="SubscriptionManagerStatus">
    <Data Name="SubscriptionManagerAddress">http://collector/wsman/SubscriptionManager/WEC</Data>
    <Data Name="ErrorCode">5</Data>
    <Data Name="ErrorMessage"><f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5" Machine="SOURCE"><f:Message>Access is denied. </f:Message></f:WSManFault></Data>
  </EventData>
</Event>

Windows Remote Management\Operational
User authentication

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" />
    <EventID>162</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>7</Task>
    <Opcode>0</Opcode>
    <Keywords>0x400000000000000a</Keywords>
    <TimeCreated SystemTime="2020-12-15T17:34:17.343906000Z" />
    <EventRecordID>63155</EventRecordID>
    <Correlation ActivityID="{a4919054-d2f0-0003-15db-91a4f0d2d601}" />
    <Execution ProcessID="5872" ThreadID="15732" />
    <Channel>Microsoft-Windows-WinRM/Operational</Channel>
    <Computer>SOURCE</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData />
</Event>

Response handling

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WinRM" Guid="{a7975c8f-ac13-49f1-87da-5a984a4ab417}" />
    <EventID>142</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>10</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000000002</Keywords>
    <TimeCreated SystemTime="2020-12-15T17:34:17.344070800Z" />
    <EventRecordID>63156</EventRecordID>
    <Correlation ActivityID="{a4919054-d2f0-0004-f890-91a4f0d2d601}" />
    <Execution ProcessID="5872" ThreadID="15732" />
    <Channel>Microsoft-Windows-WinRM/Operational</Channel>
    <Computer>SOURCE</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData>
    <Data Name="operationName">Enumeration</Data>
    <Data Name="errorCode">5</Data>
  </EventData>
</Event>

Subscription Configuration
Subscription Id: LogRythem-SM004
SubscriptionType: SourceInitiated
Description:
Enabled: true
Uri: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
ConfigurationMode: MinLatency
DeliveryMode: Push
DeliveryMaxLatencyTime: 30000
HeartbeatInterval: 3600000
Query: <QueryList><Query Id="0"><Select Path="Application">[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]</Select><Select Path="Security">[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]</Select><Select Path="System">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]</Select></Query></QueryList>
ReadExistingEvents: false
TransportName: HTTP
ContentFormat: RenderedText
Locale: en-US
LogFile: ForwardedEvents
PublisherName: Microsoft-Windows-EventCollector
AllowedIssuerCAList:
AllowedSubjectList:
DeniedSubjectList:
AllowedSourceDomainComputers: O:NSG:BAD:P(A;;GA;;;S-1-5-21-3697291689-1161744426-439199626-114941)(A;;GA;;;S-1-5-21-3697291689-1161744426-439199626-347877)S:

From Collector to Source

winrm id -r:<source computer>
IdentifyResponse
    ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor = Microsoft Corporation
    ProductVersion = OS: 10.0.17763 SP: 0.0 Stack: 3.0
    SecurityProfiles
        SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos

From Source to Collector

winrm id -r:<collector computer>
IdentifyResponse
    ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor = Microsoft Corporation
    ProductVersion = OS: 10.0.14393 SP: 0.0 Stack: 3.0
    SecurityProfiles
        SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos

wecutil gr LogRythem-SM004
Subscription: LogRythem-SM004
Failed to get RunTimeStatusActive property. Error = 0x2.
The system cannot find the file specified.

If additional information is needed, please let me know.

Thanks

Windows for business | Windows Server | User experience | Other

3 answers

  1. Jenny Yan-MSFT 9,356 Reputation points
    2020-12-16T07:57:42.21+00:00

    Hi,
    1. Could you please confirm whether there were any error messages or other details of the behavior when you got the issue, and whether it occurred during your setup of WEF or during the validation period described in the link below?
    https://learn.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription#to-validate-that-the-subscription-works-correctly

    2. If you have successfully configured WEF but no event records have been forwarded when you check the collector computer, you could follow the KB below to check further:
    Troubleshooting a Problem Forwarder
    https://support.logbinder.com/SuperchargerKB/50119/3-Troubleshooting-a-Problem-Forwarder

    3. Regarding the "WSMFault Access Denied Error Code: 5", here is a similar thread where the resolution provided was related to channel access.
    https://serverfault.com/questions/1017872/access-denied-winrm-error-code-5

    Note: You could verify the Channel Access of the Security log (for example) by running "wevtutil get-log security" from an admin PowerShell.

    Reference link:
    Security Event Log Forwarding on Domain Controllers
    https://petri.com/configure-event-log-forwarding-windows-server-2012-r2

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.


    Hope this helps and please help to accept as Answer if the response is useful.

    Thanks,
    Jenny


  2. Darel USGS 1 Reputation point
    2020-12-16T22:04:09.767+00:00

    Thanks for your response, JennyYan-MSFT.

    I must have failed in explaining where the problem is.

    The Source is aware of the Subscription however when it requests the file from the collector access is denied.


  3. Sandeep Lal 6 Reputation points
    2023-07-26T07:55:13.59+00:00

    I was referring to this. So I first made sure my WinRM configuration was set up correctly (Ref: https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/configure-winrm-for-https). Then I checked the WEC servers where the events are forwarded; under the subscription, my servers were missing. Added them and the issue was resolved.

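The thread turns on two access checks: on the source, the channel ACLs must grant read (0x1) to S-1-5-20 (NETWORK SERVICE, the identity shown in the events above), and on the collector, the subscription's AllowedSourceDomainComputers SDDL must grant GA to the source's computer account (or a group containing it), which is what the last answer found missing. The PowerShell below is an added example, not code from the thread, Microsoft, or any of the posters; it parses the SDDL from the `wevtutil gl` and `wecutil gs` terse output shown in the question. The subscription name is the one from the question; `CONTOSO` and `SOURCE` are placeholder domain and computer names, and the collector check assumes a domain-joined machine that can resolve the computer account to a SID.

```powershell
# Added example for this thread (not the original poster's, Microsoft's, or any answerer's code).
# Placeholders: 'CONTOSO' (domain) and 'SOURCE' (source computer); 'LogRythem-SM004' is from the question.

function Get-SddlFromToolOutput {
    # wevtutil gl / wecutil gs print "Key: <SDDL>" on a single line; return the SDDL part.
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$Key    # e.g. 'channelAccess' or 'AllowedSourceDomainComputers'
    )
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*:\s*(\S.*)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1].Trim() }
    }
    return $null
}

function Test-SddlGrantsAccess {
    # True when the DACL grants every bit of $RequiredMask to $Sid and denies none of them.
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][int]$RequiredMask
    )
    # RawSecurityDescriptor understands SDDL, including aliases such as SY, BA, NS and GA.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $allowed = 0
    $denied  = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only CommonAce entries carry a trustee SID and an access mask.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.SecurityIdentifier.Value -ne $Sid.Value) { continue }
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
            $allowed = $allowed -bor $ace.AccessMask
        } elseif ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) {
            $denied = $denied -bor $ace.AccessMask
        }
    }
    # A deny on any required bit wins, as in the Windows access check.
    return ((($allowed -band $RequiredMask) -eq $RequiredMask) -and (($denied -band $RequiredMask) -eq 0))
}

function Test-SourceChannelAccess {
    # Run on the SOURCE: does NETWORK SERVICE (S-1-5-20) have read (0x1) on each forwarded channel?
    param([string[]]$Channels = @('Application', 'Security', 'System'))
    $networkService = [System.Security.Principal.SecurityIdentifier]'S-1-5-20'
    foreach ($channel in $Channels) {
        $sddl = Get-SddlFromToolOutput -Lines (wevtutil gl $channel) -Key 'channelAccess'
        $canRead = $false
        if ($sddl) { $canRead = Test-SddlGrantsAccess -Sddl $sddl -Sid $networkService -RequiredMask 0x1 }
        [pscustomobject]@{ Channel = $channel; NetworkServiceCanRead = $canRead; Sddl = $sddl }
    }
}

function Test-SubscriptionAllowsComputer {
    # Run on the COLLECTOR: a source-initiated subscription authenticates the source over
    # Kerberos as its machine account, so that account must be granted GA (0x10000000)
    # in AllowedSourceDomainComputers or the source's enumeration fails with error 5.
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$ComputerName
    )
    $sddl = Get-SddlFromToolOutput -Lines (wecutil gs $SubscriptionId) -Key 'AllowedSourceDomainComputers'
    # Computer accounts are named "DOMAIN\NAME$"; Translate resolves the SID via the domain.
    $account = New-Object System.Security.Principal.NTAccount($Domain, "$ComputerName`$")
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    $granted = $false
    if ($sddl) { $granted = Test-SddlGrantsAccess -Sddl $sddl -Sid $sid -RequiredMask 0x10000000 }
    [pscustomobject]@{
        Subscription    = $SubscriptionId
        ComputerSid     = $sid.Value
        DirectlyGranted = $granted
        Sddl            = $sddl
    }
}

# Usage (placeholders): on the source, then on the collector.
# Test-SourceChannelAccess | Format-Table -AutoSize
# Test-SubscriptionAllowsComputer -SubscriptionId 'LogRythem-SM004' -Domain 'CONTOSO' -ComputerName 'SOURCE'
```

`DirectlyGranted` only tests an ACE for the computer's own SID; if the subscription grants a domain group instead (the usual setup, e.g. a group of forwarders or Domain Computers), a `$false` here is expected and the thing to verify is that the source computer account is a member of that group.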
