WEC permission error

Question

Hello,

I have configured a WEC server that collects logs from some servers in the environment, I recently went to add a new server to WEC to collect its logs, but the subscription is showing a permission error, but the user configured to make the connection has access permission, I made the Windows Forwarding GPO settings as explained by Microsoft learning, but the logs are not being forwarded and the WEC continues without collection permission.

Detail: The windows that will forward the logs is a Windows Server 2022.

Answer 1

Hello there,

This behaviour is caused by the permissions that are configured for the following URLs:

http://+:5985/wsman/

http://+:5986/wsman/

On the event collector computer, both the Windows Event Collector service (WecSvc) and the Windows Remote Management service (WinRM) use these URLs. However, the default access control lists (ACLs) for these URLs allow access for only the svchost process that runs WinRM.

This article helps fix an issue that occurs when you use source-initiated event forwarding to send events to a Microsoft Windows Server event collector. https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/events-not-forwarded-by-windows-server-collector

Troubleshoot connecting computers to the server in Windows Server Essentials https://learn.microsoft.com/en-us/windows-server-essentials/support/troubleshoot-connecting-computers-to-the-server-in-windows-server-essentials

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer–