Currently, we are using Windows Event Forwarding to collect logs via HTTP from domain-connected devices onto an intermediate Windows server (collector), which then forwards all the collected logs to the final Windows server collector via HTTPS. We have successfully implemented this setup with Windows Server 2012, 2016 and 2019 servers.
See below for Data Flow:
Source Windows Machines (forwards) -> Windows Server (collector, this intermediate server collects and forwards) -> Windows Server (Final Collector of all windows logs)
Recently, we started installing Windows Server 2022, and we found that it can forward its Windows event logs via HTTP or HTTPS to its subscription target without any issue. We also found that it can collect logs via subscription from other Windows sources without any issue. However, when we configure the intermediate Windows server to both collect and forward logs using Windows Event Forwarding, it only collects logs. It fails to forward any logs, and continuously subscribes and unsubscribes to its subscription target.
Error message: The forwarder is having a problem communicating with subscription manager at address. Error code is 2150859046 and Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859046". WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. </f:Message></f:WSManFault>.
It seems like a WinRM bug on Windows Server 2022, because once we disable the collector subscription on the intermediate Windows Server 2022, it starts to forward logs again to its subscription target. Once we enable the collector subscription again, it only collects logs and stops forwarding them.
We need help identifying whether there is a bug on Windows Server 2022 that prevents it from collecting forwarded Windows event logs and simultaneously forwarding those logs to another Windows server.
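To narrow down the behaviour described above, the following diagnostic is run on the intermediate Windows Server 2022 host that is both forwarder and collector. It is an added example, not from the original post; it assumes the standard SubscriptionManager policy registry key and the Microsoft-Windows-Eventlog-ForwardingPlugin/Operational log, and it keys on the error code quoted in the post rather than on a specific event ID.

```powershell
# Added diagnostic (not from the original post). Run elevated on the
# intermediate collector that should also forward to the final collector.
# Assumptions: the SubscriptionManager policy key below is where the
# forwarder target is configured; wecutil is available because the
# collector role is configured on this host.

$ErrorCode = '2150859046'   # error code quoted in the original post

# 1. Forwarder side: which subscription manager(s) does policy point this host at?
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
if (Test-Path $polKey) {
    (Get-ItemProperty $polKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { Write-Output "SubscriptionManager[$($_.Name)]: $($_.Value)" }
} else {
    Write-Output 'No SubscriptionManager policy configured (host is not a forwarder).'
}

# 2. Collector side: subscriptions this host owns and whether each is enabled.
$subs = @(& wecutil.exe es 2>$null)
Write-Output ("Collector subscriptions: " + $(if ($subs) { $subs -join ', ' } else { 'none' }))
foreach ($s in $subs) {
    $state = (& wecutil.exe gs $s 2>$null | Select-String '^Enabled:') -join ''
    Write-Output ("Subscription {0}: {1}" -f $s, $state)
}

# 3. Forwarder health: count hits on the error code in the last 24 h.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'
    StartTime = $since
} -ErrorAction SilentlyContinue

$hits = @($events | Where-Object { $_.Message -match $ErrorCode })
Write-Output ("Events containing error $ErrorCode since $since : " + $hits.Count)

# 4. Bucket the failures per minute: a steady cadence indicates the
#    subscribe/unsubscribe flapping the post describes rather than a one-off.
$hits | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Name | Select-Object -Last 10 |
    ForEach-Object { Write-Output ("{0}  {1} failures" -f $_.Name, $_.Count) }
```

Run it once with the collector subscription enabled and once after disabling it; if the error-code hits stop only in the second run, the failure is tied to the combined collect-and-forward role rather than to network or firewall reachability of the final collector.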