Windows Event Forwarding: Windows Server 2022 does not register security events forwarded by Windows 11 systems

Christian Adam 20 Reputation points
2023-09-01T14:52:36.1433333+00:00

Hello.

We forward events from Windows 10 and Windows 11 systems (both Education) to a Windows Server 2022 (Standard Edition). While the forwarding basically seems to work, security events from Windows 11 systems do not register on the server.

The forwarding is push-based (source initiated); the subscription includes events from the Security event log.

Source machines are configured by group policy (the same for Windows 10 and Windows 11):

Computer Configuration / Policies / Administrative Templates / Windows Components / Event Forwarding / Configure target Subscription Manager: Enabled

Preferences / Control Panel Settings / Local Users and Groups / Group (Name: Event Log Readers (built-in)) / Add members: BUILTIN\NETWORK SERVICE (S-1-5-20)

Preferences / Control Panel Settings / Services / Service (Name: WinRM) / Action: Start service, Startup Type: Automatic

  • All systems are part of the same Active Directory domain.
  • Events from Windows 10 to Windows Server 2022 are registered correctly.
  • The Windows 11 machine is shown as active in the subscription and events from other sources (System, Application etc.) are forwarded correctly; only events from the Security log seem to be missing.
  • The forwarding works from Windows 11 to a Windows Server 2012 R2 (same setup).

(It is not https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/events-not-forwarded-by-windows-server-collector)

What am I missing?

Thanks


2 answers

  1. Limitless Technology 44,746 Reputation points
    2023-09-05T10:52:10.1333333+00:00

    Hello there,

    This behavior is caused by the permissions that are configured for the following URLs:

    http://+:5985/wsman/

    http://+:5986/wsman/

    On the event collector computer, both the Windows Event Collector service (WecSvc) and the Windows Remote Management service (WinRM) use these URLs. However, the default access control lists (ACLs) for these URLs allow access for only the svchost process that runs WinRM. In the default configuration of Windows Server 2016, a single svchost process runs both WinRM and WecSvc. Because the process has access, both services function correctly.

    This article helps fix an issue that occurs when you use source-initiated event forwarding to send events to a Microsoft Windows Server event collector. https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/events-not-forwarded-by-windows-server-collector

    Hope this resolves your query!

    If the reply is helpful, please upvote and accept it as an answer.
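A PowerShell diagnostic that checks the source-side settings the question lists (Subscription Manager policy, Event Log Readers membership, WinRM, Security channel ACL) and the collector-side URL ACL and shared-svchost point raised in the answer above. This is an added example, not code from either poster; the subscription name `Security-WEF` is an assumed placeholder, and the script must be run elevated on the machine it inspects.

```powershell
# Added WEF diagnostic (not from the thread). Run elevated. Role 'Source' on a Windows 11
# forwarder, 'Collector' on the Windows Server 2022 collector. $SubscriptionName is an assumed name.
param(
    [ValidateSet('Source', 'Collector')][string]$Role = 'Source',
    [string]$SubscriptionName = 'Security-WEF'
)

function Test-WefSource {
    # 1. Subscription Manager URL(s) pushed by the "Configure target Subscription Manager" GPO
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $sm  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($sm) { $sm.PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object { "SubscriptionManager: $($_.Value)" } }
    else     { 'SubscriptionManager policy NOT applied (run gpupdate /force and re-check)' }

    # 2. NETWORK SERVICE (S-1-5-20) must be in Event Log Readers, or the forwarder cannot read the Security log
    $members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
    if ($members.SID.Value -contains 'S-1-5-20') { 'Event Log Readers: NETWORK SERVICE present' }
    else { 'Event Log Readers: NETWORK SERVICE MISSING - Security events will not be forwarded' }

    # 3. The forwarder runs inside WinRM's svchost, so WinRM must be running
    $svc = Get-Service WinRM
    "WinRM: $($svc.Status) / StartType $($svc.StartType)"

    # 4. Effective channel ACL on the Security log; read access is 0x1, Event Log Readers is S-1-5-32-573
    (wevtutil gl Security) -match '^channelAccess'

    # 5. Forwarder-side warnings/errors (e.g. access denied to a channel) are logged here
    Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
        Where-Object { $_.LevelDisplayName -ne 'Information' } | Select-Object TimeCreated, Id, Message
}

function Test-WefCollector {
    # 1. URL ACLs from the answer above: WecSvc needs access alongside WinRM (5986 is the HTTPS listener)
    foreach ($url in 'http://+:5985/wsman/', 'https://+:5986/wsman/') { netsh http show urlacl url=$url }

    # 2. Do WinRM and WecSvc still share one svchost (the default the answer describes)?
    Get-CimInstance Win32_Service -Filter "Name='WinRM' OR Name='Wecsvc'" | Select-Object Name, State, ProcessId

    # 3. Per-source runtime status of the subscription (last heartbeat and errors for each forwarder)
    wecutil gr $SubscriptionName
}

if ($Role -eq 'Collector') { Test-WefCollector } else { Test-WefSource }
```

Compare the source-side output of a Windows 10 machine that forwards correctly with that of an affected Windows 11 machine; a difference in step 2 or 4 points at Security-log read access, while identical output with errors only in the ForwardingPlugin log points at the client-side forwarder itself.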


  2. Christian Adam 20 Reputation points
    2023-10-13T12:55:19.53+00:00

    The problem is fixed with the latest update (KB5031354), Windows 11 is now correctly forwarding security events.

