The description for Event ID 111 from source Microsoft-Windows-EventForwarder cannot be found.

Kamran Ahmed 271 Reputation points
2020-11-03T23:19:18.627+00:00

I have a source-initiated subscription for Event Log Forwarding. I'm trying to forward existing/historic SMBServer event ID 3000 logs.

Error from Event Log Forwarding setup: The description for Event ID 111 from source Microsoft-Windows-EventForwarder cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted.

I have Windows Server 2012 R2 Domain Controllers which are the source.


Accepted answer
  1. Kamran Ahmed 271 Reputation points
    2020-11-09T09:09:00.257+00:00

    Finally got this working. There are two ways to centralise logs, with the two subscription types:

    1. Collector Initiated - The collector computer contacts the selected source computers
    2. Source computer initiated - source computers in the selected groups are configured via a GPO to send data to the collector.

    I agree that if you opt for option 2 then only future event IDs will be forwarded and event ID 111 is acceptable; however, if you want historic event logs forwarded then you need to configure option 1. In my case I only wanted SMBAudit logs, and for this to work I have to give specific permissions to the audit log by running the following command on the source servers. This grants the Event Log Readers group Network services access.

    wevtutil set-log Microsoft-Windows-SMBServer/Audit /ca:O:BAG:SYD:(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

    You must run the command on the source servers before configuring the subscription, otherwise you will need to deselect the event log in the subscription and then reselect.

    I then wanted to export specific information from the event log into a CSV file, so I created the following script:

    # Write the CSV header row
    Add-Content -Value "computername,server,TimeCreated" -Path c:\SMBv1.csv
    # Read every event the collector has received
    $Events = Get-WinEvent -LogName ForwardedEvents
    # Parse out the event message data
    ForEach ($Event in $Events) {
        # Convert the event to XML
        [xml]$xmlEvent = $Event.ToXml()
        # Text of the event's EventData <Data> element(s)
        $computername = $xmlEvent.Event.EventData.Data.'#text'
        # Machine that logged the event
        $server = $Event.MachineName
        $TimeCreated = $Event.TimeCreated
        Add-Content -Value "$computername,$server,$TimeCreated" -Path c:\SMBv1.csv
    }
    

    Hope this helps others trying to achieve this.

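Added example, not part of the original answer: a PowerShell check that decodes the SDDL string passed to `wevtutil set-log ... /ca:` above and reports which accounts can read the channel, so the permission can be verified on a source server before the subscription is configured. The function names `Get-ChannelAccess` and `Test-ChannelReadable` are hypothetical; the SDDL sample is the one from the answer.

```powershell
# Added example, not from the original answer. Function names are hypothetical.
# Event log channel access-mask bits: 0x1 = read, 0x2 = write, 0x4 = clear.

function Get-ChannelAccess {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Resolve the SID to an account name where possible; fall back if it cannot be mapped.
        $name = try {
            $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        } catch { '(unresolved)' }
        [pscustomobject]@{
            Type  = $ace.AceType
            Sid   = $ace.SecurityIdentifier.Value
            Name  = $name
            Mask  = '0x{0:X}' -f $ace.AccessMask
            Read  = [bool]($ace.AccessMask -band 0x1)
            Write = [bool]($ace.AccessMask -band 0x2)
            Clear = [bool]($ace.AccessMask -band 0x4)
        }
    }
}

function Test-ChannelReadable {
    param([Parameter(Mandatory)][string]$Sddl,
          [Parameter(Mandatory)][string[]]$RequiredSid)
    $aces = @(Get-ChannelAccess -Sddl $Sddl)
    foreach ($sid in $RequiredSid) {
        # A SID passes only if an allow ACE grants it the read bit.
        $hit = $aces | Where-Object {
            $_.Sid -eq $sid -and $_.Type -eq 'AccessAllowed' -and $_.Read
        }
        [pscustomobject]@{ Sid = $sid; CanRead = [bool]$hit }
    }
}

# SDDL string from the wevtutil command in the answer above.
$sddl = 'O:BAG:SYD:(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)'
# On a source server, the live value can be read instead with:
#   $sddl = (Get-WinEvent -ListLog 'Microsoft-Windows-SMBServer/Audit').SecurityDescriptor

Get-ChannelAccess -Sddl $sddl | Format-Table -AutoSize
# S-1-5-32-573 = BUILTIN\Event Log Readers, S-1-5-20 = NT AUTHORITY\NETWORK SERVICE
Test-ChannelReadable -Sddl $sddl -RequiredSid 'S-1-5-32-573', 'S-1-5-20' |
    Format-Table -AutoSize
```

Any ACE other than the administrators' entry that shows `Write` or `Clear` as true is worth reviewing, since forwarding only needs the read bit.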

1 additional answer

  1. Jenny Yan-MSFT 9,336 Reputation points
    2020-11-04T06:24:42.143+00:00

    Hi,
    Kindly check the conclusions quoted from users with a similar error message:
    1. This is just the initial bookmark event that the Event forwarding plugin uses to mark the beginning of a subscription; it can be ignored.

    2. If the event ID is 111, it could be just saying it starts forwarding the specific event you've defined in the subscription.
    If the event ID is other than 111, it could be a permission issue on the source machine. However, I found that adding proper permissions to the Source machine does not resolve all these issues. I found it's a bug on the Collector machine. It simply couldn't display the correct information in the General tab of Event Properties.

    Reference link:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/93cd6c41-c502-48bc-9db7-077405fff829/error-from-event-log-forwarding-setup-the-description-for-event-id-111-from-source?forum=winserverManagement


    Hope this helps and please help to accept as Answer if the response is useful.

    Thanks,
    Jenny

    1 person found this answer helpful.
