Security log forwarding failed

Spellbound vfx 6 Reputation points
2020-12-09T06:13:11.853+00:00

The forwarder is having a problem communicating with subscription manager at address http://**********:5985/wsman/SubscriptionManager/WEC. Error code is 2150859046 and Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859046" Machine="***********"><f:Message>WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. </f:Message></f:WSManFault>.

I have configured event log forwarding and received the above error.

I have two networks 192.168.0.0 and 192.168.30.0

The windows server(which is the Domain controller and acts as a collector) lies in the network 192.168.0.0 and it is fetching logs from all machines in the network(Source initiated)

But it is not fetching logs from the other network machines ie 192.168.30.0. I have tried disabling the firewall and all steps but nothing helps. When I checked the event log forwarder plugin log I found the error which I stated previously

Kindly help in rectifying it.
Thanks in advance.

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,030 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Jenny Yan-MSFT 9,316 Reputation points
    2020-12-11T02:01:57.547+00:00

    Hi,
    1.Which kind of event forwarding that you've deployed? Source initiated or collector initiated?

    2.Is there any guidance link that you've followed? Below are links from windows docs, you could go through and verify if any missing.
    Setting up a Source Initiated Subscription
    https://learn.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription
    Creating a Collector Initiated Subscription
    https://learn.microsoft.com/en-us/windows/win32/wec/creating-an-event-collector-subscription

    3.Kindly check if port 5985 has been occupied by other service or process, which shall be configured for Windows Remote Management listener.
    https://learn.microsoft.com/zh-cn/archive/blogs/technet/mspfe/setting-up-security-event-log-subscriptions-with-windows-server-20032008


    Hope this helps and please help to accept as Answer if the response is useful.

    Thanks,
    Jenny

    0 comments No comments