Event log forwarding: source initiated subscription not working for any machines

Anonymous
2023-10-19T17:38:43+00:00

I have set up a GPO that indicates the subscription manager as the server I put the subscription on, starts the WinRM service, and adds firewall exceptions. If I go to each machine, I can see the GPO applying, but it says the local group policy is winning. If I check the local group policy on the client machines, there is no subscription manager listed. There is no change when I manually input the subscription manager.

We had this working before with PowerBroker, but since we got rid of that, we are unable to get client machines to send their event logs to the subscription manager. All of the other servers and domain controllers also aren't sending through the source-initiated subscription, but work OK collector-initiated. We definitely want source-initiated because it's too much maintenance with how many computers we are adding and removing all the time.

PS: I am able to get a collector-initiated subscription working when a machine is at the office, but it never works for remote employees.

We also leverage Zscaler, but that doesn’t seem to affect any of the machines in the office when it’s connected.



Accepted answer
  1. Anonymous
    2023-10-31T19:32:38+00:00

    Hi Karlie,

    Thank you for your reply. I did end up getting this to work by following this article: https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/events-not-forwarded-by-windows-server-collector

    I ran command prompt as admin and input the following:

    netsh http delete urlacl url=http://+:5985/wsman/
    netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
    netsh http delete urlacl url=https://+:5986/wsman/
    netsh http add urlacl url=https://+:5986/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)

    Once I did that, I went back to Event Viewer, right-clicked the "source initiated" subscription and hit "Retry".

    I started seeing computers pop in there, and I also got a new event: 10154 "The WinRM service failed to create the following SPNs".

    I found this article: https://igorpuhalo.wordpress.com/2019/02/14/event-10154-the-winrm-service-failed-to-create-the-following-spns-wsman-dcname-domain-tld-wsman-dcname/

    Once I did that, the error went away.

    I am still monitoring and don't see any domain controllers yet, but I would like to give this some time to make sure those show up.

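An added diagnostic script (not code from this thread or from Microsoft) that checks the conditions the accepted answer fixed: whether the two WSMan URL reservations grant listen (GX) to the WinRM and Wecsvc service SIDs quoted above, whether the services are running, and whether the client actually received a SubscriptionManager policy value. It assumes it is run elevated, that the SIDs are the well-known service SIDs used in the netsh commands above, and that the policy lives at the standard GPO registry path; the optional -Repair switch re-creates the reservation the same way the accepted answer did.

```powershell
# Added diagnostic for WEF source-initiated subscriptions (not from the thread).
# Assumptions: run elevated; SIDs are the WinRM/Wecsvc service SIDs from the
# accepted answer; policy path is the standard EventForwarding GPO location.
param([switch]$Repair)

$WinRmSid  = 'S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970'
$WecsvcSid = 'S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517'
$Sddl      = "D:(A;;GX;;;$WinRmSid)(A;;GX;;;$WecsvcSid)"
$Urls      = 'http://+:5985/wsman/', 'https://+:5986/wsman/'

function Test-WsmanUrlAcl {
    param([string]$Url)
    # netsh lists the reservation with its SDDL; both service SIDs need GX (listen).
    $out = (netsh http show urlacl url=$Url) -join "`n"
    $hasWinRm  = $out -match [regex]::Escape($WinRmSid)
    $hasWecsvc = $out -match [regex]::Escape($WecsvcSid)
    [pscustomobject]@{ Url = $Url; WinRM = $hasWinRm; Wecsvc = $hasWecsvc
                       Ok = ($hasWinRm -and $hasWecsvc) }
}

foreach ($u in $Urls) {
    $r = Test-WsmanUrlAcl -Url $u
    if ($r.Ok) { Write-Host "OK   $u grants listen to WinRM and Wecsvc" }
    else {
        Write-Warning "$u reservation incomplete: WinRM=$($r.WinRM) Wecsvc=$($r.Wecsvc) (expect event 10128 Access Denied)"
        if ($Repair) {
            # Same delete/add as the accepted answer. The SDDL is quoted because
            # PowerShell would otherwise treat the parentheses as an expression.
            netsh http delete urlacl url=$u | Out-Null
            netsh http add urlacl url=$u sddl="$Sddl"
        }
    }
}

# WinRM must run on every source; Wecsvc only exists/runs on the collector.
Get-Service WinRM, Wecsvc -ErrorAction SilentlyContinue | Format-Table Name, Status -AutoSize

# Client side: without a SubscriptionManager value the client has nowhere to push.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
if (Test-Path $pol) {
    (Get-ItemProperty $pol).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { "SubscriptionManager[$($_.Name)] = $($_.Value)" }
} else {
    Write-Warning "No SubscriptionManager policy value; check GPO application with gpresult /h"
}

# Note: an empty 'netsh http show iplisten' list is normal; HTTP.sys then listens on all addresses.
```

Run it once on the collector and once on a source that never shows up; the two outputs usually point at which side (URL ACL, service state, or policy delivery) is missing.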

4 additional answers

  1. Anonymous
    2023-10-23T03:07:20+00:00

    Hello KfreemanIT,

    Any error messages or warnings in the event logs on both the source computers and the collector server?

    Ensure that the source computers can reach the collector server over the network and the specified ports (5985 for HTTP or 5986 for HTTPS) are open and accessible.

    If you are using HTTPS, double-check the certificate configuration. Ensure that the certificates are correctly issued and not expired. Confirm that the source computers trust the collector's certificate and that the encryption settings (SSL/TLS version, encryption algorithms) match on both ends.

    Regards,

    Karlie

  2. Anonymous
    2023-10-23T20:20:31+00:00

    Thank you for your response, Karlie.

    This is the event ID 10128 from the server that is set up to receive the event logs:

    When I do "netsh http show iplisten" in command prompt on that server, it's blank under "IP addresses present on in the IP listen list"

    I have created firewall rules via GPO that allow port 5985 on the clients and I can see that successfully applying to all client machines. This has been set like this for months, but still no event logs on the client machines for the source initiated subscription.

    If I do the collector initiated subscription, I can see clients on the office network sending their logs.

    The goal is to use the source initiated subscription.

    Thank you,

  3. Anonymous
    2023-10-27T06:02:19+00:00

    Hello KfreemanIT,

    The event is about the WinRM client being unable to listen for incoming events because it is encountering an issue connecting to a specific URL, and that issue is related to access permissions ("Access Denied").

    You could follow the event's user action recommendation and use the 'netsh http' command to check the Access Control List (ACL) for the specified URL.

    Netsh commands for HTTP - Win32 apps | Microsoft Learn

    Regards,

    Karlie

  4. Anonymous
    2024-12-09T13:16:15+00:00

    Just like the code from the source page which you linked, when I copy/paste your code, the add urlacl commands fail due to a syntax error (missing ")", or so it says in PowerShell and/or CMD)... Any idea why it's not working for me but clearly was for you?
