Problem accessing ForwardedEvents on 2025 Windows Server - worked fine on previous server

Darren Rose 311 Reputation points
2025-03-30T16:47:32.06+00:00

Hi

Have configured event log forwarding after moving to a new server and this appears to be working fine, in that I can see events in Forwarded Events for all my domain controllers.

If I run below PowerShell command then it returns all events okay:

```powershell
$Query = @"
<QueryList>
<Query Id='0' Path='ForwardedEvents'>
<Select Path='ForwardedEvents'>*</Select>
</Query>
</QueryList>
"@

Get-WinEvent -FilterXml $Query
```

But if I try and filter on a date e.g.

```powershell
$QueryDateTime = (Get-Date).AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

$Query = @"
<QueryList>
<Query Id='0' Path='ForwardedEvents'>
<Select Path='ForwardedEvents'>*[System[TimeCreated[@SystemTime>='$QueryDateTime']]]</Select>
</Query>
</QueryList>
"@
Get-WinEvent -FilterXml $Query
```

Then for some reason the Windows Event Log service crashes / stops and I get error below in PowerShell.

```
Get-WinEvent : The RPC server is unavailable
At line:10 char:1
+ Get-WinEvent -FilterXml $Query
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : The RPC server is unavailable,Microsoft.PowerShell.Commands.GetWinEventCommand
```

Any thoughts please? Have compared all settings from old server to new and can't seem to find a difference.

The query works fine on other event logs; the problem just seems to be with the ForwardedEvents log.

Thanks


3 answers

  1. Sualisu Anwar Katari 0 Reputation points
    2025-03-30T18:38:57.9933333+00:00

    This issue seems to be related to how Get-WinEvent processes the ForwardedEvents log, especially when filtering by time.

    1. Check the Event Log Service Status

    Since the Windows Event Log service crashes, ensure it is running:

    ```powershell
    Get-Service -Name "EventLog"
    ```

    If it is stopped, restart it:

    ```powershell
    Restart-Service -Name "EventLog" -Force
    ```

    Check Event Viewer (eventvwr.msc) under Windows Logs → System for errors related to EventLog or EventLog-ForwardingPlugin.

    2. Validate the Date Format in the Query

    The problem could be due to $QueryDateTime not being properly expanded inside the XML query. Try using PowerShell string interpolation to ensure the value is properly inserted:

    ```powershell
    $QueryDateTime = (Get-Date).AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

    # $( ) forces the variable to be expanded inside the here-string
    $Query = @"
    <QueryList>
    <Query Id='0' Path='ForwardedEvents'>
    <Select Path='ForwardedEvents'>*[System[TimeCreated[@SystemTime>='$($QueryDateTime)']]]</Select>
    </Query>
    </QueryList>
    "@
    Get-WinEvent -FilterXml $Query
    ```

    If $QueryDateTime is not being expanded correctly, PowerShell may be passing an invalid XML structure, causing the crash.
    
    3. Use a Different Time Format

    Some versions of Windows Server may not support filtering *ForwardedEvents logs* with milliseconds (`.fZ`). Try using:

    ```powershell
    $QueryDateTime = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    ```

    Alternatively, without the "Z" (Zulu/UTC indicator):

    ```powershell
    $QueryDateTime = (Get-Date).AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ss")
    ```
    
    4. Check for Large Log Size Issues

    The _ForwardedEvents_ log might be very large, and filtering directly on it could cause memory or RPC timeout issues. Try using a more specific filter, such as Event IDs:

    ```powershell
    # Narrow the time filter further by Event ID
    $Query = @"
    <QueryList>
    <Query Id='0' Path='ForwardedEvents'>
    <Select Path='ForwardedEvents'>*[System[(TimeCreated[@SystemTime>='$($QueryDateTime)']) and (EventID=4624)]]</Select>
    </Query>
    </QueryList>
    "@

    Get-WinEvent -FilterXml $Query
    ```

    Replace 4624 with a common Event ID that exists in your logs.
    
    5. Use Get-WinEvent with FilterHashtable

    Instead of FilterXml, try using FilterHashtable to check if the issue is XML related:

    ```powershell
    $StartTime = (Get-Date).AddDays(-1)

    $FilterHashTable = @{
        LogName   = "ForwardedEvents"
        StartTime = $StartTime
    }

    Get-WinEvent -FilterHashtable $FilterHashTable
    ```

    If this works, then the problem is with how XML queries are being parsed.
    
    6. Check Windows Event Forwarding (WEF) Subscription Settings

    If the EventLog-ForwardingPlugin crashes, check:

    ```powershell
    wecutil es
    ```

    If Windows Event Forwarding (WEF) is misconfigured, it could cause issues with ForwardedEvents. Verify:

    Subscriptions are properly configured (wecutil gs to list subscriptions).

    The ForwardedEvents log is not full or corrupted (eventvwr.msc → Applications and Services Logs → Microsoft → Windows → EventLog-ForwardingPlugin).
    
    7. Check for Windows Server 2022 Bugs

    Since this is a new server, check for pending updates and patches:

    ```powershell
    Get-WindowsUpdateLog
    ```

    If issues persist, consider applying the latest Cumulative Update for Windows Server 2022.
    
    In My Conclusion

    1. Ensure the Event Log service is running.

    2. Use string interpolation for $QueryDateTime in XML.

    3. Try different time formats (ToUniversalTime(), removing milliseconds).

    4. Use FilterHashtable instead of XML as a workaround.

    5. Limit query size by adding EventID filters.

    6. Check WEF settings and Windows updates for potential fixes.
    
    
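An added example, not part of any post in this thread: one way to combine the checks from the answer above (UTC timestamp, optional Event ID narrowing, Event Log service status) into a single PowerShell helper. The function names `New-TimeFilterXml` and `Get-ForwardedEventsSince` are hypothetical, and nothing in the thread confirms that this avoids the crash on Windows Server 2025.

```powershell
# Added example; function names are hypothetical, not from the thread.
function New-TimeFilterXml {
    param(
        [string]$LogName = 'ForwardedEvents',
        [Parameter(Mandatory)][datetime]$Since,
        [int[]]$EventId
    )
    # Convert to UTC before formatting: the trailing Z is only correct for a UTC value.
    # InvariantCulture keeps ':' as the time separator regardless of server locale.
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    $utc = $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ', $inv)

    $conditions = @("TimeCreated[@SystemTime>='$utc']")
    if ($EventId) {
        $ids = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
        $conditions += "($ids)"
    }
    $xpath = '*[System[' + ($conditions -join ' and ') + ']]'

    $xml = "<QueryList><Query Id='0' Path='$LogName'>" +
           "<Select Path='$LogName'>$xpath</Select></Query></QueryList>"
    # Fail locally if the string is not well-formed XML, before it reaches the service.
    $null = [xml]$xml
    return $xml
}

function Get-ForwardedEventsSince {
    param(
        [Parameter(Mandatory)][datetime]$Since,
        [int[]]$EventId,
        [int]$MaxEvents = 100
    )
    $query = New-TimeFilterXml -Since $Since -EventId $EventId
    try {
        # -MaxEvents bounds the result set on a large collector log.
        Get-WinEvent -FilterXml $query -MaxEvents $MaxEvents -ErrorAction Stop
    }
    catch {
        # Record whether the failed query left the Event Log service stopped,
        # since a stopped service on a WEF collector means forwarded events are not being written.
        $svc = Get-Service -Name EventLog
        Write-Warning "Query failed: $($_.Exception.Message) (EventLog service: $($svc.Status))"
        Write-Warning "Query was: $query"
    }
}

# Example call: last 24 hours, Event ID 4624 only (the ID used in the answer above).
Get-ForwardedEventsSince -Since (Get-Date).AddDays(-1) -EventId 4624
```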

  2. Jonathan Michael Osmena 0 Reputation points
    2025-05-06T18:28:58.9+00:00

    I'm encountering the same issue. How did you resolve it?


  3. Ihor S 0 Reputation points
    2025-06-26T16:08:18.4533333+00:00

    I am encountering the same issue with the Forwarded Events fetching on Windows Server 2025.

    Whenever I fetch an event from the Forwarded Events journal, there is an error

    The RPC server is unavailable
    

    And the Windows Event Log service crashes.

    Is there a workaround or solution for this issue? Does Microsoft plan to fix this issue anytime soon?

