Eventlog-Forwarding ERROR with HTTPS

Jonathan Jacquotot 6 Reputation points
2021-03-11T12:04:35.627+00:00

Hello

I have 2 servers:

  • Collector who is in a domain
  • Forwarder that is outside the domain (standard workgroup)

On my collector
I created a certificate in Certificates (Local Computer > Personal > Certificates)

[screenshot]

I configured WinRM over HTTPS with my certificate thumbprint

[screenshot]

At the end, I configured my subscription

[screenshots]

On my forwarder I've configured the target

[screenshot]

Server=https://HOSTNAME.DOMAIN:5986/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA=Certificat Thumbprint

When I apply the changes I get this error message on the Forwarder side

[screenshot]

Can you help me?

Thank you

Jonathan
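As an added example (not code from the original post), the checks a forwarder administrator can run from the workgroup machine before touching the subscription again. It reads the collector URL from the SubscriptionManager policy value that the "Configure target Subscription Manager" setting writes to the registry, confirms name resolution and TCP reachability of the listener port, retrieves the certificate the collector presents and validates it the way the WinRM client will (trusted chain on this machine, validity period, name matching the URL host), then sends a WS-Management Identify over HTTPS. The fallback URL is a placeholder and is an assumption; the IssuerCA part of the policy (client certificate authentication) is not validated here.

```powershell
# Added example (not from the original post): forwarder-side checks for a
# source-initiated WEF subscription over HTTPS. Reads the SubscriptionManager
# policy the forwarder received, connects to the collector's WinRM HTTPS
# listener and validates the server certificate as the WinRM client would.
$FallbackServer = 'https://HOSTNAME.DOMAIN:5986/wsman/SubscriptionManager/WEC'  # assumption: placeholder

# 1. Recover the collector URL from the applied policy (registry key written by
#    the "Configure target Subscription Manager" setting; values are named 1, 2, ...).
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$policy = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).PSObject.Properties |
          Where-Object { $_.Name -match '^\d+$' } | Select-Object -First 1 -ExpandProperty Value
$server = if ($policy) { ($policy -split ',' | Where-Object { $_ -like 'Server=*' }) -replace '^Server=' }
          else { $FallbackServer }
$uri = [uri]$server
Write-Host "Collector from policy: $($uri.Host):$($uri.Port) (scheme $($uri.Scheme))"

# 2. Name resolution and TCP reachability of the listener port.
Resolve-DnsName -Name $uri.Host -ErrorAction Stop | Out-Null
if (-not (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue).TcpTestSucceeded) {
    throw "No TCP connection to $($uri.Host):$($uri.Port) - check the collector's listener and firewall rule"
}

# 3. Fetch the certificate the collector presents. The callback accepts any
#    certificate so the handshake completes; trust is evaluated explicitly in step 4.
$tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($uri.Host)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 4. What the WinRM client insists on: chain trusted by THIS machine,
#    not expired, and a name that matches the host in the URL.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)
$names   = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$nameOk  = ($names -contains $uri.Host) -or ($cert.Subject -eq "CN=$($uri.Host)")

[pscustomobject]@{
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    Thumbprint  = $cert.Thumbprint
    NotAfter    = $cert.NotAfter
    DnsNames    = $names -join ','
    NameMatches = $nameOk
    ChainOk     = $chainOk
    ChainErrors = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
} | Format-List

# 5. WinRM-level test: an Identify response over HTTPS means the transport is
#    fine and any remaining subscription error is authentication, not TLS.
Test-WSMan -ComputerName $uri.Host -Port $uri.Port -UseSSL
```

Run it in an elevated PowerShell on the forwarder. If ChainOk is false, the CA that signed the collector's certificate has to be imported into the forwarder's Trusted Root Certification Authorities store; if NameMatches is false, the Server= host in the policy and the certificate's subject/SAN disagree and one of them has to change.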

Windows Server Security

4 answers

  1. Carl Fan 6,836 Reputation points
    2021-03-12T07:20:33.42+00:00

    Hi,
    Have you removed IssuerCA=<Thumbprint of the client authentication certificate> from the event forwarding policy?
    If you remove "IssuerCA=<Thumbprint of the client authentication certificate>", it will work with Kerberos, not with HTTPS.
    Meanwhile, please refer to the information below:
    Why do I receive error 2150858882 when manually configuring Windows Event Collector
    https://success.alienvault.com/s/article/error-2150858882-when-manually-configuring-Windows-Event-Collector
    Also I consider that you could check if the collector is returning an incorrect hostname for the events to be sent.
    Hope this helps and please help to accept as Answer if the response is useful.
    Best Regards,
    Carl


  2. Jonathan Jacquotot 6 Reputation points
    2021-03-12T08:48:15.793+00:00

    Hi @Carl Fan

    When I changed the subscription on the Collector side from HTTPS to HTTP and removed the certificate on the Forwarder side like this:
    Server=http://HOSTNAME.DOMAIN:5985/wsman/SubscriptionManager/WEC,Refresh=60

    I get this error message on the Forwarder side
    [screenshot]

    On the Collector side WinRM has been configured like this
    [screenshots]

    Thank you for your help
    Jonathan


  3. Jonathan Jacquotot 6 Reputation points
    2021-03-15T08:42:57.38+00:00

    Hello,

    No one to help me?

    Jonathan


  4. Carl Fan 6,836 Reputation points
    2021-03-24T06:03:41.793+00:00

    Hi Jonathan,
    Thank you for your posting.
    I'm sorry to see your message only now, as I just came back from vacation.
    I consider that we could still check your configuration steps.
    Setting up a source initiated subscription where the event sources are not in the same domain as the event collector computer
    https://learn.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription
    As far as I know, if you configure a subscription to use the HTTPS protocol by using the HTTPS option in Advanced Subscription Settings, you must also set corresponding Windows Firewall exceptions for port 443.
    Install a certificate for the server along with its private key. This can easily be done using an Enterprise CA in AD.
    The signing CA of the server certificate must be trusted by the forwarder computers.
    Make sure the permissions on the private key allow WinRM to access it.
    Create a firewall exception rule to allow data over port 5986.
    You may have to run "winrm qc -transport:https". This would have to be run after the certificate is installed and configured.
    Hope this helps and please help to accept as Answer if the response is useful.
    Best Regards,
    Carl

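The collector-side checklist from the answer above, carried out in PowerShell as an added example (this is not Carl's or Microsoft's code). It assumes a server certificate has already been issued into LocalMachine\My; the FQDN, the thumbprint and the firewall rule name are placeholders. The script verifies the certificate (private key present, Server Authentication EKU, name matching the FQDN the forwarders dial), builds its chain to surface an untrusted CA early, grants NETWORK SERVICE read access on the private key file, creates the HTTPS listener bound to that thumbprint (the explicit form of what `winrm qc -transport:https` does), opens TCP 5986 inbound and finishes with a local Test-WSMan over HTTPS.

```powershell
# Added example (not code from the thread): collector-side WinRM over HTTPS
# setup following the checklist in the answer above. Run elevated on the collector.
$Fqdn       = 'HOSTNAME.DOMAIN'                            # assumption: placeholder FQDN
$Thumbprint = '0000000000000000000000000000000000000000'    # assumption: issued server cert thumbprint
$RuleName   = 'WinRM HTTPS-In (TCP 5986)'                   # assumption: local firewall rule name

# 1. Certificate with private key, Server Authentication EKU, and a name the
#    forwarders will dial (the host in their SubscriptionManager URL).
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key in this store' }
if ($cert.EnhancedKeyUsageList.Count -gt 0 -and
    $cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
    throw 'Certificate lacks the Server Authentication EKU'
}
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if ($names -notcontains $Fqdn -and $cert.Subject -ne "CN=$Fqdn") {
    throw "Certificate does not name $Fqdn"
}

# 2. The issuing CA must chain to a trusted root. A failure here will repeat on
#    every forwarder that has not imported the CA certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    Write-Warning ('Chain not trusted: ' +
        (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '))
}

# 3. WinRM runs as NETWORK SERVICE and needs Read on the private key file.
#    CNG (KSP) keys and legacy CSP keys live in different folders under ProgramData.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyFile = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} else {
    Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
}
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. HTTPS listener bound to this certificate (skipped if one already exists).
$existing = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $existing) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbPrint $Thumbprint -HostName $Fqdn -Force | Out-Null
}

# 5. Inbound firewall rule for 5986; the default WinRM rule covers only 5985.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -Action Allow | Out-Null
}

# 6. Local verification: an Identify response over HTTPS using the FQDN.
Test-WSMan -ComputerName $Fqdn -UseSSL -Port 5986
```

The HostName given to the listener and the name the forwarders put after Server=https:// must be the same string that appears in the certificate; a listener created for the short host name while the policy uses the FQDN is enough to make the TLS handshake fail on the forwarder side.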