Hi,
Have you removed IssuerCA=<Thumb print of the client authentication certificate> from event forwarding policy?
If you remove "IssuerCA=<Thumb print of the client authentication certificate>" it will work with Kerberos, not with HTTPS.
Meanwhile, please refer to the information below:
Why do I receive error 2150858882 when manually configuring Windows Event Collector
https://success.alienvault.com/s/article/error-2150858882-when-manually-configuring-Windows-Event-Collector
Also I consider that you could check if the collector is returning an incorrect hostname for the events to be sent.
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl
Eventlog-Forwarding ERROR with HTTPS
Hello
I have 2 servers:
- Collector who is in a domain
- Forwarder that is outside the domain (standard workgroup)
On my collector
I created a certificate in Certificates (Local Computer > Personal > Certificates)
I configured WinRM over HTTPS with my certificate thumbprint
At the end, I configured my subscription
On my forwarder I've configured the target
Server=https://HOSTNAME.DOMAIN:5986/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA=Certificat Thumbprint
When I apply the changes I get this error message on Forwarder side
Can you help me?
Thank you
Jonathan
-
Carl Fan 6,851 Reputation points
2021-03-12T07:20:33.42+00:00 -
Jonathan Jacquotot 6 Reputation points
2021-03-12T08:48:15.793+00:00
Hi @Carl Fan
When I changed the subscription on the Collector side from HTTPS to HTTP and removed the certificate on the Forwarder side like this
Server=http://HOSTNAME.DOMAIN:5985/wsman/SubscriptionManager/WEC,Refresh=60
I get this error message from the Forwarder side
On Collector side WINRM has been configured like this
Thank you for your help
Jonathan
-
Jonathan Jacquotot 6 Reputation points
2021-03-15T08:42:57.38+00:00
Hello,
No one to help me
Jonathan
-
Carl Fan 6,851 Reputation points
2021-03-24T06:03:41.793+00:00
Hi Jonathan,
Thank you for your posting.
I'm sorry to see your message when I just came back from vacation.
I consider that still we could check your configuration steps.
Setting up a source initiated subscription where the event sources are not in the same domain as the event collector computer
https://learn.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription
As far as I know, if you configure a subscription to use the HTTPS protocol by using the HTTPS option in Advanced Subscription Settings, you must also set corresponding Windows Firewall exceptions for port 443.
Install a certificate for the server along with its private key. This can easily be done using an Enterprise CA in AD.
The signing CA of the server certificate must be trusted by the forwarder computers.
Make sure permission on the private key allow WinRM to access it.
Create a firewall exception rule to allow data over port 5986.
You may have to run "winrm qc -transport:https". This would have to be run after the cert is installed and configured.
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl
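A forwarder-side check of the subscription manager string and certificate prerequisites discussed in this thread, as an added example that is not part of any post above. The function name `Test-WefTarget` and the sample `$Target` value are hypothetical, and the script assumes `IssuerCA` names a CA in the chain of the forwarder's client authentication certificate.

```powershell
# Added diagnostic sketch for the forwarder; run in an elevated session.
# $Target below is a constructed sample value, not taken from the thread.
$Target = 'Server=https://collector.example.test:5986/wsman/SubscriptionManager/WEC,' +
          'Refresh=60,IssuerCA=0123456789ABCDEF0123456789ABCDEF01234567'

function Test-WefTarget {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Target)

    # Parse "Key=Value,Key=Value", splitting each pair on the first '=' only.
    $fields = @{}
    foreach ($pair in $Target -split ',') {
        $key, $value = $pair -split '=', 2
        $fields[$key.Trim()] = "$value".Trim()
    }
    $uri   = [uri]$fields['Server']
    $raw   = "$($fields['IssuerCA'])"
    # Normalise for store lookups: drop spaces or stray characters, upper-case.
    $thumb = ($raw -replace '[^0-9A-Fa-f]', '').ToUpper()

    # Is the IssuerCA thumbprint present in a machine CA store on this forwarder?
    $caInStore = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
        Where-Object Thumbprint -eq $thumb).Count -gt 0

    # Find a machine certificate with a private key and the Client Authentication
    # EKU (1.3.6.1.5.5.7.3.2) whose chain contains the IssuerCA thumbprint.
    $clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'
    } | Where-Object {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        [void]$chain.Build($_)
        @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }) -contains $thumb
    } | Select-Object -First 1

    [pscustomobject]@{
        Scheme             = $uri.Scheme
        Port               = $uri.Port
        IssuerCAIsCleanHex = $raw -match '^[0-9A-Fa-f]{40}$'   # false if the policy value has stray characters
        HttpsHasIssuerCA   = ($uri.Scheme -ne 'https') -or ($thumb.Length -gt 0)
        IssuerCAInStore    = $caInStore
        ClientCertFound    = [bool]$clientCert
        ClientCertSubject  = $clientCert.Subject
        TcpReachable       = (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}

Test-WefTarget -Target $Target | Format-List
```

Any `False` in the output points at the prerequisite to revisit: the policy string, the trusted CA on the forwarder, the client certificate and its private key, or the firewall path to the collector port.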