Windows 10
A Microsoft operating system that runs on personal computers and tablets.
10,709 questions
Windows Event Collector : Subscribed to only one out of 2 subscriptions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 50%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKS%3C/text%3E%3C/svg%3E)
K. SA
1
Reputation point
Hello everyone,
I have an issue with Windows Event Collector.
Context :
There are around 500 source servers (push mode), configuration is good, with 2 subscription (call A and B in this post) from the same collector (there is only 1 collector).
So the problem is :
Some servers (about 100) are subscribed to only one subscription (A). The other subscription (B) is not applied on these servers. It is applied only to others (about 400).
There is no significant difference between these 100 servers and the others.
In the "Eventlog-ForwardingPlugin" event log, we can see that the 100 source servers do receive the request for subscription A. But there is no interaction with subscription B. No error, no attempt to subscribe etc... It does not appear on any log. Even after some gpupdate
After days of investigation, there is no element of WEC configuration error.
So my question are :
- Is it possible to know where the XML queries received from a collector subscription are stored? In this way, it might be possible to force the registration of the query in the defective sources.
- Do you know a way to decrypt the HTTP traffic used by WinRM? (Encrypted thanks to Kerberos and wrapped in HTTP)
- Do you have any idea how i can solve this problem?
Thanks for reading
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 66%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBV%3C/text%3E%3C/svg%3E)
Barry Vista 0 Reputation points2023-07-04T16:35:40.0266667+00:00 Please have a look at this article at LOGbinder: https://logbinder.helpspot.com/index.php?pg=kb.page&id=67
It list almost all of the reasons and places to look when you have problem forwarders. In your case, how are you targeting the 500 servers? Are they in the same OU or AD group? Have you ran a gpresult on some of the 400 problem forwarders and verified that they have the target subscription manager in their GPO?
Sign in to comment