How to configure the Windows Server 2008 event forwarder

Wang Han 0 Reputation points
2024-05-08T09:20:41.0033333+00:00

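While configuring event forwarding on Windows Server 2008, I ran into a problem where events are not forwarded to another server. The steps I followed are:

1. Open the event forwarder with evntwint;

2. Edit and add an event;

3. Configure the traps of the SNMP service, setting the community name and the IP of the server that receives the snmptrap messages;

When a new event is generated, no message is received. What should I do?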


1 answer

  1. Wesley Li 5,490 Reputation points
    2024-05-08T15:49:09.29+00:00

    Hello

    Here are some possible solutions to your problem:

    Check WinRM Configuration: Make sure that Windows Remote Management (WinRM) is properly configured on both the source and collector servers. You can check this by running the command winrm qc in the command prompt on both servers.

    Check Firewall Settings: Ensure that the Windows Firewall is not blocking the necessary ports for event forwarding. The default ports for WinRM are 5985 for HTTP and 5986 for HTTPS.

    Check URL Permissions: There might be an issue with the permissions configured for the WinRM URLs on the event collector computer. You can check the URL permissions by running the command netsh http show urlacl in an elevated Command Prompt. If necessary, you can fix the URL permissions by running the following commands:

    • netsh http delete urlacl url=http://+:5985/wsman/
    • netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
    • netsh http delete urlacl url=https://+:5986/wsman/

    Check Event Log Readers Group: Make sure that the Network Service account on each source computer is added to the respective computer’s Event Log Readers group.

    [Security event log forwarding fails with Error 0x138C and 5004 in Windows Server - Windows Server | Microsoft Learn](https://learn.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/security-event-log-forwarding-fails-error-0x138c-5004)

    Update WinRM Stack: If you’re trying to forward events from a server running a newer version of Windows Server to a server running Windows Server 2008 R2, there might be a compatibility issue with the WinRM stack. There is a Microsoft Update available to bring your 2008 R2 server to the newest version.

    [Windows Server 2008 R2 Source-Initiated Event Log Forwarding: No Source Servers Reporting - Server Fault](https://serverfault.com/questions/599613/windows-server-2008-r2-source-initiated-event-log-forwarding-no-source-servers)
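
The checks listed in the answer above, gathered into one read-only PowerShell script. This is an added example, not part of the original answer; `collector.example.test` is a placeholder host name, and the English group and account names are assumed.

```powershell
# Added example (not from the answer); run elevated. $Collector is a placeholder.
param([string]$Collector = 'collector.example.test')

# The two SIDs from the answer's "netsh http add urlacl" command.
$ExpectedSids = @(
    'S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970',
    'S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517'
)

function Get-UrlAclSddl {
    # Returns the SDDL netsh reports for one reserved URL, or $null if absent.
    param([string[]]$NetshLines, [string]$Url)
    $inBlock = $false
    foreach ($line in $NetshLines) {
        if ($line -match '://') { $inBlock = $line.Trim().EndsWith($Url) }
        elseif ($inBlock -and $line -match '(D:\(.*\))\s*$') { return $Matches[1] }
    }
    return $null
}

function Test-TcpPort {
    # Plain TCP connect with a timeout; $true only if the port accepts the connection.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Source and collector: is the WinRM service running?
"WinRM service: {0}" -f (Get-Service -Name WinRM).Status

# Source: can the WinRM ports on the collector be reached through the firewall?
foreach ($port in 5985, 5986) {
    "TCP {0} on {1} reachable: {2}" -f $port, $Collector, (Test-TcpPort $Collector $port)
}

# Collector: does the /wsman/ reservation grant both SIDs from the answer?
$sddl = Get-UrlAclSddl -NetshLines (netsh http show urlacl) -Url 'http://+:5985/wsman/'
foreach ($sid in $ExpectedSids) {
    "urlacl grants {0}: {1}" -f $sid, [bool]($sddl -and $sddl.Contains($sid))
}

# Source: is Network Service in Event Log Readers? (English names assumed.)
$members = net localgroup "Event Log Readers"
"Network Service in Event Log Readers: {0}" -f [bool]($members -match 'NETWORK SERVICE')
```

The script changes nothing on either machine; a `False` on any line points to the matching item in the answer.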