none
R2 and Source Initiated Event Forwarding

    Question

  • Hello all,

    I get a message similar to this:

    The description for Event ID (number) from source EventCreate cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    When I set up source initiated Event Forwarding on a new lab domain environment (Windows 2008 R2)

    I've actually setup a "self" subscription where my DC is forwarding events to itself - I think this is the most simple test I can think of yet I still get the message above.

    I can fix the problem by running a "wecutil ss (subname) /cf:events" but an product under evaluation then experiences issues.

    Is there a known issue with Server R2 and event forwarding.....?

    Thanks v much for any advice

    Carl

    Monday, November 07, 2011 2:43 PM

All replies

  • I might be talking to myself here but anyway...

    Its appears to be an issue with Server 2008 and regional settings - I've built my server for use in England (en-gb) and experience the issue - if I replicate the same configuration but build my DC with 2008 R2 for US (en-us I guess) then Event Forwarding works as expected.

    I'm in the process of raising this with Microsoft UK so will post back what is discovered. 

    Tuesday, November 08, 2011 10:53 AM
  • Again expecting a massive echo in the room when I say this but anyway...it's there for future reference:

    On your DC change the regional settings - on the formats tab change this to English (United States) and Event Forwarding with the format of renderedtext will work correctly.

    This change is obviously only suitable for environments that are pre-production/test labs

    Hoping to hear from MS regarding a workaround - will post back....

    Tuesday, November 08, 2011 3:47 PM
  • Hi,

     

    Would you please list the detailed steps of how to reproduce this issue?

     

    I will follow your steps to check if the issue can be reproduced. If I have the same issue with you, I will report this issue.

     

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, November 10, 2011 7:05 AM
  • Hello Arthur,

    Yes all you have to do is:

    Install Windows 2008 R2 Server - when prompted choose "United Kingdom" regional settings

    Create an AD Domain with this one server as the DC

    Set up event forwarding on the DC (winrm qc, wecutil qc)

    In Local Group Policy (or domain GP if you prefer) configure the WinRM service and client (details can be found on Technet)

    Setup a "source computer initiated" subscription in Event Viewer on the DC, so that the Domain controller is both the collector and the source computer (this is the most simple test model I could come up with).

    Check the forwaded events log for the message I mention in my first post

    The incorrect rendering of events can be corrected by running "wecutil ss (nameofsubscription) /cf:events" however there is no need to do this for the same server/domain configuration but where the DC is setup to use US Regional Settings....a product we are hoping to use cannot currently be made to run with this format of forwarded events.

    Pleas let me know if you need further info and thanks very much for responding

    Carl

    Friday, November 11, 2011 1:57 PM
  • Worth noting that the problem appears to effect only 2008 R2 and Windows 7 clients - changing the regional settings to US on the machine setup to collect events will fix the issue - so no need to re-configure regional settings on your DCs....unless of course they are set up to collect events.

    Tuesday, November 15, 2011 1:50 PM
  • MS have listed this as a bug and arranged for it to be raised against their Windows 8 bug database.

    My call with MS has been closed so not expecting any further updates


    Carl Barrett | Twitter: @Mosquat

    Tuesday, February 21, 2012 4:07 PM