Event Log forwarding subscription is unsubscribed

  • Question

  • I set up a source-initiated event log subscription to some computers in my domain.

    The logs are collected in a collection server (windows 2012R2).

    From time to time some of the hosts appear inactive in:

    wecutil gr SubscriptionName

    When I look at the Eventlog-ForwardingPlugin log I see event id 103 "The subscription SubscriptionName is unsubscribed."

    After some time I see event id 100 "The subscription SubscriptionName is created successfully." And then the events are forwarded again. 
    Why does that keep happening?

    Tuesday, May 10, 2016 8:52 AM

All replies

  • Hi yoni.kibrik,

    >>When I look at the Eventlog-ForwardingPlugin log I see event id 103 "The subscription SubscriptionName is unsubscribed."

    Forwarding events using the Normal setting can take up to 15 minutes.

    The delay might be longer if either the forwarding or the collection computer has recently restarted, because the Windows Remote Management service is set to start automatically, but with a delay so that it doesn’t impact startup performance.

    The 15-minute counter doesn’t start until after the Windows Remote Management service starts.

    Please check that the following services are correctly configured:

    Windows Remote Management (WS-Management)

    Windows Event Collector

    Verify that ports 5985 (HTTP) and 5986 (HTTPS) are allowed by Windows Firewall.

    Besides, you could use the command `winrm enumerate winrm/config/Listener` to verify that the forwarding computer has the Windows Remote Management listener properly configured.

    In addition, please check if you have more intermediate CA certificates, while in the subscription group policy only the thumbprint of this one CA certificate is specified.

    Best regards,


    Andy_Pan

    Wednesday, May 11, 2016 8:53 AM
    Moderator
  • Hi Andy,

    The events are being forwarded most of the time, but from time to time (about once in 2-3 days) the forwarding stops and we see the 103 event id in the logs.

    Most of the time the forwarding continues after about an hour and we see the 100 event id in the logs, in some occasions the user has to run "gpupdate /force" and only then the forwarding continues.

    The collection server and the source computer are not restarted during that time, and it doesn't seem like a networking issue.

    What else should I check?

    Thanks,

    Yoni

    Wednesday, May 11, 2016 2:47 PM
  • Hi Yoni,

    Sorry for the late reply.

    >>in some occasions the user has to run "gpupdate /force" and only then the forwarding continues.

    When the event forwarding has stopped, you could run the `gpupdate /r` command on the affected machines to see if these machines have correctly applied the GPO settings.

    Besides, please check if you have some discarded GPO settings that are still used.

    In addition, please check if you have any third party antivirus software caused this issue.

    Best regards,


    Andy_Pan

    Thursday, May 19, 2016 9:03 AM
    Moderator
  • Hello yoni

    Did you find the root cause?

    I'm facing the same problem as you 

    Thanks


    Robson Hasselhoff - Follow me @Robk9e

    Thursday, October 20, 2016 1:02 PM
  • I too am facing this issue.

    Setup:
    One server 2012 "collector" with
    -WinRM auto start
    -Windows Event Log Collector Auto Start
    -Subscription created as "Source computer initiated". Assigned to domain controllers, all 2012R2. Events to collect: 4625.

    Event logs are pushed from DCs to collector, however occasionally the DCs will go into the "inactive" state when looking at "Runtime Status" in the Subscription properties on the collector.

    When inactive, event logs are not pushed to the collector. Going to the DC and issuing a gpupdate /force will cause the Runtime Status to change to Active for that DC. There is no logical reason why the DCs go into "inactive" state, as they are still running, haven't been rebooted, and no services have changed status on either the collector or DCs.

    The reason gpupdate "fixes" it temporarily is because group policy is set to define the following for my DCs:

    "Computer>Policies>Admin Templates>Windows Components>Event Forwarding>Configure target subscription manager"
    Server=http://fqdnofsubscriptionserver:5985/wsman/SubscriptionManager/WEC,Refresh=60

    "Computer>Policies>Admin Templates>Windows Components>Event Log Service>Security> Configure log access"
    O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;NS)

    I can only theorize that one of the settings that the GPO applies gets overwritten occasionally. 

    Thoughts?

    Edit: One thing to check during this inactive state, is the result of this command from an elevated command prompt: wevtutil gl security - that should then not reflect the GPO addition of (A;;0x1;;NS) if the value is being overwritten and waiting to be reapplied by GPO.

    Regards,

    • Edited by JoeGomez Thursday, October 20, 2016 5:56 PM
    Thursday, October 20, 2016 5:52 PM
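The checks suggested in Andy_Pan's first reply (services, listener, port) and JoeGomez's wevtutil check above, combined into one script run on a forwarding computer. This is an added example, not code from the thread; it assumes the collector listens on 5985 as in the GPO value above, that the policy lands in the standard SubscriptionManager registry key, and that the log-access ACE has the standard SDDL form (A;;0x1;;;NS).

```powershell
# Added example, not from the thread. Run elevated on a forwarding computer (a DC in the
# thread) while the collector shows it as Inactive. Checks the items the replies suggest:
# both services, the WinRM listener, the policy-delivered SubscriptionManager value,
# reachability of the collector, and whether the Security channel ACL still carries
# the Network Service ACE that the "Configure log access" GPO adds.
# Assumptions: collector port 5985 and the standard SDDL ACE (A;;0x1;;;NS).
$ErrorActionPreference = 'Stop'
$findings = @()

# 1. Services the collection path depends on (Andy_Pan's first reply)
foreach ($svc in 'WinRM', 'Wecsvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s -or $s.Status -ne 'Running') { $findings += "service $svc is not running" }
}

# 2. WinRM listener (winrm enumerate winrm/config/Listener, as suggested)
$listener = winrm enumerate winrm/config/Listener 2>&1 | Out-String
if ($listener -notmatch 'Transport\s*=\s*HTTP') { $findings += 'no HTTP WinRM listener found' }

# 3. Policy value behind "Configure target subscription manager" (JoeGomez's GPO).
#    The values under this key are named 1, 2, ... and hold the Server=... string.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$mgr = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).PSObject.Properties |
       Where-Object { $_.Name -match '^\d+$' } | Select-Object -ExpandProperty Value
if (-not $mgr) { $findings += 'SubscriptionManager policy value is missing (GPO not applied?)' }
else {
    # Collector host out of Server=http://host:5985/wsman/... and a TCP check to it
    $m = $mgr | Select-String 'Server=\w+://([^:/]+)' | Select-Object -First 1
    $collector = $m.Matches[0].Groups[1].Value
    if (-not (Test-NetConnection -ComputerName $collector -Port 5985 -InformationLevel Quiet)) {
        $findings += "TCP 5985 to collector $collector is not reachable"
    }
}

# 4. Security log channel access: if the NS ACE is gone, the GPO value was overwritten
#    and forwarding stays Inactive until gpupdate reapplies it (JoeGomez's observation).
$access = (wevtutil gl Security | Select-String '^channelAccess:').Line
if ($access -notmatch '\(A;;0x1;;;NS\)') { $findings += "Security channelAccess lacks NS ACE: $access" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'WEF client checks passed; if the collector still shows Inactive, run gpupdate /force and recheck'
```

Finding 4 is the one to capture before running gpupdate, since gpupdate restores the ACE and destroys the evidence.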
  • Hi Robson,

    I did not find the root cause.

    Saturday, February 4, 2017 7:01 PM
  • Same problem here. Very annoying.
    Monday, March 13, 2017 12:50 AM
  • Hi,

    Please post a feedback on link below:

    https://windowsserver.uservoice.com/forums/295047-general-feedback

    Best regards,

    Andy

    Monday, March 13, 2017 2:07 AM
    Moderator
  • I am experiencing the same issue. I have multiple subscriptions (one for the Security log, System log, etc.) and a machine can show valid for all but one (Security can show inactive), which a gpupdate /force can flip back to active. However, if I create a new subscription for the security log for the same inactive machine it will show as active.

    Very annoying problem. I'm guessing nobody else has figured this one out either?

    Wednesday, May 10, 2017 8:24 PM
  • I have resolved this same issue for my machines. I had my Max Delivery items set to 1 to get as close to real time as we could. Once I changed this to 10,000 the issue has been resolved.
    Wednesday, June 7, 2017 3:26 PM
  • I keep trying to use Max Delivery items but it isn't listed in the standard output of wecutil. I even exported my config to XML and it isn't there.

    Is this a setting that must be added via XML only?

    David Jenkins

    Monday, August 26, 2019 3:31 PM
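Applying the Max Delivery items change spaz1729 describes, in answer to the XML question above. This is an added example, not the thread's or Microsoft's own code; it assumes the subscription is named SubscriptionName as in the original question, and that the preset modes do not list their batching values in an export (which would explain why MaxItems was not visible) while Custom mode does.

```powershell
# Added example, not from the thread. Run elevated on the collector (Windows Server 2012 R2
# in the question). Assumption: the preset modes (Normal/MinLatency/MinBandwidth) do not
# list their batching values in an export, which is why MaxItems was not visible; the
# values are exposed once ConfigurationMode is Custom.
$name = 'SubscriptionName'           # name from the original question

# Quick path: switch the existing subscription to Custom mode and set the delivery values.
# /dmi = DeliveryMaxItems (spaz1729's 10,000), /dmlt = max latency ms, /hi = heartbeat ms.
wecutil ss $name /cm:Custom /dmi:10000 /dmlt:30000 /hi:3600000
wecutil gs $name                     # now lists DeliveryMaxItems and friends

# XML path: a complete source-initiated definition carrying the same Delivery block,
# loaded with wecutil cs as a new subscription (query and values are this example's).
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$name-Custom</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Failed logons (4625) from domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>10000</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList><Query Id="0" Path="Security">
      <Select Path="Security">*[System[(EventID=4625)]]</Select>
    </Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <PublisherName>Microsoft-Windows-EventCollector</PublisherName>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@
$path = Join-Path $env:TEMP "$name-Custom.xml"
Set-Content -Path $path -Value $xml -Encoding ascii
wecutil cs $path
wecutil gr "$name-Custom"            # per-source runtime status: Active / Inactive
```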
  • Restarting the WinRM service got my source-initiated subscriptions rolling again. I'm still not sure why they stopped initially - or if it will happen again.
    Monday, December 30, 2019 8:41 PM