Event forwarding error Code (0x138C)

  • Question

  • I'm trying to configure Windows event forwarding on domain controllers to a subscription on a different server. I'm getting the following error message.

    I'm running the following command, which gives it the correct permissions, but for this to work I have to restart the domain controller. I have tested this for one, and after the reboot the error is gone; however, I would like to avoid this. Is there a service I can restart to address this issue without rebooting the domain controller?

    wevtutil set-log Microsoft-Windows-SMBServer/Audit /ca:O:BAG:SYD:(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)

    servername Error - Last retry time: 02/11/2020 22:03:58. Code (0x138C): <f:ProviderFault provider="Event Forwarding Plugin" path="C:\Windows\system32\wevtfwd.dll" xmlns:f=""><t:ProviderError xmlns:t="">Windows Event Forward plugin can't read any event from the query since the query returns no active channel. Please check channels in the query and make sure they exist and you have access to them.</t:ProviderError></f:ProviderFault>  Next retry time: 02/11/2020 22:08:58.

    Monday, November 2, 2020 10:11 PM
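
Added example (not part of the original post): a small Python decoder for the channel access string passed to `/ca:` in the command above, listing which trustees the ACL allows to read the channel. The right bits (0x1 read, 0x2 write, 0x4 clear) and trustee names are the standard event log channel values; the function names are illustrative.

```python
import re

# Event log channel access rights (bits of the ACE access mask).
CHANNEL_RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}

# SDDL aliases and well-known SIDs that commonly appear in channel ACLs.
KNOWN_TRUSTEES = {
    "BA": "BUILTIN\\Administrators",
    "SY": "NT AUTHORITY\\SYSTEM",
    "NS": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-573": "BUILTIN\\Event Log Readers",
}

# The SDDL string from the wevtutil command in the question.
QUESTION_SDDL = "O:BAG:SYD:(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)"


def parse_channel_sddl(sddl):
    """Return (owner, group, DACL entries) for a channel access SDDL string."""
    head = re.match(r"O:(.+?)G:(.+?)D:", sddl)
    if not head:
        raise ValueError("expected O:<owner>G:<group>D:<aces>")
    entries = []
    for body in re.findall(r"\(([^()]*)\)", sddl[head.end():]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, _flags, rights, _obj, _inherit, trustee = fields
        mask = int(rights, 16)  # assumes hex masks, as in the question
        entries.append({
            "allow": ace_type == "A",
            "sid": trustee,
            "trustee": KNOWN_TRUSTEES.get(trustee, trustee),
            "rights": sorted(n for b, n in CHANNEL_RIGHTS.items() if mask & b),
        })
    return head.group(1), head.group(2), entries


def readers(sddl):
    """Trustees with an allow ACE for read (deny ACEs are not evaluated here)."""
    return [e["trustee"] for e in parse_channel_sddl(sddl)[2]
            if e["allow"] and "read" in e["rights"]]


if __name__ == "__main__":
    for entry in parse_channel_sddl(QUESTION_SDDL)[2]:
        print(entry["trustee"], entry["rights"])
```
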

All replies