Source-Initiated Event Subscription Does Not Forward Events to the Collector

    Question

  • Source-Initiated Event Subscription does not forward events to the Collector.

    Below are the settings I used and the steps I took to troubleshoot the issue.

    Source Computer Settings (OS: Windows Server 2012 R2):

    1. Configured Windows Remote Management

    winrm qc -q

    2. Configured the Event Collector service

    wecutil qc /q

    3. Added the collector’s address to the registry or through the Group Policy Editor

    Server=http://<Collector’s FQDN>:5985/wsman/SubscriptionManager/WEC

    4. Apply Group Policy Settings

    gpupdate /force

    Collector Computer Settings (OS: Windows 7):

    5. Configured Windows Remote Management

    winrm qc -q

    6. Configured the Event Collector service

    wecutil qc /q

    7. Enable the HTTP Compatibility Listener

    winrm set winrm/config/Service @{EnableCompatibilityHttpListener="true"}

    8. Apply Group Policy Settings

    gpupdate /force

    9. Create the subscription

    wecutil cs Subscription.xml

    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
      <SubscriptionId>NotificationSubscription</SubscriptionId>
      <SubscriptionType>SourceInitiated</SubscriptionType>
      <Description>Alert subscription</Description>
      <Enabled>true</Enabled>
      <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>

      <!-- Use Normal (default), Custom, MinLatency, MinBandwidth -->
      <ConfigurationMode>Custom</ConfigurationMode>

      <Delivery Mode="Push">
        <Batching>
          <MaxItems>1</MaxItems>
          <MaxLatencyTime>1000</MaxLatencyTime>
        </Batching>
        <PushSettings>
          <Heartbeat Interval="60000"/>
        </PushSettings>
      </Delivery>

      <Query>
        <![CDATA[
                <QueryList>
                    <Query Path="Notification">
                        <Select Path="Notification">*</Select>
                    </Query>
                </QueryList>
            ]]>
      </Query>

      <ReadExistingEvents>true</ReadExistingEvents>
      <TransportName>http</TransportName>
      <ContentFormat>RenderedText</ContentFormat>
      <Locale Language="en-US"/>
      <LogFile>ForwardedEvents</LogFile>
      <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
      <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
    </Subscription>


    10. Apply Group Policy Settings on the source computer (gpupdate /force). This causes the source computer to show up on the subscription in the Event Viewer Subscription with the green check-mark. Sometimes this works and sometimes the source computer is not even listed in the source computer list.

    11. With events in the Notifications log on the source computer, and new log entries being generated there, events are failing to appear in the ForwardedEvents log on the collector computer.

    I have run the following commands on the collector and found no issues:

    • winrm id /r:<Source Computer> /a:none
    • winrm id /r:<Source Computer> /u:<username> /p:<password>
    • wecutil gr <subscription name>

    Sometimes I see the following Warning in the Collector’s System event log:

    "The WinRM service is not listening for WS-Management requests. 

     User Action 
     If you did not intentionally stop the service, use the following command to see the WinRM configuration: 

     winrm enumerate winrm/config/listener"

    Can someone tell me why this isn’t working?

    Thanks!




    • Edited by jlss4e Tuesday, December 22, 2015 5:47 PM
    • Moved by Fred Bao Wednesday, December 23, 2015 2:28 AM window server related
    Tuesday, December 22, 2015 5:42 PM
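As an added example that is not part of the original post (and not the poster's own code), the script below checks each piece that the source-initiated setup in steps 1 to 11 depends on, from the side it is run on. It assumes PowerShell 3.0 or later and an elevated prompt; the collector FQDN is a placeholder, while the subscription name and the "Notification" log come from the posted Subscription.xml. The one check the thread does not mention is the last source-side one: the push is done by the WinRM service as NETWORK SERVICE, which must be able to read the log being forwarded, and a missing read right shows up on the collector exactly as described (source listed with a green check-mark, nothing in ForwardedEvents).

```powershell
# Added example; not code from the original post. Run elevated:
#   -Role Source on the source, -Role Collector on the collector.
# The collector FQDN is a placeholder (assumption); subscription and log
# names match the posted Subscription.xml.
param(
    [ValidateSet('Source', 'Collector')] [string] $Role = 'Source',
    [string] $CollectorFqdn  = 'collector.example.local',   # assumption
    [string] $SubscriptionId = 'NotificationSubscription',  # from the posted XML
    [string] $LogName        = 'Notification'               # from the posted query
)

function New-Check([string] $Check, [bool] $Pass, [string] $Detail = '') {
    [pscustomobject] @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-WinRmListener {
    # Same data as "winrm enumerate winrm/config/listener"; WinRM logs event
    # ID 10149 to the System log when it has no listener at all.
    $out  = & winrm enumerate winrm/config/listener 2>&1
    $http = $out | Select-String -Pattern 'Transport\s*=\s*HTTP'
    New-Check 'WinRM listener present' ([bool] $http) (($out -join ' ') -replace '\s+', ' ')
}

function Test-SourceSide {
    $svc = Get-Service -Name WinRM
    New-Check 'WinRM service running (it does the pushing)' ($svc.Status -eq 'Running') "$($svc.Status)"
    Test-WinRmListener

    # The policy value from step 3 tells the source where to poll for
    # subscriptions; it re-reads it every Refresh seconds (default 60).
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $urls = @()
    if (Test-Path $key) {
        $urls = @((Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
    }
    $expected = "Server=http://${CollectorFqdn}:5985/wsman/SubscriptionManager/WEC"
    $hit = $urls | Where-Object { $_ -like "$expected*" }
    New-Check 'SubscriptionManager points at the collector' ([bool] $hit) ($urls -join '; ')

    # Forwarding runs as NETWORK SERVICE, which must be able to read $LogName:
    # either the channel SDDL grants it (NS / S-1-5-20) or the account is a
    # member of Event Log Readers.
    $sddl    = [string] (& wevtutil gl $LogName 2>&1 | Select-String 'channelAccess')
    $members = & net localgroup 'Event Log Readers' 2>&1
    $canRead = ($sddl -match ';;;(NS|S-1-5-20)\)') -or [bool] ($members -match 'NETWORK SERVICE')
    New-Check "NETWORK SERVICE can read '$LogName'" $canRead $sddl
}

function Test-CollectorSide {
    $svc = Get-Service -Name Wecsvc
    New-Check 'Windows Event Collector service running' ($svc.Status -eq 'Running') "$($svc.Status)"
    Test-WinRmListener

    # Step 3's URL uses TCP 5985, so the collector must accept it locally
    # (the "winrm qc" firewall exception covers the network side).
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect('localhost', 5985); $open = $client.Connected } catch { $open = $false }
    finally { $client.Close() }
    New-Check 'TCP 5985 accepting connections' $open

    # wecutil gr lists each source with RunTimeStatus, LastError and
    # LastHeartbeatTime: a source that never appears never checked in; one
    # with LastError other than 0 checked in but failed on the query or push.
    $status = & wecutil gr $SubscriptionId 2>&1
    $errors = $status | Select-String -Pattern 'LastError:\s*(?!0\s*$)\S+'
    $ok     = ($LASTEXITCODE -eq 0) -and (-not $errors)
    New-Check "Sources of '$SubscriptionId' report LastError 0" $ok (($status -join ' ') -replace '\s+', ' ')
}

$checks = if ($Role -eq 'Source') { Test-SourceSide } else { Test-CollectorSide }
$checks | Format-Table -AutoSize -Wrap

# Where to look next: the source's forwarding plug-in log says why a
# subscription failed to start; the collector's ForwardedEvents shows arrivals.
$log = if ($Role -eq 'Source') { 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' } else { 'ForwardedEvents' }
Get-WinEvent -LogName $log -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, MachineName, Message | Format-List
```

Run it on the source first: if the SubscriptionManager check fails the source never polls the collector, and if the read-right check fails the source appears on the collector but sends nothing. Only then is the collector side worth looking at.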

Answers

  • Hi Jlss4e,

    According to your description, it may be event ID 10149, you could check it on Event Viewer.

    If it is, to fix the problem, you could run the command line winrm quickconfig to create a listener for the WinRM service.

    For more information, please refer to the article below.

    Event ID 10149 — Listener Availability

    https://technet.microsoft.com/en-us/library/dd363600%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    If the problem persists, please check if any related Event Errors are encountered and post it for us further research.

     

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 25, 2015 8:54 AM
    Moderator

All replies

  • Hello jlss4e,

    From your description, this issue is related to Windows Server configuration, so I have moved it to the server forum so that you can get better help.

    Regards.



    Wednesday, December 23, 2015 2:24 AM
  • Hi Jay,

    Thanks for your help. I was able to resolve the issue by executing the original steps on another machine. I'm still not sure what was causing the issue, but it is working now.

    Now I have another issue. I'm trying to setup event forwarding to use HTTPS. I temporarily set it up between 2 domain computers, but the source computer fails to appear in the collector's "Source Computers" list in the Event Viewer Subscription. I have followed all the steps at "https://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx" in the "Setting up a source initiated subscription where the event sources are not in the same domain as the event collector computer" section, including creating Client & Server Authentication certificates. I also configured the Trusted Hosts for the collector "*".

    When I run the following commands from the source computer, everything looks good:

    • Test-WSMan -ComputerName <collector FQDN> -Port 5986 -UseSSL
    • New-PSSession -ComputerName <collector FQDN> -Authentication Default -Port 5986 -UseSSL
    • netstat | findstr "5986" shows the connection is "ESTABLISHED"

    Any ideas?

    Thanks.

    Monday, January 4, 2016 10:45 PM
  • Hi Jlss4e,

     I was able to resolve the issue by executing the original steps on another machine. I'm still not sure what was causing the issue, but it is working now.

    >>> If you intend to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency , then you must also run the above command on the collector computer.

    For a subscription that uses Normal (PULL mode) delivery optimization, you must set the exception only on the source computers. For a subscription that uses either Minimize Bandwidth or Minimize Latency (PUSH mode) delivery optimizations, you must set the exception on both the source and collector computers.

    Now I have another issue. I'm trying to setup event forwarding to use HTTPS. I temporarily set it up between 2 domain computers, but the source computer fails to appear in the collector's "Source Computers" list in the Event Viewer Subscription. I have followed all the steps at "https://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx" in the "Setting up a source initiated subscription where the event sources are not in the same domain as the event collector computer" section, including creating Client & Server Authentication certificates. I also configured the Trusted Hosts for the collector "*".

    >>> Did you run the command line below with 443?

    netsh firewall add portopening TCP 443 "Winrm HTTPS Remote Management"

    Specifies the ports that the client will use for either HTTP or HTTPS.

    WinRM 1.1 and earlier:  The default HTTP port is 80, and the default HTTPS port is 443.

    WinRM 2.0:  The default HTTP port is 5985, and the default HTTPS port is 5986.

    If you configure a subscription to use the HTTPS protocol by using the HTTPS option in Advanced Subscription Settings, you must also set corresponding Windows Firewall exceptions for port 443 (WinRM 1.1 and earlier) or port 5986 (WinRM 2.0).

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 5, 2016 5:15 AM
    Moderator
  • Hi Jay,

    I previously ran the following command on the collector to add a port opening/firewall exception for port 5986:

    • netsh advfirewall firewall add rule name="Winrm HTTPS Remote Management" dir=in localport=5986 protocol=TCP action=allow

    The source & collector are both using WinRM 2.0. I am still unable to see the source computer in the collector's "Source Computers" list in the Event Viewer Subscription.

    Thanks,

    Jlss4e

    Tuesday, January 5, 2016 3:50 PM
  • Hi Jlss4e,

    Based on my research, here are a similar thread and an official article for your reference.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/a517dbfd-5582-4993-b587-54f0df8fe1b4/sourceinitiated-push-mode-in-workgroup?forum=winservermanager

    Configure Computers to Forward and Collect Events

    https://technet.microsoft.com/en-us/library/cc748890.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 11, 2016 5:54 AM
    Moderator
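As an added example that is not part of the thread (and not Jay's or jlss4e's code), the script below applies and then checks the HTTPS variant discussed in the last four posts, following the MSDN section jlss4e cites. It assumes PowerShell 3.0 or later and an elevated prompt; every thumbprint and host name is a placeholder, and the subscription name comes from the posted XML. It is written for the domain-to-domain test jlss4e describes, where sources still authenticate with Kerberos over TLS; the -NonDomainSource switch adds the two extra pieces a workgroup source needs (certificate authentication on the service, and the IssuerCA part of the SubscriptionManager value).

```powershell
# Added example; not code from the original thread. Run elevated:
#   -Role Collector on the collector, -Role Source on the source.
# Thumbprints and host names are placeholders (assumptions).
param(
    [ValidateSet('Source', 'Collector')] [string] $Role = 'Collector',
    [string] $CollectorFqdn        = 'collector.example.local',                  # assumption
    [string] $ServerCertThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567', # assumption
    [string] $IssuingCaThumbprint  = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98', # assumption
    [string] $SubscriptionId       = 'NotificationSubscription',                 # from the posted XML
    [switch] $NonDomainSource   # source authenticates with a client certificate
)

function Get-HttpsListener {
    Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
}

function Set-CollectorHttps {
    # 1. A server-authentication certificate whose subject/SAN is $CollectorFqdn
    #    must already be in LocalMachine\My; Test-WSMan -UseSSL fails otherwise.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ServerCertThumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $ServerCertThumbprint in LocalMachine\My" }

    # 2. HTTPS listener; same as
    #    winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="...";CertificateThumbprint="..."}
    if (-not (Get-HttpsListener)) {
        New-WSManInstance -ResourceURI winrm/config/Listener `
            -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
            -ValueSet    @{ Hostname = $CollectorFqdn; CertificateThumbprint = $ServerCertThumbprint } | Out-Null
    }

    # 3. WinRM 2.0 uses 5986 for HTTPS, so that is the port to open, not 443.
    $rule = 'Winrm HTTPS Remote Management'
    if ((& netsh advfirewall firewall show rule name="$rule") -match 'No rules match') {
        & netsh advfirewall firewall add rule name="$rule" dir=in localport=5986 protocol=TCP action=allow | Out-Null
    }

    # 4. Client-certificate authentication on the service is off by default;
    #    only workgroup sources need it (domain sources use Kerberos over TLS).
    if ($NonDomainSource) { Set-Item WSMan:\localhost\Service\Auth\Certificate -Value $true }

    # 5. The subscription itself must say HTTPS: a subscription created with
    #    TransportName http keeps handing sources the http URL when they poll.
    [xml] $sub = & wecutil gs $SubscriptionId /f:xml
    [pscustomobject] @{
        HttpsListener = [bool] (Get-HttpsListener)
        TransportName = $sub.Subscription.TransportName
        TransportPort = $sub.Subscription.TransportPort
        IssuerCAs     = @($sub.Subscription.AllowedSourceNonDomainComputers.AllowedIssuerCAList.IssuerCA) -join ','
    }
}

function Set-SourceHttps {
    # SubscriptionManager value in the format from the MSDN page: https URL on
    # 5986, the poll interval and, for client-certificate sources, the thumbprint
    # of the CA that issued the source's client certificate.
    $url = "Server=https://${CollectorFqdn}:5986/wsman/SubscriptionManager/WEC,Refresh=60"
    if ($NonDomainSource) { $url += ",IssuerCA=$IssuingCaThumbprint" }
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '1' -Value $url

    # Restarting WinRM makes the forwarder re-read the value now rather than at
    # the next Refresh. For a client-certificate source the certificate's
    # private key must also be readable by NETWORK SERVICE.
    Restart-Service -Name WinRM

    # The same TLS check the poster ran by hand, plus whether the issuing CA is
    # trusted here at all (the chain of the collector's server certificate).
    $tls = $false
    try { Test-WSMan -ComputerName $CollectorFqdn -Port 5986 -UseSSL -ErrorAction Stop | Out-Null; $tls = $true } catch { }
    $trusted = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
        Where-Object { $_.Thumbprint -eq $IssuingCaThumbprint }
    [pscustomobject] @{
        SubscriptionManager = $url
        TlsHandshakeOk      = $tls
        IssuingCaTrusted    = [bool] $trusted
    }
}

if ($Role -eq 'Collector') { Set-CollectorHttps } else { Set-SourceHttps }
```

The collector-side object is the useful one for the symptom in the thread: a TransportName other than HTTPS, or a missing HTTPS listener, keeps the source from ever registering even though Test-WSMan and New-PSSession over 5986 succeed, because those two test the listener only, not what the subscription advertises.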