Error with Source initiated collector

    Question

  • I am trying to set up event forwarding to my domain controller. I have group policies designating my domain controller to be the collection server. I also have group policies turning on the WinRM services; according to rsop.msc the group policies are being applied. I used the domain computers as the group in the event subscription. I cannot seem to get it to work. I am getting the following error when I run wecutil gr Test on my source servers.

    Failed to get RuntimeStatus Active Property. Error = 0x2

    the system cannot find the file specified

    The status of the subscription is showing active in Event Viewer on my domain controller, and I added the domain controller's machine account to the Event Viewers group in the domain builtin groups.

    Any help is appreciated.

    Monday, September 19, 2016 4:59 PM

Answers

  • Hi deathcythe,

    Have you made any progress?

    As a workaround, if you still can't solve the event forwarder issue, you may use a PowerShell script to get the related logs, then use Task Scheduler to send the log to the dedicated computer that you want to collect the log.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Wednesday, September 28, 2016 9:16 AM
    Moderator
  • Yeah, I had misspelled the IP or left something along those lines in Policies > Administrative Templates > Windows Components/Event Forwarding; after correcting that error I was able to get it to work. Also, as a side note, when I had configured it I was only configuring it for Windows 2012 servers, which by default are set up to allow remote management. My Windows 10 and 7 machines had to have additional GPO settings configured, namely adding a firewall rule through GPO to allow WinRM as well as configuring the GPO to start up the WinRM service.
    • Marked as answer by deathcythe272 Tuesday, December 27, 2016 6:55 PM
    Tuesday, December 27, 2016 6:55 PM
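
A check for the SubscriptionManager typo described in the answer above, as an added example that is not part of the original thread. It assumes the Event Forwarding policy is stored under the registry key shown and that entries use the `Server=http(s)://<collector>:<port>/wsman/SubscriptionManager/WEC` form; `Test-SubscriptionManagerEntry` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Run on a source computer.
# Assumption: the "Configure target Subscription Manager" policy is stored here.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

function Test-SubscriptionManagerEntry {
    param([Parameter(Mandatory = $true)][string]$Entry)

    # Expected shape: Server=http(s)://<collector>:<port>/wsman/SubscriptionManager/WEC[,Refresh=...]
    if ($Entry -notmatch '^Server=(?<url>https?://[^,\s]+)') {
        return "malformed entry (no Server=http(s)://...): $Entry"
    }
    $uri = $null
    if (-not [uri]::TryCreate($Matches['url'], [System.UriKind]::Absolute, [ref]$uri)) {
        return "unparseable URL in entry: $Entry"
    }
    $problems = @()
    if ($uri.AbsolutePath -ne '/wsman/SubscriptionManager/WEC') {
        $problems += "unexpected path '$($uri.AbsolutePath)'"
    }
    # A misspelled collector name or IP shows up as a resolution or connection failure.
    try   { [void][System.Net.Dns]::GetHostAddresses($uri.Host) }
    catch { $problems += "collector name '$($uri.Host)' does not resolve" }

    # Plain TCP connect, so the check does not depend on Test-NetConnection.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($uri.Host, $uri.Port) }
    catch   { $problems += "cannot connect to $($uri.Host):$($uri.Port)" }
    finally { $tcp.Close() }

    if ($problems.Count -eq 0) { return "OK: $($uri.AbsoluteUri)" }
    return "CHECK $($uri.AbsoluteUri): " + ($problems -join '; ')
}

$key = Get-Item -Path $policyKey -ErrorAction SilentlyContinue
if (-not $key) {
    'No SubscriptionManager policy found on this computer (confirm GPO scope with rsop.msc).'
} else {
    foreach ($name in $key.GetValueNames()) {
        Test-SubscriptionManagerEntry -Entry ([string]$key.GetValue($name))
    }
}

# The poster also had to start WinRM on the Windows 10 and 7 sources; report its state.
"WinRM service status: $((Get-Service -Name WinRM).Status)"
```

An entry that prints `CHECK` or `malformed entry` is the first thing to compare against the collector's real name and port when the subscription shows Active with 0 source computers.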

All replies

  • Hi deathcythe,

    Please read the following articles to check if all configurations are all correct:

    Configure Computers to Forward and Collect Events:

    https://msdn.microsoft.com/en-us/library/cc748890(v=ws.11).aspx

    Create a New Subscription:

    https://msdn.microsoft.com/en-us/library/cc722010(v=ws.11).aspx

    Best Regards,

    Anne



    • Proposed as answer by Todd Heron Tuesday, September 20, 2016 9:47 AM
    Tuesday, September 20, 2016 9:32 AM
    Moderator
  • Anne,

    Thanks for the response and help. I checked those settings and they are matching the articles. I am testing one server with my domain controller right now. I've tried adding just that computer to the subscription instead of the domain computers group. My domain controller was added to that computer's local event log viewer group as well. Any other ideas?

    Thanks

    Tuesday, September 20, 2016 1:40 PM
  • Also, as a note, in Event Viewer under Subscriptions the subscription is active, but it shows 0 source computers and the runtime status says Active -: No additional status
    Tuesday, September 20, 2016 1:56 PM
  • Hi deathcythe,

    I'm still trying to find out some other information about this issue. I'll report back as soon as I get any useful information.

    Best Regards,

    Anne



    Friday, September 23, 2016 9:40 AM
    Moderator
  • Hello,

    All, thanks for the help, ideas and recommendations; glad to see the help is out there. Turns out it was a typo in my GPO when I listed out the subscription manager. Thanks to all that responded!

    Wednesday, October 19, 2016 5:26 PM
  • Hi deathcythe,

    I have exactly the same problem as you describe - all is configured correctly but I get "the subscription is active but it shows 0 source computers and the runtime status says Active -: No additional status".

    What GPO did you have the typo in?

    Hopefully my problem is similar, but I have only used winrm, wevutil etc., no GPO.

    Thursday, December 15, 2016 12:51 PM
  • Never mind - I see you're using a Source subscription while I was using a Collector subscription.

    Anyway, I managed to get the Source subscription working and I see the GPO you mean in Windows Components - Event Forwarding.

    Thursday, December 15, 2016 1:51 PM