Missing events on Event Subscription

    Question

  • Hello! I have a problem with some missing events on an Event Source Initiated Subscription. The subscription was created on a standalone Windows Server 2012 R2; the client (Win10) is configured by GPO. The subscription works and collects security logs from the client workstation. But after comparison with the local copy of the logs I see that some small parts are missing (e.g. a 2 second range, ~10 events). In the collector event viewer I found events related to the WinRM service - WSMan operation Identify failed, error code 2150859027 (13:13:50), on local - WSMan operation EventDelivery failed, error code 2150859027 (13:16:26), but at this all events keep fine. Missing events occurred hours ago.


    Thursday, September 21, 2017 1:33 PM
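The comparison described in the question, as an added example that is not part of the original thread: it diffs a client's local Security log export against the collector's copy and reports contiguous runs of missing records with their timestamps. It assumes both files were exported as XML under a root element (for instance with `wevtutil qe <log> /f:xml /e:Events`) and that the forwarded copy keeps the source machine's `EventRecordID`; the host name and events below are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def read_records(xml_text, computer=None):
    """Return {EventRecordID: SystemTime} for the events under an <Events> root."""
    records = {}
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        host = system.findtext("e:Computer", default="", namespaces=NS)
        if computer and host.lower() != computer.lower():
            continue  # collector log holds many sources; keep one client only
        rid = int(system.findtext("e:EventRecordID", namespaces=NS))
        records[rid] = system.find("e:TimeCreated", NS).get("SystemTime")
    return records

def missing_ranges(local, forwarded):
    """Group record IDs present locally but absent on the collector into runs."""
    runs = []
    for rid in sorted(set(local) - set(forwarded)):
        if runs and rid == runs[-1][1] + 1:
            runs[-1][1] = rid          # extends the current contiguous gap
        else:
            runs.append([rid, rid])    # starts a new gap
    # (first ID, last ID, time of first, time of last) for each gap
    return [(a, b, local[a], local[b]) for a, b in runs]

def _sample(ids):
    """Build a constructed export; real input would come from wevtutil."""
    ev = ('<Event xmlns="{ns}"><System><EventID>4624</EventID>'
          '<TimeCreated SystemTime="2017-09-21T08:00:{s:02d}.000Z"/>'
          '<EventRecordID>{i}</EventRecordID>'
          '<Computer>WIN10-01.example.test</Computer></System></Event>')
    body = "".join(ev.format(ns=NS["e"], s=i % 60, i=i) for i in ids)
    return "<Events>" + body + "</Events>"

# Constructed data: the collector lacks records 1005-1008 and 1015.
LOCAL_XML = _sample(range(1000, 1020))
FORWARDED_XML = _sample(i for i in range(1000, 1020)
                        if not 1005 <= i <= 1008 and i != 1015)

def find_gaps(computer="WIN10-01.example.test"):
    local = read_records(LOCAL_XML)
    forwarded = read_records(FORWARDED_XML, computer)
    return missing_ranges(local, forwarded)

if __name__ == "__main__":
    for first, last, t0, t1 in find_gaps():
        print(f"missing {first}-{last} ({last - first + 1} events) {t0} .. {t1}")
```

The timestamps of each gap can then be lined up against the WinRM errors logged on the collector and the client to see whether a delivery failure coincides with the loss.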

All replies

  • Hi mr.oleg12,

    Please check if the Windows Event Log and dependency services are started.

    1. Press Windows key + R, Type Services.msc and press ENTER.
    2. Locate Windows Event log in the Services listed.
    3. Verify if the Status is started. If the Status column is blank, Right click on Windows Event log Service and select Start.
    4. Open Windows Event log Service, Select Dependencies. In Dependencies select the Windows Event Collector and click on ok to start the service.
    5. Also check the Dependencies in the Windows Event Collector and start the dependencies Services by clicking OK

    Run the sfc /scannow command to repair system files.

    In addition, you might use the following command to enable the firewall rule:

    netsh firewall add portopening TCP 443 "Winrm HTTPS Remote Management"

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 22, 2017 2:46 AM
    Moderator
  • Hi mr.oleg12,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

                       

    Best Regards,

    Candy



    Tuesday, September 26, 2017 6:17 AM
    Moderator