Configuring which interface to use for Eventlog's event forwarding feature RRS feed

  • Question

  • I configured event forwarding between Windows Server 2008 R2 servers in a domain environment. I chose the push model, and it more or less worked.

    The central machine where the logs are forwarded to has two network interfaces. One is a public interface, the other is an internal one that is connected to the other servers. On the public interface there is no WinRM listener configured. The problem is that if I disable the WinRM port in the firewall for the pubic interface, event subscription stops working. The UI gives the following error:

    "The WinRM client could not create a push subscription because there are no listeners configured that match the specified hostname or transport, or because there is no enabled firewall exception on the port used by the selected listener...". The subscription turns into inactive, with a status code 0x802280AA.

    If I readd the exception to the public interface also, it starts to work again. However, this firewall exception is not needed, thus it should not be an error if it is not present. Is there a way to tell event forwarding which network interface should it use for its checks?

    Thanks for the help,


    Friday, April 30, 2010 12:51 PM

All replies

  • Hi,
    This sounds like it could be a DNS issue. How is resolution for the IP
    address of the second interface set up on the server that you are trying
    to configure the push subscription to?
    An example
 server.domain.com (call this public) server-pvt.domain.com (call this private)
    If you enter server.domain.com, then the public interface is hit, if the
    server-pvt name is specified, then the private interface will be hit.

    -- Mike Burr
    Friday, June 18, 2010 7:31 PM
  • The setup is the following:

    • central machine: - server.internal.local, public IP - server.domain.com (each interface has a separate DNS server set, in adapter and bindings the internal is the first, thus all DNS queries are sent over there first) 
    • servers sending the events - 10.0.0.* serverX.internal.local, and they are configured to connect server.internal.local via Group Policy.

    But the problem in my opinion is not related to DNS, as clients have not made yet any attempt to send events. The problem is I think in the logic which checks firewall rules when a new subscription is added: it unnecessarily checks all interfaces, even those interfaces which could not participate in event forwarding as there are no WinRM listeners there.


    Saturday, June 19, 2010 3:08 PM