Remove PCs from Source-Initiated Windows Event Forwarding?

  • Question

  • Advice given here was not useful: https://social.technet.microsoft.com/Forums/windowsserver/en-US/199b0333-0bda-4616-b7a9-49f2fffd9069/remove-computers-from-wef-subscription?forum=winserver8gen

    I have a few workstations that have been decommissioned and are showing as "Inactive". I'd like to remove them from the subscription to minimize the appearance of errors. Is there any advice you guys could give on the topic?
    Monday, April 30, 2018 4:24 PM

Answers

  • Got an answer.

    Delete keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions\<SubscriptionName> for PCs that are no longer active. I think this is the first time this question has ever been answered on the internet!
    Wednesday, May 2, 2018 2:53 PM
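
The registry cleanup described in the answer above, as an added example that is not part of the original thread. The script name `Remove-StaleWefSource.ps1` and its parameters are hypothetical, and it assumes each event source is stored as a subkey named after the computer's hostname or FQDN somewhere beneath the subscription key.

```powershell
# Remove-StaleWefSource.ps1 (hypothetical name; added example, not from the thread)
# Run elevated on the WEF collector. Use -WhatIf first to preview what would be deleted.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]   $SubscriptionName,
    [Parameter(Mandatory)] [string[]] $DecommissionedHosts   # short names or FQDNs
)

$rel    = "SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions\$SubscriptionName"
$subKey = "HKLM:\$rel"
if (-not (Test-Path -LiteralPath $subKey)) {
    throw "Subscription key not found: $subKey"
}

# Export the whole subscription key before touching it, so a mistake can be re-imported.
$stamp  = Get-Date -Format 'yyyyMMddHHmmss'
$backup = Join-Path $env:TEMP "wef-$SubscriptionName-$stamp.reg"
& reg.exe export "HKLM\$rel" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; nothing was deleted." }
Write-Verbose "Backup written to $backup"

# Find subkeys whose name is one of the decommissioned hosts.
# Assumption: source keys are named by hostname/FQDN; a short name also matches "<name>.<domain>".
$stale = Get-ChildItem -LiteralPath $subKey -Recurse | Where-Object {
    $leaf = $_.PSChildName
    $DecommissionedHosts | Where-Object { $leaf -eq $_ -or $leaf -like "$_.*" }
}

if (-not $stale) {
    Write-Warning "No keys matching the given hosts were found under $subKey"
    return
}

foreach ($key in $stale) {
    # ShouldProcess honours -WhatIf and -Confirm, so a dry run deletes nothing.
    if ($PSCmdlet.ShouldProcess($key.Name, 'Remove stale WEF event source key')) {
        Remove-Item -LiteralPath $key.PSPath -Recurse -Force
        Write-Output "Removed $($key.Name)"
    }
}
```

After a real run, `wecutil gr <subscription name>` (the command used later in this thread) shows whether the decommissioned machines are still listed.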

All replies

  • Hi,

    Thanks for your question.

    Have you tried to remove the source computers from the group policy part to see if it works?

    In the GPO part, we create a GPO and link it to the OU where the forwarding computers are sitting. So in this case, if the PCs you want to remove from WEF are located in the domain, you could remove the source computers from that OU and run gpupdate /force.

    If the PCs you want to remove from WEF are non-domain computers, you could also set the local group policy to disable this computer’s service.

    In addition, if you are coming through, check the server location in group policy and also make sure that you have not configured too many filtering options in the subscription, preventing any events from being transferred from the forwarder to the collector.

    Reference link:

    Removing an Event Source from a Collector Initiated Subscription

    https://msdn.microsoft.com/en-us/library/bb513657(v=vs.85).aspx

    Hope the above information can help you.

    Highly appreciate your effort and time. If you have any questions and concerns, please feel free to let me know.

    Best regards, 

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, May 1, 2018 6:13 AM
    Moderator
  • Hi Michaelsoft,

    So the issue I'm facing is that the PC I'm trying to "remove" is completely decommissioned and NO LONGER IN ACTIVE DIRECTORY, but still appears as "Inactive" when running "wecutil gr <subscription name>". I can't remove/disable a GPO from a PC that is no longer in AD.

    The link that you referenced is for a COLLECTOR-INITIATED subscription, but for craps and cackles I tried
    wecutil ss SubscriptionName /esa:EventSourceAddress /res
    with no change. There is no error but the device is still listed as "Inactive".


    Any advice?
    Tuesday, May 1, 2018 2:13 PM
  • Identical issue here.
    Tuesday, May 1, 2018 11:31 PM
  • Hi,

    I'm very pleased to hear that you resolved this issue yourself successfully. Your technique is very much appreciated. Thank you very much for posting your solution in the forum, as it will be helpful to anyone who encounters similar issues.

    Have a nice day!

    Best regards,

    Michael 



    Thursday, May 3, 2018 1:08 AM
    Moderator