WEF (Windows Event Forwarding)

  • Question

  • I'm attempting to set up WEF source-initiated collection using a Win10 machine as the source and Win Server 2016 as the collector. I believe I have everything set up correctly. I ran winrm quickconfig on both machines, wecutil qc on the collector, and set up the source-initiated collection on the server. I set up a group policy to configure the target server on the source.

    However, each time I retry the subscription I receive warning Event ID 10149 twice, followed by information Event ID 10148 twice in the Windows System log. 

    Any help or ideas would be greatly appreciated. I ran “winrm enumerate winrm/config/listener” which returns the following.

    Listener
        Address = *
        Transport = HTTP
        Port = 5985
        Hostname
        Enabled = true
        URLPrefix = wsman
        CertificateThumbprint
        ListeningOn = 10.4.6.52, 127.0.0.1, ::1, fe80::5efe:10.4.6.52%4, e80::9452:ee53:f707:5471%2

    I also ran "netsh http show iplisten" which shows the loopback and IP addresses present.

    Log Name:      System
    Source:        Microsoft-Windows-WinRM
    Date:          10/8/2019 12:23:25 PM
    Event ID:      10149
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      ###########
    Description:
    The WinRM service is not listening for WS-Management requests.

     User Action
     If you did not intentionally stop the service, use the following command to see the WinRM configuration:

     winrm enumerate winrm/config/listener

    Followed by

    Log Name:      System
    Source:        Microsoft-Windows-WinRM
    Date:          10/8/2019 12:23:25 PM
    Event ID:      10148
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      #############
    Description:
    The WinRM service is listening for WS-Management requests.

     User Action
     Use the following command to see the specific IPs on which WinRM is listening:

     winrm enumerate winrm/config/listener

    Tuesday, October 8, 2019 4:51 PM

All replies

  • Hi
    Is there any other related event log on Windows Server 2016?
    Microsoft-Windows-Forwarding/Operational
    Events are not forwarded if the collector is running Windows Server
    https://support.microsoft.com/en-us/help/4494462/events-not-forwarded-if-the-collector-runs-windows-server-2019-or-2016

    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Wednesday, October 9, 2019 2:01 PM
  • Hi
    Is there any progress on your question?

    Best Regards
    Andy YOU

    Sunday, October 13, 2019 7:44 AM
  • Sorry for the delayed response. The only other events are informational. This same one appears twice. 

    Log Name:      System
    Source:        Microsoft-Windows-WinRM
    Date:          10/15/2019 9:15:37 AM
    Event ID:      10148
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      #############
    Description:
    The WinRM service is listening for WS-Management requests. 

     User Action 
     Use the following command to see the specific IPs on which WinRM is listening: 

     winrm enumerate winrm/config/listener

    Tuesday, October 15, 2019 1:18 PM
  • This morning I found the following article and followed its steps, but unfortunately it's still not working and I'm getting the same errors.

    https://adamtheautomator.com/windows-event-log-forwarding/

    Tuesday, October 15, 2019 4:06 PM