Windows Event Forwarding: Collector initiated event forwarding forwards events initially, but doesn't pull the events periodically after that

Anonymous
2025-01-17T17:04:27+00:00

I created a collector initiated event forwarding which looks like the following:

PS C:\Users\Administrator.AD.000> wecutil gs pull2
Subscription Id: pull2
SubscriptionType: CollectorInitiated
Description: Something
Enabled: true
Uri: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
ConfigurationMode: MinLatency
DeliveryMode: Push
DeliveryMaxLatencyTime: 30000
HeartbeatInterval: 3600000
Query: <QueryList><Query Id="0" Path="Microsoft-Windows-DNSServer/Analytical"><Select Path="Microsoft-Windows-DNSServer/Analytical">*[System[(EventID=261)]]</Select></Query></QueryList>
ReadExistingEvents: true
TransportName: HTTP
ContentFormat: RenderedText
Locale: en-US
LogFile: ForwardedEvents
PublisherName: Microsoft-Windows-EventCollector
CredentialsType: Default
EventSource[0]:
        Address: msad-server.ad.infoblox.com
        Enabled: true

The security descriptor of Microsoft-Windows-DNSServer/Analytical channel is:

PS C:\Users\Administrator> $logName = "Microsoft-Windows-DNSServer/Analytical"
PS C:\Users\Administrator> $sd = (Get-WinEvent -ListLog $logName).SecurityDescriptor
PS C:\Users\Administrator> echo $sd
O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)(A;;0x1;;;S-1-5-21-3009059077-3318646759-3922541403-1103)(A;;0x1;;;S-1-5-21-3009059077-3318646759-3922541403-1000)

When I initially created the subscription, it pulled the DNS events from the Microsoft-Windows-DNSServer/Analytical channel as expected, and I can see the following event on the source machine at Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> Eventlog-ForwardingPlugin -> Operational:

The subscription pull2 is created successfully.

Since the ConfigurationMode is MinLatency, it is supposed to pull the events every 5 minutes, but it does not pull any events after that. We can see the following unsubscribe event at just around 5 minutes on the source machine, without making any changes to the pull2 subscription:

The subscription pull2 is unsubscribed.

I think this event is preventing the collector machine from pulling the events periodically. However, if I manually click Retry on the pull2 subscription, it sometimes works and pulls all the events, including the previously fetched ones. But after 5 minutes, we again see the unsubscribe event:

The subscription pull2 is unsubscribed.

Can you please help me resolve the issue so that the pull2 subscription can periodically pull events as expected?

If I create a pull subscription for Windows default logs, e.g. the Application log, it works without any issue and pulls events every 5 minutes. For example, the following subscription periodically pulls events every 5 minutes:

PS C:\Users\Administrator.AD.000> wecutil gs pull-security
Subscription Id: pull-security
SubscriptionType: CollectorInitiated
Description:
Enabled: true
Uri: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
ConfigurationMode: MinLatency
DeliveryMode: Push
DeliveryMaxLatencyTime: 30000
HeartbeatInterval: 3600000
Query: <QueryList><Query Id="0"><Select Path="Application">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0)]]</Select></Query></QueryList>
ReadExistingEvents: false
TransportName: HTTP
ContentFormat: RenderedText
Locale: en-US
LogFile: ForwardedEvents
PublisherName: Microsoft-Windows-EventCollector
CredentialsType: Default
EventSource[0]:
        Address: msad-server.ad.infoblox.com
        Enabled: true

In this case, we only see the following event on the source machine at Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> Eventlog-ForwardingPlugin -> Operational:

The subscription pull-security is created successfully.

However, we don't see an unsubscribe event after 5 minutes in this case.

Can you please help me understand the difference between the built-in Windows events and the DNS Analytical events? How can I make periodic event pulling work for DNS Analytical events?

Windows Server Networking

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

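The following PowerShell script is added here as a diagnostic example; it is not from the question, the answers, or Microsoft. Run on the source host, it checks the three things the question's own output points at: whether the channel is an Analytical log and currently enabled, which SIDs in the channel's security descriptor hold the Read right, and the cadence of the "created successfully" / "unsubscribed" events in Eventlog-ForwardingPlugin/Operational. The channel and subscription names are the ones from the question. The reader SIDs (NETWORK SERVICE and Event Log Readers), the use of bit 0x1 of a channel ACE mask as the Read right, and matching the plugin events by their message text are assumptions stated in the comments.

```powershell
# Added diagnostic example (not from the question or from Microsoft).
# Assumes the channel/subscription names from the question; run on the SOURCE host.
param(
    [string]$LogName        = 'Microsoft-Windows-DNSServer/Analytical',
    [string]$SubscriptionId = 'pull2',
    # Assumption: identities a collector-initiated subscription with
    # CredentialsType=Default reads with (NETWORK SERVICE, Event Log Readers).
    [string[]]$ReaderSids   = @('S-1-5-20', 'S-1-5-32-573')
)

$ChannelRead = 0x1   # assumption: bit 0x1 of a channel ACE mask is the Read right

function Get-ChannelState {
    # Channel metadata: Analytical/Debug channels deliver nothing unless enabled.
    param([string]$Name)
    $log = Get-WinEvent -ListLog $Name -ErrorAction Stop
    [pscustomobject]@{
        LogName   = $log.LogName
        LogType   = $log.LogType
        IsEnabled = $log.IsEnabled
        Sddl      = $log.SecurityDescriptor
    }
}

function Get-ChannelAces {
    # Parse the SDDL with the .NET security classes rather than by string matching.
    param([string]$Sddl)
    $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $raw.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }   # app-container SIDs usually do not resolve
        [pscustomobject]@{
            Sid     = $sid.Value
            Account = $name
            Type    = $ace.AceType
            Mask    = ('0x{0:x}' -f $ace.AccessMask)
            CanRead = (($ace.AccessMask -band $ChannelRead) -ne 0) -and ($ace.AceType -eq 'AccessAllowed')
        }
    }
}

function Get-SubscriptionEvents {
    # Events the forwarding plugin logged about this subscription, classified by
    # the message text the question quotes ("created successfully", "unsubscribed").
    param([string]$Id)
    $plugin = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'
    Get-WinEvent -FilterHashtable @{ LogName = $plugin } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Id) } |
        Sort-Object TimeCreated |
        ForEach-Object {
            $kind = if     ($_.Message -match 'unsubscribed')         { 'Unsubscribed' }
                    elseif ($_.Message -match 'created successfully') { 'Created' }
                    else                                              { 'Other' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Kind        = $kind
                Summary     = ($_.Message -split "`r?`n")[0]
            }
        }
}

# 1. Channel type and state
$state = Get-ChannelState -Name $LogName
$state | Format-List | Out-Host
if ($state.LogType -eq 'Analytical' -and -not $state.IsEnabled) {
    Write-Warning "$LogName is an Analytical channel and is disabled; nothing can be read from it."
}

# 2. Who may read the channel
$aces = Get-ChannelAces -Sddl $state.Sddl
$aces | Format-Table -AutoSize | Out-Host
foreach ($sid in $ReaderSids) {
    if ($aces | Where-Object { $_.Sid -eq $sid -and $_.CanRead }) {
        "OK: $sid holds Read on $LogName"
    } else {
        Write-Warning "$sid has no AccessAllowed ACE with Read on $LogName"
    }
}

# 3. Subscribe/unsubscribe cadence for the subscription
$events = @(Get-SubscriptionEvents -Id $SubscriptionId)
$events | Format-Table -AutoSize | Out-Host
$unsub = @($events | Where-Object { $_.Kind -eq 'Unsubscribed' })
for ($i = 1; $i -lt $unsub.Count; $i++) {
    # A steady gap close to the collector's retry interval means the subscription
    # is being re-established and dropped on a timer, not failing once.
    $gap = $unsub[$i].TimeCreated - $unsub[$i - 1].TimeCreated
    'unsubscribe gap #{0}: {1:N1} min' -f $i, $gap.TotalMinutes
}
```

Against the SDDL posted in the question, both S-1-5-20 and S-1-5-32-573 carry mask 0x1 in AccessAllowed entries, so step 2 reports OK for both and the channel ACL is not what stops the periodic pull; steps 1 and 3 then narrow the problem to the channel type and the timing of the unsubscribe events rather than to permissions.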

3 answers

  1. Anonymous
    2025-01-20T15:19:55+00:00

    Hello,

    Thank you for posting in Microsoft Community forum.

    Based on your description, this issue is beyond the scope of our support.

    To be able to get a quick and effective handling of your issue, I recommend that you repost your question in the Q&A forum, where there will be a dedicated engineer to give you a professional and effective reply.

    Here is the link to the Q&A forum.

    Questions - Microsoft Q&A

    Click the "Ask a Question" button in the upper right corner to post your question and select tags related to your products.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards

    Zunhui

  2. Anonymous
    2025-01-20T16:35:07+00:00
  3. Anonymous
    2025-02-04T10:19:16+00:00

    We have the same problem with our source-initiated subscriptions on Windows 11. Our Windows 11 clients are constantly subscribing and unsubscribing. The Windows 10 clients are working fine with the exact same GPO configuration. We checked all the low-hanging fruit like network connectivity, authentication...
