Windows Event Forwarding and Log Collection on Windows 2022 Server not working simultaneously.

nk 1 Reputation point
2023-05-23T17:16:53.6466667+00:00

Currently, we are using windows event forwarding to collect logs via HTTP from domain connected devices on to an intermediate windows server (collector) which then forwards all the collected logs to the final windows server collector via HTTPS. We have successfully implemented this setup with Windows Server 2012, 2016 and 2019 servers.

See below for Data Flow:

Source Windows Machines (forwards) -> Windows Server (collector, this intermediate server collects and forwards) -> Windows Server (Final Collector of all windows logs)

Recently, we started installing Windows Server 2022. And we found that it can forward its windows event logs via HTTP or, HTTPS to it subscription target without any issue. And we found that it can collect logs via subscription from other windows sources without any issue as well. However, when we configure the Intermediate Windows server to collect and forward logs using windows event forwarding, it only collects logs. And it fails to forward any logs, and continues to subscribe and unsubscribe continuously to its subscription target.

Error message: The forwarder is having a problem communicating with subscription manager at address. Error code is 2150859046 and Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859046". WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. </f:Message></f:WSManFault>.

It seems like a WinRM bug on Windows 2022 server because once we disable the collector subscription on the intermediate Windows server 2022, it starts to forward logs again to its subscription target. Once, we enable the collector subscription again, it only collects logs and stops forwarding logs.

Need help to identify whether there is bug on Windows Server 2022 that prevents it from collecting windows event forwarded logs and then forward the logs simultaneously to another windows server.

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,312 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 44,431 Reputation points
    2023-05-24T10:54:28.47+00:00

    Hello there,

    This behavior is caused by the permissions that are configured for the following URLs:

    http://+:5985/wsman/

    http://+:5986/wsman/

    On the event collector computer, both the Windows Event Collector service (WecSvc) and the Windows Remote Management service (WinRM) use these URLs. However, the default access control lists (ACLs) for these URLs allow access for only the svchost process that runs WinRM.

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/admin-development/events-not-forwarded-by-windows-server-collector

    Hope this resolves your Query !!

    --If the reply is helpful, please Upvote and Accept it as an answer--


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.