Problem with WEC

Михаил Андросов 396 Reputation points
2024-09-28T19:37:09.6866667+00:00

Hi everybody!

In the infrastructure, I need to configure the SYSMON utility event collector server.

The collector server runs on Windows Server 2019. I am configuring it according to the Microsoft documentation, following the collector-initiated subscription procedure:

https://learn.microsoft.com/en-us/windows/win32/wec/creating-an-event-collector-subscription

To collect using a dedicated account, I added the account to the Event Log Readers group on the source servers. I also added the NETWORK SERVICE account to this log.

I check the operation of the configured system by creating a subscription to collect Application logs. The logs are collected normally.

I added Microsoft-Windows-Sysmon/Operational log to my subscription. But events from this log are not collected.

If I disable the collection of the Application log in the subscription, then the subscription stops working. And the Runtime Status on the server gives the following error status:

(0x138C): <f:ProviderFault provider="Event Forwarding Plugin" path="C:\Windows\system32\wevtfwd.dll" xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault"><t:ProviderError xmlns:t="http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog">Windows Event Forward plugin can't read any event from the query since the query returns no active channel. Please check channels in the query and make sure they exist and you have access to them.</t:ProviderError></f:ProviderFault>

I launched the wevtutil utility on the source server:

C:\Windows\system32>wevtutil gl /r:localhost "Microsoft-Windows-Sysmon/Operational"
name: Microsoft-Windows-Sysmon/Operational
enabled: true
type: Operational
owningPublisher: Microsoft-Windows-Sysmon
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
  retention: false
  autoBackup: false
  maxSize: 67108864
publishing:
  fileMax: 1

I see S-1-5-32-573 in channelAccess, which corresponds to the Event Log Readers group.

The source servers are running Windows Server 2016.

I'm asking for help. I can't understand why SYSMON logs aren't being collected.
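An added check, not part of the original post, that parses a channel's channelAccess SDDL and reports whether the two principals named in the post (Event Log Readers, S-1-5-32-573, and NETWORK SERVICE, S-1-5-20) hold read access (0x1) on the channel. Run against the SDDL quoted above it reports read for Event Log Readers and no entry at all for NETWORK SERVICE; it assumes Windows PowerShell 5.1 or later, and the SID-to-name map is a constructed constant.

```powershell
# Added example (not from the post): which principals can read an event log channel?
$Principals = @{
    'S-1-5-32-573' = 'BUILTIN\Event Log Readers'
    'S-1-5-20'     = 'NT AUTHORITY\NETWORK SERVICE'
}

function Test-ChannelReadAccess {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string[]]$Sids = $Principals.Keys
    )
    # RawSecurityDescriptor parses the SDDL string offline; the channel need not exist here.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($sid in $Sids) {
        $allowed = 0; $denied = 0
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.SecurityIdentifier.Value -ne $sid) { continue }
            switch ($ace.AceType) {
                'AccessAllowed' { $allowed = $allowed -bor $ace.AccessMask }
                'AccessDenied'  { $denied  = $denied  -bor $ace.AccessMask }
            }
        }
        [pscustomobject]@{
            Sid         = $sid
            Principal   = $Principals[$sid]
            HasAce      = ($allowed -ne 0 -or $denied -ne 0)
            # 0x1 is the read right on an event log channel; a deny ACE wins over allow.
            ReadAllowed = [bool](($allowed -band 0x1) -and -not ($denied -band 0x1))
            AllowMask   = ('0x{0:x}' -f $allowed)
        }
    }
}

# Sample input: the channelAccess string quoted in the post above.
$PostedSddl = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)'
Test-ChannelReadAccess -Sddl $PostedSddl | Format-Table -AutoSize

# On a source server, read the live SDDL from the channel configuration instead:
# $live = (Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational').SecurityDescriptor
# Test-ChannelReadAccess -Sddl $live
# If a principal is missing, "wevtutil sl <channel> /ca:<sddl>" replaces the whole
# channel DACL, so start from the existing string and append only the ACE you need.
```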
