
We are trying to set up Windows Event Forwarding (WEF) in our environment and we are running into a few issues. We have a GPO set up (shown below) to enable the forwarding of events to a local collection server and we have the connection server configured. The collector machine is showing as subscribed correctly but the other machine that we are testing on does not connect to the collection server.

On the source machine that cannot forward logs we see the following error under Application and Services Logs -> Microsoft -> Windows -> Eventlog-ForwardingPlugin:

The forwarder is having a problem communicating with subscription manager at address 
http://Collector.corp.company.com:5985/wsman/SubscriptionManager/WEC.  
Error code is 5 and Error Message is 
<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="5"
Machine="SourceMachine.corp.company.com"><f:Message>Access is denied. </f:Message></f:WSManFault>.

On the collector machine we see the following error under Application and Services Logs -> Microsoft -> Windows -> Windows Remote Management -> Operational:

The authorization of the user failed with error 5

More Detail on the collector server error:

Source: Windows Remote Management
Event ID: 192
Level: Information
Task Category: User Authorization
User: Network Service
Keywords: Security, Server
OpCode: Informational
Computer: Collector.corp.company.com

GPO being applied: three screenshots (GPO Image 1, GPO Image 2, GPO Image 3), not reproduced here.

Jack
  • Are the Firewalls configured to allow WinRM through? – Davidw May 20 '20 at 02:57
  • Yes, the GPO above handles the clients' firewall, and there is a firewall rule configured on the collector server to allow WinRM in. The firewall rule was copied from a known good server as well, so I am fairly confident that is not the issue. – Jack May 20 '20 at 02:59
  • What's the status of the PowerShell script execution policy? – Davidw May 20 '20 at 03:03
  • Undefined for everything except LocalMachine, which is Restricted. – Jack May 20 '20 at 03:08
  • According to About_Execution_Policy, the effective policy is restricted under those settings. You might try setting it to Remote Signed or Bypass. – Davidw May 20 '20 at 04:46

3 Answers


OK, after a lot of reading and research I seem to have found something that worked. Specifically, the issue was with the Channel Access token that was being used. The value of this token should be:

O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

This value should be set under Computer Configuration -> Administrative Templates -> Windows Components -> Event Log Service -> Security. In our case I used that same value in the registry setting shown above.

The key with that is adding (A;;0x1;;;S-1-5-20) at the end instead of (A;;0x1;;;NS).

Here are some helpful links I found/used to get this working:

Hopefully this will help some other people as it was a pain for us.

Jack
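As an added example that is not part of the answer above, the following PowerShell script checks, on a forwarding source, whether the Security channel's access list as the Event Log service currently enforces it actually grants read to NETWORK SERVICE (S-1-5-20, the account the WinRM service and with it the forwarder run as), and if not writes the same SDDL the answer gives to the policy registry key behind "Configure log access". `Test-ChannelReadAccess` and `Get-ChannelSddl` are helpers defined here, not built-in cmdlets; the registry path is the documented policy location for the Security log. Note that the .NET SDDL parser normalizes abbreviations such as `NS` to the numeric SID, so the check validates the resulting ACL regardless of how the ACE was spelled.

```powershell
# Added example, not code from the original answer. Run in an elevated
# PowerShell on a WEF source machine. The policy registry path is the one
# behind "Configure log access" for the Security log; Test-ChannelReadAccess
# and Get-ChannelSddl are helpers defined here, not built-in cmdlets.

# The SDDL from the answer. 0x1 is the channel read right, 0x7 read/write/clear.
# S-1-5-32-573 is Event Log Readers; S-1-5-20 is NETWORK SERVICE, which the
# WinRM service (and so the forwarder) runs as on the source.
$WantedSddl = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)'

function Get-ChannelSddl([string]$Channel) {
    # Parses "channelAccess: <SDDL>" out of wevtutil's channel listing
    $line = wevtutil gl $Channel | Where-Object { $_ -like 'channelAccess:*' } | Select-Object -First 1
    return ([string]$line -replace '^channelAccess:\s*', '').Trim()
}

function Test-ChannelReadAccess {
    # $true when the channel SDDL has an access-allowed ACE granting the read
    # bit (0x1) to $Sid. The .NET parser normalizes abbreviations such as NS
    # to the numeric SID, so this verifies the resulting ACL regardless of
    # how the ACE was spelled in the source string.
    param(
        [Parameter(Mandatory)][string]$ChannelSddl,
        [string]$Sid = 'S-1-5-20'
    )
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($ChannelSddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier.Value -eq $Sid -and
            ($ace.AccessMask -band 0x1) -ne 0) {
            return $true
        }
    }
    return $false
}

# 1. What the Event Log service is enforcing on the Security channel right now.
$currentSddl = Get-ChannelSddl -Channel 'Security'
"Current channelAccess: $currentSddl"
$hasRead = Test-ChannelReadAccess -ChannelSddl $currentSddl
"NETWORK SERVICE can read the Security log: $hasRead"

# 2. If it cannot, write the value the GPO would write and refresh policy.
#    A domain GPO that defines "Configure log access" overwrites this local
#    value on the next refresh, so on domain-managed machines change the GPO.
if (-not $hasRead) {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name ChannelAccess -Value $WantedSddl -Type String
    gpupdate /force | Out-Null
    # Outside of Group Policy the direct equivalent is:
    #   wevtutil sl Security /ca:"$WantedSddl"
}

# 3. Re-read to confirm, then restart WinRM so the forwarder retries the
#    subscription now instead of waiting for its refresh interval.
$afterSddl = Get-ChannelSddl -Channel 'Security'
"After change, NETWORK SERVICE can read: $(Test-ChannelReadAccess -ChannelSddl $afterSddl)"
Restart-Service -Name WinRM
```

The same `Test-ChannelReadAccess` call works for any other channel you forward (`Get-ChannelSddl -Channel 'System'`), and for checking that the Event Log Readers group (`-Sid 'S-1-5-32-573'`) is present as well.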

We had the exact same behavior and error message (... failed with error 5), but our solution was the wildcard under Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management -> WinRM Service -> Allow remote server management through WinRM. We just put an asterisk (*) there, as is described in most articles, and this worked perfectly for over a year, but after Microsoft patching in July 2020 it stopped working. I manually put in the subnets we used and restarted the WinRM service on the collector, and things started flowing again.

Weegs
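As an added example that is not part of the answer above, the following PowerShell script replaces the wildcard in the "Allow remote server management through WinRM" policy with explicit ranges on the collector, restarts WinRM as the answer describes, and verifies the listener. The registry value names (`AllowAutoConfig`, `IPv4Filter`, `IPv6Filter`) are the ones that policy writes; the address ranges are placeholders. One point worth keeping in mind: the policy's filter syntax is a comma-separated list of addresses or hyphenated ranges, and it selects which of the collector's own addresses the listener binds to, so the ranges must include the collector's address, which is what the pre-check below tests. `Test-AddressInFilter` and `ConvertTo-UInt32Address` are helpers defined here, not built-in cmdlets.

```powershell
# Added example, not code from the original answer. Run in an elevated
# PowerShell on the collector. The registry values are the ones the policy
# "Allow remote server management through WinRM" writes; the address ranges
# are placeholders to replace with your own.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'

function ConvertTo-UInt32Address([string]$Ip) {
    # Dotted IPv4 -> unsigned integer so ranges can be compared numerically
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                     # network order -> host order
    return [BitConverter]::ToUInt32($b, 0)
}

function Test-AddressInFilter {
    # The policy filter is "*" or a comma-separated list of addresses and
    # ranges written like "10.10.0.1-10.10.0.254". It selects which LOCAL
    # addresses the listener binds to, so test the collector's own address.
    param([string]$Filter, [string]$Ip)
    if ([string]::IsNullOrWhiteSpace($Filter)) { return $false }
    if ($Filter.Trim() -eq '*') { return $true }
    $x = ConvertTo-UInt32Address $Ip
    foreach ($entry in ($Filter -split ',')) {
        $ends = $entry.Trim() -split '-'
        $lo = ConvertTo-UInt32Address $ends[0]
        $hi = if ($ends.Count -gt 1) { ConvertTo-UInt32Address $ends[1] } else { $lo }
        if ($x -ge $lo -and $x -le $hi) { return $true }
    }
    return $false
}

# What the policy currently says (properties are $null when the key is absent)
$current = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
"Before: AllowAutoConfig=$($current.AllowAutoConfig) IPv4Filter='$($current.IPv4Filter)' IPv6Filter='$($current.IPv6Filter)'"

# Explicit ranges to replace the wildcard (placeholders)
$Ranges = '10.10.0.1-10.10.0.254,10.20.0.1-10.20.0.254'

# Pre-check before touching the service: at least one local IPv4 address must
# fall inside the ranges, otherwise the listener has nothing to bind to.
$localIps = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    Select-Object -ExpandProperty IPAddress
$covered = $localIps | Where-Object { Test-AddressInFilter -Filter $Ranges -Ip $_ }
if (-not $covered) {
    throw "No local address ($($localIps -join ', ')) is inside '$Ranges'; fix the ranges first."
}

New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name AllowAutoConfig -Value 1 -Type DWord
Set-ItemProperty -Path $PolicyKey -Name IPv4Filter -Value $Ranges -Type String
Restart-Service -Name WinRM

# Confirm the listener is bound where expected; ListeningOn must include the
# address that Collector.corp.company.com resolves to for the sources.
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Select-Object Address, Transport, Port, @{ n = 'ListeningOn'; e = { $_.ListeningOn -join ', ' } }
```

If the listener output shows `ListeningOn` empty after the restart, the ranges do not cover the interface the collector actually uses; the sources will then see the same "Access is denied"/connection failures as before until the filter is corrected.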

I was referring to this, so I first made sure my WinRM configuration was set up correctly (ref: https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/configure-winrm-for-https). Then I checked the WEC servers where the events are forwarded; under the subscription, my servers were missing. I added them and the issue was resolved.
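As an added example that is not part of the answer above, the following PowerShell script run on the collector lists, for every subscription, which accounts and groups are allowed to forward to it (decoded from the subscription's `AllowedSourceDomainComputers` SDDL) and the runtime status of the sources the collector has heard from, so a missing source shows up as exactly that. `Get-SubscriptionAllowedSources` and `Get-SubscriptionSourceStatus` are helpers defined here, not built-in cmdlets; `SourceMachine` is a placeholder for the forwarder that is missing.

```powershell
# Added example, not code from the original answer. Run in an elevated
# PowerShell on the collector (WEC) server. 'SourceMachine' is a placeholder
# for the forwarder that is missing from the subscription.

function Get-SubscriptionAllowedSources {
    # For every subscription, decode AllowedSourceDomainComputers (an SDDL
    # string) into the accounts and groups that may push events to it.
    foreach ($name in (wecutil es)) {
        [xml]$cfg = (wecutil gs $name /f:xml) -join "`n"
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($cfg.Subscription.AllowedSourceDomainComputers)
        $allowed = foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
                try   { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
            }
        }
        [pscustomobject]@{
            Subscription   = $name
            Enabled        = $cfg.Subscription.Enabled
            AllowedSources = $allowed -join '; '
        }
    }
}

function Get-SubscriptionSourceStatus([string]$Name) {
    # Per-source runtime status as the collector sees it. A source that was
    # never accepted typically does not appear here at all, which is the
    # symptom in this answer.
    wecutil gr $Name
}

Get-SubscriptionAllowedSources | Format-Table -AutoSize
foreach ($s in (wecutil es)) {
    "--- $s ---"
    Get-SubscriptionSourceStatus -Name $s
}

# Whether the missing source's computer account is actually in one of the
# groups listed above (needs the ActiveDirectory RSAT module; placeholder name):
#   Get-ADPrincipalGroupMembership -Identity 'SourceMachine$' | Select-Object Name
# After adding the account to the group, the source's NETWORK SERVICE logon
# session needs a fresh Kerberos ticket before the collector accepts it:
#   klist -li 0x3e4 purge      (run on the source), or reboot the source
```

Group membership is evaluated from the source's Kerberos ticket, so adding the computer account to the group on the collector side is not enough on its own; the purge (or reboot) step on the source is what makes the new membership take effect.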