0

I have successfully set up 2 subscriptions for collector initiated and they are fowarding events. Now I am attempting to add a 3rd subscription to get the logs for all my desktops, so due to the number of them, I'm using source initiated to use groups. I'm assuming I can have both collector and source initiated? Going through many troubleshooting articles and forums, I have checked that the services (WinRM, Event Forwarding) are pushed down through a GPO on my test desktop. The services (Win Event log collector) is on the collector server. It looks like the windows firewall rules are on all computers, even though the firewalls are turned off. The GPO for Subscription manager looks good. My subscriptions are all active with green check marks.

My main test is to run: EventCreate /T ERROR /ID 101 /L APPLICATION /SO TEST /D "This is a synthetic transaction test only. Disregard this event."

I've run it from servers and I see it(collector initiated), I've run it on both a Win7 and Win10 desktop. Neither desktop can forward an event. I saw in another forum someone talked about stack 2.0 and 3.0 depending on whether the collector was server 2008 or server 2012. I am using server 2012. I ran winrm id on both desktops and the win7 is stack 2.0 and win10 is stack 3.0. As neither desktop can forward an event, I'm assuming that isn't the issue.

I've run winrm id -remote:computername -auth:none from the collector server and got a response. Is there any troubleshooting steps I'm missing? Are there any commands I can run to check the communication from either machine? Is there a test to run from the desktop to the collector?

Attempting to run winrm qc on the collector server 2012 gives the result:C:\Users\richard>winrm qc WinRM service is already running on this machine. WSManFault Message = The client cannot connect to the destination specified in the requ est. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". Error number: -2144108526 0x80338012 The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".

AB_MS3
  • 1
  • 2
  • 4
  • As suggested in another website: I ran netsh http show iplist if loopback isn't there 127.0.0.1, it said to add it Ran netsh http add iplisten 127.0.0.1 and now the error doesn't come up and I can run winrm successfully now. But source computers aren't showing up yet. This is on a physical server. I created a VM to test on another server and the forwarding works. Continuing to troubleshoot this physical box. – AB_MS3 Oct 26 '16 at 17:58

1 Answers1

0

In the end , scanning the port 5985 found the server listening for this port on the loopback IP '127.0.0.1' only not on all interfaces as it should. And running the command 'netsh http show iplisten' show the loopback IP address in the Listen Address of HTTP: IP addresses present in the IP listen list: ------------------------------------------- 127.0.0.1 So the server was listening for HTTP requests on the loopback interface only. So I ran the command 'netsh http delete iplisten 127.0.0.1' to delete it. After that it all started working.

AB_MS3
  • 1
  • 2
  • 4