
I have got 3 Domain Controllers forwarding events and 1 collector collecting Security events from those 3 source machines; they are all on the same domain.

However, after restarting Windows Event Collector, when I go to the Collector machine -> Event Viewer -> Subscriptions -> right click the name of the subscription -> select Runtime Status, I see that all 3 source machines are inactive.

I don't know how to bring them up immediately, although I still have some client machines generating events and sending to those 3 DCs. But they will eventually turn on, say after half an hour.

gugo

1 Answer


Was event forwarding working before and just stopped working or are you still trying to set it up? I think you just have to be patient and wait for them to connect. Are you frequently rebooting the event collector station? Also, just because it says "inactive" doesn't mean there's a problem. I find servers will occasionally be listed as inactive, but there are no issues with them forwarding events.

Are you using source-initiated event forwarding? If so, confirm the syntax in the GPO: make sure you've got the FQDN and no spaces.

red888
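The GPO syntax check suggested in the answer above (FQDN, no spaces) can be scripted. This is an added example, not part of the original answer; the function name `Test-SubscriptionManagerValue` and the host `collector01.corp.example.com` are hypothetical, and the two sample values are constructed.

```powershell
# Validates a source-initiated "SubscriptionManager" policy value of the form
#   Server=http://<collector FQDN>:5985/wsman/SubscriptionManager/WEC,Refresh=<seconds>
function Test-SubscriptionManagerValue {
    param([Parameter(Mandatory)][string]$Value)

    $problems = @()
    if ($Value -match '\s') { $problems += 'contains whitespace' }

    # Split "Key=Value,Key=Value" into a (case-insensitive) hashtable.
    $fields = @{}
    foreach ($part in ($Value -split ',')) {
        $kv = $part.Trim() -split '=', 2
        if ($kv.Count -ne 2) { $problems += "malformed field '$part'"; continue }
        $fields[$kv[0].Trim()] = $kv[1].Trim()
    }

    $uri = $null
    if (-not $fields.ContainsKey('Server')) {
        $problems += 'no Server= field'
    } elseif (-not [System.Uri]::TryCreate($fields['Server'], [System.UriKind]::Absolute, [ref]$uri)) {
        $problems += 'Server is not a valid URL'
    } else {
        if ($uri.Scheme -notin 'http', 'https') { $problems += "unexpected scheme '$($uri.Scheme)'" }
        # An FQDN is a DNS name with at least one dot; short names and IPs fail here.
        if ($uri.HostNameType -ne 'Dns' -or $uri.Host -notmatch '\.') {
            $problems += "host '$($uri.Host)' is not an FQDN"
        }
        if ($uri.AbsolutePath -ne '/wsman/SubscriptionManager/WEC') {
            $problems += "unexpected path '$($uri.AbsolutePath)'"
        }
    }

    # Refresh is the interval, in seconds, at which the source re-contacts the collector.
    $refresh = 0
    if ($fields.ContainsKey('Refresh') -and -not [int]::TryParse($fields['Refresh'], [ref]$refresh)) {
        $problems += "Refresh '$($fields['Refresh'])' is not an integer"
    }

    [pscustomobject]@{
        Collector      = if ($uri) { $uri.Host } else { $null }
        RefreshSeconds = if ($fields.ContainsKey('Refresh')) { $refresh } else { $null }
        Valid          = ($problems.Count -eq 0)
        Problems       = $problems -join '; '
    }
}

# Constructed samples: the first is well-formed, the second has a space and a short host name.
$samples = 'Server=http://collector01.corp.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60',
           'Server=http://collector01:5985/wsman/SubscriptionManager/WEC, Refresh=60'
$samples | ForEach-Object { Test-SubscriptionManagerValue -Value $_ } | Format-List
```

On a source machine, the values actually applied by the GPO are stored under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager` and can be passed to the function in place of the samples.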