Event log subscription returns error code (0x138C)


I have been battling getting event log subscriptions to work on my Server 2012 R2 domain controllers. I have created the collector-initiated-subscription using the GUI and selecting the defaults whenever possible. I selected my desired events and tried using the machine account, and several domain admin accounts.

At first I ran into access denied errors in the runtime status, but after much research I added the user accounts and the machine accounts to the AD Builtin group Event Log Readers. Ran GPUPDATE /Force, restarted Winrm and now I get Code (0x138C). Researching that error pretty much points at WinRM problems but I have verified WINRM functionality on both computers.

To summarize:

  • Created subscriptions using both computer account and domain admin accounts
  • Verified WINRM is functioning
  • Added computer account and user account to the Event Log Readers group
  • Gpupdate, restart services, still I get:

Error – Last retry time: 3/10/2016 1:17:37 PM. Code (0x138C): Windows Event Forward plugin can't read any event from the query since the query returns no active channel. Please check channels in the query and make sure they exist and you have access to them. Next retry time: 3/10/2016 1:57:37 PM.

Here is the result of the wevtutil as taken of the source machine from the collector machine.

C:\Windows\system32>wevtutil gl /r:server1 security

name: security
enabled: true
type: Admin
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
retention: false
autoBackup: false
maxSize: 134217728
fileMax: 1

As you can see, the Event Log Readers group (S-1-5-32-573) has Allow Read (A;;0x1) to the security log.

Firewalls are off. Both machines are on the same subnet. My google fu keeps sending me down the same rabbit holes.

Can anybody show me a new tack to try?

Best Answer

The solution is to add the “channel access permissions” for the security log.

• Ensure the computer account of the collector is in the “Event Log Readers” builtin local security group.
• Configure Event Collection on the computer to be monitored:
  - Add the SID (S-1-5-20) of the Network Service account to the Channel Access permissions of the Security Event Log.
  - From an elevated command prompt:

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;s-1-5-20)

After approximately 20 minutes you should start to see events in the Forwarded Events.

Reference: https://rockyprogress.wordpress.com/2011/12/04/security-event-log-collection-from-a-domain-controller/
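The check behind this answer, as an added example that is not part of the original thread: a small parser for the channelAccess SDDL string that wevtutil prints, which reports whether a given SID (Event Log Readers, S-1-5-32-573, or Network Service, S-1-5-20) holds the read bit (0x1) and builds the corrected string when it does not. It assumes hex access masks as on this page and no S: (SACL) section after the DACL; the alias table and function names are my own.

```python
import re

# Access-mask bits for event log channels (the values seen in the thread's SDDL).
READ, WRITE, CLEAR = 0x1, 0x2, 0x4

# SDDL two-letter aliases used in the page's channelAccess string, mapped to SIDs.
ALIASES = {"SY": "S-1-5-18", "BA": "S-1-5-32-544"}

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\((\w+);([^;]*);([^;]*);([^;]*);([^;]*);([^)]+)\)")


def parse_dacl(sddl):
    """Return [(ace_type, access_mask, sid), ...] for the D: part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for ace_type, _flags, rights, _og, _iog, sid in ACE_RE.findall(m.group(1)):
        if not rights.lower().startswith("0x"):
            raise ValueError("only hex access masks are handled here: %r" % rights)
        sid = sid.upper()
        aces.append((ace_type, int(rights, 16), ALIASES.get(sid, sid)))
    return aces


def has_read(sddl, sid):
    """True if an allow ACE grants the read bit to sid and no deny ACE removes it."""
    sid = sid.upper()
    allowed = denied = False
    for ace_type, mask, ace_sid in parse_dacl(sddl):
        if ace_sid == sid and mask & READ:
            if ace_type == "A":
                allowed = True
            elif ace_type == "D":
                denied = True
    return allowed and not denied


def grant_read(sddl, sid):
    """Append an allow-read ACE for sid (assumes the DACL ends the string, no S: part)."""
    if has_read(sddl, sid):
        return sddl
    return sddl + "(A;;0x1;;;%s)" % sid.upper()


# channelAccess string quoted in the question (Security log on the source DC).
PAGE_SDDL = "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)"
NETWORK_SERVICE = "S-1-5-20"  # identity the WinRM/WEF forwarding plugin runs as
```

Running `grant_read(PAGE_SDDL, NETWORK_SERVICE)` yields the same ACL the accepted answer sets with `wevtutil sl security /ca:`; Event Log Readers membership alone does not give the plugin that read bit.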