Windows – Event Logs Not Collected but Event Collection Subscriptions Active

Tags: windows-event-log, winrm

A Windows Server 2008 R2 server is configured to collect Windows Event Logs via a source-initiated event subscription.

The subscription appears to be active but no events are collected.

[Screenshot: subscriptions section of Windows Event Viewer showing active subscriptions]

On the client, the Microsoft-Windows-Eventlog-ForwardingPlugin/Operational log has errors with event ID 105 like the following:

The forwarder is having a problem communicating with subscription manager at address http://<server name>:5985/wsman/SubscriptionManager/WEC. Error code is 2150859027 and Error Message is The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. .

and

The forwarder is having a problem communicating with subscription manager at address http://<server name>:5985/wsman/SubscriptionManager/WEC. Error code is 1311 and Error Message is WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential. Possible causes are: -The user name or password specified are invalid. -Kerberos is used when no authentication method and no user name are specified. -Kerberos accepts domain user names, but not local user names. -The Service Principal Name (SPN) for the remote computer name and port does not exist. -The client and remote computers are in different domains and there is no trust between the two domains. After checking for the above issues, try the following: -Check the Event Viewer for events related to authentication. -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated. -For more information about WinRM configuration, run the following command: winrm help config. .

and

The forwarder is having a problem communicating with subscription manager at address http://<server name>:5985/wsman/SubscriptionManager/WEC. Error code is 2150858770 and Error Message is The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". .

Best Answer

The problem is the collector is returning an incorrect hostname for the events to be sent.

This appeared to be caused by a 127.0.0.1 entry in the hosts file on the collector server for a hostname where the server was not accessible.

Resolution: add 127.0.0.1 localhost to the beginning of the file.

Here you can see the correct value being returned after the fix in Microsoft-Windows-Windows Remote Management/Analytic:

[Screenshot: event log entry with the relevant field highlighted]
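A collector-side check for the cause described in the answer, added here as an example and not part of the original question or answer. It assumes it runs in an elevated PowerShell session on the WEF collector and that the hosts file is at its default path; it flags loopback entries for names other than localhost, confirms the collector's own name resolves to a routable address, probes the WinRM listener, and dumps the runtime state of each subscription (which the Event Viewer "Active" flag does not show).

```powershell
# Added example: collector-side diagnosis of the hosts-file misconfiguration from the answer.
param(
    [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"   # default path (assumption)
)
$findings = @()

# 1. Parse the hosts file: drop comments and blank lines, split "address name [alias ...]".
$entries = @()
foreach ($line in Get-Content $HostsPath) {
    $text = ($line -split '#')[0].Trim()
    if (-not $text) { continue }
    $parts = $text -split '\s+'
    if ($parts.Count -lt 2) { continue }
    $entries += @{ Address = $parts[0]; Names = $parts[1..($parts.Count - 1)] }
}

# A loopback entry for any name other than localhost is the misconfiguration in the answer:
# the collector then advertises a name forwarders cannot reach.
foreach ($e in $entries) {
    if ($e.Address -eq '127.0.0.1' -or $e.Address -eq '::1') {
        $other = @($e.Names | Where-Object { $_ -ne 'localhost' })
        if ($other.Count -gt 0) { $findings += "Loopback mapped to non-localhost name(s): $($other -join ', ')" }
    }
}
$first = $entries | Select-Object -First 1
if (-not ($first -and $first.Address -eq '127.0.0.1' -and $first.Names -contains 'localhost')) {
    $findings += "hosts file does not start with '127.0.0.1 localhost' (the fix from the answer)"
}

# 2. The collector's own FQDN must resolve to a routable address, never loopback.
$fqdn = $env:COMPUTERNAME
try {
    $fqdn  = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
    $addrs = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    if ($addrs -contains '127.0.0.1') { $findings += "$fqdn resolves to 127.0.0.1" }
} catch { $findings += "Name resolution failed for this host: $($_.Exception.Message)" }

# 3. The WinRM listener the forwarders connect to (port 5985 in the question) must answer.
try { Test-WSMan -ComputerName $fqdn -ErrorAction Stop | Out-Null }
catch { $findings += "WinRM on $fqdn did not answer: $($_.Exception.Message)" }

# 4. Runtime state of every subscription, including per-source errors.
foreach ($sub in (wecutil es)) { Write-Host "--- $sub"; wecutil gr $sub }

if ($findings.Count -eq 0) { Write-Host "No collector-side problems found." }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

On the forwarder side, the counterpart is to read event ID 105 from Microsoft-Windows-Eventlog-ForwardingPlugin/Operational, as the question does, and confirm that the subscription manager address it reports matches the name this script checks.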