Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Event Forwarding problems and errors...

  • Please log in to reply
3 replies to this topic

#1 mathurin68


  • Members
  • 2 posts
  • Local time:07:48 PM

Posted 02 September 2017 - 10:08 AM

OK, I have WEC up and running on our network, currently, I have it running with my laptop(windows7) and the WEF server, works great. 
I have a test laptop(windows 10), configured exactly like all the desktops on our domain, the laptop shows up as 'subscribed', but I can't get the events to pop into the WEC server, nor do they pop into the 'Evenlog-Forwarding Plugin' on the Win10 laptop.
I have it configured just like my personal laptop - 
1)  Winrm set to running but not listening.
2)  Computer>Policies>Admin Templates>Windows Components>Event Forwarding>Configure target subscription manager
This will need to be populated with the address of your collector server in this format :
3)  Added the Local Network Service to 'Event Log Readers' Group
And On the Test Laptop 
Test-NetConnection  WEFSERVER -Port 5985   - this test is successful, nothing blocking connection
But still no events in -  
Eventlog-Forwarding Plugin -> Operational  - No events in here, no error codes nothing. 
I don't see what I am missing... any thoughts?
I've even tried disabling UAC filtering for local accounts by creating the following DWORD registry entry and setting its value to 1:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] LocalAccountTokenFilterPolicy
Still nothing...hoping someone on here has some kind of suggestion. 

BC AdBot (Login to Remove)


#2 sflatechguy


  • BC Advisor
  • 2,255 posts
  • Gender:Male
  • Local time:06:48 PM

Posted 03 September 2017 - 01:04 PM

Have you added the computer account of the collector server to the event log readers group on the Windows 10 machine? You added the local network service, but you also need to add the collector computer to that group. https://technet.microsoft.com/en-us/library/cc748890

#3 mathurin68

  • Topic Starter

  • Members
  • 2 posts
  • Local time:07:48 PM

Posted 04 September 2017 - 07:38 PM

Great suggestion!  Still nothing... seems like Win 10 security is blocking something somewhere. 

#4 JohnnyJammer


  • Members
  • 1,117 posts
  • Gender:Male
  • Location:QLD Australia
  • Local time:09:48 AM

Posted 05 September 2017 - 05:27 PM

Are you just trying to email when an event is triggered in event viewer?

I do all this by a batch file and then use Task Scheduler to trigger it to execute the batch file and then email me the results.


When an authentication fails on the RAS (VPN)

del %TMP%\VPN_Failure.txt
wevtutil qe Security "/q:*[System [(EventID=6273)]]" /f:text /rd:true /c:1 > %TMP%\VPN_Failure.txt

Then create an email event that attaches the VPN_Failure.txt.


IS this what you are looking for because you dont need software for that when its all included in Windows.

EDIT: Sorry read it wrong lol.

Edited by JohnnyJammer, 05 September 2017 - 05:30 PM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users