Share via

Windows Event Forwarding

shotaemon 0 Reputation points
2025-03-13T04:38:36.7433333+00:00

I am trying to configure Windows Event Forwarding -source initiated event forwarding- using two Windows Server 2016 Version 1607 computers(Source) and Windows Server 2019 Version 1809. I completed the following steps, but it seems collector server doesn't connect to source computer. It shows that the source computer is 0 on the event viewer window. Could you tell me why this problem occurs?

▶Source Computer(Winndows Event Forwarding)

ⅰ. I have already configured group policy object that configure Subscription Manager.

▶Log Collecting Computer(Windows Event Collector)

ⅰ. I have already configure the Subscription Manager to collect the log from Source Computer.

Using command, wecutil qc, I confirmed that WinRM is properly setup.

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,970 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Daisy Zhou 31,056 Reputation points Microsoft External Staff
    2025-03-14T03:24:39.43+00:00

    Hello shotaemon,

    Thank you for posting in Q&A forum.

    Here are a few things you can check to troubleshoot this problem:

    1. Ensure that the firewall on both the source and collector computers is configured to allow the necessary traffic. You need to allow inbound and outbound traffic on port 5985 (HTTP) or 5986 (HTTPS) for Windows Remote Management (WinRM).
    2. Verify that WinRM is properly configured and running on both the source and collector computers. You can check the WinRM service status by running the following command in an elevated Command Prompt:

    winrm quickconfig

    1. sure that the Group Policy settings for event forwarding are correctly configured. You need to configure the Configure target Subscription Manager policy on the source computers to point to the collector server. The policy path is:

    Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager

    1. Double-check the subscription configuration on the collector server. Ensure that the subscription is set to Source initiated and that the source computers are correctly specified.
    2. Ensure that there is no network connectivity issues between the source and collector computers. You can test connectivity by using the ping command to verify that the source computers can reach the collector server and vice versa.
    3. Verify that the account used for event forwarding has the necessary permissions to read the event logs on the source computers and to write to the event logs on the collector server.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.