LOGbinder Support


3. Troubleshooting a Problem Forwarder


bjvista
How To

Problem: A computer shows up in the Current Forwarders tab for your subscription but is shown as None in the WEC column.

This means that your subscription’s policy’s health assessment basis is Deterministic and that the group(s) you’ve assigned in Allowed Forwarders include this computer as a member. Therefore we expect it to be forwarding events. Yet, WEC has never seen that computer for this subscription and therefore Supercharger reports Absent.

Here are the possible reasons why, with tips on how to investigate each one:

Each entry below gives the Category, the Problem, and the Action to take on the forwarder.

Category: Collector targeting

Problem: Forwarder is not targeted at the collector
Action on forwarder: Run a Group Policy Results report for that computer and check “Configure target subscription manager”.

Problem: Collector string for “Configure target subscription manager” is incorrect
Action on forwarder: Are other computers successfully targeting this collector via the same Group Policy object? Check Microsoft-Windows-Forwarding/Operational on the forwarder.

Problem: Group Policy was recently updated and the forwarder has not applied it, or the GPO has not replicated
Action on forwarder: Run gpupdate on the forwarder, verify with a Group Policy Results report (“GPRESULT /H GPReport.html”) and check “Configure target subscription manager”.

Category: Connectivity

Problem: Connectivity problem
Action on forwarder: Use this command with the DNS name from your collector string: “winrm identify -r:http://winrm_server:5985”

Category: WinRM on forwarder

Action on forwarder: Check the Microsoft-Windows-Forwarding/Operational and Microsoft-Windows-WinRM/Operational event logs for errors.

Event ID 102 with error 5004 can mean:

  • The forwarder does not have access to the source log. This usually happens on the Security log, but we've also seen it on the Sysmon log. Does this subscription select events from the Security log or Sysmon? See Granting Permissions for Security Log Forwarding; for Sysmon you will need to run wevtutil sl with the /ca: switch, supplying the appropriate permissions in SDDL format. See https://forum.logbinder.com/Topic136-2.aspx
  • The event filter XPath is invalid. In this case all forwarders assigned to this subscription will be logging the event. Try copying the XPath query from the subscription and using it as an XML filter in Event Viewer. Observe whether Event Viewer complains that the filter is invalid.

Event ID 105 with error 2150859027 and the full message "The forwarder is having a problem communicating with subscription manager at address http://COLLECTOR:5985/wsman/SubscriptionManager/WEC. Error code is 2150859027 and Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859027" Machine="FORWARDER"><f:Message>The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. </f:Message></f:WSManFault>." can mean:

  • There is an issue with the URL ACL. Follow the two commands in this article.

Problem: WinRM service is not running on the forwarder

Problem: WinRM has not been configured on the forwarder
Action on forwarder: Run “winrm qc”

Category: Collector

Problem: Collector-side problem
Action: Check the following logs on the collector:

  • Microsoft-Windows-WinRM/Operational
  • Microsoft-Windows-EventCollector/Operational

Category: Active Directory

Problem: The computer was recently added to or removed from the group, and the Supercharger collector and the source computer are talking to different domain controllers
Action: Force replication between the domain controllers if practical.

Problem: The computer has not been rebooted since being added to the group
Action on forwarder: Reboot, or run this command on the forwarder:

klist -lh 0 -li 0x3e4 purge

This purges the Kerberos ticket cache of the Network Service logon session, and the computer will pick up the new group membership when it obtains a new ticket. See this article for steps to perform this.
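The forwarder-side checks above (collector targeting, WinRM service state, connectivity, and error events 102/105) can be gathered in one pass. The script below is an added example, not LOGbinder or Supercharger code; it assumes the “Configure target subscription manager” policy is stored under the SubscriptionManager policy key shown and that the collector listens on HTTP port 5985.

```powershell
# Added example: collect the forwarder-side evidence the table above asks for.
# Assumption: the GPO setting lands in this policy key, one value per target.
$subMgrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

# 1. Collector targeting: which subscription manager URL(s) did Group Policy apply?
$targets = @()
if (Test-Path $subMgrKey) {
    $targets = (Get-ItemProperty -Path $subMgrKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}
if (-not $targets) {
    Write-Warning 'No target subscription manager configured; check Group Policy Results (gpresult /h).'
} else {
    $targets | ForEach-Object { "Target: $_" }
}

# 2. WinRM service state on the forwarder
$winrm = Get-Service -Name WinRM
"WinRM service: $($winrm.Status) (StartType: $($winrm.StartType))"

# 3. Connectivity to each collector (PowerShell equivalent of 'winrm identify')
foreach ($t in $targets) {
    # Value looks like: Server=http://COLLECTOR:5985/wsman/SubscriptionManager/WEC,Refresh=60
    if ($t -match 'Server=https?://([^:/,]+)') {
        $collector = $Matches[1]
        try {
            $null = Test-WSMan -ComputerName $collector -ErrorAction Stop
            "Connectivity to ${collector}: OK"
        } catch {
            Write-Warning "Connectivity to ${collector} failed: $($_.Exception.Message)"
        }
    }
}

# 4. Forwarder-side errors from the last 24 hours (event IDs 102 and 105 from the table)
$filter = @{
    LogName   = 'Microsoft-Windows-Forwarding/Operational'
    Id        = 102, 105
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } } |
    Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on the forwarder; reading the Forwarding/Operational log and the policy key does not require admin rights, but a complete picture of the WinRM service usually does.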

