coltwanger

Unable to collect Forwarded Events log

Discussion created by coltwanger on Jul 11, 2014

I have a test 2008R2 server that I am using to test forwarding local workstation logs into EnVision. The goal is to accomplish the following:

 

Event fires in local workstation log > Source-initiated subscription sends log to 2008R2 server via Windows Event Collection Service > EnVision picks up said workstation event from 2008R2 event log

 

I've got the collection working fine from workstation > standalone server, but haven't been successful with EnVision picking up the event from the Forwarded Events log. The Event Viewer shows regular 606329 events:

 

%NIC-6-606329: AgentlessWindows, Agentless Windows Process, -, -, -, -, Detail: 5276: x.x.x.x, Forwarded Events: Safety check: Next record is 0; not writing to POS

 

The Security log comes over fine in Envision. I can change the Subscription to forward the events to the System event log and then configure the device to collect the System log, and the workstation events get pulled into Envision without issue. I don't want to collect the System logs though, just the Forwarded Events log.

 

The steps I have taken are as follows:

 

  1. Configure WINRM service on both the Windows 2K8R2 collector and the source workstation
  2. Configure subscription on the Windows collector as Source-Initiated from the source workstation
  3. Point events to the Forwarded Events log
  4. Initiate task on local workstation to fire off event and verify successful transmission to the Forwarded Event log
  5. Add "Forwarded Events" to Envision under Manage Windows Logs
  6. Add server as a device and include the Forwarded Events log
  7. Initiate task to fire off event, verify transmission to the Forwarded Events log, check for collection in Envision -- nothing (606329 message)

 

I've also attempted to change the name of the log in Envision from "Forwarded Events" to "ForwardedEvents", but received the same 606329 message. The service account is in the Event Log Readers group and the Security log still comes over fine, just not this one Forwarded Events log.

 

Currently running enVision 4.1 SP1 EA, appliances are all up to date on patches and ESU.

 

Am I missing something in this process?

 

Thanks!

Outcomes