Troubleshooting Windows Event Collection
WEC operation in Event Viewer, Wecutil or the API throws an error or hangs
We have found that on busy WEC collectors, WEC can occasionally hang or throw a bogus error when executing an operation such as creating or changing a subscription. We recommend always re-querying the properties of the subscription before concluding there is an actual problem. In Supercharger, we run all WEC operations in a separate process so that we can make an orderly and clean recovery if WEC throws an error or hangs. Then, in the case of a change operation, we run a contingency check: we compare the new disposition of the subscription against the intended change to see whether it succeeded. In the case of read operations, we retry the operation after a pause. This eliminates many error conditions and avoids unnecessary alert messages.
Accelerating Group Membership Changes without Rebooting Forwarders
Stalled Subscription
WEC subscriptions will sometimes stall for a reason that has not yet been identified. The subscription remains active but simply stops working, and the svchost.exe process hosting the EventLog service shows 0% CPU usage. Microsoft has been made aware of the issue but there is no fix for it yet. You can usually fix the problem by running: wecutil rs <subscription name>
If that doesn't work, you need to restart the WECsvc service.
Restarting a Stalled Event Log
Forwarder Not Sending Security Log Events Because of Permissions
If your subscription collects events from the Security Log, you must configure permissions on all forwarder computers so that the WinRM service has Read access to that log. WinRM runs as NETWORK SERVICE, so that is the account we will be granting access to. There are two ways to do this via group policy. We recommend the first so that you can avoid rebooting forwarders.
Option 1: Configure Log Access
Enter the following string into both of these group policy settings: Configure log access and Configure log access (legacy). The final ACE, (A;;0x1;;;NS), is what is being added; the rest of the string is the default permissions that precede it.
O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)
https://blogs.technet.microsoft.com/janelewis/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008/
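To confirm on a forwarder that Option 1 actually took effect, the channelAccess descriptor can be read back with wevtutil and parsed for the NETWORK SERVICE ACE. This is an added PowerShell example, not code from the original article or from Supercharger; the function names are assumptions, while wevtutil and the channel-access mask bits (0x1 Read, 0x2 Write, 0x4 Clear) are Microsoft's.

```powershell
# Added example: verify the Security log SDDL grants NETWORK SERVICE (alias NS) Read.

function Get-ChannelAccessSddl {
    param([string]$Channel = 'Security')
    # 'wevtutil gl' prints one "key: value" per line; channelAccess carries the SDDL.
    $text = (& wevtutil.exe gl $Channel) -join "`n"
    if ($text -match '(?m)^\s*channelAccess:\s*(\S+)') { return $Matches[1] }
    throw "No channelAccess line returned for channel '$Channel'"
}

function ConvertFrom-EventLogSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # Each ACE is (type;flags;rights;object_guid;inherit_guid;sid).
    # Event log channelAccess strings use hex masks: 0x1 Read, 0x2 Write, 0x4 Clear.
    $acePattern = '\((?<type>[^;]*);(?<flags>[^;]*);(?<mask>[^;]*);[^;]*;[^;]*;(?<sid>[^)]*)\)'
    foreach ($m in [regex]::Matches($Sddl, $acePattern)) {
        $maskText = $m.Groups['mask'].Value
        # Non-hex (letter-coded) masks are left unresolved rather than guessed.
        $mask = if ($maskText -match '^0x[0-9a-fA-F]+$') {
            [Convert]::ToInt64($maskText.Substring(2), 16) } else { $null }
        [pscustomobject]@{
            Type  = $m.Groups['type'].Value   # A = allow, D = deny
            Sid   = $m.Groups['sid'].Value    # alias (NS, BA, SY) or S-1-... string
            Mask  = $mask
            Read  = ($null -ne $mask) -and (($mask -band 0x1) -ne 0)
            Write = ($null -ne $mask) -and (($mask -band 0x2) -ne 0)
            Clear = ($null -ne $mask) -and (($mask -band 0x4) -ne 0)
        }
    }
}

function Test-NetworkServiceRead {
    param([Parameter(Mandatory)][string]$Sddl)
    $aces = ConvertFrom-EventLogSddl -Sddl $Sddl
    # NETWORK SERVICE appears either as the alias NS or as its well-known SID S-1-5-20.
    $ns      = $aces | Where-Object { $_.Sid -in 'NS', 'S-1-5-20' }
    $allowed = $ns | Where-Object { $_.Type -eq 'A' -and $_.Read }
    $denied  = $ns | Where-Object { $_.Type -eq 'D' -and $_.Read }
    return ([bool]$allowed) -and (-not $denied)
}

# Run on the forwarder after the GPO has applied (gpupdate /force if needed).
if (Test-NetworkServiceRead -Sddl (Get-ChannelAccessSddl -Channel 'Security')) {
    'NETWORK SERVICE has Read on Security; WinRM can forward Security events.'
} else {
    'NETWORK SERVICE lacks Read on Security; check the Configure log access settings.'
}
```

Under Option 2 the right comes through membership of Event Log Readers (S-1-5-32-573) rather than an NS ACE, so this check is only meaningful for forwarders configured with Option 1.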
Option 2: Membership in Event Log Readers
Note: this requires a reboot of the forwarder computer.
Add NETWORK SERVICE to the Event Log Readers local group using a Restricted Groups policy.