Troubleshooting Windows Event Collection

WEC operation in Event Viewer, Wecutil or the API throws an error or hangs

We have found that on busy WEC collectors, WEC can occasionally hang or throw a bogus error when executing an operation such as creating or changing a subscription. We recommend always re-querying the properties of the subscription before concluding there is an actual problem. In SuperCharger, we run all WEC operations in a separate process so that we can make an orderly and clean recovery if WEC throws an error or hangs. Then, for a change operation, we run a contingency check: we re-read the subscription and compare its new state to the intended one to determine whether the change actually succeeded. For read operations, we retry the operation after a pause. This eliminates many error conditions and avoids unnecessary alert messages.

Accelerating Group Membership Changes without Rebooting Forwarders

Stalled Subscription

For a reason not yet identified, WEC subscriptions will sometimes stall. The subscription remains active but simply stops working, and the svchost.exe process hosting the EventLog service shows 0% CPU usage. Microsoft has been made aware of the issue but there is no fix for it yet. You can usually fix the problem by running: wecutil rs <subscription name>

If that doesn't work, you need to restart WECsvc.

Restarting a Stalled Event Log

Forwarder Not Sending Security Log Events Because of Permissions

If your subscription collects events from the Security Log, you must configure permissions on all forwarder computers so that the WinRM service has Read access to that log. WinRM runs as NETWORK SERVICE, so that’s who we’ll be granting access to. There are two ways to do this via group policy. We recommend the first so that you can avoid rebooting forwarders.

Option 1: Configure Log Access

Enter the following string into these two group policy settings: Configure log access and Configure log access (legacy). The trailing ACE, (A;;0x1;;;NS), is what is being added to the default permissions preceding it; NS is the SDDL alias for NETWORK SERVICE and 0x1 is the read bit.

O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)


https://blogs.technet.microsoft.com/janelewis/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008/
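To check a Configure log access value before pushing it by group policy, here is an added Python example (not part of this page or of Supercharger) that parses the DACL of an SDDL string like the one above, reports whether NETWORK SERVICE (alias NS) already holds the read bit 0x1 in an allow ACE, and appends the (A;;0x1;;;NS) ACE when it does not. It assumes the rights field is a hex mask, as in the string above; the default-descriptor string is taken from this page.

```python
import re

# Default Security log descriptor quoted on the page (before the NS ACE is added).
DEFAULT_SECURITY_LOG_SDDL = "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)"
# The ACE the page appends: allow, no flags, rights 0x1 (read), NETWORK SERVICE.
NS_READ_ACE = "(A;;0x1;;;NS)"
EVENTLOG_READ = 0x1  # read bit used in the page's event log ACEs

# DACL section: "D:" + optional control flags (P, AI, AR ...) + zero or more "(...)" ACEs.
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as (type, flags, rights, sid) tuples."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _object_guid, _inherit_guid, sid = fields
        # Assumption: rights are given as a hex mask (0x...), not as rights strings like "GR".
        if not rights.lower().startswith("0x"):
            raise ValueError("non-hex rights mask not supported: %s" % rights)
        aces.append((ace_type, flags, int(rights, 16), sid))
    return aces


def network_service_can_read(sddl):
    """True when an allow ACE grants NETWORK SERVICE (alias NS) the read bit."""
    return any(ace_type == "A" and sid == "NS" and rights & EVENTLOG_READ
               for ace_type, _flags, rights, sid in parse_dacl(sddl))


def ensure_network_service_read(sddl):
    """Return sddl unchanged if NS can already read, else append the page's NS ACE."""
    if network_service_can_read(sddl):
        return sddl
    return sddl + NS_READ_ACE


if __name__ == "__main__":
    print(ensure_network_service_read(DEFAULT_SECURITY_LOG_SDDL))
```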

Option 2: Membership in Event Log Readers

Note: this requires a reboot of the forwarder computer.

Add NETWORK SERVICE to the Event Log Readers local group using a Restricted Groups policy.

