Reading Time: 3 minutes

This is under construction

Commands to troubleshoot your WEC/WEF Forwardings

PS Code to get status of the Listener

winrm e winrm/config/listener

PS Code to get status of a Forwarding Channel

wecutil gr Security

Above we see only one Active source forwarding it’s logs

PS Code to get configuration of a Forwarding Channel

wecutil gs Security

Here we see no filter on source event channel Security and the list of machines allowed to Forward by HTTP transport

Want to see the real detail of the ACL ?

ConvertFrom-SddlString "O:NSG:BAD:P(A;;GA;;;S-1-5-21-2328844190-1247196310-1064123620-1000)(A;;GA;;;S-1-5-21-2328844190-1247196310-1064123620-1111)(A;;GA;;;S-1-5-21-2328844190-1247196310-1064123620-1115)S:"

Check on your client that you get your GPO with the right subscriptions

reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager

We can do a packet capture.

Here we can see that our WEC (192.168.16.24) is refusing the authentication from the client (192.168.16.4)

Check if the SPN has been set for the WEC Server

On the client (192.168.16.4)

setspn -F -Q */2019RDS.timatec.local

SPN are port based defined. We can see here that we are missing

Let’s add the missing SPN to solve the issue (one in FQDN and one without the domain name). 5985 Been my HTTP transport port.

setspn -S HTTP/2019RDS:5985 2019RDS
setspn -S HTTP/2019RDS.timatec.local:5985 2019RDS
setspn -F -Q */2019RDS.timatec.local

In the Wireshark on the server, it looks much better

Nevertheless it looks like it’s still not working fully

Let’s look at the WEF events on the server

MMC / Event Viewer

Applications and Service Logs / Microsoft / Windows /

I still error logs from Yesterday.

let’s restart the WEC

sc stop winrm
sc stop wecsvc
sc start wecsvc
sc start winrm

0