Troubleshooting event collections
If the events are not appearing on the event collector, perform the following troubleshooting steps:
Test Event Forwarding
If all of the event forwarding components are functioning (and there's minimal network latency), a test event created on the source computer should arrive in the event collector's Forwarded Events log within 60 seconds.
On the source computer, create an Endpoint Privilege Management event. Alternatively, if you've configured the subscription to capture all events from the application log, use the following command to create a test event:
- On the source computer, open a command prompt.
- Type:
eventcreate /id 999 /t error /l application /d "Test event."
- This event should appear on the event collector.
The syntax above creates an event that may not match the criteria in the existing subscription. Ensure your subscription will forward this event.
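As an added example (not from this page or BeyondTrust), the following PowerShell script runs on the source computer: it raises the test event with eventcreate and then polls the collector's Forwarded Events log for it within the 60-second window. It assumes the collector FQDN in $Collector (the page's placeholder Server1.BeyondTrustlab.com) and that the account running it can read that remote log.

```powershell
# Added example: create a test event locally, then confirm it reached the collector.
# Assumptions: run on the source host; $Collector is the collector's FQDN (placeholder
# from the page); the caller can read the collector's ForwardedEvents log remotely.
param(
    [string]$Collector  = 'Server1.BeyondTrustlab.com',
    [int]$TestId        = 999,
    [int]$TimeoutSec    = 60
)

# Unique description so the check matches only the event raised by this run
$marker = "Test event $(Get-Date -Format o)"
eventcreate /id $TestId /t error /l application /d $marker | Out-Null

$deadline = (Get-Date).AddSeconds($TimeoutSec)
$hit = $null
do {
    $hit = Get-WinEvent -ComputerName $Collector -FilterHashtable @{
                LogName   = 'ForwardedEvents'
                Id        = $TestId
                StartTime = (Get-Date).AddMinutes(-5)
           } -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -like "*$marker*" -and
                          $_.MachineName -like "$env:COMPUTERNAME*" } |
           Select-Object -First 1
    if ($hit) { break }
    Start-Sleep -Seconds 5
} while ((Get-Date) -lt $deadline)

if ($hit) {
    "Forwarded OK: event $($hit.Id) from $($hit.MachineName) arrived at $($hit.TimeCreated)"
} else {
    "Not seen within $TimeoutSec s: check the subscription filter, WinRM, and the " +
    "EventLog-ForwardingPlugin/Operational log on $env:COMPUTERNAME"
}
```

If the event is never seen, the subscription's query is the first thing to verify, since eventcreate writes Event ID 999 from source EventCreate to the Application log and a narrower filter will drop it.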
Troubleshoot Log Locations
Event forwarding and WinRM have operational logs that can be viewed in Event Viewer or via the wevtutil.exe CLI.
Relevant Windows Logs
- Down-level clients: Windows Forwarding/Operational
- Vista and later: Application and Services Logs > Microsoft > Windows > EventLog-ForwardingPlugin (log)
- Windows Remote Management (log)
- Event Collector (log)
WinRM logs all activities to Microsoft-Windows-Forwarding/Operational on Windows XP.
Query Forwarding Log via CLI
wevtutil qe "<PATH_TO_LOG>" /c:1 /rd:true /q:"<XPATH_QUERY>"
If PATH_TO_LOG is not within %SystemRoot%\system32\Winevt\Logs, use /lf:true so the path is treated as a log file rather than a channel name. The /rd option cannot be used on .EVT files.
To view wevtutil help:
wevtutil /?
Check you can ping the event collector’s FQDN
ping Server1.BeyondTrustlab.com
Check policy is applied to the source computer
gpupdate /force
Check WinRM service on source computer
Open services.msc and ensure the WinRM service is Running and its startup type is set to Automatic.
Check the collector can reach the source computer using WinRM
winrm id /r:<Source Computer> /a:none
Check the source computer has successfully subscribed
On the collector, verify the source computer has subscribed by checking the subscription status.
Check the collector is using the right credentials (Collector-Initiated Only)
winrm id /r:<Source Computer> /u:<username> /p:<password>
Credentials must belong to Event Log Readers or Administrators group on the source computer.
Check the source computer has registered with the collector
wecutil gr <subscription name>
This lists all registered source computers, their state, and last heartbeat.
Check the Windows forwarding/operational event log on the source computer for errors
Check Windows Forwarding Logs
Look for Event ID 105 for communication errors due to Windows Firewall on the event collector.
Ensure these are accepting inbound connections:
- Port 5985 – HTTP-In
- Port 80 – Compatibility Mode
- Port 5986 – HTTPS-In
Enumerate the active WinRM listener
winrm enumerate winrm/config/listener
View WinRM Configuration
winrm get winrm/config
These two commands display the configuration for both WinRM client and service.
winrm get winrm/config/client/auth
winrm get winrm/config/service/auth
View remote machine details
winrm id -remote:TARGET
Use -auth:none to test unauthenticated queries.
View WinRM Service Info
winrm get wmi/root/cimv2/Win32_Service?Name=WinRM
Restore WinRM Defaults
winrm invoke restore winrm/config @{}
View Error Code Details
winrm helpmsg ERRORCODE
For example, 0x80070005 means Access Denied.
View authentication help
winrm help auth
Example error: The WinRM client cannot process the request. Negotiate authentication is currently disabled...
Recommended:
winrm get winrm/config -remote:ABCD
Access Denied Errors
Error Example:
WSManFault
Message = Access is denied.
Error number: -2147024891 0x80070005
Access is denied.
Possible Causes:
- The user needs to be a member of the local Administrators group, WinRMRemoteWMIUsers__, or a domain administrator.
- The administrator password cannot be blank.
- Incorrect user name or password.
- WMI operations need permissions to allow secure connections.
- The Windows Firewall service needs to be running (otherwise the subscription is set to inactive).
Event collector subscription is inactive
The Event Collector Subscription status is Inactive when a retry is initiated. You may receive an access denied error.
The root cause of this problem is an unspecified dependency on the Windows Firewall Service. Ensure the service is installed and started; you will then be able to start the subscription.
Ensure the WinRM firewall ports are open
If using third-party firewalls, ensure these ports are open:
- HTTP (v2.0): 5985
- HTTPS (v2.0): 5986
- HTTP (v1.1): 80
- HTTPS (v1.1): 443
Configure Windows Firewall via CLI:
netsh advfirewall firewall set rule name="Windows Remote Management - Compatibility Mode (HTTP-In)" new enable=yes
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes
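The WinRM checks above (service state, listeners, collector reachability) and the firewall checks in this section can be run together as one read-only script. This is an added example, not BeyondTrust's tooling; it assumes it runs on the source computer, that $Collector holds the collector FQDN (the page's placeholder), and it changes nothing, so a disabled rule is reported rather than enabled.

```powershell
# Added example: read-only health check of the WinRM prerequisites listed on this page.
# Assumptions: run on the source computer; $Collector is the collector FQDN (placeholder).
param([string]$Collector = 'Server1.BeyondTrustlab.com')
$problems = @()

# 1. WinRM must be Running/Automatic; the collector subscription also depends on the
#    Windows Firewall service (MpsSvc) being installed and started.
foreach ($name in 'WinRM', 'MpsSvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc)                          { $problems += "$name service not installed" }
    elseif ($svc.Status -ne 'Running')      { $problems += "$name is $($svc.Status)" }
    elseif ($svc.StartType -ne 'Automatic') { $problems += "$name start type is $($svc.StartType)" }
}

# 2. At least one listener (same data as: winrm enumerate winrm/config/listener)
$listeners = @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
if ($listeners.Count -eq 0) { $problems += 'no WinRM listener configured' }
foreach ($l in $listeners) { "listener: $($l.Keys -join ' ')" }

# 3. Inbound WinRM rules: HTTP-In (5985), Compatibility Mode (80), HTTPS-In (5986)
$rules = Get-NetFirewallRule -DisplayName 'Windows Remote Management*' -ErrorAction SilentlyContinue
if (-not $rules) { $problems += 'no Windows Remote Management firewall rules found' }
foreach ($r in $rules) {
    $port = ($r | Get-NetFirewallPortFilter).LocalPort
    "rule: $($r.DisplayName) port=$port enabled=$($r.Enabled) profile=$($r.Profile)"
    if ($r.Enabled -ne 'True') { $problems += "firewall rule disabled: $($r.DisplayName)" }
}

# 4. Reach the collector over WS-Man without credentials (same as: winrm id /r:<host> /a:none)
try {
    $id = Test-WSMan -ComputerName $Collector -Authentication None -ErrorAction Stop
    "collector $Collector answers: $($id.ProductVendor) $($id.ProductVersion)"
} catch {
    $problems += "cannot reach $Collector over WS-Man: $($_.Exception.Message)"
}

if ($problems) { "PROBLEMS:`n - " + ($problems -join "`n - ") } else { 'all checks passed' }
```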
Large Kerberos token sizes may cause event forwarding to fail
If your organization has large Kerberos token sizes, you may experience issues with event forwarding.
Determine WinRM Version
Refer to Microsoft's documentation on Windows Remote Management versions.
Errors When Creating Subscriptions
Common subscription creation errors:
wecutil cs Subscriptions\Logons.xml
Error Example 1
Error: 0x3ae8 – Subscription fails to activate.
The subscription is saved successfully, but it cannot be activated at this time. Use retry-subscription command to retry the subscription. If the subscription is running, you can also use getsubscriptionruntimestatus command to get extended error status.
This error may be caused by the WinRM Firewall exception rule being disabled. The error code that is displayed is a Win32 error code. The error code’s message is shown beneath it.
Error Example 2
Failed to open subscription.
Error = 0x6b5. The interface is unknown.
This error may be caused by the Windows Event Collector not running.
Sources will create subscriptions locally after receiving a list of subscriptions applicable to them. Certain subscriptions may not be created on the sources due to permissions issues or non-existing logs. WinRM will raise an Event ID 102 with a Win32 error code of 5004 in the EventLog-ForwardingPlugin/Operational log. The error code states that a cluster resource is not available. This error code may be a result of the subscription attempting to access a log file that it does not have permissions to access.
Verify the channel’s (log file) permissions by navigating to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels and locating the channel of interest. Within the registry key of the desired channel, view the contents of the registry value named ChannelAccess to identify the permissions of the channel. This previous error is applicable to Windows Vista and later.
XPath Query Diagnostics
Event ID: 101
Log: EventLog-ForwardingPlugin > Operational
Level: Warning
OS: Windows 7+
To find XPath query errors:
- Locate Event ID 101.
- View the Details tab.
- Switch to XML View.
- Look for Status under EventData.
Example error code: 15001 – ERROR_EVT_INVALID_QUERY
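The wevtutil query from the Query Forwarding Log section and the Event ID 101/102/105 lookups described on this page can be combined into one script that reads the forwarding plugin log and decodes each event's Status code into text. This is an added example, not part of the page; it assumes the log name Microsoft-Windows-EventLog-ForwardingPlugin/Operational and that the EventData field is named Status as the page states.

```powershell
# Added example: pull 101 (invalid XPath query), 102 (subscription not created locally)
# and 105 (collector communication error) from the forwarding plugin log and decode
# the Status value the way `winrm helpmsg` would.
# Assumptions: channel name below; EventData carries a 'Status' field (per the page).
param(
    [int[]]$Ids      = @(101, 102, 105),
    [int]$MaxEvents  = 20
)
$log = 'Microsoft-Windows-EventLog-ForwardingPlugin/Operational'

# Equivalent of: wevtutil qe <log> /q:"*[System[(EventID=101 or EventID=102 or EventID=105)]]"
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $Ids } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Same data as the Details tab > XML View in Event Viewer
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Status is a Win32 error code: 15001 -> "The specified query is invalid.",
    # 5004 -> "The cluster resource is not available."
    $status  = $data['Status']
    $meaning = if ($status -match '^\d+$') {
                   ([ComponentModel.Win32Exception][int]$status).Message
               } else { '(no numeric Status field)' }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Level   = $e.LevelDisplayName
        Status  = $status
        Meaning = $meaning
        Data    = ($data.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
    }
}
```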