WIN1R2.1ask2.com:

WINRM qc -q

NETSTAT -A

winrm Enumerate winrm/config/listener

DC1.1ask2.com:

Create an OU and move the related computers into it

Create a GPO and link it to “WINRM OU”

Computer Configuration--Administrative Templates--Windows Components --Event Forwarding

SubscriptionManager

Pay attention to the HTTP protocol. The following screenshot shows the selection. If you use a Windows 2008 R2 computer as the event collector, the default port number is 5985 instead of 80.

In an elevated administrator command window:

winrm qc -q

wecutil qc /q

Winrm Enumerate winrm/config/listener

Create a Source-initiated subscription on DC1.1ask2.com

On the WIN1R2.1ask2.com computer:

Net Stop WINRM

Net Start WINRM

On the DC1.1ask2.com computer:

Error

Source:        Microsoft-Windows-EventForwarder

Event ID:      111

Level:         Information

Computer:      WIN1R2.1ask2.com

Description:

The description for Event ID 111 from source Microsoft-Windows-EventForwarder cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

Check the “EventLog-ForwardPlugin/Operational” log:

Log Name:      Microsoft-Windows-Forwarding/Operational

Source:        Microsoft-Windows-Forwarding

Event ID:      105

Level:         Error

User:          NETWORK SERVICE

Computer:      WIN1R2.1ask2.com

Description:

The forwarder is having a problem communicating with subscription manager at address HTTP://DC1.1ask2.com:80/wsman/subscriptionManager/WEC.  Error code is 2150859027 and Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859027" Machine="WIN1R2.1ask2.com"><f:Message>The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol.

Make sure that the event collector computer (DC1) has the WinRM service configured and running.
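
The Event ID 105 text above shows the forwarder calling the collector on port 80, the case the port note earlier warns about. The following PowerShell check is an added example, not part of the original procedure: it reads the SubscriptionManager policy on the source computer, flags an HTTP URL that is not on 5985, and asks the collector's listener to answer. The registry path and the function name Get-SubscriptionManagerTarget are assumptions of this example.

```powershell
# Added example: run on the source computer (WIN1R2) in an elevated PowerShell window.
# Assumption: the SubscriptionManager GPO setting is stored under this policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

# Hypothetical helper: extract the collector URL from one policy entry.
function Get-SubscriptionManagerTarget {
    param([Parameter(Mandatory = $true)][string]$Entry)
    # An entry is a comma-separated list such as "Server=http://host:5985/...,Refresh=60".
    foreach ($part in ($Entry -split ',')) {
        if ($part.Trim() -match '^Server=(.+)$') {
            $uri = [Uri]($Matches[1].Trim())
            return New-Object PSObject -Property @{
                Url       = $uri.AbsoluteUri
                Collector = $uri.Host
                Port      = $uri.Port      # 80 when an http URL names no port
                Scheme    = $uri.Scheme
            }
        }
    }
}

# Read the live policy values, or fall back to a constructed sample that
# reproduces the port 80 URL from the Event ID 105 text.
if (Test-Path $PolicyKey) {
    $key = Get-Item $PolicyKey
    $entries = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
} else {
    $entries = @('Server=http://DC1.1ask2.com:80/wsman/SubscriptionManager/WEC')  # constructed
}

foreach ($entry in $entries) {
    $t = Get-SubscriptionManagerTarget -Entry $entry
    if (-not $t) { Write-Warning "No Server= URL in: $entry"; continue }
    if ($t.Scheme -eq 'http' -and $t.Port -ne 5985) {
        Write-Warning "$($t.Url) uses port $($t.Port); a Windows 2008 R2 collector listens on 5985 for HTTP."
    }
    # Test-WSMan sends a WS-Management identify request to the collector's listener.
    $reply = Test-WSMan -ComputerName $t.Collector -Port $t.Port -ErrorAction SilentlyContinue
    if ($reply) { "OK   $($t.Collector):$($t.Port) answers WS-Management" }
    else        { "FAIL $($t.Collector):$($t.Port) does not answer WS-Management" }
}
```

A FAIL line together with the port warning points at the GPO value; a FAIL line on 5985 points at the WinRM listener on the collector.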

WECUTIL GS ww

It is possible that it will take a while for the events to be collected.

I simply restarted the WIN1R2 computer.