agentless log forwarding error using im_wseventing module
Hello Guys, Im currently trialing nxlog enterprise version and specifically interested in agentless version of it. While working on it i have come across a blockade which seems to not forward logs from windows server machine to linux windows event collector(nxlog enterprise version is running).
Im running nxlog version 5.1.6133 on ubuntu. Here are the details (SERVER details w.r.t im_wseventing module documentation)
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
Below are client details which forwards logs to server above using agentless method
OS Name: Microsoft Windows Server 2019 Datacenter
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
Im getting following error message while trying to forward logs. Seeing this error in eventviewer under eventlog forwarding plugin. I have followed the documentation and generated certs and certs seems to be valid and working.
Log Name: Microsoft-Windows-Forwarding/Operational
Source: Microsoft-Windows-Forwarding
Date: 10/28/2020 2:37:05 AM
Event ID: 105
Task Category: None
Level: Error
Keywords:
User: NETWORK SERVICE
Computer: computer_name
Description:
The forwarder is having a problem communicating with subscription manager at address HTTPS://private_ip_address:5986/wsman/. Error code is 2150858819 and Error Message is 鿰柣ƴ.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Forwarding" Guid="{699e309c-e782-4400-98c8-e21d162d7b7b}" />
<EventID>105</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-10-28T02:37:05.265085100Z" />
<EventRecordID>438</EventRecordID>
<Correlation ActivityID="{2977fa9f-ac7b-0000-d9fb-77297bacd601}" />
<Execution ProcessID="2732" ThreadID="5668" />
<Channel>Microsoft-Windows-Forwarding/Operational</Channel>
<Computer>computer_name</Computer>
<Security UserID="S-1-5-20" />
</System>
<EventData Name="SubscriptionManagerStatus">
<Data Name="SubscriptionManagerAddress">HTTPS://private_ip_address:5986/wsman/</Data>
<Data Name="ErrorCode">2150858819</Data>
<Data Name="ErrorMessage">鿰柣ƴ</Data>
</EventData>
</Event>
I have tried even port 5985 and it also faces similar error. I have checked whether the server which is the ubuntu is reachable or not, did GET request using postman api tool.POST request seems to not work which might be the cause which might be behind this problem.
Below is my nxlog config
<Input wseventing>
Module im_wseventing
ListenAddr 0.0.0.0
Port 5986
Address https://private_ip_address:5986/wsman
HTTPSCertFile %CERTDIR%/server-cert.pem
HTTPSCertKeyFile %CERTDIR%/server-key.pem
HTTPSCAFile %CERTDIR%/ca-cert.pem
<QueryXML>
<QueryList>
<Computer>*</Computer>
<Query Id="0">
<Select Path="Application">*</Select>
<Select Path="Security">*</Select>
<Select Path="Setup">*</Select>
<Select Path="System">*</Select>
<Select Path="ForwardedEvents">*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Output file>
Module om_file
File "/opt/nxlog/var/log/nxlog/windows_events.log"
</Output>
<Route route_wsevents>
Path wseventing => file
</Route>
Let me know how do i overcome this issue if possible.
Thanks.