Let's Talk
Let's Talk

agentless log forwarding error using im_wseventing module

View thread
AH_601191

Hello Guys, Im currently trialing nxlog enterprise version and specifically interested in agentless version of it. While working on it i have come across a blockade which seems to not forward logs from windows server machine to linux windows event collector(nxlog enterprise version is running).

Im running nxlog version 5.1.6133 on ubuntu. Here are the details (SERVER details w.r.t im_wseventing module documentation)

NAME="Ubuntu"
 VERSION="18.04.5 LTS (Bionic Beaver)"
 ID=ubuntu
 ID_LIKE=debian
 PRETTY_NAME="Ubuntu 18.04.5 LTS"
 VERSION_ID="18.04"

Below are client details which forwards logs to server above using agentless method

OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server

Im getting following error message while trying to forward logs. Seeing this error in eventviewer under eventlog forwarding plugin. I have followed the documentation and generated certs and certs seems to be valid and working.

Log Name:      Microsoft-Windows-Forwarding/Operational
Source:        Microsoft-Windows-Forwarding
Date:          10/28/2020 2:37:05 AM
Event ID:      105
Task Category: None
Level:         Error
Keywords:      
User:          NETWORK SERVICE
Computer:      computer_name
Description:
The forwarder is having a problem communicating with subscription manager at address HTTPS://private_ip_address:5986/wsman/.  Error code is 2150858819 and Error Message is 鿰柣ƴ.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Forwarding" Guid="{699e309c-e782-4400-98c8-e21d162d7b7b}" />
    <EventID>105</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2020-10-28T02:37:05.265085100Z" />
    <EventRecordID>438</EventRecordID>
    <Correlation ActivityID="{2977fa9f-ac7b-0000-d9fb-77297bacd601}" />
    <Execution ProcessID="2732" ThreadID="5668" />
    <Channel>Microsoft-Windows-Forwarding/Operational</Channel>
    <Computer>computer_name</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData Name="SubscriptionManagerStatus">
    <Data Name="SubscriptionManagerAddress">HTTPS://private_ip_address:5986/wsman/</Data>
    <Data Name="ErrorCode">2150858819</Data>
    <Data Name="ErrorMessage">鿰柣ƴ</Data>
  </EventData>
</Event>

I have tried even port 5985 and it also faces similar error. I have checked whether the server which is the ubuntu is reachable or not, did GET request using postman api tool.POST request seems to not work which might be the cause which might be behind this problem.

Below is my nxlog config

<Input wseventing>
    Module          im_wseventing
    ListenAddr      0.0.0.0
    Port            5986
    Address         https://private_ip_address:5986/wsman
    HTTPSCertFile   %CERTDIR%/server-cert.pem
    HTTPSCertKeyFile %CERTDIR%/server-key.pem
    HTTPSCAFile     %CERTDIR%/ca-cert.pem
    <QueryXML>
      <QueryList>
        <Computer>*</Computer>
        <Query Id="0">
          <Select Path="Application">*</Select>
          <Select Path="Security">*</Select>
          <Select Path="Setup">*</Select>
          <Select Path="System">*</Select>
          <Select Path="ForwardedEvents">*</Select>
        </Query>
      </QueryList>
    </QueryXML>
</Input>
<Output file>
    Module  om_file
    File    "/opt/nxlog/var/log/nxlog/windows_events.log"
</Output>
<Route route_wsevents>
    Path wseventing => file
</Route>

Let me know how do i overcome this issue if possible.

Thanks.