agentless log forwarding error using im_wseventing module

#1 AH_601191

Hello guys, I'm currently trialing the NXLog Enterprise version and am specifically interested in the agentless mode of it. While working on it I have come across a blocker: logs do not seem to be forwarded from the Windows server machine to the Linux Windows Event Collector (where the NXLog Enterprise version is running).

I'm running NXLog version 5.1.6133 on Ubuntu. Here are the details (SERVER details w.r.t. the im_wseventing module documentation):

NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"

Below are the details of the client, which forwards logs to the server above using the agentless method:

OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server

I'm getting the following error message while trying to forward logs. I see this error in Event Viewer under the event log forwarding plugin. I have followed the documentation and generated certs, and the certs seem to be valid and working.

Log Name:      Microsoft-Windows-Forwarding/Operational
Source:        Microsoft-Windows-Forwarding
Date:          10/28/2020 2:37:05 AM
Event ID:      105
Task Category: None
Level:         Error
Keywords:      
User:          NETWORK SERVICE
Computer:      computer_name
Description:
The forwarder is having a problem communicating with subscription manager at address HTTPS://private_ip_address:5986/wsman/.  Error code is 2150858819 and Error Message is 鿰柣ƴ.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Forwarding" Guid="{699e309c-e782-4400-98c8-e21d162d7b7b}" />
    <EventID>105</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2020-10-28T02:37:05.265085100Z" />
    <EventRecordID>438</EventRecordID>
    <Correlation ActivityID="{2977fa9f-ac7b-0000-d9fb-77297bacd601}" />
    <Execution ProcessID="2732" ThreadID="5668" />
    <Channel>Microsoft-Windows-Forwarding/Operational</Channel>
    <Computer>computer_name</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData Name="SubscriptionManagerStatus">
    <Data Name="SubscriptionManagerAddress">HTTPS://private_ip_address:5986/wsman/</Data>
    <Data Name="ErrorCode">2150858819</Data>
    <Data Name="ErrorMessage">鿰柣ƴ</Data>
  </EventData>
</Event>

I have even tried port 5985, and it faces a similar error. I have checked whether the server (the Ubuntu machine) is reachable or not by doing a GET request using the Postman API tool. A POST request seems not to work, which might be the cause behind this problem.

Below is my NXLog config:

<Input wseventing>
    Module          im_wseventing
    ListenAddr      0.0.0.0
    Port            5986
    Address         https://private_ip_address:5986/wsman
    HTTPSCertFile   %CERTDIR%/server-cert.pem
    HTTPSCertKeyFile %CERTDIR%/server-key.pem
    HTTPSCAFile     %CERTDIR%/ca-cert.pem
    <QueryXML>
      <QueryList>
        <Computer>*</Computer>
        <Query Id="0">
          <Select Path="Application">*</Select>
          <Select Path="Security">*</Select>
          <Select Path="Setup">*</Select>
          <Select Path="System">*</Select>
          <Select Path="ForwardedEvents">*</Select>
        </Query>
      </QueryList>
    </QueryXML>
</Input>
<Output file>
    Module  om_file
    File    "/opt/nxlog/var/log/nxlog/windows_events.log"
</Output>
<Route route_wsevents>
    Path wseventing => file
</Route>

Let me know how I can overcome this issue, if possible.

Thanks.
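As an added example (not from the post and not NXLog's own code), a small Python triage helper for the Event 105 quoted above: it parses the event XML, splits the decimal ErrorCode into its HRESULT fields so the failing layer can be read off, and flags an ErrorMessage that is unusable. The sample event is constructed from the post with its placeholders kept; FACILITY_WINRM = 51 is the facility value from winerror.h.

```python
import xml.etree.ElementTree as ET

# Namespace of Windows event XML, as in the event quoted in the post.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FACILITY_WINRM = 51  # winerror.h: HRESULTs with this facility originate in WinRM/WS-Man

# Constructed sample: a trimmed copy of the Event 105 from the post (placeholders kept).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Forwarding" />
    <EventID>105</EventID>
    <Channel>Microsoft-Windows-Forwarding/Operational</Channel>
    <Computer>computer_name</Computer>
  </System>
  <EventData Name="SubscriptionManagerStatus">
    <Data Name="SubscriptionManagerAddress">HTTPS://private_ip_address:5986/wsman/</Data>
    <Data Name="ErrorCode">2150858819</Data>
    <Data Name="ErrorMessage">鿰柣ƴ</Data>
  </EventData>
</Event>"""


def decode_hresult(code: int) -> dict:
    """Split a 32-bit HRESULT into severity bit, facility and status code."""
    code &= 0xFFFFFFFF
    return {
        "hex": f"0x{code:08X}",
        "failure": bool(code >> 31),          # bit 31 set means a failure HRESULT
        "facility": (code >> 16) & 0x7FF,     # 11-bit facility field
        "code": code & 0xFFFF,                # facility-specific status code
    }


def looks_garbled(message: str) -> bool:
    """A WinRM error message should contain readable text; treat one with no ASCII
    letters at all (like the one in the post) as unusable for troubleshooting."""
    return not any(c.isascii() and c.isalpha() for c in message)


def triage_forwarding_event(xml_text: str) -> dict:
    """Extract the fields an analyst needs from a Microsoft-Windows-Forwarding event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    hr = decode_hresult(int(data["ErrorCode"]))
    return {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "subscription_manager": data["SubscriptionManagerAddress"],
        "hresult": hr["hex"],
        "winrm_layer": hr["failure"] and hr["facility"] == FACILITY_WINRM,
        "message_usable": not looks_garbled(data["ErrorMessage"]),
    }
```

For the post's event this yields HRESULT 0x80338043 with facility 51, i.e. a WinRM-layer failure, and marks the error message as unusable, so the fix has to come from the WS-Man exchange itself rather than from the message text.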

#2 raf (Deactivated) NXLog ✓

Hello,

First, a quick question: in the ErrorMessage line you have some chars that don't tell much. Is it a copy-paste error, or does it look this way at its root?

I'm asking about the line <Data Name="ErrorMessage">鿰柣ƴ</Data>.

I suppose it's just for the purpose of this question, but for clarity: the private_ip_address works correctly in your network, right?

Best regards,

Rafal