Setting up Windows Event Forwarding...
OK, I have WEF up and running on our network. Currently, I have it running with my laptop and the WEF server, and it works great.
I have a test laptop, configured exactly like all the desktops on our domain, but I can’t get the events to pop into the WEF server; it shows in the list of ‘active’ subscriptions.
I have it configured just like my personal laptop –
1) WinRM set to running but not listening.
2) Computer>Policies>Admin Templates>Windows Components>Event Forwarding>Configure target subscription manager
This will need to be populated with the address of your collector server in this format:
3) Added the Local Network Service to ‘Event Log Readers’ Group
But on the WEF server, the test laptop is listed as ‘active’ in the subscriptions.
And on the test laptop:
Test-NetConnection WEFSERVER -Port 5985 – this test is successful, nothing blocking connection
But still no events in –
Eventlog-Forwarding Plugin -> Operational – No events in here
I don’t see what I am missing… any thoughts?
*It’s Windows 10; I don’t know if that makes a difference or not.
*Also, I started WinRM from services.msc because I don’t want the listener turned on; not sure if that makes a difference.
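
Added example, not part of the original post: a read-only PowerShell check that gathers the three settings listed above, the port test, and the forwarding plugin log from the source computer in one pass. The function name `Get-WefClientState` is hypothetical; `WEFSERVER` is the collector name used in the post, and an elevated session on the non-forwarding client is assumed.

```powershell
# Added example: read-only checks for a WEF source computer.
# Assumption: run in an elevated PowerShell session on the client that is not forwarding.
$Collector = 'WEFSERVER'   # collector name as used in the post

function Get-WefClientState {   # hypothetical helper name
    param([string]$CollectorName)

    # 1) WinRM service state
    $svc = Get-Service -Name WinRM

    # 2) "Configure target subscription manager" policy as it landed in the registry
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $managers = @()
    if (Test-Path $key) {
        $reg = Get-Item $key
        $managers = @($reg.GetValueNames() | ForEach-Object { $reg.GetValue($_) })
    }

    # 3) NETWORK SERVICE (well-known SID S-1-5-20) in the local Event Log Readers group
    $members = @(Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue)
    $netSvc  = [bool]($members | Where-Object { $_.SID.Value -eq 'S-1-5-20' })

    # Reachability of the collector on port 5985, the same test as in the post
    $tcp = Test-NetConnection -ComputerName $CollectorName -Port 5985 -WarningAction SilentlyContinue

    # Most recent entries from the forwarding plugin log on this client
    $log    = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'
    $events = @(Get-WinEvent -LogName $log -MaxEvents 10 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        WinRMStatus          = $svc.Status
        WinRMStartType       = $svc.StartType
        SubscriptionManagers = $managers
        NetworkServiceReader = $netSvc
        CollectorPort5985    = $tcp.TcpTestSucceeded
        PluginEventCount     = $events.Count
        PluginEvents         = $events | Select-Object TimeCreated, Id, LevelDisplayName, Message
    }
}

$state = Get-WefClientState -CollectorName $Collector
$state | Format-List WinRMStatus, WinRMStartType, SubscriptionManagers,
                     NetworkServiceReader, CollectorPort5985, PluginEventCount
$state.PluginEvents | Format-List
```

An empty `SubscriptionManagers` value means the policy from step 2 is not present in the registry on that machine.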