I'm trying to set up event forwarding on Windows Server 2008R2/2012. The runtime status on the collector shows the following error: "Code (0x80338095): The connectivity test from the push subscription source to the client failed."
Details that might be relevant:
- I've been using this: http://blogs.technet.com/b/wincat/archive/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows.aspx as my primary reference
- The collector is 2008R2 SP1 running as a VM under Win Server 2012 Hyper-V. The two subscribers are Server 2012, one virtual, one physical. I've also tried using a 2012 Server as the collector, but with the same result. The functional domain level is 2008R2.
- Collector initiated
- Group Policy setup for WinRM, HTTP port 5985
- Using a domain user account that is a local admin on all machines in question.
- I've verified WinRM firewall rules exist and services (WinRM, Win Event Collector) are running.
- When creating the Subscription on the Collector, the Select Computers -> Test button reports success for all computers
When I run the troubleshooting steps in the linked article, the results are as follows:
winrm id /r:<Source Computer> /a:none
IdentifyResponse
    ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor = Microsoft Corporation
    ProductVersion = OS: 0.0.0 SP: 0.0 Stack: 3.0
winrm id /r:<Source Computer> /u:<username> /p:<password>
IdentifyResponse
    ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor = Microsoft Corporation
    ProductVersion = OS: 6.2.9200 SP: 0.0 Stack: 3.0
    SecurityProfiles
        SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos, http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/spnego-kerberos
wecutil gr <subscription name>
Subscription: FileAuditing
    RunTimeStatus: Active
    LastError: 0
    EventSources:
        <subscriber1 FQDN>
            RunTimeStatus: Trying
            LastError: -2144108395
            ErrorMessage: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858901" Machine="<subscriber1 FQDN>"><f:Message>The connectivity test from the push subscription source to the client failed. This can happen if the client machine initiating the push subscription is unreachable from the server machine where the event source is located. Possible reasons include firewall or some other network boundary. Modify subscription to use Pull based subscription. </f:Message></f:WSManFault>
            ErrorTime: 2012-12-05T15:27:32.474
            NextRetryTime: 2012-12-05T15:37:32.474
        <subscriber2 FQDN>
            RunTimeStatus: Trying
            LastError: -2144108395
            ErrorMessage: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858901" Machine="<subscriber1 FQDN>"><f:Message>The connectivity test from the push subscription source to the client failed. This can happen if the client machine initiating the push subscription is unreachable from the server machine where the event source is located. Possible reasons include firewall or some other network boundary. Modify subscription to use Pull based subscription. </f:Message></f:WSManFault>
            ErrorTime: 2012-12-05T15:27:33.443
            NextRetryTime: 2012-12-05T15:37:33.443
--------------------------------
WinRM listener configuration on one of the subscribers:
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.1.10.103, 10.1.11.103, 10.3.0.20, 127.0.0.1
Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = <subscriber1 FQDN>
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = <thumbprint>
    ListeningOn = 10.1.10.103, 10.1.11.103, 10.3.0.20, 127.0.0.1
Listener [Source="Compatibility"]
    Address = *
    Transport = HTTPS
    Port = 443
    Hostname = <subscriber1 FQDN>
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = <thumbprint>
    ListeningOn = 10.1.10.103, 10.1.11.103, 10.3.0.20, 127.0.0.1
--------------
About the only other thing I can think of is some vagueness in the GP settings themselves:
- Event Forwarding -> Configure target Subscription Manager -> Subscription Managers, I just have "server=collector.domain.local." I tried adding a port number, but that didn't make any difference.
- Event Forwarding -> Configure forwarder resource usage: Not configured
- WinRM Client -> Trusted Hosts: *
- WinRM Client -> (all others): Not configured
- WinRM Service -> Allow remote server management through WinRM - IPv4: *, IPv6:[empty]
- WinRM Service -> (all others): Not configured
I've noticed that most guides suggest you configure the WinRM property "Allow automatic configuration of listeners." I don't see this specific item available.
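
An added example, not part of the original post: a small Python parser for saved `wecutil gr` output that lists the event sources with a non-zero LastError and shows that the signed LastError (-2144108395), the fault's Code attribute (2150858901) and the 0x80338095 in the collector's status message are the same 32-bit value. The sample text is constructed from the output above with placeholder host names, and the LastHeartbeatTime field name is an assumption.

```python
import re

# Per-source fields; LastHeartbeatTime is assumed, the rest appear in the post.
FIELDS = set("RunTimeStatus LastError ErrorMessage ErrorTime NextRetryTime LastHeartbeatTime".split())

# Constructed sample modelled on the post's output; host names are placeholders.
SAMPLE = """\
Subscription: FileAuditing
RunTimeStatus: Active
LastError: 0
EventSources:
src1.example.test
RunTimeStatus: Trying
LastError: -2144108395
ErrorMessage: <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault"
Code="2150858901" Machine="src1.example.test"><f:Message>The connectivity test from the push subscription source to the client failed. </f:Message></f:WSManFault>
src2.example.test
RunTimeStatus: Active
LastError: 0
"""

def to_hresult(code):  # signed LastError and unsigned Code are the same 32-bit value
    return "0x%08X" % (int(code) & 0xFFFFFFFF)

def parse_event_sources(text):
    # Rejoin fault XML that wraps over several lines, then read "Key: value" fields.
    text = re.sub(r"<f:WSManFault.*?</f:WSManFault>",
                  lambda m: " ".join(m.group().split()), text, flags=re.S)
    sources = []
    for line in filter(None, map(str.strip, text.partition("EventSources:")[2].splitlines())):
        key, sep, value = line.partition(":")
        if sep and key in FIELDS and sources:
            sources[-1][key] = value.strip()
        else:  # any other line names the next event source
            sources.append({"Source": line})
    return sources

def failing_sources(text):
    # Keep sources with a non-zero LastError; report both codes as hex.
    rows = []
    for s in parse_event_sources(text):
        fault = re.search(r'Code="(\d+)"', s.get("ErrorMessage", ""))
        if int(s.get("LastError", 0)):
            rows.append((s["Source"], s.get("RunTimeStatus"), to_hresult(s["LastError"]),
                         to_hresult(fault.group(1)) if fault else None))
    return rows

if __name__ == "__main__":
    print(failing_sources(SAMPLE))
```

The subscription-level `RunTimeStatus: Active` and `LastError: 0` are skipped on purpose: as in the output above, a subscription can report Active while every individual source is still in `Trying`.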