
2.7. Troubleshooting a Problem Forwarder

Problem: A computer shows up in the Current Forwarders tab for your subscription but is shown as None in the WEC column.

This means that your subscription’s policy uses the Deterministic health assessment basis and that the group(s) you assigned in Allowed Forwarders include this computer as a member, so we expect it to be forwarding events. Yet WEC has never seen that computer for this subscription, so Supercharger reports it as Absent.

Here are the possible reasons why, with tips on how to investigate.

The table below has three columns: Category, Problem, and Action on Forwarder. Each category is listed with its problems and the corresponding action.

Collector targeting

  Problem: Forwarder is not targeted at collector
  Action on forwarder: Run a Group Policy Results report for that computer, then:
    • Check “Configure target subscription manager”.
    • Search that HTML report for "WinRM". Look for settings that may cause WinRM to not function correctly.
    • Check that the "Allow remote server management through WinRM" setting is either "Not configured" or "Enabled".

  Problem: Collector string for “Configure target subscription manager” is incorrect
  Action on forwarder: Are other computers successfully targeting this collector via the same group policy object? Check Microsoft-Windows-Forwarding/Operational (Microsoft-Windows-Eventlog-ForwardingPlugin/Operational) on the forwarder for errors (see below).

  Problem: Group policy recently updated and forwarder has not applied it, or GPO has not replicated
  Action on forwarder: Run gpupdate on the forwarder, verify with a Group Policy Results report (“GPRESULT /H GPReport.html”) and check “Configure target subscription manager”.

Connectivity

  Problem: Connectivity problem
  Action on forwarder: Use this command with the DNS name in your collector string: “winrm identify -r:http://winrm_server:5985” (or “winrm identify -r:https://winrm_server:5986”).

WinRM on Forwarder

  Action on forwarder: Check these event logs for errors:
    • Microsoft-Windows-Forwarding/Operational
      • Microsoft-Windows-Eventlog-ForwardingPlugin/Operational
    • Microsoft-Windows-WinRM/Operational
      • Microsoft-Windows-Windows Remote Management/Operational

  Event ID 102 with error 5004 can mean:
    • The forwarder does not have access to the source log. This usually happens on the Security Log, but we've also seen it on the Sysmon log. Does this subscription select events from the Security Log or Sysmon? See Granting Permissions for Security Log Forwarding; for Sysmon you will need to run wevtutil sl with /ca: and the appropriate permissions in SDDL format. For example, you may need to run this command in an elevated CMD prompt:
      wevtutil sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)
    • The event filter XPath is invalid. In this case all forwarders assigned to this subscription will be logging the event. Try copying the XPath query from the subscription and using it as an XML filter in Event Viewer; observe whether Event Viewer complains that the filter is invalid.

  Event ID 105 with error 2150859027 and the full message "The forwarder is having a problem communicating with subscription manager at address http://COLLECTOR:5985/wsman/SubscriptionManager/WEC. Error code is 2150859027 and Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859027" Machine="FORWARDER"><f:Message>The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. </f:Message></f:WSManFault>." can mean:
    • There is an issue with the URL ACL. Follow the two commands in this article.

  Problem: WinRM service not running on forwarder

  Problem: WinRM has not been configured on forwarder
  Action on forwarder: Run “winrm qc”.

Collector

  Problem: Collector side problem
  Action on collector: Check the following logs:
    • Microsoft-Windows-WinRM/Operational
    • Microsoft-Windows-EventCollector/Operational

  Problem: WinRM issue on Collector
  Action on collector: Run "winrm get winrm/config" and confirm that the output contains "AllowRemoteAccess = true". Then check HKLM\Software\Policies\Microsoft\Windows\WinRM\Service:
    • Does this key exist? If not, good.
    • If this key does exist, is there a DWORD named AllowAutoConfig? If so, is it set to 1 or 0? WEC requires it set to 1; a setting of 0 will not allow WinRM to communicate properly.

Active Directory

  Problem: Computer was recently added to or removed from the group, and the Supercharger collector and the source computer are talking to different domain controllers
  Action: Force replication between domain controllers if practical.

  Problem: Computer has not been rebooted since being added to the group
  Action on forwarder: Reboot, or run this command on the forwarder:
    klist -lh 0 -li 0x3e4 purge
  This purges the Kerberos ticket cache, and the computer will pick up the new group when it obtains a new ticket. See this article for steps to perform this.
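As an added example (not Supercharger's own code), the following PowerShell script gathers the forwarder-side checks from the table in one pass: the targeted collector string, WinRM service state, winrm identify connectivity, the AllowAutoConfig policy value and recent 102/105 events. It assumes it is run in an elevated PowerShell on the forwarder and that the "Configure target subscription manager" policy is stored under the SubscriptionManager registry key named below in the form Server=http://collector:5985/wsman/SubscriptionManager/WEC,Refresh=60.

```powershell
# Added diagnostic script (not part of Supercharger): run in an elevated
# PowerShell on the suspected forwarder. Assumption: the target subscription
# manager policy lives under $smKey as numbered values of the form
# Server=http://collector:5985/wsman/SubscriptionManager/WEC,Refresh=60.
$results = [ordered]@{}

# 1. Collector targeting: which subscription manager(s) did Group Policy set?
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$targets = @()
if (Test-Path $smKey) {
    $targets = @((Get-ItemProperty $smKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
}
$results['SubscriptionManager'] = if ($targets) { $targets -join '; ' } else { 'NOT SET (GPO not applied?)' }

# 2. WinRM service state ("WinRM service not running on forwarder" row)
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$results['WinRMService'] = if ($svc) { $svc.Status } else { 'service missing' }

# 3. Connectivity: winrm identify against each collector URL in the policy value
foreach ($t in $targets) {
    if ($t -match 'Server=(https?://[^/,]+)') {
        $url = $Matches[1]
        $out = (& winrm.cmd identify "-r:$url" 2>&1 | Out-String)
        # A reachable WS-Management listener answers with an IdentifyResponse block
        $results["Identify $url"] = if ($out -match 'IdentifyResponse') { 'OK' } else { $out.Trim() }
    }
}

# 4. AllowAutoConfig policy: absent or 1 is fine, 0 blocks WinRM (Collector row)
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$aac = (Get-ItemProperty -Path $polKey -Name AllowAutoConfig -ErrorAction SilentlyContinue).AllowAutoConfig
$results['AllowAutoConfig'] = if ($null -eq $aac) { 'not present (OK)' } elseif ($aac -eq 1) { '1 (OK)' } else { "$aac (blocks WinRM)" }

# 5. Forwarding-plugin events 102 and 105 from the last 24 hours
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Forwarding/Operational'; Id = 102, 105
    StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue
$results['ForwardingErrors24h'] = if ($events) {
    ($events | Select-Object -First 3 | ForEach-Object { "ID $($_.Id): $("$($_.Message)".Split("`n")[0])" }) -join ' | '
} else { 'none' }

$results.GetEnumerator() | Format-Table Key, Value -AutoSize -Wrap
```

A forwarder that reports NOT SET, a stopped WinRM service, or a non-IdentifyResponse result points you straight at the Collector targeting, WinRM on Forwarder or Connectivity rows respectively.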
