Windows EventLog Forwarding

While playing with Windows Eventlog Forwarding (WEF) and a Source Initiated Subscription I got an error 5004 on the forwarder after I tried to do some filtering on the Event IDs.

EventLog-ForwardingPlugin_Event_102

All machines involved where Windows Server 2012 and 2012R2. Did some furter testing from my laptop (Win 10 10240 ent)

I’ve written a small script that creates an event in the System Eventlog for each of the Event IDs I needed to collect.

$Count=0
$EventsIDs=Get-Content D:\Events.txt
$Total=$EventsIDs.Count
$RunID=get-date -Format yyyymmddTHHmmss
$EventsIDs|ForEach-Object {
    $Count++
    Start-Sleep -Milliseconds 500
    $Pct=[MATH]::Round($Count/$Total*100)
    Write-EventLog -LogName System -Source System -EventId $_ -EntryType Error -Message "This is a TEST event with ID: $_ to check the subscription. Message $Count - $Total :: $Pct % - Run: $RunID"   
}

But nothing got forwarded.

The Event 102 is got a little more descriptive when I looked at the XML behind the event:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Microsoft-Windows-Forwarding" Guid="{699E309C-E782-4400-98C8-E21D162D7B7B}" /> 
  <EventID>102</EventID> 
  <Version>1</Version> 
  <Level>2</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8000000000000000</Keywords> 
  <TimeCreated SystemTime="2016-06-15T07:28:51.902138600Z" /> 
  <EventRecordID>569</EventRecordID> 
  <Correlation ActivityID="{D0B805AD-C621-0003-D42A-B8D021C6D101}" /> 
  <Execution ProcessID="976" ThreadID="11644" /> 
  <Channel>Microsoft-Windows-Forwarding/Operational</Channel> 
  <Computer>myworkstation.example.com</Computer> 
  <Security UserID="S-1-5-20" /> 
 </System>
<EventData Name="SubscribeFailure">
  <Data Name="Id">My-SubScription-Windows-ForwardedEvents</Data> 
  <Data Name="Query"><QueryList><Query Id="0"><Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and ( (EventID &gt;= 512 and EventID &lt;= 513) or EventID=517 or (EventID &gt;= 519 and EventID &lt;= 521) or (EventID &gt;= 528 and EventID &lt;= 540) or (EventID &gt;= 551 and EventID &lt;= 552) or (EventID &gt;= 560 and EventID &lt;= 567) or (EventID &gt;= 576 and EventID &lt;= 578) or (EventID &gt;= 592 and EventID &lt;= 593) or (EventID &gt;= 601 and EventID &lt;= 602) or (EventID &gt;= 608 and EventID &lt;= 609) or (EventID &gt;= 612 and EventID &lt;= 616) or (EventID &gt;= 621 and EventID &lt;= 622) or (EventID &gt;= 624 and EventID &lt;= 668) or (EventID &gt;= 671 and EventID &lt;= 678) or EventID=680 or (EventID &gt;= 682 and EventID &lt;= 683) or (EventID &gt;= 687 and EventID &lt;= 697) or (EventID &gt;= 806 and EventID &lt;= 809) or (EventID &gt;= 848 and EventID &lt;= 861) or (EventID &gt;= 1100 and EventID &lt;= 1104) or EventID=1108 or (EventID &gt;= 4608 and EventID &lt;= 4612) or EventID=4616 or EventID=4618 or (EventID &gt;= 4624 and EventID &lt;= 4627) or EventID=4634 or (EventID &gt;= 4648 and EventID &lt;= 4674) or (EventID &gt;= 4688 and EventID &lt;= 4691) or (EventID &gt;= 4697 and EventID &lt;= 4702) or (EventID &gt;= 4704 and EventID &lt;= 4707) or (EventID &gt;= 4709 and EventID &lt;= 4710) or EventID=4713 or (EventID &gt;= 4715 and EventID &lt;= 4720) or (EventID &gt;= 4722 and EventID &lt;= 4735) or (EventID &gt;= 4737 and EventID &lt;= 4764) or (EventID &gt;= 4767 and EventID &lt;= 4801) or EventID=4817 or (EventID &gt;= 4820 and EventID &lt;= 4824) or (EventID &gt;= 4865 and EventID &lt;= 4867) or (EventID &gt;= 4907 and EventID &lt;= 4908) or (EventID &gt;= 4944 and EventID &lt;= 4950) or EventID=4954 or (EventID &gt;= 4956 and EventID &lt;= 4958) or (EventID &gt;= 4960 and EventID &lt;= 4965) or (EventID &gt;= 4976 and EventID &lt;= 4984) or (EventID &gt;= 5024 and EventID &lt;= 5049) or (EventID &gt;= 5136 and EventID &lt;= 5159) or (EventID &gt;= 5451 and EventID &lt;= 5453) or EventID=5712 or (EventID &gt;= 6272 and EventID &lt;= 6280) or EventID=6416 or EventID=7030 or EventID=7045)]]</Select><Select Path="System">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and ( (EventID &gt;= 512 and EventID &lt;= 513) or EventID=517 or (EventID &gt;= 519 and EventID &lt;= 521) or (EventID &gt;= 528 and EventID &lt;= 540) or (EventID &gt;= 551 and EventID &lt;= 552) or (EventID &gt;= 560 and EventID &lt;= 567) or (EventID &gt;= 576 and EventID &lt;= 578) or (EventID &gt;= 592 and EventID &lt;= 593) or (EventID &gt;= 601 and EventID &lt;= 602) or (EventID &gt;= 608 and EventID &lt;= 609) or (EventID &gt;= 612 and EventID &lt;= 616) or (EventID &gt;= 621 and EventID &lt;= 622) or (EventID &gt;= 624 and EventID &lt;= 668) or (EventID &gt;= 671 and EventID &lt;= 678) or EventID=680 or (EventID &gt;= 682 and EventID &lt;= 683) or (EventID &gt;= 687 and EventID &lt;= 697) or (EventID &gt;= 806 and EventID &lt;= 809) or (EventID &gt;= 848 and EventID &lt;= 861) or (EventID &gt;= 1100 and EventID &lt;= 1104) or EventID=1108 or (EventID &gt;= 4608 and EventID &lt;= 4612) or EventID=4616 or EventID=4618 or (EventID &gt;= 4624 and EventID &lt;= 4627) or EventID=4634 or (EventID &gt;= 4648 and EventID &lt;= 4674) or (EventID &gt;= 4688 and EventID &lt;= 4691) or (EventID &gt;= 4697 and EventID &lt;= 4702) or (EventID &gt;= 4704 and EventID &lt;= 4707) or (EventID &gt;= 4709 and EventID &lt;= 4710) or EventID=4713 or (EventID &gt;= 4715 and EventID &lt;= 4720) or (EventID &gt;= 4722 and EventID &lt;= 4735) or (EventID &gt;= 4737 and EventID &lt;= 4764) or (EventID &gt;= 4767 and EventID &lt;= 4801) or EventID=4817 or (EventID &gt;= 4820 and EventID &lt;= 4824) or (EventID &gt;= 4865 and EventID &lt;= 4867) or (EventID &gt;= 4907 and EventID &lt;= 4908) or (EventID &gt;= 4944 and EventID &lt;= 4950) or EventID=4954 or (EventID &gt;= 4956 and EventID &lt;= 4958) or (EventID &gt;= 4960 and EventID &lt;= 4965) or (EventID &gt;= 4976 and EventID &lt;= 4984) or (EventID &gt;= 5024 and EventID &lt;= 5049) or (EventID &gt;= 5136 and EventID &lt;= 5159) or (EventID &gt;= 5451 and EventID &lt;= 5453) or EventID=5712 or (EventID &gt;= 6272 and EventID &lt;= 6280) or EventID=6416 or EventID=7030 or EventID=7045)]]</Select></Query></QueryList></Data> 
  <Data Name="ErrorCode">5004</Data> 
 </EventData>
</Event>

It showed that the entire Event ID filter was downloaded succesfully. (See Data Name=”Query”) part of the event XML.

I started a Google search and only got to Technet – Windows Event Forwarding – WinRM issues and ars technica – Windows event log forwarding but adding “NT AUTHORITY\Network Service” to the “Event Log Readers” group didn’t help.

Wondering if my filter was to blame I started to cut it down. Eventually it started to work. So I created three subsciptions, each with a smaller filter. But I couldn’t find an exact maximum of the lenght of the string, nor the amount of Event IDs being included:

First the entire string:

512-513,517,519-521,528-540,551-552,560-567,576-578,592-593,601-602,608-609,612-616,621-622,624-668,671-678,680,682-683,687-697,806-809,848-861,1100-1104,1108,4608-4612,4616,4618,4624-4627,4634,4648-4674,4688-4691,4697-4702,4704-4707,4709-4710,4713,4715-4720,4722-4735,4737-4764,4767-4801,4817,4820-4824,4865-4867,4907-4908,4944-4950,4954,4956-4958,4960-4965,4976-4984,5024-5049,5136-5159,5451-5453,5712,6272-6280,6416,7030,7045 (String Length: 429 characters, total number of EventIDs: 365)

The strings that seem to work are these:

512-513,517,519-521,528-540,551-552,560-567,576-578,592-593,601-602,608-609,612-616,621-622,624-668,671-678,680,682-683,687-697,806-809,848-861,1100-1104,1108 (String Length 131 characters, total number of EventIDs: 159)
4608-4612,4616,4618,4624-4627,4634,4648-4674,4688-4691,4697-4702,4704-4707,4709-4710,4713,4715-4720,4722-4735,4737-4764,4767-4801,4817,4820-4824,4865-4867,4907-4908 (String Length 140 EventIDs, characters, total number of EventIDs: 165)
4944-4950,4954,4956-4958,4960-4965,4976-4984,5024-5049,5136-5159,5451-5453,5712,6272-6280,6416,7030,7045 (String Length 94 EventIDs, total number of EventIDs: 105)

The magic number seems be lay around 165 characters it does not seem to be related to the number of EventIDs, since adding “4608-4612” (5 EventIDs to the first string resulted in Error 5004, while 131 + 5 = 136, which still is smaller than 140 (second string) which proves to work.

Now I wanted to know if this issue is related to the length of the string, or maybe the result of this string in XML format. While looking at the query XML, it appears that the contents of each Query tag was little under 1KB in size. The total XML was little beyond 2 KB, so this rules out the max size of the entire XML of 2KB. I decided to try to add all queries manually in separated queries within the same query list:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and ( (EventID &gt;= 512 and EventID &lt;= 513)  or EventID=517 or  (EventID &gt;= 519 and EventID &lt;= 521)  or  (EventID &gt;= 528 and EventID &lt;= 540)  or  (EventID &gt;= 551 and EventID &lt;= 552)  or  (EventID &gt;= 560 and EventID &lt;= 567)  or  (EventID &gt;= 576 and EventID &lt;= 578)  or  (EventID &gt;= 592 and EventID &lt;= 593)  or  (EventID &gt;= 601 and EventID &lt;= 602)  or  (EventID &gt;= 608 and EventID &lt;= 609)  or  (EventID &gt;= 612 and EventID &lt;= 616)  or  (EventID &gt;= 621 and EventID &lt;= 622)  or  (EventID &gt;= 624 and EventID &lt;= 668)  or  (EventID &gt;= 671 and EventID &lt;= 678)  or EventID=680 or  (EventID &gt;= 682 and EventID &lt;= 683)  or  (EventID &gt;= 687 and EventID &lt;= 697)  or  (EventID &gt;= 806 and EventID &lt;= 809)  or  (EventID &gt;= 848 and EventID &lt;= 861)  or  (EventID &gt;= 1100 and EventID &lt;= 1104)  or EventID=1108)]]</Select>
    <Select Path="System">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and ( (EventID &gt;= 512 and EventID &lt;= 513)  or EventID=517 or  (EventID &gt;= 519 and EventID &lt;= 521)  or  (EventID &gt;= 528 and EventID &lt;= 540)  or  (EventID &gt;= 551 and EventID &lt;= 552)  or  (EventID &gt;= 560 and EventID &lt;= 567)  or  (EventID &gt;= 576 and EventID &lt;= 578)  or  (EventID &gt;= 592 and EventID &lt;= 593)  or  (EventID &gt;= 601 and EventID &lt;= 602)  or  (EventID &gt;= 608 and EventID &lt;= 609)  or  (EventID &gt;= 612 and EventID &lt;= 616)  or  (EventID &gt;= 621 and EventID &lt;= 622)  or  (EventID &gt;= 624 and EventID &lt;= 668)  or  (EventID &gt;= 671 and EventID &lt;= 678)  or EventID=680 or  (EventID &gt;= 682 and EventID &lt;= 683)  or  (EventID &gt;= 687 and EventID &lt;= 697)  or  (EventID &gt;= 806 and EventID &lt;= 809)  or  (EventID &gt;= 848 and EventID &lt;= 861)  or  (EventID &gt;= 1100 and EventID &lt;= 1104)  or EventID=1108)]]</Select>
  </Query>
  <Query Id="1" Path="Security">
    <Select Path="Security">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and ( (EventID &gt;= 4608 and EventID &lt;= 4612)  or EventID=4616 or EventID=4618 or  (EventID &gt;= 4624 and EventID &lt;= 4627)  or EventID=4634 or  (EventID &gt;= 4648 and EventID &lt;= 4674)  or  (EventID &gt;= 4688 and EventID &lt;= 4691)  or  (EventID &gt;= 4697 and EventID &lt;= 4702)  or  (EventID &gt;= 4704 and EventID &lt;= 4707)  or  (EventID &gt;= 4709 and EventID &lt;= 4710)  or EventID=4713 or  (EventID &gt;= 4715 and EventID &lt;= 4720)  or  (EventID &gt;= 4722 and EventID &lt;= 4735)  or  (EventID &gt;= 4737 and EventID &lt;= 4764)  or  (EventID &gt;= 4767 and EventID &lt;= 4801)  or EventID=4817 or  (EventID &gt;= 4820 and EventID &lt;= 4824)  or  (EventID &gt;= 4865 and EventID &lt;= 4867)  or  (EventID &gt;= 4907 and EventID &lt;= 4908) )]]</Select>
    <Select Path="System">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and ( (EventID &gt;= 4608 and EventID &lt;= 4612)  or EventID=4616 or EventID=4618 or  (EventID &gt;= 4624 and EventID &lt;= 4627)  or EventID=4634 or  (EventID &gt;= 4648 and EventID &lt;= 4674)  or  (EventID &gt;= 4688 and EventID &lt;= 4691)  or  (EventID &gt;= 4697 and EventID &lt;= 4702)  or  (EventID &gt;= 4704 and EventID &lt;= 4707)  or  (EventID &gt;= 4709 and EventID &lt;= 4710)  or EventID=4713 or  (EventID &gt;= 4715 and EventID &lt;= 4720)  or  (EventID &gt;= 4722 and EventID &lt;= 4735)  or  (EventID &gt;= 4737 and EventID &lt;= 4764)  or  (EventID &gt;= 4767 and EventID &lt;= 4801)  or EventID=4817 or  (EventID &gt;= 4820 and EventID &lt;= 4824)  or  (EventID &gt;= 4865 and EventID &lt;= 4867)  or  (EventID &gt;= 4907 and EventID &lt;= 4908) )]]</Select>
  </Query>
  <Query Id="2" Path="Security">
    <Select Path="Security">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and ( (EventID &gt;= 4944 and EventID &lt;= 4950)  or EventID=4954 or  (EventID &gt;= 4956 and EventID &lt;= 4958)  or  (EventID &gt;= 4960 and EventID &lt;= 4965)  or  (EventID &gt;= 4976 and EventID &lt;= 4984)  or  (EventID &gt;= 5024 and EventID &lt;= 5049)  or  (EventID &gt;= 5136 and EventID &lt;= 5159)  or  (EventID &gt;= 5451 and EventID &lt;= 5453)  or EventID=5712 or  (EventID &gt;= 6272 and EventID &lt;= 6280)  or EventID=6416 or EventID=7030 or EventID=7045)]]</Select>
    <Select Path="System">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and ( (EventID &gt;= 4944 and EventID &lt;= 4950)  or EventID=4954 or  (EventID &gt;= 4956 and EventID &lt;= 4958)  or  (EventID &gt;= 4960 and EventID &lt;= 4965)  or  (EventID &gt;= 4976 and EventID &lt;= 4984)  or  (EventID &gt;= 5024 and EventID &lt;= 5049)  or  (EventID &gt;= 5136 and EventID &lt;= 5159)  or  (EventID &gt;= 5451 and EventID &lt;= 5453)  or EventID=5712 or  (EventID &gt;= 6272 and EventID &lt;= 6280)  or EventID=6416 or EventID=7030 or EventID=7045)]]</Select>
  </Query>
</QueryList>

And now it works with a single subscription.

Query_Filter_Window

However the query can now no longer be editted on the Filter tab, only in XML.

Error_Cannot_Switch_Filter_Tab

But hey; the events are comming in!

ForwardedEventsReceived

	Brian on kubernetes “volume X alr…
	Rocky on Remove Inaccessible datastore…
	Joe R on kubernetes “volume X alr…
	George Leslie Parker on Remove Inaccessible datastore…
	Angel on The Quest for VMware Horizon V…

vmninja

Category Archives: Windows EventLog Forwarding

Windows Eventlog Forwarding – Error 5004