Afternoon and thanks for taking the time to read my question!

I am testing WEC and have got it to where the source device sends the logs to my collector, but with some strange behavior. Both the collector and source are running WS19. What I am seeing is that when I configure which Event IDs to monitor instead of collecting all, and there are more than two IDs in the list, the source device shows subscribing to the subscription but then immediately unsubscribes; if it's fewer than three events (1 or 2), it stays subscribed. Now the funny thing is, if I am monitoring for event 4624, which is in the filter for the unsubscribed subscription, it does forward the event. Why would it send if it's not subscribed, and is this normal behavior?

Also, I've learned that if I put more than 22 event IDs in the filter for the subscription, it will not send the events at all. I've had to create four subscriptions to accomplish what I need, as I am collecting 48 events only.

Just trying to figure this out; there don't seem to be a lot of threads out there around this, and I haven't found any MS documentation about how many one can use per subscription.

  • The 22-boolean limit for event IDs in the Windows event query language XPath filter has been known since at least 2009. Known limitation. Commented Sep 6, 2023 at 21:40
  • Thanks, figured it had to be something there. Found one guy saying to combine, but it sounds like that won't work either. Is it normal for the client to report unsubscribed but still forward events? If it is, sounds like I can keep moving forward. Just trying to figure things out before I go to pulling in more clients. Commented Sep 6, 2023 at 22:43
  • Hard to say without seeing the XML and configuration. Commented Sep 7, 2023 at 11:23
  • My preferred approach is to include all events from the target channel and then use suppress statements to tune out the noise. Then keep tuning your subscriptions over time. Commented Sep 7, 2023 at 22:51
  • Cool thought, didn't think about using that approach. Commented Sep 8, 2023 at 18:41
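The select-all-then-Suppress approach suggested in the comments, together with a local dry run of the XPath and the wecutil runtime-status check, as an added PowerShell example. This is not code from the original question, answer or comments. The subscription name "Security-Tuned", the specific Suppress clauses, the 20-IDs-per-Select chunking, the sample ID list and the SDDL are illustrative assumptions; the assumption that the ~22-term limit is per XPath expression (so several short Select elements in one Query stay under it) is exactly what the dry run is there to confirm on your own hosts.

```powershell
# Added example for this thread (not from the original post). Assumptions are marked inline.

# 1. Select everything on the channel, then Suppress the noise (the approach from the comments).
#    The two Suppress clauses are illustrative examples, not a recommended baseline.
$SuppressQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <!-- drop SYSTEM / anonymous logon and logoff events -->
    <Suppress Path="Security">*[System[(EventID=4624 or EventID=4634)]] and *[EventData[Data[@Name='TargetUserName']='SYSTEM' or Data[@Name='TargetUserName']='ANONYMOUS LOGON']]</Suppress>
    <!-- drop 4688 process-creation events for conhost.exe -->
    <Suppress Path="Security">*[System[(EventID=4688)]] and *[EventData[Data[@Name='NewProcessName']='C:\Windows\System32\conhost.exe']]</Suppress>
  </Query>
</QueryList>
"@

# 2. If you must enumerate IDs (e.g. the 48 in the question), keep each <Select> short.
#    Assumption: the ~22-term limit is per XPath expression, so several short <Select>
#    elements inside one <Query> stay under it. Confirm with the dry run in step 3.
function New-EventIdQuery {
    param([int[]]$EventIds, [string]$Channel = 'Security', [int]$PerSelect = 20)
    $selects = for ($i = 0; $i -lt $EventIds.Count; $i += $PerSelect) {
        $chunk = $EventIds[$i..([Math]::Min($i + $PerSelect, $EventIds.Count) - 1)]
        $terms = ($chunk | ForEach-Object { "EventID=$_" }) -join ' or '
        "    <Select Path=`"$Channel`">*[System[($terms)]]</Select>"
    }
    @"
<QueryList>
  <Query Id="0" Path="$Channel">
$($selects -join "`n")
  </Query>
</QueryList>
"@
}

# 3. Dry run on a source host. The Event Log service rejects an over-long or malformed
#    expression here ("The specified query is invalid") before you push it to a subscription.
#    "No events were found" is not a rejection: the query parsed, nothing matched.
function Test-EventQuery {
    param([string]$QueryXml)
    try {
        $hits = @(Get-WinEvent -FilterXml ([xml]$QueryXml) -MaxEvents 50 -ErrorAction Stop)
        "OK: query accepted, $($hits.Count) matching events in the first 50"
    } catch {
        if ($_.Exception.Message -like '*No events were found*') { "OK: query accepted, no matching events" }
        else { "REJECTED: $($_.Exception.Message)" }
    }
}
Test-EventQuery $SuppressQuery
# Sample ID list for illustration only (24 IDs, so it is split into two <Select> elements).
$SampleIds = 1102, 4624, 4625, 4634, 4648, 4672, 4688, 4697, 4719, 4720, 4722, 4724,
             4728, 4732, 4756, 4768, 4769, 4771, 4776, 4798, 4799, 5140, 5145, 7045
Test-EventQuery (New-EventIdQuery -EventIds $SampleIds)

# 4. Wrap the query in a source-initiated subscription and load it on the collector.
#    The SDDL allows Domain Computers to forward; adjust to your environment.
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/02/wsman">
  <SubscriptionId>Security-Tuned</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security channel, all events minus suppressed noise</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
$SuppressQuery
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path "$env:TEMP\Security-Tuned.xml" -Value $SubscriptionXml -Encoding UTF8
wecutil cs "$env:TEMP\Security-Tuned.xml"   # create; use 'wecutil ss' to update an existing one
wecutil gr Security-Tuned                   # runtime status per source: expect "Active", not "Trying"
```

Run steps 1 to 3 on a source machine first (they only read the local log) and step 4 on the collector. The `wecutil gr` output is the place to watch the subscribe/unsubscribe behavior described in the question: a source that keeps flipping back to "Trying" or "Inactive" with an error in the LastError field points at the query or the WinRM transport, not at the event filter matching.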

1 Answer

https://github.com/palantir/windows-event-forwarding/issues/37

That issue references the IPv6 option being disabled; just go into the collector and add the IPv6 option in the registry.
