Score:0

Windows Event Collector receiving TCP connections but no logs


I have recently built a new WEC (Windows Event Collector). The subscription has been created, and the WEC has been added to the Group Policy which defines Windows Event Collectors.

The computers are definitely talking to the WEC, as I can see a lot of inbound TCP connections on port 5985. The logs I am trying to forward are Sysmon logs. They were previously being collected by another WEC, but I am trying to split them out to the new WEC because a single WEC was not handling the sheer amount of traffic. The Sysmon logs were definitely being seen on the old WEC without issue, and the old WEC continues to collect all logs (except Sysmon, which I have removed from that collection configuration).

I am not sure what would cause the endpoints to establish a TCP connection with the server on the correct port (indicating a correct configuration), but then not forward the logs as they are supposed to. Any help would be deeply appreciated.

Thanks

Skye

Are these source or collector initiated? If there are no events collected at all, there is likely a permission/configuration problem on the collector. You may want to start with this guide: https://learn.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem
This guide has information on configuring WinRM for the collector: https://learn.microsoft.com/en-us/archive/blogs/jonjor/winrm-windows-remote-management-troubleshooting
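The checks the two comments above point at (source- vs collector-initiated, collector permissions/configuration, WinRM on the collector) can be scripted. The following PowerShell is an added example, not part of the original thread or either linked guide; the subscription name `Sysmon`, the collector FQDN `wec02.corp.example` and the channel name are assumptions and should be replaced with your own values. Run it as an administrator on the new collector (it runs the collector checks) or on a forwarding endpoint (it runs the source checks, e.g. via `Invoke-Command`).

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original thread). Diagnoses a source-initiated
  WEF subscription that receives TCP connections on 5985 but no events.
  Assumed, hypothetical names: subscription 'Sysmon', collector
  'wec02.corp.example'. Substitute your own.
#>
param(
    [string]$Subscription = 'Sysmon',
    [string]$Collector    = 'wec02.corp.example',
    [string]$Channel      = 'Microsoft-Windows-Sysmon/Operational'
)

function Test-WecCollector {
    param([string]$Subscription)

    # The subscription manager URL the clients hit is served by WinRM, and the
    # events are accepted by the Windows Event Collector service (Wecsvc).
    Get-Service Wecsvc, WinRM | Format-Table Name, Status -AutoSize
    winrm enumerate winrm/config/listener

    if (-not (wecutil es | Select-String -SimpleMatch $Subscription)) {
        Write-Warning "Subscription '$Subscription' not found on this collector (wecutil es)"
        return
    }

    # Subscription definition: confirm SubscriptionType (SourceInitiated vs
    # CollectorInitiated), that the query names the Sysmon channel, and that
    # AllowedSourceDomainComputers covers the endpoints. Clients outside that
    # SDDL still open a TCP connection but are refused.
    wecutil gs $Subscription

    # Runtime status lists every source that has registered and its last error.
    # No sources listed  -> clients never registered (GPO, WinRM or firewall).
    # Non-zero LastError -> they registered but delivery is failing.
    $status = wecutil gr $Subscription 2>&1
    $status
    $failed = $status | Select-String 'LastError:' |
              Where-Object { $_.Line -notmatch 'LastError:\s*0\s*$' }
    if ($failed) { Write-Warning ("Sources reporting errors:`n" + ($failed -join "`n")) }

    # Collector-side errors (subscription ACL, query problems, etc.).
    Get-WinEvent -LogName 'Microsoft-Windows-EventCollector/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object Level -le 3 | Format-Table TimeCreated, Id, Message -Wrap

    # Anything arriving at all? Assumes the default destination log.
    $recent = Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue
    "Events in ForwardedEvents (last 5): $(@($recent).Count)"
}

function Test-WefSource {
    param([string]$Collector, [string]$Channel)

    # The 'Configure target Subscription Manager' policy must name the NEW collector.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $managers = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PSObject.Properties |
                Where-Object Name -match '^\d+$' | Select-Object -ExpandProperty Value
    $managers
    if (-not ($managers -match [regex]::Escape($Collector))) {
        Write-Warning "No SubscriptionManager entry points at $Collector (run gpupdate /force and re-check)"
    }

    # Can this host reach the collector's WinRM listener? Use 5986/-UseSSL if the
    # manager URL is https.
    Test-WSMan -ComputerName $Collector -Port 5985 -ErrorAction Continue

    # The forwarder runs as NETWORK SERVICE (S-1-5-20, SDDL alias NS) and needs
    # read (0x1) on the channel. Sysmon's channel does not grant it by default.
    $sddl = (wevtutil gl $Channel | Select-String 'channelAccess:').Line
    $sddl
    if ($sddl -notmatch '\(A;;[^;]*;;;(S-1-5-20|NS)\)') {
        Write-Warning ("NETWORK SERVICE has no ACE on $Channel. Grant read with:`n" +
            "wevtutil sl `"$Channel`" /ca:`"O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-20)`"")
    }

    # The client-side plug-in logs why a subscription was rejected or why
    # delivery to the collector fails.
    Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object Level -le 3 | Format-Table TimeCreated, Id, Message -Wrap
}

if ($env:COMPUTERNAME -eq ($Collector -split '\.')[0]) {
    Test-WecCollector -Subscription $Subscription
} else {
    Test-WefSource -Collector $Collector -Channel $Channel
}
```

Because the old collector was already reading the Sysmon channel from these endpoints, the channel ACL check on the source is mostly a regression check; the first thing to read is `wecutil gr` on the new collector, which distinguishes "clients never registered" (policy, listener or firewall) from "clients registered but every delivery fails" (subscription SDDL, query or destination log on the collector).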