Score:1

Two systems not showing in Windows Event Collector

cn flag

I built a Windows Event Collector for the first time in our domain. The Collector server is Windows Server 2022. All the systems forwarding to it are Server 2019. The subscription is specifically for AppLocker logs (I plan to expand this in the future, but this is where I started). The collection is source initiated. I have 11 systems showing up in the source computers under the subscriptions, and confirm 11 systems when I run "wecutil gr <subscription_name>". I have two computers that are not showing up that I feel should be. On server1, I log in and in the Eventlog-ForwardingPlugin log, it shows event 104 - The forwarder has successfully connected... But server1 isn't listed in the wecutil output. Server1 does have recent AppLocker events that should be forwarding. There are no recent errors in the Windows Remote Management log on Server1 either. Not sure why it isn't listed.

The second server is the server running WEC. I want it to also put its AppLocker logs in the forwarded events (so I can query all AppLocker events in one place). In this server's Eventlog-ForwardingPlugin log, it shows event 105 with error code 2150859027. Searching this shows a change to make to the WSMAN URL ACL, which I've done twice. And I don't think all the other systems would connect normally if that was a problem still.

Any help is greatly appreciated.

Score:0
us flag

You're going to want to verify in the Eventlog-forwardingPlugin/Operational log of the WEF client you see an event indicating the client created the subscription successfully (Event ID 100), and no further Event ID 103 unsubscribe events. If the Event Forwarding target subscription manager was deployed with Group Policy, then running gpupdate /force on the WEF client will cause the system to re-evaluate the event subscriptions and you should see new events appear in the Eventlog-forwardingPlugin/Operational log. This is handy for verifying changes you made without waiting for the normal check-in cycle to initiate.

You'll also want to confirm the NETWORK SERVICE account is in the local Event Log Readers group of the client. It is preferred to deploy this using a Group Policy Preference to your WEF clients. For Domain Controllers, the NETWORK SERVICE account would need to be added to the "Builtin/Event Log Readers" domain group. This is the account used to read and send events to the Windows Event Collector server. Another troubleshooting step is to use the wevtutil.exe utility to confirm the Network Service account has channel access to your logs you intend to collect (ex. wevtutil get-log security).

The client will connect to the WEC server and then apply any subscriptions you have given it access to. Verify the subscription permissions include this client or a group the client is a member of. If the client was recently added to this group, then reboot it to refresh its Kerberos token. I have seen clients fail to stay subscribed in some cases, and they would immediately unsubscribe for no apparent reason. Deleting the client's bookmark registry key on the WEC server resolved this. The key can be found at "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions\<subscription name>\EventSources" on the WEC server.

This page covers the entire process for setting up event forwarding and provides more information you'll be able to use when taking Event Forwarding to the next level:

https://learn.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection

Here is another good resource with step-by-step instructions for setting up a source computer initiated subscription.

https://adamtheautomator.com/windows-event-collector/

Regarding your second issue of the WEC server not forwarding events for itself, there is an open issue on this posted to the palantir GitHub repository:

https://github.com/palantir/windows-event-forwarding/issues/37
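The checks listed in this answer, collected into an added PowerShell script (this is not the answerer's code or from any project): run it elevated on a forwarding client, or on the collector when it forwards its own logs. It assumes the subscription manager URL is delivered by Group Policy.

```powershell
# Added example, not from the thread: quick WEF client health check.
# Assumes the collector URL is pushed by Group Policy; run as administrator.

$subMgrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$fwdLog    = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'

# 1. Collector URL(s) delivered by policy (values are named 1, 2, ...)
if (Test-Path $subMgrKey) {
    (Get-ItemProperty $subMgrKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { Write-Host "SubscriptionManager: $($_.Value)" }
} else {
    Write-Warning 'No SubscriptionManager policy key; this client has no collector to contact.'
}

# 2. NETWORK SERVICE (S-1-5-20) reads and sends the events, normally through
#    membership in the local Event Log Readers group (S-1-5-32-573).
#    On a Domain Controller the Builtin domain group applies instead, so this lookup may fail there.
$members = Get-LocalGroupMember -SID 'S-1-5-32-573' -ErrorAction SilentlyContinue
if ($members.SID.Value -contains 'S-1-5-20') {
    Write-Host 'NETWORK SERVICE is a member of Event Log Readers.'
} else {
    Write-Warning 'NETWORK SERVICE is not in Event Log Readers; add it (Group Policy Preference or net localgroup).'
}

# 3. Recent forwarding plugin events: 100 = subscription created, 103 = unsubscribed,
#    104 = connected to the collector, 105 = error reported while subscribing (carries an error code).
$events = Get-WinEvent -FilterHashtable @{ LogName = $fwdLog; StartTime = (Get-Date).AddDays(-1) } `
          -ErrorAction SilentlyContinue
$events | Where-Object { $_.Id -in 100, 103, 104, 105, 106 } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

if (-not ($events | Where-Object Id -eq 100)) {
    Write-Warning "No Event 100 in the last day: no subscription was created. Run 'gpupdate /force' and re-check."
}
```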

user3271408 (cn flag): Thank you for the response. I'll look into this more as soon as I can.
us flag
Were you able to resolve your event forwarding issue?
user3271408 (cn flag): I haven't gone back to it. Work changes priorities like some people change clothes :)
user3271408 (cn flag): On the WEC system, I do not have any Event 100 entries in Eventlog-ForwardingPlugin/Operational. I have many Event ID 105 and 106 entries. I also did not have the NETWORK SERVICE account in "Event Log Readers", so I added that via GPO, did a gpupdate /force and rebooted, and still have the same situation. Using wevtutil get-log to check the permissions on the AppLocker event log, I do not have the Network Service account there, but it is also missing on a system that is successfully sending its logs.
user3271408 (cn flag): For Server1 in my original post, that has been fixed. It still shows Event IDs 100 and 104 in the Eventlog-ForwardingPlugin log. The system is now listed when I use "wecutil gr <subscription_name>" on the WEC. I also took your suggestion of deleting the registry entry for this one system, so maybe that's what fixed it.
us flag
You need to update the log SDDL permissions to give NETWORK SERVICE access. Or make sure it is nested in the local event log readers group and confirm that group has access. Unfortunately the SDDL permissions are not very user friendly, but I have faith in your abilities here ;)
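Following up on the SDDL point, as an added example that is not the commenter's own script: it reads the channelAccess SDDL of one AppLocker channel with wevtutil, checks whether NETWORK SERVICE (S-1-5-20) or Event Log Readers (S-1-5-32-573) holds channel read access (mask bit 0x1), and appends a read ACE for NETWORK SERVICE only when neither does. It assumes the "EXE and DLL" AppLocker channel; group membership itself is checked separately.

```powershell
# Added example, not from the thread: inspect and, if needed, extend a channel's access SDDL.
# Run as administrator on the machine whose AppLocker log is not being forwarded.
# The Security log's channelAccess is policy-managed; change that one through GPO, not here.

$channel = 'Microsoft-Windows-AppLocker/EXE and DLL'   # other AppLocker channels follow the same pattern
$principals = [ordered]@{ 'S-1-5-20' = 'NETWORK SERVICE'; 'S-1-5-32-573' = 'BUILTIN\Event Log Readers' }

function Get-ChannelSddl([string]$Name) {
    # 'wevtutil gl' prints a line such as: channelAccess: O:BAG:SYD:(A;;0x1;;;BA)...
    $line = wevtutil gl $Name | Where-Object { $_ -match '^\s*channelAccess:' }
    if (-not $line) { throw "No channelAccess line returned for '$Name'" }
    ($line -replace '^\s*channelAccess:\s*', '').Trim()
}

function Test-ReadAce([string]$Sddl, [string]$Sid) {
    # Access-allowed ACEs with a hex mask, e.g. (A;;0x1;;;S-1-5-20); bit 0x1 is channel read.
    # ACEs written with generic rights letters (GA, GR) are not matched by this pattern.
    foreach ($m in [regex]::Matches($Sddl, '\(A;;(0x[0-9A-Fa-f]+);;;([^)]+)\)')) {
        if ($m.Groups[2].Value -eq $Sid -and (([long]$m.Groups[1].Value) -band 1)) { return $true }
    }
    return $false
}

$sddl = Get-ChannelSddl $channel
Write-Host "Current SDDL for '$channel':`n  $sddl"

$canRead = $false
foreach ($sid in $principals.Keys) {
    $ok = Test-ReadAce $sddl $sid
    Write-Host ('  {0,-26} {1,-14} {2}' -f $principals[$sid], $sid, $(if ($ok) { 'read: yes' } else { 'read: NO' }))
    if ($ok) { $canRead = $true }
}

if (-not $canRead) {
    $ace = '(A;;0x1;;;S-1-5-20)'
    # Keep the new ACE inside the DACL: insert it before the SACL marker ("S:") when one is present.
    $newSddl = if ($sddl -match 'S:') { $sddl -replace 'S:', "${ace}S:" } else { $sddl + $ace }
    Write-Host "Granting NETWORK SERVICE read on '$channel':`n  $newSddl"
    wevtutil sl $channel "/ca:$newSddl"
}
```

If Event Log Readers already shows "read: yes", the fix is to put NETWORK SERVICE in that group rather than to edit the SDDL.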