question

0 Votes
JonathanJacquotot-3025 asked CarlFan-MSFT answered

Eventlog-Forwarding ERROR with HTTPS

Hello

I have 2 servers:

  • Collector who is in a domain

  • Forwarder that is outside the domain (standard workgroup)

On my collector
I created a certificate in Certificates (Local Computer > Personal > Certificates)

76794-screenshot664.jpg

I configured WinRM over HTTPS with my Certificate Thumbprint

76795-screenshot665.jpg

At the end, I configured my Subscription

76714-screenshot668.jpg
76797-screenshot669.jpg
76725-screenshot670.jpg

On my forwarder I've configured the target

76802-screenshot666.jpg

Server=https://HOSTNAME.DOMAIN:5986/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA=Certificat Thumbprint

When I apply the changes I get this error message on Forwarder side

76782-screenshot667.jpg

Can you help me?

Thank you

Jonathan


windows-server-security
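The following is an added PowerShell example, not code from the original post or from Microsoft, that runs the forwarder-side checks implied by the configuration string in the question: it parses the SubscriptionManager value, confirms that the IssuerCA thumbprint belongs to a CA certificate the forwarder trusts, that the forwarder holds a machine certificate with the Client Authentication EKU chaining to that CA, that the collector's HTTPS port is reachable, and then shows the most recent errors from the forwarding plugin log. The collector FQDN and the thumbprint are placeholders.

```powershell
# Added example: forwarder-side sanity checks for a source-initiated WEF subscription over HTTPS.
# Placeholder values; replace with the collector FQDN and the thumbprint of the CA that issued
# the forwarder's client certificate (that is what IssuerCA expects, not the server certificate).
$SubscriptionManager = 'Server=https://COLLECTOR.DOMAIN.LOCAL:5986/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA=0000000000000000000000000000000000000000'

# Parse the comma-separated key=value list into a hashtable.
$cfg = @{}
foreach ($pair in $SubscriptionManager -split ',') {
    $k, $v = $pair -split '=', 2
    $cfg[$k.Trim()] = $v.Trim()
}
$uri = [uri]$cfg['Server']
Write-Host "Collector: $($uri.Host):$($uri.Port) over $($uri.Scheme)"

# 1. The IssuerCA thumbprint must be a CA certificate present in the machine Root or CA store.
$issuer = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object Thumbprint -eq $cfg['IssuerCA']
if (-not $issuer) {
    Write-Warning "No CA certificate with thumbprint $($cfg['IssuerCA']) in the Root or CA store."
} else {
    Write-Host "Issuing CA found: $($issuer.Subject)"
}

# 2. The forwarder needs a machine certificate with a private key and the
#    Client Authentication EKU (1.3.6.1.5.5.7.3.2) whose chain contains that CA.
$clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
} | Where-Object {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($_)
    $chain.ChainElements.Certificate.Thumbprint -contains $cfg['IssuerCA']
} | Select-Object -First 1
if ($clientCert) {
    Write-Host "Client certificate: $($clientCert.Subject) ($($clientCert.Thumbprint))"
} else {
    Write-Warning 'No client-authentication certificate chaining to the IssuerCA was found in LocalMachine\My.'
}

# 3. The collector's WinRM HTTPS port must be reachable from the forwarder.
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { Write-Warning "TCP $($uri.Port) on $($uri.Host) is not reachable." }

# 4. The policy value the forwarder actually uses (set through GPO or local policy, read here only).
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager' -ErrorAction SilentlyContinue

# 5. Most recent errors from the forwarding plugin, which is where the error in the question is logged.
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object LevelDisplayName -eq 'Error' | Select-Object -First 5 | Format-List TimeCreated, Id, Message
```

Run it in an elevated PowerShell session on the forwarder after `gpupdate /force`; a warning from step 1 or 2 means the certificate side of the setup is incomplete regardless of what the collector reports.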

0 Votes
CarlFan-MSFT answered

Hi,
Have you removed IssuerCA=<Thumb print of the client authentication certificate> from event forwarding policy?
If you remove "IssuerCA=<Thumb print of the client authentication certificate>" it will work with Kerberos, not with HTTPS.
Meanwhile, please refer to the information below:
Why do I receive error 2150858882 when manually configuring Windows Event Collector
https://success.alienvault.com/s/article/error-2150858882-when-manually-configuring-Windows-Event-Collector
Also I consider that you could check if the collector is returning an incorrect hostname for the events to be sent.
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl


0 Votes
JonathanJacquotot-3025 answered JonathanJacquotot-3025 edited

Hi @CarlFan-MSFT

When I changed the subscription on the Collector side from HTTPS to HTTP and removed the certificate on the Forwarder side like this:
Server=http://HOSTNAME.DOMAIN:5985/wsman/SubscriptionManager/WEC,Refresh=60

I get this error message from the Forwarder side
77058-screenshot673.jpg

On Collector side WINRM has been configured like this
77179-screenshot679.jpg
77141-screenshot674.jpg
77060-screenshot675.jpg
77134-screenshot676.jpg
77070-screenshot677.jpg

Thank you for your help
Jonathan




0 Votes
JonathanJacquotot-3025 answered

Hello,

No one to help me

Jonathan


0 Votes
CarlFan-MSFT answered

Hi Jonathan,
Thank you for your posting.
I'm sorry to see your message when I just came back from vacation.
I consider that we could still check your configuration steps.
Setting up a source initiated subscription where the event sources are not in the same domain as the event collector computer
https://docs.microsoft.com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription
As far as I know, if you configure a subscription to use the HTTPS protocol by using the HTTPS option in Advanced Subscription Settings, you must also set corresponding Windows Firewall exceptions for port 443.
Install a certificate for the server along with its private key. This can easily be done using an Enterprise CA in AD.
The signing CA of the server certificate must be trusted by the forwarder computers.
Make sure permissions on the private key allow WinRM to access it.
Create a firewall exception rule to allow data over port 5986.
You may have to run "winrm qc -transport:https". This would have to be run after the cert is installed and configured.
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl

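The checklist in the answer above can be verified on the collector with the following added PowerShell example (not code from the original thread or from Microsoft). It locates the WinRM HTTPS listener and its certificate, checks that the certificate carries the collector's FQDN and the Server Authentication EKU, that NETWORK SERVICE (the account WinRM runs as) can read the private key file, that an enabled inbound firewall rule covers port 5986, and then prints the subscription's runtime status. The collector FQDN and subscription name are placeholders, and the private-key lookup assumes an RSA key stored by CAPI or CNG.

```powershell
# Added example: collector-side verification of a WEF subscription served over WinRM HTTPS.
# Placeholder values; the subscription name must match the one created in Event Viewer.
$CollectorFqdn    = 'COLLECTOR.DOMAIN.LOCAL'
$SubscriptionName = 'WEC'

# 1. An HTTPS listener must exist; the WSMan provider exposes each listener as a directory
#    whose child items carry the CertificateThumbprint and Hostname properties.
$listener = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1
if (-not $listener) {
    Write-Warning 'No WinRM HTTPS listener. After the certificate is installed, run: winrm qc -transport:https'
    return
}
$props = Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)"
$thumb = ($props | Where-Object Name -eq 'CertificateThumbprint').Value -replace '\s', ''
Write-Host "HTTPS listener bound to certificate $thumb (Hostname = $(($props | Where-Object Name -eq 'Hostname').Value))"

# 2. The certificate must be in LocalMachine\My with a private key, name the collector's FQDN
#    (forwarders validate the host name, so a mismatch fails the TLS handshake) and carry the
#    Server Authentication EKU (1.3.6.1.5.5.7.3.1).
$cert = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
if (-not $cert) { Write-Warning "Certificate $thumb is not in LocalMachine\My."; return }
if (-not $cert.HasPrivateKey) { Write-Warning 'Listener certificate has no private key.' }
if ($cert.DnsNameList.Unicode -notcontains $CollectorFqdn) {
    Write-Warning "Certificate names $($cert.DnsNameList.Unicode -join ', '), not $CollectorFqdn."
}
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
    Write-Warning 'Certificate lacks the Server Authentication EKU.'
}

# 3. WinRM runs as NETWORK SERVICE, which needs read access to the private key file.
#    Assumes an RSA key; CAPI keys expose a container name, CNG keys a unique name.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
           else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName -ErrorAction SilentlyContinue | Select-Object -First 1
if ($keyFile) {
    $acl = (Get-Acl $keyFile.FullName).Access | Where-Object IdentityReference -like '*NETWORK SERVICE*'
    if ($acl) { Write-Host "NETWORK SERVICE has $($acl.FileSystemRights -join ', ') on the private key." }
    else      { Write-Warning "NETWORK SERVICE has no ACE on $($keyFile.FullName); grant Read via certlm.msc > Manage Private Keys." }
} else {
    Write-Warning 'Private key file not found under ProgramData\Microsoft\Crypto (non-RSA or HSM-backed key?).'
}

# 4. An enabled inbound firewall rule must allow TCP 5986.
$rule = Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 5986 -and $_.Protocol -eq 'TCP' } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
if ($rule) { Write-Host "Firewall rule(s) for 5986: $($rule.DisplayName -join ', ')" }
else       { Write-Warning 'No enabled inbound firewall rule for TCP 5986.' }

# 5. Subscription configuration and runtime status, including the last error per source.
wecutil gs $SubscriptionName
wecutil gr $SubscriptionName
```

Run it elevated on the collector; the `wecutil gr` output at the end lists each event source with its last heartbeat and error, which is the quickest way to see whether a forwarder that passed the client-side checks has actually registered.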