Event ID 4 — Event Subscription Activation

Applies To: Windows Server 2008

Each event subscription can deliver events from multiple sources. Each subscription may also have an expiration date. When a subscription is activated and the subscription expiration date is still in the future, the subscription will attempt to receive events by connecting to the remote sources. As long as the subscription can connect to at least one source, it becomes active.

Event Details

Product: Windows Operating System
ID: 4
Source: Microsoft-Windows-EventCollector
Version: 6.0
Symbolic Name: EVTCOLL_SUBSCRIPTION_FIRSTFAILURE
Message: The Subscription %1 could not be activated on target machine %2 due to communication error. Error Code is %3. The subscription will be in retrying state until the subscription becomes active or all retries have been performed. Additional fault message:%4

Resolve

Reactivate the event subscription

Use the Event Viewer to read the System log.

If an event with an identifier equal to 3 is found, then the subscription has expired. This is a normal condition. The subscription should be deleted if it is no longer required, or a new expiration date must be set using the following command from a command prompt run with administrator privileges:

wecutil ss SubscriptionID /ex: new expiration /e

In the previous command, the SubscriptionID is the name of the subscription. The new expiration specifies the new expiration date of the subscription.

If an event with an identifier equal to 4 is found in the System log, then reactivate the event subscription to resolve the problem. The Event Collector service publishes an event with an identifier equal to 4 when all of the event sources of the subscription become inactive. After this occurs, the subscription tries to reconnect to all the sources. If the retries to connect to the sources fail, you can activate each event source separately by ensuring that the event source computers have started, setting the correct credentials to connect to each source computer, and if needed, restoring the WS-Management connection to each source.

The Event Collector service publishes event 2 after all retries to connect to the event sources are exhausted, in which case the subscription becomes inactive. After issues with all sources are resolved, enter the following command from a command prompt that is run with administrator privileges (right-click the command prompt executable and select Run as administrator) to reactivate the subscription:

wecutil ss SubscriptionID /e

In the previous command, the SubscriptionID parameter is the name of the subscription you want to reactivate.

Verify

Use the Event Viewer to check the System log for an event with an identifier equal to 5. This event indicates that a subscription has been activated.

In addition, enter the following command from a command prompt that is run with administrator privileges (right-click the command prompt executable and select Run as administrator):

wecutil gr Subscription ID

In the previous command, the SubscriptionID is the name of the subscription for which the problem belongs. The command will provide information about the subscription status and will display the activation status of the source. Verify that the subscription is active.

Event Subscription Activation

Management Infrastructure