Windows event forwarding - it is working, but 2-3 hour latency

Daniel Mercourios

Hi,

We have set up a Windows event collector according to this article


We have had it running a couple of years now.

Lately we have noticed that two of our domain controllers are falling a couple of hours behind with their event forwarding to the event collector. It is working, the events are coming in but they are always 2-3 hours behind. We can see fresh events on the DC, just seconds old, but on the event collector the newest events are 2-3 hours old. The other domain controllers are working just fine, the events are coming in right on the second.

This is the config of the subscription.

Subscription Id: DC Audit
SubscriptionType: SourceInitiated
Description:
Enabled: true
Uri: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
ConfigurationMode: Custom
DeliveryMode: Push
DeliveryMaxItems: 1
DeliveryMaxLatencyTime: 15
HeartbeatInterval: 900
Query: <QueryList><Query Id="0" Path="System"><Select Path="System">*</Select></Query><Query Id="2" Path="Security"><Select Path="Security">*</Select></Query></QueryList>
ReadExistingEvents: true
TransportName: HTTP
ContentFormat: Events
Locale: sv-SE
LogFile: WEC-DomainControllers
PublisherName:
AllowedIssuerCAList:
AllowedSubjectList:
DeniedSubjectList:
AllowedSourceDomainComputers: O:NSG:BAD:p(A;;GA;;;DD)S:


In PowerShell, ConvertFrom-SddlString gives me this:

ConvertFrom-SddlString -Sddl "O:NSG:BAD:p(A;;GA;;;DD)S:"

Owner : NT AUTHORITY\NETWORK SERVICE
Group : BUILTIN\Administrators
DiscretionaryAcl : {SCB\Domain Controllers: AccessAllowed (GenericAll)}
SystemAcl : {}
RawDescriptor : System.Security.AccessControl.CommonSecurityDescriptor

We have gone through the typical troubleshooting guides for when event forwarding isn't working at all, such as firewall ports, winrm qc, etc. But in this case it is working, just falling behind.

Any thoughts on this?
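The question above is about a subscription that delivers but lags. An added example, not part of the original post, that measures that lag from the collector side: it uses the subscription and log names from the post ("DC Audit", "WEC-DomainControllers") and assumes the collector and forwarders have reasonably synchronized clocks, since forwarded events keep the source's own TimeCreated.

```powershell
# Added example (not from the original post). Run on the event collector.
# Names below are taken from the post; adjust them for a different subscription.
$subscription = 'DC Audit'
$logName      = 'WEC-DomainControllers'

# 1. Runtime status per source: active/inactive, last error, last heartbeat.
#    A lagging source usually still reports Active here, so step 2 is needed too.
wecutil gr $subscription

# 2. Newest forwarded event per source computer and how far behind "now" it is.
#    Get-WinEvent returns newest events first, so -MaxEvents bounds the scan window.
#    A source that is missing from this output is lagging beyond the window:
#    raise -MaxEvents rather than assuming it is healthy.
$now = Get-Date
Get-WinEvent -LogName $logName -MaxEvents 20000 |
    Group-Object -Property MachineName |
    ForEach-Object {
        $newest = ($_.Group |
            Sort-Object -Property TimeCreated -Descending |
            Select-Object -First 1).TimeCreated
        [pscustomobject]@{
            Computer    = $_.Name
            NewestEvent = $newest
            LagMinutes  = [math]::Round(($now - $newest).TotalMinutes, 1)
        }
    } |
    Sort-Object -Property LagMinutes -Descending |
    Format-Table -AutoSize

# 3. On a lagging forwarder, the client-side forwarding log shows subscription
#    refreshes, delivery errors and retries (run this on the DC, not the collector).
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 20 |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
```

Sources whose LagMinutes is roughly 120 to 180 while others sit near zero reproduce the symptom described in the post; a large negative value instead points at clock skew on that source.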
