windows event log forwarding permission
A restart is needed because WinRM is run inside an existing svchost process.
If we run Sc config WinRM type= own and restart WinRm service it will create a new svchost process and a restart can be avoided.
Related videos on Youtube
![How to Set up Windows Event Log Forwarding [Step-by-Step]](https://i.ytimg.com/vi/urRWkyzRI78/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLBoCx5v8X3PgWjOZkeWm_rN0OeYwA)
05 : 45
08 : 00
05 : 30
28 : 59
01 : 28
yoni
Updated on September 18, 2022Comments
-
yoni over 1 year
I am trying to set up an event log collector server in a Domain.
I flowed the steps described here: http://zenshaze.com/wp/?p=57
I have added the NETWORK SERVICE to the Event Log Readers group to allow WinRM to read the event logs. In the source computer I am getting the following error in the Applications and Services Logs -> Microsoft -> Eventlog-ForwardingPlugin logs "The subscription name can not be created. The error code is 5004."
I tried restarting the WinRM services, that didn't help.
In the link it states that this error occurs because NETWORK SERVICE was not in the Event Log Readers group when the computer was started and a reboot should fix it, but I would like to avoid reboot because that means rebooting my DC as well. What can I do?