Share via

I have already configured a Windows Event Forwarding (WEF) server but logs are not arriving.

Md. Nasir Uddin 20 Reputation points
2025-08-19T04:42:27.8366667+00:00

In Active Directory I got this error .

Event id : 105.

The forwarder is having a problem communicating with subscription manager at address http://ADDS-02.mylab.local:5985/wsman/SubscriptionManager/WEC. Error code is 2150859027 and Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859027" Machine="AD01.mylab.local"><f:Message>The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. </f:Message></f:WSManFault>.

And collector server, I didn't get log from AD server.

Windows development | Internet Information Services
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Tom Tran (WICLOUD CORPORATION) 525 Reputation points Microsoft External Staff
    2025-08-19T06:57:25.2466667+00:00

    Hi Md. Nasir Uddin,

    Thanks for sharing the details. Based on the error you provided:

    Event ID: 105 
The forwarder is having a problem communicating with subscription manager at address http://ADDS-02.mylab.local:5985/wsman/SubscriptionManager/WEC. 
Error code: 2150859027 
Message: The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available.

    This means the forwarder cannot reach the Windows Event Collector (WEC) endpoint over WinRM. The error usually occurs when:

    • The collector does not have a proper WinRM listener for HTTP (5985) or HTTPS (5986).
    • The subscription URL in the GPO is incorrect.
    • The Windows Event Collector service is not running.
    • Firewall or GPO is blocking WinRM traffic.

    I managed to find a few solutions:

    Verify WinRM Listener on Collector

    Run this on the collector server:

    winrm enumerate winrm/config/listener
    • You should see an HTTP listener on port 5985 or HTTPS on 5986.
    • If missing, create one:
    winrm quickconfig

    Check WEC Service

    Ensure the Windows Event Collector service is running:

    Get-Service Wecsvc

    If not running:

    Start-Service Wecsvc

    Validate Subscription

    Check if the subscription exists and is active:

    wecutil gs <SubscriptionName>

    Test Connectivity from Forwarder

    On the forwarder (AD server):

    winrm id -r:http://ADDS-02.mylab.local:5985
    • If this fails, the issue is network/firewall or listener configuration.

    Firewall & GPO

    • Enable Windows Remote Management (HTTP-In) rule on the collector.
    • If using HTTPS, ensure the certificate is valid and trusted.
    • Confirm the GPO for WEF is applied:
    gpresult /r

    Restart Services

    After fixing configuration:

    Restart-Service Wecsvc

    The error occurs because the forwarder cannot reach the WEC endpoint over WinRM. By ensuring:

    • WinRM listener exists,
    • WEC service is running,
    • Firewall allows traffic,
    • Subscription URL is correct,

    you restore communication between forwarder and collector.

    For more detail, you can check these links out when you have the time:

    I know this is a lot of steps but please do try them out when you get the chance.

    Let me know if you still see Event ID 105 after these steps or if logs start arriving at the collector.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.