Events logs are not collected but event collection subscriptions are active


A Windows Server 2008 R2 server is configured to collect Windows Event Logs, via a source initiated event subscription.

The subscription appears to be active but no events are collected.

subscriptions section of windows event viewer showing active subscriptions

On the client Microsoft-Windows-Eventlog-ForwardingPlugin/Operational has errors with event ID 105 like the following:

The forwarder is having a problem communicating with subscription manager at address http://<server name>:5985/wsman/SubscriptionManager/WEC. Error code is 2150859027 and Error Message is The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. .

and

The forwarder is having a problem communicating with subscription manager at address http://<server name>:5985/wsman/SubscriptionManager/WEC. Error code is 1311 and Error Message is WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using Kerberos authentication: We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential. Possible causes are: -The user name or password specified are invalid. -Kerberos is used when no authentication method and no user name are specified. -Kerberos accepts domain user names, but not local user names. -The Service Principal Name (SPN) for the remote computer name and port does not exist. -The client and remote computers are in different domains and there is no trust between the two domains. After checking for the above issues, try the following: -Check the Event Viewer for events related to authentication. -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated. -For more information about WinRM configuration, run the following command: winrm help config. .

and

The forwarder is having a problem communicating with subscription manager at address http://<server name>:5985/wsman/SubscriptionManager/WEC. Error code is 2150858770 and Error Message is The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". .

windows-event-log
winrm
asked on Server Fault Oct 12, 2017 by Fowl

1 Answer


The problem is the collector is returning an incorrect hostname for the events to be sent.

This appeared to be caused by an 127.0.0.1 entry in the hosts file on the collector server for a hostname where the server was not accessible.

Resolution: add 127.0.0.1 localhost to the beginning of the file.

Here you can see the correct value being returned after the fix in Microsoft-Windows-Windows Remote Management/Analytic:

Event log entry with relevant field highlighted

answered on Server Fault Oct 12, 2017 by Fowl
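An added PowerShell check for the condition described in the answer (example code, not part of the original question or answer): it parses the collector's hosts file to find which name the first 127.0.0.1 entry maps to, compares that with what the resolver actually returns for 127.0.0.1, and, on a forwarder, pulls the recent event ID 105 entries so the subscription manager address and error code can be read at a glance. It assumes the hosts file is at the standard path and that the resolver consults it for reverse lookups of 127.0.0.1, which is what the answer describes.

```powershell
# Added example, not from the original post. Run on the collector (hosts check)
# and on a forwarder (event 105 check); each part is independent.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Parse the hosts file: drop comments and blank lines, split into address + names.
$entries = Get-Content $hostsPath | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()
    if ($line) {
        $parts = $line -split '\s+'
        if ($parts.Count -ge 2) {
            [pscustomobject]@{ Address = $parts[0]; Names = @($parts | Select-Object -Skip 1) }
        }
    }
}

# The first 127.0.0.1 entry is the one a reverse lookup of the loopback address
# returns; if it is not localhost, that name is what forwarders get told to use.
$firstLoopback = $entries | Where-Object { $_.Address -eq '127.0.0.1' } | Select-Object -First 1
if ($firstLoopback -and @($firstLoopback.Names)[0] -ne 'localhost') {
    Write-Warning ("First 127.0.0.1 entry in hosts maps to '{0}', not localhost; " +
                   "the collector may hand this name to forwarders." -f @($firstLoopback.Names)[0])
} else {
    Write-Host 'hosts file: first 127.0.0.1 entry is localhost (or no entry present).'
}

# Cross-check: what does this machine actually resolve 127.0.0.1 to?
$reverse = [System.Net.Dns]::GetHostEntry('127.0.0.1').HostName
Write-Host "Reverse lookup of 127.0.0.1 returns: $reverse"

# On a forwarder: summarise recent event 105 errors from the forwarding plugin log,
# extracting the subscription manager address and numeric error code from the message.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'; Id = 105 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Address   = [regex]::Match($m, 'at address (\S+)\.').Groups[1].Value
            ErrorCode = [regex]::Match($m, 'Error code is (\d+)').Groups[1].Value
        }
    } | Format-Table -AutoSize
```

If the warning fires and the reverse lookup returns the same non-localhost name, the fix in the answer (a `127.0.0.1 localhost` line at the top of the hosts file) applies; the error codes 2150859027, 1311 and 2150858770 seen in the question should stop appearing in the forwarder's log once the collector returns a reachable name.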

User contributions licensed under CC BY-SA 3.0