Microsoft-Windows-Forwarding

8 events across 1 channel

Event ID	Title	Channel
100	The subscription %1 is created successfully.	Operational
101	The subscription %1 is created, but one or more channels in the query could not …	Operational
102	The subscription %1 can not be created.	Operational
103	The subscription %1 is unsubscribed.	Operational
104	The forwarder has successfully connected to the subscription manager at address …	Operational
105	The forwarder is having a problem communicating with subscription manager at …	Operational
106	Subscription policy has changed.	Operational
107	A subscription policy contains invalid configuration.	Operational

Event ID 100 — The subscription %1 is created successfully.

Provider: Microsoft-Windows-Forwarding
Channel: Operational

Message

The subscription %1 is created successfully.

Fields

Name	Description
`Id`	—
`Query`	—

Event ID 101 — The subscription %1 is created, but one or more channels in the query could not be read at this time.

Provider: Microsoft-Windows-Forwarding
Channel: Operational

Message

The subscription %1 is created, but one or more channels in the query could not be read at this time.

Fields

Name	Description
`Id`	—
`Query`	—
`Status`	—

Event ID 102 — The subscription %1 can not be created.

Provider: Microsoft-Windows-Forwarding
Channel: Operational

Message

The subscription %1 can not be created. The error code is %3.

Fields

Name	Description
`Id`	—
`Query`	—
`ErrorCode`	—

Event ID 103 — The subscription %1 is unsubscribed.

Provider: Microsoft-Windows-Forwarding
Channel: Operational

Message

The subscription %1 is unsubscribed.

Fields

Name	Description
`Id`	—

Event ID 104 — The forwarder has successfully connected to the subscription manager at address %1.

Provider: Microsoft-Windows-Forwarding
Channel: Operational

Message

The forwarder has successfully connected to the subscription manager at address %1.

Fields

Name	Description
`SubscriptionManagerAddress`	—
`ErrorCode`	—
`ErrorMessage`	—

Event ID 105 — The forwarder is having a problem communicating with subscription manager at address %1.

Provider: Microsoft-Windows-Forwarding
Channel: Operational

Message

The forwarder is having a problem communicating with subscription manager at address %1.  Error code is %2 and Error Message is %3.

Fields

Name	Description
`SubscriptionManagerAddress`	—
`ErrorCode`	—
`ErrorMessage`	—

Event ID 106 — Subscription policy has changed.

Provider: Microsoft-Windows-Forwarding
Channel: Operational
Level: 4
Samples: 1

Message

Subscription policy has changed.  Forwarder is adjusting its subscriptions according to the subscription manager(s) in the updated policy.

Fields

Name	Description
`Name`	—

Example Event

system:
  provider: Microsoft-Windows-Forwarding
  guid: 699E309C-E782-4400-98C8-E21D162D7B7B
  event_source_name: ''
  event_id: 106
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:34:38.286788+00:00'
  event_record_id: 7
  correlation:
    ActivityID: E0AAB88C-4A9F-0001-35B9-AAE09F4AD801
  execution:
    process_id: 2416
    thread_id: 1084
  channel: Microsoft-Windows-Forwarding/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-20
event_data:
  Name: SubscriptionPolicyChanged
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 107 — A subscription policy contains invalid configuration.

Provider: Microsoft-Windows-Forwarding
Channel: Operational

Message

A subscription policy contains invalid configuration.  Description of policy is %1.

Fields

Name	Description
`PolicyDescription`	—