Microsoft-Windows-Forwarding

8 events across 1 channel

Event ID	Title	Channel
100	The subscription Id is created successfully.	Operational
101	The subscription Id is created, but one or more channels in the query could not …	Operational
102	The subscription Id can not be created.	Operational
103	The subscription Id is unsubscribed.	Operational
104	The forwarder has successfully connected to the subscription manager at address …	Operational
105	The forwarder is having a problem communicating with subscription manager at …	Operational
106	Subscription policy has changed.	Operational
107	A subscription policy contains invalid configuration.	Operational

Event ID 100 — The subscription Id is created successfully.

Provider: Microsoft-Windows-Forwarding
Channel: Operational

Description

The subscription Id is created successfully.

Message #

The subscription %1 is created successfully.

Fields #

Name	Description
`Id` UnicodeString	—
`Query` UnicodeString	—

Event ID 101 — The subscription Id is created, but one or more channels in the query could not be read at this time.

Provider: Microsoft-Windows-Forwarding
Channel: Operational

Description

The subscription Id is created, but one or more channels in the query could not be read at this time.

Message #

The subscription %1 is created, but one or more channels in the query could not be read at this time.

Fields #

Name	Description
`Id` UnicodeString	—
`Query` UnicodeString	—
`Status` UnicodeString	— NTSTATUS reference

Event ID 102 — The subscription Id can not be created.

Provider: Microsoft-Windows-Forwarding
Channel: Operational

Description

The subscription Id can not be created. The error code is ErrorCode.

Message #

The subscription %1 can not be created. The error code is %3.

Fields #

Name	Description
`Id` UnicodeString	—
`Query` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 103 — The subscription Id is unsubscribed.

Provider: Microsoft-Windows-Forwarding
Channel: Operational

Description

The subscription Id is unsubscribed.

Message #

The subscription %1 is unsubscribed.

Fields #

Name	Description
`Id` UnicodeString	—

Event ID 104 — The forwarder has successfully connected to the subscription manager at address SubscriptionManagerAddress.

Provider: Microsoft-Windows-Forwarding
Channel: Operational

Description

The forwarder has successfully connected to the subscription manager at address SubscriptionManagerAddress.

Message #

The forwarder has successfully connected to the subscription manager at address %1.

Fields #

Name	Description
`SubscriptionManagerAddress` UnicodeString	—
`ErrorCode` UInt32	—
`ErrorMessage` UnicodeString	—

Event ID 105 — The forwarder is having a problem communicating with subscription manager at address SubscriptionManagerAddress.

Provider: Microsoft-Windows-Forwarding
Channel: Operational

Description

The forwarder is having a problem communicating with subscription manager at address SubscriptionManagerAddress. Error code is ErrorCode and Error Message is ErrorMessage.

Message #

The forwarder is having a problem communicating with subscription manager at address %1.  Error code is %2 and Error Message is %3.

Fields #

Name	Description
`SubscriptionManagerAddress` UnicodeString	—
`ErrorCode` UInt32	—
`ErrorMessage` UnicodeString	—

Event ID 106 — Subscription policy has changed.

Provider: Microsoft-Windows-Forwarding
Channel: Operational
Level: Informational

Description

Subscription policy has changed. Forwarder is adjusting its subscriptions according to the subscription manager(s) in the updated policy.

Message #

Subscription policy has changed.  Forwarder is adjusting its subscriptions according to the subscription manager(s) in the updated policy.

Fields #

Name	Description
`Name`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Forwarding",
    "guid": "699E309C-E782-4400-98C8-E21D162D7B7B",
    "event_source_name": "",
    "event_id": 106,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:34:38.286788+00:00",
    "event_record_id": 7,
    "correlation": {
      "ActivityID": "E0AAB88C-4A9F-0001-35B9-AAE09F4AD801"
    },
    "execution": {
      "process_id": 2416,
      "thread_id": 1084
    },
    "channel": "Microsoft-Windows-Forwarding/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "Name": "SubscriptionPolicyChanged"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 107 — A subscription policy contains invalid configuration.

Provider: Microsoft-Windows-Forwarding
Channel: Operational

Description

A subscription policy contains invalid configuration. Description of policy is PolicyDescription.

Message #

A subscription policy contains invalid configuration.  Description of policy is %1.

Fields #

Name	Description
`PolicyDescription` UnicodeString	—