Problem:
While trying to ingest Remote Windows Event Logs, the collector reports an error on the Collector UI page and writes the following message to the collector's log files, located in "C:\Program Files\Sumo Logic Collector\logs":
"ERROR 0x80070005: Access is denied"
Cause:
The user account configured for the source does not have sufficient permission to read the event logs on the remote server, or cannot reach the remote server at all. 0x80070005 is the Windows HRESULT for E_ACCESSDENIED (Win32 error 5), so the remote machine is rejecting the request rather than failing to respond.
Resolution:
- Ensure that the user account specified in the source has sufficient permissions to read the event log remotely, and that the firewall on the remote machine allows the inbound connections used for remote event log reading (see the help doc https://help.sumologic.com/docs/send-data/installed-collectors/sources/preconfigure-machine-collect-remote-windows-events/ for details on configuring the remote Windows server).
- To help troubleshoot remote Windows event log issues, the installed collector ships with an additional tool that checks and configures remote machines for remote collection. This tool is a PowerShell script located in "C:\Program Files\Sumo Logic Collector\powershell\events".
- You can also confirm that the user account is able to retrieve remote Windows event logs by logging into the Windows server that the collector is installed on as that user account and running the "Get-WinEvent" cmdlet in Windows PowerShell. The argument to -ComputerName must be the remote Windows server's name or IP address, and -LogName must be the log the source is configured to read.
Example:
PS C:\Users\<USER_ACCOUNT>> Get-WinEvent -ComputerName <FQDN> -LogName "<WINDOWS_EVENT_TYPE>"
PS C:\Users\user_account> Get-WinEvent -ComputerName my_host -LogName "Security"
If the user account has sufficient permissions, you will see a list of events with columns such as TimeCreated, Id, LevelDisplayName, and Message. That list confirms the account can reach the remote server and read the selected event log. If the cmdlet returns an error instead, troubleshoot further based on the error returned: "Access is denied" points at the account's permissions on the remote log, while an RPC or "server is unavailable" error points at network or firewall configuration.
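The following script is an added example, not the page's own text nor Sumo Logic's shipped PowerShell tool. It automates the manual Get-WinEvent check above and separates the two failure modes named in the Cause section: it first tests whether the RPC endpoint mapper (TCP 135) on the remote host is reachable, then attempts to read one event from the configured log as the source account. The function name Test-RemoteEventLogAccess and the parameter names are choices made for this example. The remote checks at the end assume that WinRM is enabled on the remote host, that the account is meant to be a member of the built-in local "Event Log Readers" group there, and that the Windows Firewall rule group "Remote Event Log Management" is what allows the inbound connections; those assumptions are not stated on this page.

```powershell
# Added example (not Sumo Logic's script): verify a source account can read a
# remote Windows event log and classify the failure the way the collector's
# "0x80070005: Access is denied" error would.
# Assumptions (not from the original page): WinRM is enabled on the remote host for
# the optional remote checks; the account is expected to be in the local
# "Event Log Readers" group; the "Remote Event Log Management" firewall rule group
# is what permits inbound remote event log reads.
param(
    [Parameter(Mandatory)] [string] $ComputerName,          # remote host FQDN or IP
    [string] $LogName = 'Security',                         # log the source reads
    [System.Management.Automation.PSCredential] $Credential, # source account; omit to use the current logon
    [switch] $RemoteChecks                                  # also inspect group membership and firewall on the remote host
)

function Test-RemoteEventLogAccess {
    param([string]$ComputerName, [string]$LogName, [PSCredential]$Credential)

    $result = [ordered]@{
        Computer = $ComputerName; Log = $LogName
        RpcReachable = $false; CanRead = $false; Diagnosis = ''; Error = $null
    }

    # 1. The remote event log API rides on RPC, so TCP 135 must be reachable first.
    $tnc = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue
    $result.RpcReachable = [bool]$tnc.TcpTestSucceeded

    # 2. Read a single event as the account the source will use.
    $params = @{ ComputerName = $ComputerName; LogName = $LogName; MaxEvents = 1; ErrorAction = 'Stop' }
    if ($Credential) { $params.Credential = $Credential }
    try {
        $null = Get-WinEvent @params
        $result.CanRead = $true
        $result.Diagnosis = 'OK: account can read the remote log'
    } catch {
        $result.Error = $_.Exception.Message
        # Map the error onto the two causes from the article.
        if (-not $result.RpcReachable) {
            $result.Diagnosis = 'Network/firewall: TCP 135 unreachable; allow Remote Event Log Management inbound'
        } elseif ($result.Error -match 'Access is denied|0x80070005') {
            $result.Diagnosis = 'Permissions: account cannot read the log; add it to Event Log Readers on the remote host'
        } else {
            $result.Diagnosis = 'Other: inspect the error text'
        }
    }
    [pscustomobject]$result
}

$check = Test-RemoteEventLogAccess -ComputerName $ComputerName -LogName $LogName -Credential $Credential
$check | Format-List

if ($RemoteChecks) {
    # Optional: confirm the likely root causes directly on the remote host over WinRM.
    $icm = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $icm.Credential = $Credential }
    Invoke-Command @icm -ScriptBlock {
        [pscustomobject]@{
            EventLogReaders = (Get-LocalGroupMember -Group 'Event Log Readers' | Select-Object -ExpandProperty Name) -join ', '
            RemoteEventLogRulesEnabled = @(Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
                Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }).Count
        }
    } | Format-List
}
```

Run it from the collector host as the source account, or pass -Credential (Get-Credential 'DOMAIN\svc_collector') to impersonate it, for example: .\Test-RemoteEventLogAccess.ps1 -ComputerName my_host -LogName Security -RemoteChecks. A result of RpcReachable=True and CanRead=False with an "Access is denied" error reproduces the collector's 0x80070005 condition and isolates it to permissions on the remote log rather than the network path; RpcReachable=False means the firewall or routing must be fixed before the account's rights are worth examining.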