Event ID - 1

Event Id: 1
Source: Microsoft-Windows-EventCollector
Description: The Subscription %1 could not be activated on target machine %2 due to communication error. Error Code is %3. All retries have been performed before reaching this point and so the subscription will remain inactive on this target until subscription is resubmitted / reset. Additional fault message:%4
Event Information According to Microsoft :

Cause :

This event is logged when the subscription could not be activated on target machine due to communication error.

Diagnose :

There are multiple possible causes for the Event Collector service to publish an event with an identifier equal to 1. Based on the likelihood of the causes, follow the steps, in the order listed, to resolve the problem:
  1. Start the event source computer.
  2. Set the authentication credentials for connecting to the event source.
  3. Restore the WS-Management connection to the event source.
Resolution :

To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly.

Cause and corresponding resolution :
  1. Event Source Connectivity: Restore the WS-Management connection
  2. Event Source Down: Start the event source computer
  3. Event Source Authentication: Set the authentication credentials to connect to the event source

Restore the WS-Management connection

An event source fails to activate or becomes inactive because the event collector computer cannot connect to the event source computer. Such connectivity issues will affect all consumers of the WS-Management protocol, and to resolve the problem, the steps required to restore connectivity of the WS-Management connection must be taken.

Start the event source computer

The event source computer is inoperable or not connected to the network. The connection to the event source is retried based on the subscription retry logic and becomes active again when the target computer restarts and/or connects to the network. To resolve the problem, verify that the remote computer is on and that it can communicate with other computers on the network (joined to a domain in domain environments).

The event source is automatically disabled after it is retried unsuccessfully a number of times based on the subscription retry configuration. When the source is believed to be active and connected again, the following command must be run on the event collector computer from a command prompt that is run with administrator privileges (right-click the command prompt executable and select Run as administrator):

wecutil ss SubscriptionID /esa:SourceAddress /ese

In the previous command, the SubscriptionID is the name of the subscription to which the event source belongs, and the SourceAddress is a valid resolvable name of the event source computer or its IP address.

Set the authentication credentials to connect to the event source

The credentials used to connect to the event source are not valid. A subscription can use specific credentials per event source, or it can use common credentials for all sources.
If the current source uses specific credentials, use the following command from a command prompt that is run with administrator privileges (right-click the command prompt executable and select Run as administrator) to reset the credentials:

wecutil ss SubscriptionID /esa:SourceAddress /ese /un:UserName /up:Password

In the command above, the SubscriptionID is the name of the subscription to which the source belongs, the SourceAddress is a valid resolvable name of the event source computer or its IP address, and the UserName and Password are the credentials that are used to connect to the event source computer.

The subscription to which the current source belongs may use common credentials for all event sources that are part of the subscription. Such common credentials are often used in the domain environment and they are the credentials of a domain user. When these credentials are incorrect, all sources of the subscription will become inactive. When this happens, the following command can be run from a command prompt run with administrator privileges to reset the common credentials:

wecutil ss SubscriptionID /cun:UserName /cup:Password

In the previous command, the SubscriptionID is the name of the subscription to which the source belongs, and the UserName and Password are the credentials that are used to connect to the event source computer.

Verify :

To gather information about the activation status of an event source, enter the following command from a command prompt that is run with administrator privileges (right-click the command prompt executable and select Run as administrator):

wecutil gr SubscriptionID

In the previous command, the SubscriptionID is the name of the subscription to which the event source belongs. The command will provide information about the subscription status and will display the activation status of the event source.
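
A source that stays inactive after Event ID 1 stops forwarding its logs, so it helps to list every affected source from the collector's own log before re-enabling anything. The PowerShell script below is an added example, not part of the original page or of Microsoft's documentation; it assumes the event's properties follow the %1 to %4 order of the description above, and the $Days parameter is illustrative.

```powershell
# Added example: list event sources that Event ID 1 reports as deactivated.
# Run on the event collector computer in an elevated PowerShell session.
# Assumption: the event's Properties array holds the insertion strings in
# template order: %1 subscription, %2 target machine, %3 error code, %4 fault.
param([int]$Days = 7)   # look-back window (illustrative default)

$filter = @{
    ProviderName = 'Microsoft-Windows-EventCollector'
    Id           = 1
    StartTime    = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$failed = $events |
    Where-Object { $_.Properties.Count -ge 3 } |
    ForEach-Object {
        [pscustomobject]@{
            Time         = $_.TimeCreated
            Subscription = [string]$_.Properties[0].Value
            Source       = [string]$_.Properties[1].Value
            ErrorCode    = $_.Properties[2].Value
        }
    } |
    Group-Object Subscription, Source |
    ForEach-Object {
        # Keep only the most recent failure per subscription/source pair.
        $_.Group | Sort-Object Time -Descending | Select-Object -First 1
    }

if (-not $failed) {
    Write-Output "No Event ID 1 entries in the last $Days day(s)."
    return
}

$failed | Sort-Object Subscription, Source | Format-Table -AutoSize

# Print (do not run) the re-enable command from this page for each source,
# so an operator can first confirm the machine is up and reachable.
foreach ($f in $failed) {
    'wecutil ss "{0}" /esa:{1} /ese' -f $f.Subscription, $f.Source
}
```

After running the printed commands, confirm each source with the wecutil gr check described above.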
Reference Links: Event ID 1 from Microsoft-Windows-EventCollector
