Today I saw some collector-initiated event log subscriptions that displayed a weird error, something like
Windows Event Forward plugin can't read any event from the query since the query returns no active channel. Please check channels in the query and make sure they exist and you have access to them.
The reason for this message is that WinRM can’t read the event log.
If you haven’t read my long post about Event Forwarding, you should.
The main point is that the WinRM service doesn’t perform any impersonation while reading the events. Instead, it reads the logs using it’s own security context and then verifies the client’s permissions (if there are any).
Default Windows permissions grant
Network Service or similar
SERVICE) read access to all of the event logs, but
I’ve encountered software that modifies those permissions. Although it’s
icky, you can view your current event log permissions using the command
wevtutil gl LOGNAME
channelAccess. You can repair them if necessary (carefully).
You can also manually modify them using registry.
Remember that you have to reboot the machine for those permissions to