Events aren’t forwarded to a WEC server running Windows Server 2016 or Windows Server 2019
You receive error messages like this:
Log Name: Microsoft-Windows-Forwarding/Operational Event ID: 105 Task Category: None User: NETWORK SERVICE Description: The forwarder is having a problem communicating with subscription manager at address http://W19SRV.contoso.com:5985/wsman/SubscriptionManager/WEC. Error code is 2150859027 and Error Message is The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. </f:Message></f:WSManFault>.
Problem
This behaviour occurs when Windows Server is expecting the Windows Remote Management and Windows Event Collector services to be on the same machine, using an svchost process registered to the machine collecting the event logs. The default access control lists block access to any other svchost processes.
Solution
To fix the service permissions issue, replace the access control lists so that the remote svchost service can access the event logs.