Event ID 1 — Event Source Activation

Applies To: Windows Server 2008

An event source failing to activate or a source becoming inactive does not invalidate an event subscription, but no events are received from the inactive source.

Event Details

Product: Windows Operating System
ID: 1
Source: Microsoft-Windows-EventCollector
Version: 6.0
Symbolic Name: EVTCOLL_EVENT_SOURCE_UNAVAILABLE
Message: The Subscription %1 could not be activated on target machine %2 due to communication error. Error Code is %3. All retries have been performed before reaching this point and so the subscription will remain inactive on this target until subscription is resubmitted / reset. Additional fault message:%4

Diagnose

There are multiple possible causes for the Event Collector service to publish an event with an identifier equal to 1. Based on the likelihood of the causes, follow the steps, in the order listed, to resolve the problem:

1. Start the event source computer.

2. Set the authentication credentials for connecting to the event source.

3. Restore the WS-Management connection to the event source.

Resolve

To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly

Cause

Resolution

Event Source Connectivity

Restore the WS-Management connection

Event Source Down

Start the event source computer

Event Source Authentication

Set the authentication credentials to connect to the event source

Restore the WS-Management connection

An event source fails to activate or becomes inactive because the event collector computer cannot connect to the event source computer. Such connectivity issues will affect all consumers of the WS-Management protocol, and to resolve the problem, the steps required to restore connectivity of the WS-Management connection must be taken.

Start the event source computer

The event source computer is inoperable or not connected to the network. The connection to the event source is retried based on the subscription retry logic and becomes active again when the target computer restarts and/or connects to the network. To resolve the problem, verify that the remote computer is on and that it can communicate to other computers on the network (joined to a domain in domain environments).

The event source is automatically disabled after it is retried unsuccessfully a number of times based on the subscription retry configuration. When the source is believed to be active and connected again, the following command must be run on the event collector computer from a command prompt that is run with administrator privileges (right-click the command prompt executable and select Run as administrator):

wecutil ss SubscriptionID /esa:SourceAddress /ese

In the previous command, the SubscriptionID is the name of the subscription to which the event source belongs, and the SourceAddress is a valid resolvable name of the event source computer or its IP address.

Set the authentication credentials to connect to the event source

The credentials used to connect to the event source are not valid. A subscription can use specific credentials per event source, or it can use common credentials for all sources.

If current source uses specific credentials, use the following command from a command prompt that is run with administrator privileges (right-click the command prompt executable and select Run as administrator) to reset the credentials:

wecutil ss SubscriptionID /esa:SourceAddress /ese /un:UserName /up:Password

In the command above, the SubscriptionID is the name of the subscription to which the source belongs, the SourceAddress is a valid resolvable name of the event source computer or its IP address, and the UserName and Password are the credentials that are used to connect to the event source computer.

The subscription to which the current source belongs may use common credentials for all event sources that are part of the subscription. Such common credentials are often used in the domain environment and they are the credentials of a domain user. When these credentials are incorrect, all sources of the subscription will be come inactive. When this happens, the following command can be run from a command prompt run with administrator privileges to reset the common credentials:

wecutil ss SubscriptionID /cun:UserName /cup:Password

In the previous command, the SubscriptionID is the name of the subscription to which the source belongs, and the UserName and Password are the credentials that are used to connect to the event source computer.

Verify

To gather information about the activation status of an event source, enter the following command from a command prompt that is run with administrator privileges (right-click the command prompt executable and select Run as administrator):

wecutil gr Subscription ID

In the previous command, the Subscription ID is the name of the subscription to which the event source belongs. The command will provide information about the subscription status and will display the activation status of the event source.

Event Source Activation

Management Infrastructure