Troubleshooting remote connections with the Windows Event Collector
Article ID: 177196


Products

Security Information Manager

Issue/Introduction

The Windows Event Collector (WEC) reports errors when it attempts to access a remote computer.

Resolution

WEC uses the following process to read remote event logs:

  1. Connect to the remote computer using the provided username and password.
      • Error messages will contain "WNetAddConnection2 failed with error: <error>".
  2. Connect to the remote registry.
      • Error messages will contain "eventLogRegistryKeyCheck: <error>".
      • Note: The Remote Registry service must be running on the remote computer.
  3. Check that the event log is present by opening the event log's registry key.
      • Error messages will contain "eventLogRegistryKeyCheck: <error>".
  4. Open the event log.
      • Error messages will contain "OpenEventLog: <error>".
  5. Read the event log entries.
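The following script is an added example, not code from the article or from the WEC sensor: run from the collector host, it walks the same five stages in the same order, so the first stage that fails tells you which of the scenarios below applies. It assumes Windows PowerShell 5.1 (Get-Service -ComputerName and Get-EventLog are not available in PowerShell 7); the function and parameter names are hypothetical.

```powershell
# Added example (not part of the original article). Reproduces the WEC connection
# sequence from the collector host so the failing stage can be identified.
# Assumes Windows PowerShell 5.1. Function/parameter names are hypothetical.
function Test-WecRemoteLog {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$LogName = 'Security',
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $ipc  = "\\$ComputerName\IPC$"
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password

    # Step 1: the same SMB session WNetAddConnection2 establishes with the sensor account.
    # Later RPC calls (svcctl, winreg, eventlog pipes) to this host reuse that session,
    # which is why one bad credential surfaces as errors 1203/1326/1312 at this stage.
    net use $ipc $pass /user:$user 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        return "Step 1 failed: cannot connect to $ipc as $user (see WNetAddConnection2 scenarios)"
    }
    try {
        # Step 2: Remote Registry must be running or eventLogRegistryKeyCheck cannot proceed.
        $svc = Get-Service -Name RemoteRegistry -ComputerName $ComputerName -ErrorAction Stop
        if ($svc.Status -ne 'Running') {
            return "Step 2 failed: Remote Registry service is $($svc.Status) on $ComputerName"
        }
        # Step 3: open HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<log> remotely.
        # OpenRemoteBaseKey uses RegConnectRegistry, the API referenced in KB 906570.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Services\Eventlog\$LogName")
        if ($null -eq $key) {
            return "Step 3 failed: registry key for log '$LogName' is missing or not readable"
        }
        $key.Close(); $hklm.Close()
        # Steps 4 and 5: Get-EventLog uses the legacy OpenEventLog API; read one entry.
        $null = Get-EventLog -LogName $LogName -ComputerName $ComputerName -Newest 1 -ErrorAction Stop
        return "OK: '$LogName' on $ComputerName is readable as $user"
    } catch {
        # Any exception here maps to the eventLogRegistryKeyCheck / OpenEventLog scenarios.
        return "Failed after step 1: $($_.Exception.Message)"
    } finally {
        # Tear down the IPC$ session so the test leaves no lingering connection behind.
        net use $ipc /delete /y 2>&1 | Out-Null
    }
}

# Usage: Test-WecRemoteLog -ComputerName 'loghost01' -LogName 'Security' -Credential (Get-Credential)
```

The password is passed on the net use command line, as WNetAddConnection2 receives it in-process; run the check interactively rather than from a stored script.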


Common scenarios, with the corresponding error message:

Unable to connect to the remote computer due to network issue:


    ERROR [Time] [Sensor] [Machine]:[Event Log] Source:Application Error in EventLogReader initialization ex=com.symantec.cas.ucf.sensors.OpenDeviceException: ERROR_CODE[1203]. WNetAddConnection2 failed with error: No network provider accepted the given network path.


This error is usually caused by a networking/connectivity problem between the Collector machine and the log host (target) machine. To resolve this problem, resolve the underlying network issue; the collector should then start working normally.

Unable to connect to the remote computer due to incorrect credentials:


    ERROR [Time] [Sensor] [Machine]:[Event Log] Source:Application Error in EventLogReader initialization ex=com.symantec.cas.ucf.sensors.OpenDeviceException: ERROR_CODE[1326]. WNetAddConnection2 failed with error: Logon failure: unknown user name or bad password.

    or

    ERROR_CODE[1312]. WNetAddConnection2 failed with error: A specified logon session does not exist. It may already have been terminated.


These errors are usually resolved by entering correct credentials into the sensor configuration.

Note: You may need to set the Monitored Host Account Name to <Computer IP>\<username> or <Computer Name>\<username>.
Note: If you continue to receive this error but you are confident the credentials are correct please contact support.

If the Remote Registry service is not running or is not accessible:
 

      ERROR [Time] [Sensor] [Machine]:[Event Log] Source:Application Error in EventLogReader initialization ex=com.symantec.cas.ucf.sensors.OpenDeviceException: ERROR_CODE[53]. eventLogRegistryKeyCheck failed with error: The network path was not found. 
      WARN [Time] [Sensor] [Machine]:[Event Log] Source:System Source:System Reopenning eventlog failed with exception: ERROR_CODE[1726]. OpenEventLog failed with error: The remote procedure call failed.

    Note: The event log registry key is: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\<Event log name>

    This error can be caused by the following problems:

    • The Event Log registry entry is not present.
      Contact Microsoft support if you find the registry key is missing.

    • The Event Log registry key is not readable due to a permission issue.
      Adjust permissions for the user that you have configured in your sensor settings to allow them access to the event log registry key. For assistance with this permissions issue please contact Microsoft support.

    • If you are running Microsoft Windows Server 2003 Service Pack 1 you may need to upgrade to Service Pack 2. Please see Microsoft KB article 906570, "A custom program that uses the RegConnectRegistry function can no longer access the registry of a remote computer": http://support.microsoft.com/kb/906570

    • The WEC Sensor configuration has listed the host name incorrectly.
      Try listing a simple hostname instead of the FQDN, or vice versa. The correct entry varies depending on your DNS or Hosts file entries.

    • The user is not in the local Administrators group.
      Unless the target machine is a Domain Controller, the user that you enter into the sensor configuration must be in the local Administrators group even if the user is a domain admin. For assistance adding a user to the local Administrators group please contact Microsoft Support.

    • The Remote Registry service is not running on the remote computer.
      Be sure the Remote Registry service is started on the remote computer.


    ERROR [Time] [Sensor] [Machine]:[Event Log] Source:EventLogNotPresent Error in EventLogReader initialization ex=com.symantec.cas.ucf.sensors.OpenDeviceException: ERROR_CODE[997]. eventLogRegistryKeyCheck failed with error: Overlapped I/O operation is in progress.


The registry is corrupt or damaged:
 

    WARN [Time] [Sensor] [Machine]:[Event Log] Source:Security Reader failed to open device with error: ERROR_CODE[1500]. EventLog.read failed with error: El archivo de registro de sucesos está dañado. Trying to reopen...

    The collector is trying to pull down the events, but the event log is damaged or corrupted and needs to be deleted. Follow these steps to delete the corrupted log file. In this example we will use the Security log.

      1. Click on the Start button and select Administrative Tools.
      2. Next, click on Event Viewer.
      3. Right-click on the Security log and select Clear All Events.
      4. When asked to save your Security log, click on Yes. Fill in a name for the folder, then click Save.
      5. The log is now removed from the affected system.
      6. Restart the agent and observe the event flow.


If the user has permissions to connect remotely, but does not have permissions to other services:

User does not have permissions to the registry:
Application Reader can not access registry on target box. Make sure user [Username] has permission's to access registry on [Computer Name].

User does not have permissions to resources (can be caused by a trust relationship on the domain, or the user not being a member of the domain):
Application Reader failed to login into target box. Make sure sensor configuration has correct credentials and user [Username] has permission's to access [Computer Name].