Windows Event Log Forwarding
Solution 1
For Windows Vista, 7 and 2008:
The Windows Event Collector service (wecsvc) on the source computers, which forwards the events to the collector computer(s) if you are using a source-initiated subscription, runs as the "Network Service" account. But the Network Service account does not have access to the Security event log. The local group "Event Log Readers" has access to all logs. That means on each source computer you need to add the "Network Service" account to the local "Event Log Readers" group so that the Windows Event Collector service has access to the Security event log and can forward it to the collector computer(s).
Using SDDL (Security Descriptor Definition Language) you can also redefine the permissions on the different event logs using wevtutil, but that is more complex, which means you could easily break something or cause unwanted effects if you don't read up on this and carefully formulate the SDDL before you do anything.
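As an added example (not part of the original answer), the following PowerShell does the group change described above on a source computer. It resolves both principals by their well-known SIDs rather than by name, so it works regardless of the Windows display language, and then shows the Security channel's access SDDL for verification. It assumes an elevated PowerShell session on the source computer.

```powershell
# Resolve the well-known principals by SID instead of by name: the display
# names are localized (NETWORK SERVICE is "Netzwerkdienst" on German Windows),
# but S-1-5-20 and S-1-5-32-573 are the same on every installation.
$networkServiceSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
$eventLogReadersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-573'

$networkService  = $networkServiceSid.Translate([System.Security.Principal.NTAccount]).Value
$eventLogReaders = $eventLogReadersSid.Translate([System.Security.Principal.NTAccount]).Value

# NTAccount returns "BUILTIN\<localized group name>"; net localgroup only wants the name.
$groupName   = $eventLogReaders.Split('\')[-1]
$accountName = $networkService.Split('\')[-1]

# Check current membership before changing anything (net localgroup lists the members).
$members = net localgroup "$groupName"
if ($members -match [regex]::Escape($accountName)) {
    "$networkService is already a member of $groupName"
} else {
    net localgroup "$groupName" "$networkService" /add
}

# Verify: the Security channel's access SDDL should grant read (0x1) to S-1-5-32-573.
wevtutil gl Security | Select-String -Pattern 'channelAccess'

# Group membership is applied when the account's token is built, so the service
# running as Network Service must be restarted (or the machine rebooted) to pick it up.
```

The `net localgroup` form is used because `Add-LocalGroupMember` is not available on Windows 7 / Server 2008.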
Solution 2
Probably a permissions issue with the security event log.
Try adding the collector computer account to the Administrators group on one of the source computers to determine if that fixes the problem.
Note that on Windows 2008 and Windows Vista/7, there is a new group Event Log Readers that makes it easier to provide this level of access.
Solution 3
Is security logging enabled on the workstations? If not then there will be nothing to forward.
Solution 4
We've just followed this guide and like yourselves, we didn't get anywhere, until we added the delegated account for the event logs gathering to the domain admins, and we're no longer in ruins.
Next step, to find a more secure way of doing this!
Solution 5
It may be that the Path attribute in the Query block is filtering it. It should work without it:
<QueryList>
  <Query Id="0">
    <Select Path="Application">*</Select>
    <Select Path="Security">*</Select>
    <Select Path="Setup">*</Select>
    <Select Path="System">*</Select>
  </Query>
</QueryList>
Lars
Lars Kumbier is an IT Consultant and builds custom IT solutions with three employees, with a specialization in business-grade web- and mobile applications. He is also a lecturer at the University of Applied Sciences in Heidelberg, Germany, an Administrator for Linux, Windows and OS-X systems in heterogeneous networks, and has a hang for psychology. Other interests include sports - especially climbing and diving - and science in general.
Updated on September 18, 2022
Comments
-
Lars almost 2 years
I am currently prototyping a setup, in which a Windows Server 2008 is configured as a central logging instance for Windows XP and Windows 7 clients via source initiated event forwarding. All computers are in the same domain.
I configured everything according to this DevCenter Article, but due to problems with the provided xml for the logging configuration I simply created a new subscription (source initiated), put in the "domain computers" group and simply added all events to it. The resulting XML looks like this:
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*</Select>
    <Select Path="Security">*</Select>
    <Select Path="Setup">*</Select>
    <Select Path="System">*</Select>
  </Query>
</QueryList>
As you can see, I want to log all events from all event loggers. However, when evaluating the logs on the logging server, all events from the security log stream are not forwarded to the central logging instance (e.g. when trying to run a program as another user and entering a wrong password). Other log streams like system or application work perfectly. I've worked through the validation part of the article without seeing any problems. So far, I have just tested the Windows 7 client, as Windows XP does not have event forwarding installed by default.
Any hints what I do wrong?
-
Massimo over 12 years
But then, how could System work?
-
Lars over 12 years
Good thinking - unfortunately, it did not solve the problem. :/
-
Lars over 12 years
I do see the event logs of granted and denied logons on the machine itself.
-
Lars over 12 years
Tried it, but no change in the behavior. I guess this would have affected the other log parts as well.
-
Lars over 12 years
Addendum: Windows Server automatically fixed my change to include the Path="" part again.
-
Greg Askew over 12 years
It would not have affected the other logs because elevated permissions are required to access the security event log.
-
Lars over 12 years
Hm, okay. As said, I did add the Collector Computer to the Administration Group of the Event Source Computer, but that did not change the behavior. Does it need to be added to a service user or something similar instead?
-
Lars over 12 years
I think it's already running as a Network Service, but I'll double-check when I'm at the computer again - thx!
-
lsmooth over 12 years
Yes, the collector is running as Network Service, but by default the built-in "Network Service" account does not have access to the Security event log. You need to add the account to the local "Event Log Readers" security group so it can access that log and collect the events.
-
lsmooth over 12 years
I updated my previous answer, maybe it's a bit clearer now.
-
Lars over 12 years
Thanks for the tip - but for now, I'd rather have any working configuration at all. I'll tighten it down afterwards, when I know what the problem was. ;)
-
Lars over 12 years
Then I understood you correctly - unfortunately, it did not change the outcome. Could you join me in the chatroom chat.stackexchange.com/rooms/2473/… ?
-
Lars over 12 years
Alright, the problem was a translation error. The user "BUILTIN\Network-Service" is called "Netzwerkdienst" in the German version of Windows 7.