For Windows Vista, 7 and 2008:

The Windows Event Collector service (wecsvc) on the source computers, which forwards the events to the collector computer(s) if you are using a source-initiated subscription, runs as the "Network Service" account. But the Network Service account does not have access to the Security event log. The local group "Event Log Readers" has access to all logs. That means on each source computer you need to add the "Network Service" account to the local "Event Log Readers" group so that the Windows Event Collector service has access to the Security event log and can forward it to the collector computer(s).

Using SDDL (Security Descriptor Definition Language) you can also redefine the permissions on the different event logs using wevtutil, but that is more complex, which means you could easily break something or cause unwanted effects if you don't read up on this and carefully formulate the SDDL before you do anything.
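
The group change described in the answer above can be scripted per source computer. This is an added example, not code from the original answer; it assumes an elevated PowerShell prompt and uses the well-known SIDs S-1-5-32-573 (Event Log Readers) and S-1-5-20 (Network Service) so that it does not depend on localized names. The helper name `Resolve-SidName` is made up for the example.

```powershell
# Added example: run elevated on each source computer (PowerShell 2.0 or later).
# Well-known SIDs are used so the script also works on localized Windows.
$readersSid = 'S-1-5-32-573'   # BUILTIN\Event Log Readers
$netSvcSid  = 'S-1-5-20'       # NT AUTHORITY\NETWORK SERVICE

# Hypothetical helper: translate a SID string to its DOMAIN\Name form.
function Resolve-SidName([string]$Sid) {
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $sidObj.Translate([System.Security.Principal.NTAccount]).Value
}

$groupName   = (Resolve-SidName $readersSid).Split('\')[-1]
$accountName = Resolve-SidName $netSvcSid

# Enumerate the current members of the local group and collect their SIDs.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
$memberSids = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

if ($memberSids -contains $netSvcSid) {
    Write-Output "$accountName is already a member of '$groupName'."
} else {
    # Add the account only when it is missing, and fail loudly if the add is refused.
    & net.exe localgroup $groupName $accountName /add
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }
    Write-Output "Added $accountName to '$groupName'."
}

# Read-only: show the Security log's current access SDDL before considering any wevtutil change.
& wevtutil.exe gl Security | Select-String -Pattern '^channelAccess'
```

A running service keeps the access token it was started with, so the new membership applies only after the service (or the computer) is restarted.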


It may be that the Path attribute in the Query block is filtering it. It should work without it:

<QueryList>
  <Query Id="0">
    <Select Path="Application">*</Select>
    <Select Path="Security">*</Select>
    <Select Path="Setup">*</Select>
    <Select Path="System">*</Select>
  </Query>
</QueryList>