Windows Event Log Forwarding

Tags: windows-7, windows-event-log, windows-server-2008

I am currently prototyping a setup, in which a Windows Server 2008 is configured as a central logging instance for Windows XP and Windows 7 clients via source initiated event forwarding. All computers are in the same domain.

I configured everything according to this DevCenter article, but due to problems with the provided XML for the logging configuration I simply created a new subscription (source initiated), put in the "Domain Computers" group and added all events to it. The resulting XML looks like this:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*</Select>
    <Select Path="Security">*</Select>
    <Select Path="Setup">*</Select>
    <Select Path="System">*</Select>
  </Query>
</QueryList>

As you can see, I want to log all events from all event logs. However, when evaluating the logs on the logging server, none of the events from the Security log are forwarded to the central logging instance (e.g. when trying to run a program as another user and entering a wrong password). Other logs like System or Application work perfectly. I've worked through the validation part of the article without seeing any problems. So far I have only tested the Windows 7 client, as Windows XP does not have event forwarding installed by default.

Any hints as to what I am doing wrong?

Best Answer

For Windows Vista, 7 and 2008:

The Windows Event Collector service (wecsvc) on the source computers, which forwards the events to the collector computer(s) if you are using a source-initiated subscription, runs as the "Network Service" account. But the Network Service account does not have access to the Security event log. The local group "Event Log Readers" has access to all logs. That means that on each source computer you need to add the "Network Service" account to the local "Event Log Readers" group, so that the Windows Event Collector service has access to the Security event log and can forward it to the collector computer(s).

Using SDDL (Security Descriptor Definition Language) you can also redefine the permissions on the individual event logs with wevtutil, but that is more complex, which means you could easily break something or cause unwanted side effects if you do not read up on it and formulate the SDDL carefully before you do anything.
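As an added example (not part of the answer above), the following PowerShell script applies the group change the answer describes on one source computer and then prints the Security log's channel-access SDDL so it can be inspected without modifying it. It uses only `net localgroup` and `wevtutil`, so it also works on Windows 7, and assumes it is run from an elevated (administrator) prompt.

```powershell
# Added example: make "Network Service" a member of the local
# "Event Log Readers" group on a source computer, then inspect the
# Security channel's access list. Not code from the original answer.

$group   = "Event Log Readers"
$account = "NT AUTHORITY\NETWORK SERVICE"

# Changing local group membership requires an elevated token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated PowerShell prompt."
}

# 1. Check current membership. 'net localgroup <group>' lists one member
#    per line; the Network Service account appears as the string in $account.
$members = net localgroup $group 2>$null
if ($members -match [regex]::Escape($account)) {
    Write-Host "$account is already a member of '$group'."
} else {
    Write-Host "Adding $account to '$group'..."
    net localgroup $group $account /add
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }
    Write-Host "Done. The forwarding service picks up the new group only after it restarts (or after a reboot)."
}

# 2. Read-only inspection of the Security log's permissions. The
#    'channelAccess:' line of 'wevtutil gl' holds the SDDL string; the
#    Event Log Readers group is the well-known SID S-1-5-32-573.
$channelInfo = wevtutil gl Security
$sddlLine = $channelInfo | Where-Object { $_ -like "channelAccess:*" }
$sddl = ($sddlLine -replace "^channelAccess:\s*", "").Trim()
Write-Host "Security channel SDDL: $sddl"

if ($sddl -match "S-1-5-32-573") {
    Write-Host "Event Log Readers (S-1-5-32-573) has an ACE on the Security log; group membership is enough."
} else {
    Write-Warning "Event Log Readers is not in the Security log ACL. Review the SDDL before changing it with 'wevtutil sl Security /ca:<sddl>'."
}
```

The membership check in step 1 is what to re-run on a client whose Security events still do not arrive at the collector; if the account is listed but events are still missing, the SDDL printed in step 2 is the next thing to compare against a working machine.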