Audit log centralization by subscription in Windows Event Log

Hi,

I'm trying to deploy an information system and need log centralization.

When I configure the subscription, all is fine, except for audit logs: I can't see them. When I'm looking at the subscription state, I have this error code:

Code (0x138C): "Windows Event Forward plugin can't read any event from the query since the query returns no active channel. Please check channels in the query and make sure they exist and you have access to them."

So I tried to apply the solution:

1. Adding the Network Service and the machine account of the collector to the Event Log Users domain local group

2. Assigning the "Manage auditing and security log" user right to the Network Service and the machine account of the collector on the sources.

The 1st one is ok. But for the second one, the strategy "Manage auditing and security log" can't be modified. I just see the default value and the button used to add accounts or groups is inactive (in grey). 

Can someone help me?

Thanks a lot,

Julie A. 



August 20th, 2015 1:37pm

Hi Julie,

When assigning the "Manage auditing and security log" user right, if you are using local policy, it may be overwritten by group policy.

Try to assign the rights in group policy.

I have seen a similar case, and it says we need to configure audit policies to enable it:
https://social.technet.microsoft.com/Forums/en-US/47833d6a-e6bd-44c5-a59f-5991c783d11b/how-to-let-manage-auditing-and-security-log-properties-add-a-user-and-group-button-enable-?forum=w7itprosecurity

Manage auditing and security log:
https://technet.microsoft.com/en-us/library/Cc957161.aspx?f=255&MSPPError=-2147217396

Best Regards,

Leo

August 24th, 2015 3:42am
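
To see which accounts currently hold the "Manage auditing and security log" right (constant `SeSecurityPrivilege`) on a source computer, and whether Network Service is among them, the user-rights assignment can be exported with `secedit` and parsed. This is an added example, not part of the original thread; it assumes an elevated PowerShell session, and the function name and temp file path are illustrative.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on a source computer. Function name and temp file path are illustrative.

function Get-SecurityLogRightHolders {
    # Export only the user-rights section of the security policy.
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed (is the session elevated?)' }

    try {
        # SeSecurityPrivilege is the constant behind "Manage auditing and security log".
        $line = Get-Content $cfg | Where-Object { $_ -match '^\s*SeSecurityPrivilege\s*=' }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }   # the right is assigned to nobody

    # The value is a comma-separated list; SIDs carry a '*' prefix, other entries are names.
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry -eq '') { continue }
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        } else {
            $sid = (New-Object System.Security.Principal.NTAccount($entry)).Translate(
                [System.Security.Principal.SecurityIdentifier])
        }
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        [pscustomobject]@{ Sid = $sid.Value; Account = $name }
    }
}

$holders = @(Get-SecurityLogRightHolders)
$holders | Format-Table -AutoSize

# S-1-5-20 is the well-known SID of NETWORK SERVICE.
if ($holders.Sid -contains 'S-1-5-20') {
    'NETWORK SERVICE holds SeSecurityPrivilege on this computer.'
} else {
    'NETWORK SERVICE does not hold SeSecurityPrivilege on this computer.'
}
```

Running it again after `gpupdate /force` shows whether a change made in Group Policy has reached the source computer.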
