Audit log centralization by subscription in Windows Event Log

Hi,

I'm trying to deploy an information system and need log centralization.

When I configure the subscription, all is fine, except for audit logs: I can't see them. When I look at the subscription state, I get this error code:

"Code (0x138C): Windows Event Forward plugin can't read any event from the query since the query returns no active channel. Please check channels in the query and make sure they exist and you have access to them."

So I tried to apply the solution:

1. Adding the Network Service and the machine account of the collector to the Event Log Users domain local group.

2. Assigning the "Manage auditing and security log" user right to the Network Service and the machine account of the collector on the sources.

The first one is OK. But for the second one, the policy "Manage auditing and security log" can't be modified. I just see the default value, and the button used to add accounts or groups is inactive (greyed out).

Can someone help me?

Thanks a lot,

Julie A. 



August 20th, 2015 1:37pm

Hi Julie,

When assigning the "Manage auditing and security log" user right, if you are using local policy, it may be overwritten by group policy.

Try to assign the rights in group policy.

I have seen a similar case, and it says we need to configure audit policies to enable it:
https://social.technet.microsoft.com/Forums/en-US/47833d6a-e6bd-44c5-a59f-5991c783d11b/how-to-let-manage-auditing-and-security-log-properties-add-a-user-and-group-button-enable-?forum=w7itprosecurity

Manage auditing and security log:
https://technet.microsoft.com/en-us/library/Cc957161.aspx?f=255&MSPPError=-2147217396

Best Regards,

Leo

August 24th, 2015 7:40am

Hi,

First, thanks for your answer. I've already configured Audit object access in the Local policy and activated both options (Failure and Success). But the add user option is always deactivated for the policy "Manage auditing and security log".

Regards,

Julie. 

August 24th, 2015 10:03am

Hi Julie,

Have you checked group policy? If it is configured in a GPO, we may not be able to configure it in local policy.

Best Regards,

Leo

August 25th, 2015 1:18am

Hi, 

I checked the group policy but I couldn't find anything interesting about Log Viewer, so I didn't modify it.

I followed this article to create the subscription: http://blogs.technet.com/b/mspfe/archive/2011/11/22/setting_2d00_up_2d00_security_2d00_event_2d00_log_2d00_subscriptions_2d00_with_2d00_windows_2d00_server_2d00_20032008.aspx so I created a GPO named Event Forwarding subscription.

Thanks,

Julie.

August 25th, 2015 8:30am

I strongly suspect WinRM, which is the core component for reading and redirecting logs. WinRM will not impersonate accounts, so you need to understand account permissions and set them accordingly.

Run the command below to understand the permissions set, or run wevtutil on its own, which will give you all the available options:

wevtutil gl <logname>

August 25th, 2015 8:57am
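To make the permission check above concrete, here is an added PowerShell example (not code from this thread) that reads the channelAccess SDDL printed by `wevtutil gl` on a source computer and reports whether the accounts the collector setup relies on (NETWORK SERVICE, and the Event Log Readers group the thread adds accounts to) are granted read on that channel. The channel name and the assumption that it runs elevated on the source are mine.

```powershell
# Added example, not from the thread. Checks the channel ACL a WEF source
# exposes via "wevtutil gl <channel>" for read access by the accounts a
# collector-initiated subscription depends on.
# Assumption: run in an elevated PowerShell on the source computer.
param([string]$Channel = 'Security')

# wevtutil gl prints one "key: value" line per property; channelAccess is the SDDL.
$lines = & wevtutil.exe gl $Channel 2>&1
if ($LASTEXITCODE -ne 0) { throw "wevtutil gl $Channel failed: $lines" }
$sddl = ($lines | Where-Object { $_ -match '^\s*channelAccess:' }) -replace '^\s*channelAccess:\s*', ''
if (-not $sddl) { throw "No channelAccess line found for channel '$Channel'" }

# Parse the SDDL into ACEs. For event log channels, access-mask bit 0x1 is read.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
$ReadMask = 0x1
$wanted = @{
    'S-1-5-20'     = 'NT AUTHORITY\NETWORK SERVICE'   # account the forwarder runs as
    'S-1-5-32-573' = 'BUILTIN\Event Log Readers'      # group the thread adds accounts to
}

$results = foreach ($sid in $wanted.Keys) {
    $allow = $false; $deny = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -ne $sid) { continue }
        if (($ace.AccessMask -band $ReadMask) -eq 0) { continue }
        if ($ace.AceType -eq 'AccessAllowed') { $allow = $true }
        elseif ($ace.AceType -eq 'AccessDenied') { $deny = $true }
    }
    [pscustomobject]@{
        Account = $wanted[$sid]
        Sid     = $sid
        CanRead = ($allow -and -not $deny)   # an explicit deny wins over an allow
    }
}
$results | Format-Table -AutoSize
```

A row with CanRead = False on the Security channel matches the 0x138C "no active channel" state described in the question; the channelAccess SDDL itself can be shown with `wevtutil gl Security` for comparison.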

Hi,

Thanks for your answer, and sorry for the response time.

I just tested this command with the log name; I have the following command: "wevtutil -gl securtiy"

The command prompt (and the PowerShell prompt, I tested both) returned the error that the security command is not supported and that the parameter is incorrect (I have the error in French, I can't copy/paste it here, sorry).

I'm so so so desperate!! :)

Julie.

September 2nd, 2015 12:32pm

Hi Julie,

I suppose we could try to assign the user right using GPO.

Open Group Policy Management Editor, and find the following:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

Best Regards,

September 7th, 2015 2:39am
