How to collect security logs using event forwarding?
I have 2008 running as event collector in source initiated setup where it collects logs from the client machines.
It's able to collect the system and application logs but it doesn't collect the security logs for some reason.
Subscription configuration:
event logs: application, system, and security
Event level: critical, warning, error
I've tried selecting Information under the event level too, but it still doesn't collect any security events.
Anyone got this working?
Thanks!
May 12th, 2010 3:37am
Hi Admiles,
According to your description, you’ve configured event collector to collect application, system and security logs from the client computers.
However, the security logs cannot be collected.
This occurs because security events are different from other Windows events: they require a special level of authentication/credentials in order to read or forward them. Different configurations are required depending on which Windows platform is installed on the client.
For Windows Vista, Windows Server 2008 and later version of clients, please follow the steps below to configure it.
1. Click Start -> Run, type CompMgmt.msc to open the Computer Management console.
2. Under Local Users and Groups, click Groups -> Event Log Readers to open Event Log Readers Properties.
3. Click Add, then click the Location button, select your computer and click OK.
4. Click the Object Types button, check the Built-in security principals checkbox and click OK.
5. Add the "Network Service" built-in account to the Event Log Readers group.
6. Reboot the client computer.
After these steps have been taken, you will see the security event logs in Forwarded Events on your event collector.
For Windows XP SP2+ client computers, the Windows Remote Management service must run as the Local System account. To do this:
1. Open the Services console under Administrative Tools.
2. Right-click the Windows Remote Management service and click Properties.
3. On the Log On tab, choose Local System account.
Please be aware that this setting has potential security risks.
For Windows Server 2003 client computers, set the registry key CustomerSD under HKLM/SYSTEM/CurrentControlSet/Services/EventLog/Security to O:BAG:SYD:(A;;CC;;;NS).
For more information on the security event forwarding issue, please check the link below.
http://blogs.technet.com/otto/archive/2009/06/22/forwarding-security-events-from-windows-xp-server-2003-and-vista-server-2008.aspx
For more information about Event Subscriptions, please refer to the TechNet article below.
http://technet.microsoft.com/en-us/library/cc749183.aspx
Regards,
Karen Ji
This posting is provided "AS IS" with no warranties, and confers no rights.
May 13th, 2010 12:46pm
Thanks Karen,
About "For Windows Server 2003 client computers, set the registry key CustomerSD under HKLM/SYSTEM/CurrentControlSet/Services/EventLog/Security as O:BAG:SYD:(A;;CC;;;NS)."
The CustomerSD's value is O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)
Do I add the (A;;CC;;;NS) to the existing value to make it
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;CC;;;NS)
or replace the existing value with it to make it
O:BAG:SYD:(A;;CC;;;NS)
May 16th, 2010 10:22pm
Hi Admiles,
Please replace the value of CustomerSD. But remember to back up the registry key before you make the change, in case of failure.
Regards,
Karen Ji
This posting is provided "AS IS" with no warranties, and confers no rights.
May 17th, 2010 4:49am
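To see exactly what the two candidate CustomSD strings in the question and the reply above grant, here is an added Python example (not from this thread or from Microsoft) that parses the DACL part of an SDDL string in the same ACE format as those values and walks it the way the Windows access check does. It assumes exact SID-alias matching only (no group expansion), and uses the documented event-log meaning of the low bits (0x1 read, 0x2 write, 0x4 clear; the SDDL code CC is 0x1).

```python
import re

# Event-log specific access bits; "CC" in SDDL is 0x1, i.e. read for an event log
ELF_READ, ELF_WRITE, ELF_CLEAR = 0x1, 0x2, 0x4

# SDDL two-letter rights abbreviations -> access mask bits
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}

def parse_rights(field):
    """Accept either a hex mask ("0xf0005") or concatenated codes ("CCLC")."""
    if field.startswith("0x"):
        return int(field, 16)
    return sum(SDDL_RIGHTS[field[i:i + 2]] for i in range(0, len(field), 2))

def parse_dacl(sddl):
    """Return [(ace_type, mask, sid_alias), ...] from the D: section, in order."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        f = body.split(";")          # type;flags;rights;objguid;inhguid;sid
        aces.append((f[0], parse_rights(f[2]), f[5]))
    return aces

def access_check(aces, sid, requested):
    """Ordered DACL walk: a matching deny on any outstanding bit loses, allows accumulate."""
    granted = 0
    for ace_type, mask, ace_sid in aces:
        if ace_sid != sid:
            continue
        if ace_type == "D" and mask & (requested & ~granted):
            return False
        if ace_type == "A":
            granted |= mask & requested
            if granted == requested:
                return True
    return False

def readers(sddl):
    """Map every principal named in the DACL to whether it can read the log."""
    aces = parse_dacl(sddl)
    return {sid: access_check(aces, sid, ELF_READ) for _, _, sid in aces}

def explicit_denies(sddl):
    return {sid for ace_type, _, sid in parse_dacl(sddl) if ace_type == "D"}

# Constructed from the three strings quoted in the question above
DEFAULT_2003 = "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)"
APPENDED = DEFAULT_2003 + "(A;;CC;;;NS)"
REPLACED = "O:BAG:SYD:(A;;CC;;;NS)"
```

Running readers() on the three strings shows which principals keep read access and explicit_denies() shows which deny ACEs each candidate still carries, so the choice between appending and replacing can be reviewed before the registry is touched.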
Hello,
I have quite a similar problem with Security event log forwarding. In my case the subscription gets created on the source computer and starts to forward logs to the collector. However, this works only for some time and then it fails with an error. It seems to me that the WS-Man service stops responding, because if I restart it, forwarding works again.
On the source computer an event is generated when the service stops responding:
Event Type: Error
Event Source: EventForwarder-Operational
Event Category: None
Event ID: 102
Date: 12.5.2010
Time: 10:11:36
User: N/A
Computer: SERVER
Description:
The subscription Security Log can not be created. The error code is 8.
While on the collector computer the subscription Runtime Status shows errors:
[server.domain] - Error - Last retry time: 12.5.2010 10:11:36. Code (0x8):
<f:ProviderFault provider="Event collector plugin for Windows Remote Management "
path="%systemroot%\system32\wevtfwd.dll"
xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault">
<t:ProviderError xmlns:t="http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog">Windows Event Forward Plugin failed to create subscription.
</t:ProviderError></f:ProviderFault> Next retry time: 12.5.2010 10:51:36.
OR
[server.domain] - Error - Last retry time: 12.5.2010 10:15:56. Code (0x80338126):
The WinRM client cannot complete the operation within the time specified. Check if the machine name is valid and is reachable
over the network and firewall exception for Windows Remote Management service is enabled. Next retry time: 12.5.2010 10:55:56.
Configuration on the source machine:
WS-Management 1.1 (KB936059) installed
collector computer account is in Local Administrators security group
WINRM listening on port 5985
customSD key created as mentioned in previous posts
Configuration on the collector machine (subscription):
Collector initiated
destination log Forwarded Events
logging particular 36 EventIDs from Security log
listening on port 5985
everything else is DEFAULT
There is no problem with event forwarding from Windows Server 2008 (R2) sources.
Thanks for any kind of advice or guidance,
azarro
May 18th, 2010 11:38am
Hi Azarro,
Could you guide me on how you established event forwarding from Windows 2003 to Windows 2008? I am facing the same issues as you mentioned: the event forwarding is unstable at the moment, and then I get an error saying 'check if WS-Management supports HTTP requests'.
Thanks,
July 4th, 2010 8:06am