How to collect security logs using event forwarding?
I have 2008 running as event collector in source initiated setup where it collects logs from the client machines. It's able to collect the system and application logs but it doesn't collect the security logs for some reason. Subscription configuration: event logs: application, system, and security Event level: critical, warning, error I've tried selecting information under the event level but still doesn't collect any security events. Anyone got this working? Thanks!
May 12th, 2010 3:37am
Hi Admiles, According to your description, you’ve configured event collector to collect application, system and security logs from the client computers. However, the security logs cannot be collected. This occurs because the security events are different from other Windows events as they require a special level of authentication/credentials in order to read or forward these events. Different configurations are required depending on which Windows platform is installed on the client. For Windows Vista, Windows Server 2008 and later version of clients, please follow the steps below to configure it. 1. Click start->run, type CompMgmt.msc to open Computer Management Console. 2. Under Local Users and Groups, click Groups->Event Log Readers to open Event Log Readers Properties. 3. Click Add, then click Location button, select your computer and click OK. 4. Click Object Types button, check the checkbox of Build-in security principals and click OK. 5. Add “Network Service”build-in account to Event Log Readers group. 6. Reboot the client computer. After these steps have been taken, you will see the security event logs in the Forwarded Events on your event collector. For Windows XP SP2+ client computers, Windows Remote Management service must be run by Local System Account. To do this, 1. Open Services console under Administrative Tools. 2. Right click Windows Remote Management service and click on properties. 3. On Log On tab, choose Local System Account. Please be aware that this setting has potential security risks. For Windows Server 2003 client computers, set the registry key CustomerSD under HKLM/SYSTEM/CurrentControlSet/Services/EventLog/Security as O:BAG:SYD:(A;;CC;;;NS). For more information on Security Events Forwarding issue, please check the link below. http://blogs.technet.com/otto/archive/2009/06/22/forwarding-security-events-from-windows-xp-server-2003-and-vista-server-2008.aspx For more information about Event Subscriptions, please refer to the TechNet article below. http://technet.microsoft.com/en-us/library/cc749183.aspx Regards, Karen Ji This posting is provided "AS IS" with no warranties, and confers no rights.
May 13th, 2010 12:46pm
Thanks Karen, About "For Windows Server 2003 client computers, set the registry key CustomerSD under HKLM/SYSTEM/CurrentControlSet/Services/EventLog/Security as O:BAG:SYD:(A;;CC;;;NS)." The CustomerSD's value is O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA) Do I add the (A;;CC;;;NS) to the exsting to make it O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;CC;;;NS) or replace the existing with it to make it O:BAG:SYD:(A;;CC;;;NS)
May 16th, 2010 10:22pm
Hi Admiles, Please replace the value of CustomerSD. But remember to backup the registry key before you make the change in case of the failure. Regards, Karen Ji This posting is provided "AS IS" with no warranties, and confers no rights.
May 17th, 2010 4:49am
Hello, I have quite similar problem with Security Event Logs forwarding. In my case the subscription gets created on the source computer and starts to forward logs to the collector. However this works only for some time and then it fails with error. It seems to me that the WS-Man service stops responding, because if I reset it, forwarding works again.. on the source computer an event is generated, when the service stops responding: Event Type: Error Event Source: EventForwarder-Operational Event Category: None Event ID: 102 Date: 12.5.2010 Time: 10:11:36 User: N/A Computer: SERVER Description: The subscription Security Log can not be created. The error code is 8. While on the collector computer the subscription Runtime Status shows errors: [server.domain] - Error - Last retry time: 12.5.2010 10:11:36. Code (0x8): <f:ProviderFault provider="Event collector plugin for Windows Remote Management " path="%systemroot%\system32\wevtfwd.dll" xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault"> <t:ProviderError xmlns:t="http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog">Windows Event Forward Plugin failed to create subscription. </t:ProviderError></f:ProviderFault> Next retry time: 12.5.2010 10:51:36. OR [server.domain] - Error - Last retry time: 12.5.2010 10:15:56. Code (0x80338126): The WinRM client cannot complete the operation within the time specified. Check if the machine name is valid and is reachable over the network and firewall exception for Windows Remote Management service is enabled. Next retry time: 12.5.2010 10:55:56. Configuration on the source machine WS-Management 1.1 (KB936059) installed collector computer account is in Local Administrators security group WINRM listening on port 5985 customSD key created as mentioned in previous posts Configuration on the collector machine - subscription Collector initiated destination log Forwarded Events logging particular 36 EventIDs from Security log listening on port 5985 everything else is DEFAULT There is no problem in event forwarding on Windows Server 2008(R2). Thanks for any kind of advice or guidance, azarro
May 18th, 2010 11:38am
Hi Azarro, Could you guide me on how you established the eventforwarding from windows 2003 to windows 2008? I am facing the same issues as you mentioned, the event forwarding is unstable at the moment..and then i get an error saying 'check if WS-Management supports HTTP requests' Thanks,
July 4th, 2010 8:06am