How to collect security logs using event forwarding?
I have 2008 running as event collector in source initiated setup where it collects logs from the client machines.
It's able to collect the system and application logs but it doesn't collect the security logs for some reason.
Subscription configuration:
event logs: application, system, and security
Event level: critical, warning, error
I've tried selecting information under the event level but still doesn't collect any security events.
Anyone got this working?
Thanks!
May 12th, 2010 3:37am
Hi Admiles,
According to your description, you’ve configured the event collector to collect application, system and security logs from the client computers. However, the security logs cannot be collected.
This occurs because the security events are different from other Windows events: they require a special level of authentication/credentials in order to read or forward these events. Different configurations are required depending on which Windows platform is installed on the client.
For Windows Vista, Windows Server 2008 and later versions of clients, please follow the steps below to configure it.
1. Click Start -> Run, type CompMgmt.msc to open the Computer Management console.
2. Under Local Users and Groups, click Groups -> Event Log Readers to open Event Log Readers Properties.
3. Click Add, then click the Location button, select your computer and click OK.
4. Click the Object Types button, check the checkbox of Built-in security principals and click OK.
5. Add the “Network Service” built-in account to the Event Log Readers group.
6. Reboot the client computer.
After these steps have been taken, you will see the security event logs in the Forwarded Events on your event collector.
For Windows XP SP2+ client computers, the Windows Remote Management service must be run by the Local System account. To do this:
1. Open the Services console under Administrative Tools.
2. Right-click the Windows Remote Management service and click Properties.
3. On the Log On tab, choose Local System Account.
Please be aware that this setting has potential security risks.
For Windows Server 2003 client computers, set the registry key CustomerSD under HKLM/SYSTEM/CurrentControlSet/Services/EventLog/Security to O:BAG:SYD:(A;;CC;;;NS).
For more information on the Security Events Forwarding issue, please check the link below.
http://blogs.technet.com/otto/archive/2009/06/22/forwarding-security-events-from-windows-xp-server-2003-and-vista-server-2008.aspx
For more information about Event Subscriptions, please refer to the TechNet article below.
http://technet.microsoft.com/en-us/library/cc749183.aspx
Regards,
Karen Ji
This posting is provided "AS IS" with no warranties, and confers no rights.
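The Vista/2008 part of the reply above, applied and checked from a script. This is an added example and not code from the thread; it assumes an elevated PowerShell session on the forwarding client (Windows Server 2008 or later) and uses net.exe because Add-LocalGroupMember does not exist on that platform. The group name, account name and service names are the ones the reply refers to.

```powershell
# Added example (not from the thread): apply and verify the Event Log Readers step on a source computer.
# Assumes an elevated PowerShell session on the forwarding client (Server 2008 / PowerShell 2.0 or later).
$group  = 'Event Log Readers'
$member = 'NT AUTHORITY\NETWORK SERVICE'   # the built-in account WinRM runs under; it reads the log for the collector

# Parse 'net localgroup <name>' output: members are listed one per line between the dashed rule
# and the "completed successfully" trailer.
function Get-LocalGroupMemberNames([string]$GroupName) {
    $inList = $false
    foreach ($line in (& net localgroup $GroupName 2>&1)) {
        $text = "$line".Trim()
        if ($text -match '^-{10,}$') { $inList = $true; continue }
        if ($text -match 'completed successfully') { break }
        if ($inList -and $text) { $text }
    }
}

$members = @(Get-LocalGroupMemberNames $group)
if ($members -contains $member) {
    Write-Host "'$member' is already a member of '$group'."
} else {
    Write-Host "Adding '$member' to '$group' ..."
    & net localgroup $group $member /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }
    Write-Host "Done. Step 6 of the reply (reboot) still applies so the new membership takes effect."
}

# The collector reaches this client over WS-Management, so confirm the WinRM service and its listener.
$winrm = Get-Service -Name WinRM
Write-Host "WinRM service: $($winrm.Status)"
if ($winrm.Status -ne 'Running') { Write-Warning "WinRM is not running; 'winrm quickconfig' sets up the service and listener." }
& winrm enumerate winrm/config/listener
try {
    Test-WSMan -ComputerName localhost | Out-Null
    Write-Host 'WS-Management answered on localhost.'
} catch {
    Write-Warning "WS-Management did not answer on localhost: $($_.Exception.Message)"
}

# Finally, prove the Security log is readable on this machine at all. This runs as the elevated user,
# not as NETWORK SERVICE, so it shows the log is healthy, not that the group membership works.
Get-WinEvent -LogName Security -MaxEvents 3 | Select-Object TimeCreated, Id, ProviderName
```

Run it once before and once after the reboot: the first run reports the membership change, the second should show the account already present and the listener answering, which is the state the collector needs before Security events can appear under Forwarded Events.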
May 13th, 2010 12:46pm
Thanks Karen,
About "For Windows Server 2003 client computers, set the registry key CustomerSD under HKLM/SYSTEM/CurrentControlSet/Services/EventLog/Security as O:BAG:SYD:(A;;CC;;;NS)."
The CustomerSD's value is O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)
Do I add the (A;;CC;;;NS) to the existing value to make it
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;CC;;;NS)
or replace the existing value with it to make it
O:BAG:SYD:(A;;CC;;;NS)
May 16th, 2010 10:22pm
Hi Admiles,
Please replace the value of CustomerSD. But remember to back up the registry key before you make the change, in case of failure.
Regards,
Karen Ji
This posting is provided "AS IS" with no warranties, and confers no rights.
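The two candidate values from the exchange above, decoded so the reader can see which principals each one grants access to before anything is written. This is an added example, not code from the thread. It decodes the access mask with the documented event log meaning of the low bits (0x1 read, 0x2 write, 0x4 clear) and the standard SDDL abbreviations; the decoding part runs on any machine with PowerShell, and only the Get-SecurityLogCustomSd helper (which backs up the key with reg.exe first, as the reply advises) is meant for the 2003 client. The thread writes the value name as CustomerSD; the helper reads the registry value named CustomSD, which is the name Microsoft documents for this mechanism.

```powershell
# Added example (not from the thread): decode CustomSD-style SDDL strings for the Security event log.
$trustees = @{
    'AN' = 'Anonymous'; 'BG' = 'BUILTIN\Guests'; 'BA' = 'BUILTIN\Administrators'
    'SY' = 'LOCAL SYSTEM'; 'NS' = 'NETWORK SERVICE'; 'LS' = 'LOCAL SERVICE'
    'AU' = 'Authenticated Users'; 'WD' = 'Everyone'; 'BU' = 'BUILTIN\Users'
}
# Two-letter SDDL rights map onto the same low-order bits the event log service interprets as read/write/clear.
$rightCodes = @{ 'CC' = 0x1; 'DC' = 0x2; 'LC' = 0x4 }
# Ordered (bit, name) pairs; a plain hashtable would not keep order on PowerShell 2.0.
$bitNames = @(
    @(0x1, 'Read'), @(0x2, 'Write'), @(0x4, 'Clear'),
    @(0x10000, 'Delete'), @(0x20000, 'ReadControl'), @(0x40000, 'WriteDac'), @(0x80000, 'WriteOwner')
)

function Convert-AccessMask([string]$Field) {
    if ($Field -match '^0x[0-9a-f]+$') { return [int]$Field }   # hex literal such as 0xf0007
    $mask = 0
    for ($i = 0; $i -lt $Field.Length; $i += 2) {               # two-letter codes such as CC or CCDC
        $code = $Field.Substring($i, 2)
        if (-not $rightCodes.ContainsKey($code)) { throw "SDDL right '$code' is not one this example decodes" }
        $mask = $mask -bor $rightCodes[$code]
    }
    $mask
}

function Convert-EventLogSddl([string]$Sddl) {
    # Expected shape: O:<owner>G:<group>D:(ace)(ace)...  with ace = type;flags;rights;objguid;inhguid;trustee
    if ($Sddl -notmatch '^O:(?<owner>[A-Z]{2})G:(?<group>[A-Z]{2})D:(?<dacl>(\([^)]*\))+)$') {
        throw "Not a CustomSD-style SDDL string: $Sddl"
    }
    $dacl = $Matches['dacl']
    foreach ($ace in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $parts = $ace.Groups[1].Value.Split(';')
        if ($parts.Count -ne 6) { throw "Malformed ACE $($ace.Value)" }
        $mask  = Convert-AccessMask $parts[2]
        $names = @()
        foreach ($pair in $bitNames) { if ($mask -band $pair[0]) { $names += $pair[1] } }
        $sid  = $parts[5]
        $who  = $sid
        if ($trustees.ContainsKey($sid)) { $who = $trustees[$sid] }
        $type = 'Deny'
        if ($parts[0] -eq 'A') { $type = 'Allow' }
        New-Object PSObject -Property @{
            Type = $type; Trustee = $who; Mask = ('0x{0:x}' -f $mask); Rights = ($names -join ', ')
        }
    }
}

# The three strings from the thread: the existing value, the appended variant, and the replacement.
$current  = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)'
$appended = $current + '(A;;CC;;;NS)'
$replaced = 'O:BAG:SYD:(A;;CC;;;NS)'
foreach ($pair in @(@('current', $current), @('appended', $appended), @('replaced', $replaced))) {
    "== $($pair[0]) =="
    Convert-EventLogSddl $pair[1] | Format-Table Type, Trustee, Mask, Rights -AutoSize
}

# For the 2003 client: export the key first (as the reply advises), then read and decode what is there now.
# The backup path is illustrative; CustomSD is the documented value name (the thread spells it CustomerSD).
function Get-SecurityLogCustomSd {
    $key    = 'HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security'
    $backup = Join-Path $env:TEMP 'EventLog-Security-before-CustomSD-change.reg'
    & reg export $key $backup /y | Out-Null
    Write-Host "Key exported to $backup"
    $value = (Get-ItemProperty -Path "Registry::$key" -Name CustomSD -ErrorAction Stop).CustomSD
    Write-Host "Current CustomSD: $value"
    Convert-EventLogSddl $value | Format-Table Type, Trustee, Mask, Rights -AutoSize
}
# Get-SecurityLogCustomSd   # uncomment on the client; everything above runs anywhere PowerShell is installed
```

In the decoded output, (A;;CC;;;NS) comes out as Allow, NETWORK SERVICE, mask 0x1, Read, which is the single right the forwarding account needs. The "current" and "appended" tables also list the deny entries for Anonymous and Guests and the allow entries for LOCAL SYSTEM (0xf0005: Read, Clear plus the standard rights) and Administrators (0x5: Read, Clear); the "replaced" table lists only the NETWORK SERVICE entry, so keeping the exported .reg file makes it straightforward to restore the original entries if they are wanted back.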
May 17th, 2010 4:49am
Hi Azarro,
Could you guide me on how you established the event forwarding from Windows 2003 to Windows 2008? I am facing the same issues as you mentioned; the event forwarding is unstable at the moment, and then I get an error saying 'check if WS-Management supports HTTP requests'.
Thanks,
July 4th, 2010 8:06am
Hi Karen, thank you for the answer.
I have a Win 2008 R2 configured as event collector and a joined Win 2008 R2 client as forwarding computer.
I performed the steps you described but the problem still exists, and all events are forwarded to the server other than the Security logs.
What should I do?
February 22nd, 2012 6:11am