Event Subscription (log forwarding) Security logs not forwarding

I have a log server collecting windows event logs from windows servers in my domain.  my log collector is a windows 2012 r2 server.   I created a subscription to collect all event logs....application, security and system.  However non of my security logs are being forwarded.  All I see is application and system.    I tried selecting keywords to include auditing success and failure but when I do this it seems no logs get forwarded.   Anybody else run into this issue???
gmckfnAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
If you want to forward events from the Security Event Log of a DC, you will need to make sure the permissions that the Network Service account has channel access permissions to the Security Event Log. Most of the time, this occurs because the security events (being differently treated) requires a special level of authentication/credentials in order to read or forward these events. Ref https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2 and also catch in short
For Windows Vista, Windows Server 2008 and later version of clients, please follow the steps below to configure it.

1.       Click start->run, type CompMgmt.msc  to open Computer Management Console.
2.       Under Local Users and Groups, click Groups->Event Log Readers to open Event Log Readers Properties.
3.       Click Add, then click Location button, select your computer and click OK.
4.       Click Object Types button, check the checkbox of Build-in security principals and click OK.
5.       Add “Network Service” build-in account to Event Log Readers group.
6.       Reboot the client computer.

After these steps have been taken, you will see the security event logs in the Forwarded Events on your event collector.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/8434ffb3-1621-4bc5-8311-66d88b215886/how-to-collect-security-logs-using-event-forwarding?forum=winservergen
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.