Event Subscription (log forwarding) Security logs not forwarding

gmckfn
gmckfn used Ask the Experts™
on
I have a log server collecting windows event logs from windows servers in my domain.  my log collector is a windows 2012 r2 server.   I created a subscription to collect all event logs....application, security and system.  However non of my security logs are being forwarded.  All I see is application and system.    I tried selecting keywords to include auditing success and failure but when I do this it seems no logs get forwarded.   Anybody else run into this issue???
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Exec Consultant
Distinguished Expert 2018
Commented:
If you want to forward events from the Security Event Log of a DC, you will need to make sure the permissions that the Network Service account has channel access permissions to the Security Event Log. Most of the time, this occurs because the security events (being differently treated) requires a special level of authentication/credentials in order to read or forward these events. Ref https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2 and also catch in short
For Windows Vista, Windows Server 2008 and later version of clients, please follow the steps below to configure it.

1.       Click start->run, type CompMgmt.msc  to open Computer Management Console.
2.       Under Local Users and Groups, click Groups->Event Log Readers to open Event Log Readers Properties.
3.       Click Add, then click Location button, select your computer and click OK.
4.       Click Object Types button, check the checkbox of Build-in security principals and click OK.
5.       Add “Network Service” build-in account to Event Log Readers group.
6.       Reboot the client computer.

After these steps have been taken, you will see the security event logs in the Forwarded Events on your event collector.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/8434ffb3-1621-4bc5-8311-66d88b215886/how-to-collect-security-logs-using-event-forwarding?forum=winservergen

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial