Forwarding security related events from XP, Win2k3, Vista using WinRM (WSMan) event forwarding
The procedure for forwarding System and Application logs from a WinRM endpoint is described at https://blogs.technet.com/otto/default.aspx
Forwarding Security events additionally requires the following at the endpoint, depending on its OS:
If the endpoint is Vista or WS08: add "Network Service" (the account the WinRM service runs as) to the "Event Log Readers" group. Only a limited set of principals may read the Security log, and members of the "Event Log Readers" group are among them.
If the endpoint is Win2k3 R2: set the CustomSD value under the key HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security to "O:BAG:SYD:(A;;CC;;;NS)". This is needed because Win2k3 has no "Event Log Readers" group. More information can be found at https://support.microsoft.com/kb/323076
If the endpoint is XP SP2+: the WinRM service needs to run as LocalSystem.
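The following PowerShell script is an added example, not code from the original post: it picks the per-OS step above from the endpoint's OS version, applies it, and reports what it found so the result can be checked before a subscription is created. It assumes only PowerShell 2.0-era cmdlets plus net.exe, that it runs elevated on the endpoint, and that any existing CustomSD value carries no SACL ("S:") section; the helper names are this example's own.

```powershell
# Added example (not from the original post): grant the WinRM service account
# read access to the Security log using the per-OS step described above.
# Assumptions: PowerShell 2.0-era cmdlets and net.exe only, run elevated.

$os      = Get-WmiObject Win32_OperatingSystem
$version = [version]$os.Version       # 5.1 = XP, 5.2 = 2003, 6.x = Vista/WS08 and later
$isDC    = ($os.ProductType -eq 2)    # 1 = workstation, 2 = domain controller, 3 = member server

$securityLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$nsReadAce      = '(A;;CC;;;NS)'      # ACE from the post: allow (A) read (CC) to Network Service (NS)

function Grant-EventLogReaders {
    # Vista / WS08: add the WinRM service account (Network Service) to Event Log Readers.
    if ($isDC) {
        # DCs have no local groups; the group lives in the domain's Builtin container.
        Write-Warning 'Domain controller: add NETWORK SERVICE to <domain>\Builtin\Event Log Readers in AD instead.'
        return $false
    }
    $members = net localgroup 'Event Log Readers'
    if ($members -match 'NETWORK SERVICE') {
        Write-Host 'NETWORK SERVICE is already a member of Event Log Readers.'
        return $true
    }
    net localgroup 'Event Log Readers' 'NT AUTHORITY\NETWORK SERVICE' /add | Out-Null
    Write-Host 'Added NT AUTHORITY\NETWORK SERVICE to Event Log Readers.'
    return $true
}

function Set-SecurityLogCustomSD {
    # Win2k3 R2: no Event Log Readers group, so grant read through the CustomSD value.
    # Caveat: CustomSD replaces the log's whole DACL, so an existing value is extended
    # with the Network Service ACE rather than overwritten (assumes no SACL section).
    $current = (Get-ItemProperty -Path $securityLogKey -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    if ($current -and $current.Contains($nsReadAce)) {
        Write-Host "CustomSD already grants read to Network Service: $current"
        return $current
    }
    if ($current) { $new = $current + $nsReadAce } else { $new = 'O:BAG:SYD:' + $nsReadAce }
    Set-ItemProperty -Path $securityLogKey -Name CustomSD -Value $new -Type String
    Write-Host "CustomSD set to: $new"
    return $new
}

function Test-WinRMServiceAccount {
    # XP SP2+: the post requires WinRM to run as LocalSystem; report the current account.
    $svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
    if (-not $svc) { Write-Warning 'WinRM service is not installed.'; return $false }
    Write-Host "WinRM runs as: $($svc.StartName) (state: $($svc.State))"
    return ($svc.StartName -eq 'LocalSystem')
}

if ($version.Major -ge 6) {
    Grant-EventLogReaders | Out-Null
}
elseif ($version.Major -eq 5 -and $version.Minor -eq 2) {
    Set-SecurityLogCustomSD | Out-Null
}
elseif ($version.Major -eq 5 -and $version.Minor -eq 1) {
    if (-not (Test-WinRMServiceAccount)) {
        Write-Warning 'Reconfigure with: sc config WinRM obj= LocalSystem, then restart the service.'
    }
}
else {
    Write-Warning "Unhandled OS version $version; apply the matching step by hand."
}
```

Two points worth keeping in mind when using this: Network Service is shared by several other services on the box, so the Vista/WS08 step gives all of them read access to the Security log, not just WinRM; and on Vista/WS08 the effective channel ACL can be confirmed afterwards with `wevtutil gl Security`, whose channelAccess line shows the resulting SDDL.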
Comments
Anonymous
September 13, 2009
Is there any C++ sample code available for collecting windows events for W2K8 Server or Vista?
Anonymous
March 02, 2010
How can I get security logs from Win2K8 R2 endpoint? Adding "Network Service" to "Event Log Readers" doesn't do the trick. Thanks.
Anonymous
September 13, 2011
Domain Controllers don't have any local groups. How do I set this for Domain Controllers? Bubba
Anonymous
April 10, 2012
Bubba did you ever figure this out?
Anonymous
September 28, 2015
To the point of Bubba and Alpha's question: Rather than local Groups, DCs should be using AD Groups instead of the referenced local groups. e.g. <domain>\Builtin\Event Log Readers