I recently decided to implement this in my lab to see if it was possible. An extra step is required beyond the typical instructions provided by Microsoft.
In this scenario we have a domain controller (DC1) that we want to configure as an event forwarder. We also have a member server computer (SRV1) that we want to configure as an event collector.
Configure Event Forwarding on DC1
1. Enable Windows Remote Management
winrm quickconfig
Note: The quickconfig option is fine because a domain controller usually only has one interface. On computers with multiple interfaces I prefer to use different options so the service only listens on needed IP addresses.
2. Add the computer account of the collector to the “Event Log Readers” builtin local security group.
Note: On a domain controller there is no local "Users and Groups" snap-in, because the builtin groups live in the domain's Builtin container, so you need to do this from something like "Active Directory Users and Computers".
3. Add the SID of the Network Service account to the Channel Access permissions (the SDDL string) of the Security event log.
The reason for doing this is that the Windows Remote Management service runs under the Network Service account, and that account is not granted read access to the Security log by default.
The safe way to perform this step is to first run the following command and determine the current permissions:
wevtutil gl security
By default, the permission is:
O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
In this case, the command to set the required permission is (we simply append the new permission to what was obtained with the previous command):
wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)
Note: S-1-5-20 is the well-known SID for the Network Service account, and 0x1 grants it read access only.
Configure Event Collection on SRV1
1. Configure the Event Collector service
2. Create the event subscription
- Subscription Type: Collector Initiated
- Source: DC1
- Events to collect: In the filter set the “Event logs” field to “Security”
After approximately 15 minutes you should start to see events in the Forwarded Events event log on SRV1. If you don’t see these then try the following:
On DC1, open the Applications and Services Logs -> Microsoft -> Windows -> Eventlog-ForwardingPlugin -> Operational event log and look for Event ID 100. If you are getting Event ID 102 instead, you may need to restart DC1, SRV1, or both.
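The following PowerShell script is an added example, not part of the original post: it automates steps 2 and 3 on DC1 and the Event ID 100/102 check above. It reads the current channel access SDDL with wevtutil instead of assuming the default, only appends the Network Service ACE if it is not already there (so running it twice does not duplicate the entry), and assumes it runs elevated on DC1 with the ActiveDirectory module installed; the collector name SRV1 is taken from the post.

```powershell
# Added example (not from the original post). Assumptions: runs elevated on DC1,
# ActiveDirectory module available, collector computer is named SRV1.
$CollectorName     = 'SRV1'
$NetworkServiceSid = 'S-1-5-20'                     # well-known SID for Network Service
$NewAce            = "(A;;0x1;;;$NetworkServiceSid)" # read-only ACE, same as the post appends

# Step 2: let the collector's computer account read event logs on the DC.
Add-ADGroupMember -Identity 'Event Log Readers' -Members (Get-ADComputer $CollectorName)

# Step 3: read the CURRENT channelAccess SDDL rather than trusting a documented default,
# so any customised ACEs on this DC are preserved.
$current = (wevtutil gl Security | Where-Object { $_ -like 'channelAccess:*' }) -replace '^channelAccess:\s*', ''
if (-not $current) { throw 'Could not read channelAccess from "wevtutil gl Security"' }

if ($current -match [regex]::Escape($NewAce)) {
    Write-Host "Network Service ACE already present, nothing to do: $current"
} else {
    $desired = $current + $NewAce                   # append, exactly as the post does
    wevtutil sl Security /ca:$desired
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
    Write-Host "Security log channel access is now: $desired"
}

# Verification: Event ID 100 in the forwarding plugin log means the subscription is working,
# Event ID 102 means it failed (see the troubleshooting note in the post).
$log = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'
Get-WinEvent -LogName $log -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 100, 102 } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

If the script reports an ACE already present but the collector still receives nothing, check that the subscription on SRV1 names DC1 as the source and that the 15-minute initial delay has passed.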