Security Event logs - Forwarding from Windows XP to Windows 2016/2019

Question

Security Event logs - Forwarding from Windows XP to Windows 2016/2019

Prasanna N 21

My Environment:
Windows XP - Client (Workgroup)
Windows Server 2016/2019 - Collector (Domain)

Managed to set up Collector Initiated subscription and successfully forwarding Application and System events. However, when selecting "Security" events to be forwarded, I see the following event in "Microsoft Windows Forwarding Operational logs" of the Client:

The subscription "Name" is created, but one or more channels in the query could not be read at this time.

From various readings understood, that the "user" used for this purpose should be added to the "Event Log Readers" group, but in Windows XP there is no such group. Or can add permission via SDDL in Registry for Security events, but then the CustomSD value is not supported in Windows XP as per https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key

So is it even possible to forward "security logs" from Windows XP?

Accepted answer

0 additional answers

Your answer

Answer 1

Anonymous

Hi,

Thanks for posting in Q&A platform.

Please understand, since support for Windows XP has ended from April 8, 2014, we do not have such Windows XP machine to test in our environment.

I think the user should be added to the group Event Log Readers from DC, here is an article for your reference:

Privileges/permissions required for event log collection
Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

Best Regards,
Sunny

----------

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Prasanna N 21 Reputation points

2021-05-26T05:25:45.447+00:00

Thanks for the response. However there is no such group "Event Log Readers" in XP.
Anonymous

2021-05-26T07:30:13.427+00:00

I would suggest you could try to add the specific user to Event Log Readers group from domain controller.
Prasanna N 21 Reputation points

2021-05-26T08:28:34.053+00:00

Just to make it clear. I'm using collector initiated subscription and using Client's built-in admin credential for this subscription. Note: Client is in Workgroup, Collector is in Domain.
Anonymous

2021-05-31T02:24:48.213+00:00

Hi, thanks for your response. This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.

Best Regards,
Sunny
Prasanna N 21 Reputation points

2021-05-31T06:14:04.36+00:00

Thanks for your support, however this is resolved by running WinRM service as a "Local System Account" on the source computer.
Anonymous

2021-05-31T09:06:19.167+00:00

Hi,

Thanks for your update. Glad to hear that your issue has been resolved. If there is anything else we can do for you, please feel free to post in the forum.

You could accept the useful reply as answer if you want to end this thread up.

Have a nice day~

Best Regards,
Sunny

Share via

Security Event logs - Forwarding from Windows XP to Windows 2016/2019

0 additional answers

Your answer