How to set up Windows Security Event Log Forwarding

Михаил Андросов 396 Reputation points
2023-09-21T20:27:13.46+00:00

In a network with multiple Windows Server 2012 servers, I need to configure event forwarding to a dedicated server. To implement this, I configure Windows Event Log Forwarding, collector initiated.

I have made the settings according to the manuals. For implementation, I created a separate account.

Forwarding works, but events from the Security log are not forwarded.

Apparently, additional settings are needed in group policy so that the dedicated user account can read entries from the Security log.

But I didn't find clear and precise setup instructions on the Internet.

I ask for help from knowledgeable people. Which settings need to be configured in group policy?


Accepted answer
    Wesley Li 11,245 Reputation points
    2023-09-26T03:07:53.6933333+00:00

    Hello

    To configure Windows Security Event Log Forwarding, you need to adjust the settings in the Group Policy and the registry. Here are the steps:

    Configure Group Policy:

    Open the Local Group Policy Editor tool (gpedit.msc).

    Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Event Log Service.

    Double-click Security, then in the Settings pane, select Configure log access.

    Configure Registry:

    The security of each log is configured locally through the values in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog.

    For example, the Application log Security Descriptor is configured through the following registry value: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD

    And the System log Security Descriptor is configured through HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD.

    The Security Descriptor for each log is specified by using SDDL syntax.

    Please note that modifying the registry can have serious consequences if done incorrectly. Make sure to back up the registry before making any changes.

    Set event log security locally or via Group Policy - Windows Server | Microsoft Learn

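As an added example (not part of the accepted answer), the following PowerShell script does on one forwarding source what the "Configure log access" policy does centrally: it reads the current channel-access SDDL of the Security log with wevtutil, appends a read ACE (right 0x1) for a given account SID if none is present, and applies it with `wevtutil sl`. The parameter names and the default trustee `NS` (Network Service, the identity the WinRM service runs under) are my assumptions; the question's dedicated account would be passed as its S-1-5-... SID.

```powershell
# Added example, not from the original post or from Microsoft's documentation.
# Run elevated on a source computer. Without -Apply it only shows the change.
param(
    [string]$AccountSid = 'NS',   # SDDL alias or S-1-5-... SID of the account that must read the log
    [switch]$Apply
)

# wevtutil gl prints one "channelAccess: <SDDL>" line among the log settings
[string]$line = (wevtutil gl Security) -match '^channelAccess:'
if (-not $line) { throw 'Could not read channelAccess for the Security log' }
$sddl = ($line -replace '^channelAccess:\s*', '').Trim()

# Allow ACE granting read access (0x1) to the trustee; no write or clear rights
$ace = "(A;;0x1;;;$AccountSid)"

if ($sddl -like "*;;;$AccountSid)*") {
    Write-Host "An ACE for $AccountSid is already present:`n$sddl"
    return
}

# Append the ACE to the DACL; keep any SACL ("S:" section) after it untouched
if ($sddl -match '^(?<dacl>.*?)(?<sacl>S:.*)$') {
    $new = $Matches.dacl + $ace + $Matches.sacl
} else {
    $new = $sddl + $ace
}

Write-Host "Current: $sddl"
Write-Host "New:     $new"

if ($Apply) {
    wevtutil sl Security /ca:"$new"
    # Re-read the setting so the stored value can be compared with $new
    (wevtutil gl Security) -match '^channelAccess:'
}
```

On domain-joined sources the Group Policy setting "Configure log access" overwrites this local value at the next policy refresh, so the same SDDL (with the extra ACE) belongs in that policy for the change to persist.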
