Forwarding Security Events from Windows XP, Server 2003, and Vista/Server 2008

Security events differ from other Windows events in that they require elevated credentials to read or forward. The configuration required depends on which Windows platform is the event source (the "client"). The event collector functionality is only implemented in Windows Vista or Server 2003 R2 (or later).

The following table lists the configuration required on the event source for each platform:

Platform | Configuration Requirement
--- | ---
XP SP2+ | The "Windows Remote Management" service needs to run as "Local System" (make sure you are okay with this elevation; it does have potential security ramifications)
Server 2003 | The "CustomSD" value needs to be set under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security to "O:BAG:SYD:(A;;CC;;;NS)"
Vista, Server 2008, and beyond | Add "Network Service" to the "Event Log Readers" local security group

Note: A popular scenario is forwarding Security events from a Domain Controller in order to get an enterprise-wide view for auditing and security monitoring. Because Domain Controllers tend to generate a large number of Security events, the event forwarding subscription should not request that forwarded events be "rendered": rendering a large number of events consumes a large amount of processing resources on the client. The "ContentFormat" of the subscription needs to be set to "Events" rather than the default "RenderedText". This change can be made via "WECUTIL.EXE", and appears in the subscription XML as:

<ContentFormat>Events</ContentFormat>

Note: In addition, Security events are typically considered time sensitive, and it is desirable to forward them immediately rather than at a set interval. The following "MaxItems" setting for the subscription ensures that events are forwarded as they occur (only valid for "Push" subscriptions):

wecutil ss <subscription name> /cm:Custom /dmi:1
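As an added example (not code from the original article), the source-side steps from the table and the collector-side subscription tuning above, combined into one PowerShell script; the subscription name is an assumed placeholder, and the source-side part must run elevated on the event source.

```powershell
# Added example, not from the original article. Run elevated on the event
# SOURCE; the final block runs on the COLLECTOR. $SubscriptionName is a
# placeholder for your own subscription id.

$os = [System.Environment]::OSVersion.Version

if ($os.Major -ge 6) {
    # Vista / Server 2008 and later: "Event Log Readers" membership gives the
    # WinRM service (running as Network Service) read access to the Security log.
    net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
}
elseif ($os.Major -eq 5 -and $os.Minor -eq 2) {
    # Server 2003 (XP x64 also reports 5.2): grant Network Service read access
    # via the CustomSD value, using the SDDL string from the table.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
    New-ItemProperty -Path $key -Name 'CustomSD' -PropertyType String `
        -Value 'O:BAG:SYD:(A;;CC;;;NS)' -Force | Out-Null
}
elseif ($os.Major -eq 5 -and $os.Minor -eq 1) {
    # XP SP2+: run WinRM as Local System. This is the elevation the table warns
    # about; the service then holds full local privileges.
    sc.exe config WinRM obj= LocalSystem
}

# Restart so the new identity or ACL takes effect, then confirm it is running.
Restart-Service -Name WinRM
Get-Service -Name WinRM | Select-Object Name, Status

# --- On the collector -------------------------------------------------------
$SubscriptionName = 'SecurityFromDCs'   # placeholder, not a real subscription

# Do not render events on the source (/cf:Events) and deliver each event as it
# occurs (/dmi:1); /cm:Custom is required for the custom delivery value to apply.
wecutil ss $SubscriptionName /cf:Events /cm:Custom /dmi:1

# Verify: subscription settings (ContentFormat, DeliveryMaxItems) and the
# per-source runtime status, which shows sources that failed to connect.
wecutil gs $SubscriptionName
wecutil gr $SubscriptionName
```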

More details can be found below: