Security events differ from other Windows events in that reading or forwarding them requires privileges that ordinary event logs do not: the account that reads the Security log on the forwarding client (the event source) must be granted that access explicitly. The configuration needed for this depends on which Windows platform the client is. Event collector functionality is implemented only in Windows Vista, Windows Server 2003 R2 and later.
The following table lists the configuration each client platform needs before its Security log can be forwarded:

Windows XP SP2+ and Server 2003 SP1+ (with the Event Forwarding plug-in linked below):
  - The "Windows Remote Management" service needs to run as "Local System". Make sure you are comfortable with this elevation: the WS-Management listener then runs with full SYSTEM rights on the host, and a bug or compromise in it yields SYSTEM.
  - The "CustomSD" value under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security needs to contain the ACE (A;;CC;;;NS), i.e. "O:BAG:SYD:(A;;CC;;;NS)" when no other ACEs are present. The ACE allows "Network Service" (NS) the SDDL right "CC", which for an event log is the READ right (0x1). CustomSD is the log's complete security descriptor, so append this ACE to any value already present rather than overwriting it; otherwise every other account named in the existing descriptor loses its access.

Windows Vista, Server 2008, and beyond:
  - Add "Network Service" to the "Event Log Readers" local security group (the built-in group with SID S-1-5-32-573). No registry change is needed, and the WinRM service keeps running as "Network Service".
Note: A popular scenario is forwarding Security events from a domain controller to get an enterprise-wide view for auditing and security monitoring. Domain controllers generate a very large number of Security events, so the Event Forwarding subscription should not request that forwarded events be "rendered": rendering the message text for every event consumes a large amount of processing resources on the source computer (the client). Set the subscription's "ContentFormat" to "Events" rather than the default "RenderedText"; this change can be made via "WECUTIL.EXE" or in the subscription XML. With "Events" only the raw event XML is forwarded and the collector renders the text when an event is viewed, which works for Security events from Vista or later sources because the Microsoft-Windows-Security-Auditing provider is present on every Vista or later collector.
Note: In addition, Security events are usually treated as time sensitive, so it is desirable to forward them immediately rather than at a set interval. Setting the subscription's delivery "MaxItems" to 1 (DeliveryMaxItems, the "/dmi" option of WECUTIL.EXE; "/cm:Custom" switches the subscription from the preset delivery modes to custom settings so the value takes effect) ensures that each event is forwarded as it occurs. This is only valid for "Push" subscriptions; with "Pull" delivery the collector polls on a schedule regardless.
wecutil ss <subscription name> /cm:Custom /dmi:1
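The whole procedure in one script, as an added example that is not part of the original page: it applies the table above on each source platform, then creates a push subscription on the collector with the two settings from the notes (ContentFormat "Events", MaxItems 1) and shows the equivalent WECUTIL.EXE commands for an existing subscription. The host names dc01/dc02.example.com, the subscription name DC-Security-Events and the temp file path are assumptions; wecutil, winrm, sc.exe and net.exe are the built-in Windows tools.

```powershell
# Added example (not from the original page). Run in an elevated prompt on the
# machine each section names. Host names, subscription name and file path are assumed.

# ---------- Source: Windows XP SP2+ / Server 2003 SP1+ (WS-Management plug-in) ----------
# 1. The WinRM service must run as Local System (note the elevation this implies).
#    "sc" is a PowerShell alias for Set-Content, so call sc.exe explicitly; sc requires
#    the space after "obj=".
sc.exe config WinRM obj= LocalSystem

# 2. Grant Network Service read access to the Security log. SDDL right "CC" is the
#    event-log READ right (0x1). CustomSD is the log's COMPLETE descriptor, so append
#    the ACE to any existing value instead of overwriting it; only if no value exists
#    yet is the page's full string "O:BAG:SYD:(A;;CC;;;NS)" written as-is.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$ace = '(A;;CC;;;NS)'
$sd  = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if (-not $sd)                  { Set-ItemProperty -Path $key -Name CustomSD -Value "O:BAG:SYD:$ace" }
elseif ($sd -notlike "*$ace*") { Set-ItemProperty -Path $key -Name CustomSD -Value ($sd + $ace) }

# ---------- Source: Windows Vista / Server 2008 and later ----------
# The source's WinRM service (running as Network Service) is the process that reads the
# log and pushes the events, so it needs read access; "Event Log Readers" grants that.
winrm quickconfig -q
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
net localgroup "Event Log Readers"      # check: NT AUTHORITY\NETWORK SERVICE is listed
# Collector-initiated subscriptions connect as the collector's computer account, which
# WinRM on the source only admits if it is a local Administrator (or granted access via
# "winrm configSDDL default"); add it to the source's local Administrators group as well.

# ---------- Collector: Windows Vista / Server 2008 and later ----------
wecutil qc /q    # starts the Windows Event Collector service, enables ForwardedEvents

# Push subscription: ConfigurationMode Custom, MaxItems 1 (forward each event as it
# occurs), ContentFormat Events (no message rendering on the domain controllers).
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DC-Security-Events</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Security log from domain controllers, unrendered, forwarded per event</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>1</MaxItems>
      <MaxLatencyTime>1000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="60000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>dc01.example.com</Address></EventSource>
    <EventSource Enabled="true"><Address>dc02.example.com</Address></EventSource>
  </EventSources>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP 'DC-Security-Events.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding ASCII
wecutil cs $xmlPath

# The same two settings applied after the fact to an existing subscription:
wecutil ss DC-Security-Events /cf:Events
wecutil ss DC-Security-Events /cm:Custom /dmi:1

# Verify: the output should show "ContentFormat: Events" and "DeliveryMaxItems: 1".
wecutil gs DC-Security-Events
```

The XP/2003 section deliberately reads CustomSD before writing it: the page's value is the right one on a log that has no CustomSD yet, but on a system where an administrator has already tightened the descriptor it would silently drop every other ACE. Event Viewer on the collector renders the forwarded Security events from its own copy of the Microsoft-Windows-Security-Auditing message resources, which is why "Events" costs nothing in readability here.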
More details can be found below:
WMI Blog on this topic (adds a little more background info): http://blogs.msdn.com/wmi/archive/2009/04/06/forwarding-security-related-events-from-xp-win2k3-vista-using-winrm-wsman-event-forwarding.aspx
Setting Event Log Security via Group Policy (KB Article): http://support.microsoft.com/default.aspx/kb/323076
Event Forwarding Plug-In for XP SP2+ and Server 2003 SP1+: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=845289ca-16cc-4c73-8934-dd46b5ed1d33