The procedure for forwarding System and Application logs from a given WinRM endpoint can be found at https://blogs.technet.com/otto/default.aspx
In order to forward Security events, the following needs to be done at the endpoint, depending on its OS:
If the endpoint is Vista or WS08: add "Network Service" to the "Event Log Readers" group. Only a limited set of principals may read events from the Security log, and the "Event Log Readers" group is one of them.
If the endpoint is Win2k3 R2: set the CustomSD value under "HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security" to "O:BAG:SYD:(A;;CC;;;NS)". This is needed because Win2k3 has no Event Log Readers group. More info can be found at https://support.microsoft.com/kb/323076
If the endpoint is XP SP2+: the WinRM service needs to be running as LocalSystem.
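The following PowerShell script is an added example, not part of the original post: it audits whether an endpoint already satisfies the prerequisite for its OS (group membership on Vista/WS08+, the CustomSD ACE on Win2k3, the WinRM service account on XP) without changing anything. It assumes an elevated session on the endpoint itself; the well-known SID S-1-5-20 for Network Service and the CC=0x1 read bit come from the Windows documentation referenced above.

```powershell
# Added example, not part of the original post: read-only audit of whether this
# endpoint already meets the prerequisite for its OS. Assumes it runs in an
# elevated PowerShell session on the endpoint itself.
function Test-SecurityLogForwardingPrereq {
    $ns = [System.Security.Principal.SecurityIdentifier]'S-1-5-20'  # NT AUTHORITY\NETWORK SERVICE
    $os = [Environment]::OSVersion.Version

    if ($os.Major -ge 6) {
        # Vista / WS08 and later: Network Service must be in "Event Log Readers".
        # The WinNT ADSI provider also works on old PowerShell versions; on a DC
        # "." resolves to the domain's Builtin group (see the last comment below).
        $group   = [ADSI]"WinNT://./Event Log Readers,group"
        $members = @($group.Invoke("Members")) | ForEach-Object {
            $raw = $_.GetType().InvokeMember("objectSid", "GetProperty", $null, $_, $null)
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        }
        return [bool]($members | Where-Object { $_ -eq $ns })
    }

    if ($os.Major -eq 5 -and $os.Minor -eq 1) {
        # XP SP2+: no group and no CustomSD route; WinRM itself must run as LocalSystem.
        $svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
        return ($svc -ne $null -and $svc.StartName -eq 'LocalSystem')
    }

    # Win2k3 (5.2): the Security log's CustomSD must carry an allow ACE for NS
    # with the CC bit (0x1), which for event logs means read (KB323076).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
    $sddl = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    if (-not $sddl) { return $false }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.KnownAce] -and
            $ace.AceType -eq 'AccessAllowed' -and
            $ace.SecurityIdentifier -eq $ns -and
            ($ace.AccessMask -band 0x1)) {
            return $true
        }
    }
    return $false
}

if (Test-SecurityLogForwardingPrereq) { 'OK: Network Service can read the Security log' }
else { 'Not configured: apply the step above for this OS' }
```

Running it before enabling the forwarding subscription tells you which of the three steps above is still missing on that host.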
Comments
Anonymous
September 13, 2009
Is there any C++ sample code available for collecting Windows events for W2K8 Server or Vista?

Anonymous
March 02, 2010
How can I get security logs from a Win2K8 R2 endpoint? Adding "Network Service" to "Event Log Readers" doesn't do the trick. Thanks.

Anonymous
September 13, 2011
Domain Controllers don't have any local groups. How do I set this for Domain Controllers? Bubba

Anonymous
April 10, 2012
Bubba, did you ever figure this out?

Anonymous
September 28, 2015
To the point of Bubba and Alpha's question: Rather than local Groups, DCs should be using AD Groups instead of the referenced local groups. e.g. <domain>\Builtin\Event Log Readers