Versions Compared

On each source computer (e.g. a Windows AD server) from which logs are expected to be forwarded, log on as an administrator and run the following at an elevated command or PowerShell prompt:

PS C:\Users\Administrator> winrm quickconfig


  • To determine the current channel access permissions, run the command below:

PS C:\Users\Administrator> wevtutil get-log security

This outputs the following:

name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1

The Security Identifier (SID) for the Network Service account is S-1-5-20. Add it to the SDDL as shown here, using the wevtutil set-log command with the /ca (channel access) parameter, to give the account read permission (access mask 0x1) on the Security event log.

Now run the following command on each source computer:

PS C:\Users\Administrator> wevtutil set-log security '/ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)'

After running the set-log security command, wevtutil get-log security shows the additional (A;;0x1;;;S-1-5-20) entry at the end of channelAccess.
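The set-log command above pastes a fixed SDDL, which silently drops any ACE a given host already has that differs from the listing. As an added example (not part of the original page), this Python script parses the wevtutil get-log output shown above, checks whether the Network Service SID already holds read (0x1) access, and appends the ACE only when it is missing, so existing entries are preserved. The sample output is constructed from the listing above and the function names are my own; it assumes wevtutil prints hex access masks and no SACL, which is what it does for event log channels.

```python
import re

# Constructed sample: the output of `wevtutil get-log security` shown above.
SAMPLE_OUTPUT = r"""name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1
"""

NETWORK_SERVICE_SID = "S-1-5-20"
READ_MASK = 0x1  # channel access mask bit that grants read on an event log channel
ACE_RE = re.compile(r"\(([^)]*)\)")  # one parenthesised ACE


def channel_access(output: str) -> str:
    """Extract the channelAccess SDDL string from wevtutil get-log output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "channelAccess":
            return value.strip()
    raise ValueError("channelAccess not found in wevtutil output")


def parse_aces(sddl: str):
    """Yield (ace_type, access_mask, sid) for each ACE in the DACL.

    ACE fields are type;flags;rights;object_guid;inherit_object_guid;sid.
    Assumes no SACL ('S:') follows the DACL, as in wevtutil output."""
    dacl = sddl[sddl.index("D:"):]
    for body in ACE_RE.findall(dacl):
        parts = body.split(";")
        yield parts[0], int(parts[2], 16), parts[5]


def has_read(sddl: str, sid: str) -> bool:
    """True if an allow ACE for sid already includes the read bit."""
    return any(t == "A" and m & READ_MASK for t, m, s in parse_aces(sddl) if s == sid)


def grant_read(sddl: str, sid: str) -> str:
    """Append an allow-read ACE for sid, leaving existing ACEs intact; idempotent."""
    return sddl if has_read(sddl, sid) else sddl + f"(A;;0x1;;;{sid})"


def set_log_command(output: str, sid: str = NETWORK_SERVICE_SID) -> str:
    """Build the wevtutil set-log command to run at a PowerShell prompt."""
    return f"wevtutil set-log security '/ca:{grant_read(channel_access(output), sid)}'"


if __name__ == "__main__":
    print(set_log_command(SAMPLE_OUTPUT))
```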

The links below provide more details on how to perform the above steps:

https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2

Ref link: Windows Event Collector Tutorial - Andy's Tech Blog