Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

From Source Windows Server

  • Log on to the source computer (e.g. Windows AD) as administrator, open a command or PowerShell prompt, and run the command below:

PS C:\Users\Administrator>winrm quickconfig

  • To determine the current channel access permissions, run the command below:

PS C:\Users\Administrator>wevtutil get-log security

This outputs the following:

name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1

The Security Identifier (SID) for the Network Service account is S-1-5-20. Add it to the SDDL as shown below using the wevtutil set-log command with the /ca (channel access) parameter to give the account read permission on the Security Event Log.

Now run the following command on each source computer:

PS C:\Users\Administrator>wevtutil set-log security '/ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)'
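The three steps above (read the current channelAccess SDDL, append the Network Service read ACE, apply it with set-log) can be scripted so that the change is checked before it is made and verified afterwards. The script below is an added example written for this article, not Seceon's own tooling: it assumes it is run from an elevated PowerShell prompt on the source computer, that wevtutil is on the PATH, and that the channel name and ACE are the ones given above. It only appends (A;;0x1;;;S-1-5-20) when that ACE is not already present, so running it a second time does not duplicate the entry, and it re-reads the channel afterwards so the result can be confirmed rather than assumed.

```powershell
# Added example (not from the original article): grant the Network Service
# account (S-1-5-20) read access on the Security channel, idempotently.
# Assumptions: elevated PowerShell on the source computer, wevtutil in PATH.

$Channel = 'security'                 # channel name used in the article
$ReadAce = '(A;;0x1;;;S-1-5-20)'      # 0x1 = read; S-1-5-20 = NETWORK SERVICE

# Step 1: read the current channelAccess SDDL from "wevtutil get-log".
$match = wevtutil get-log $Channel | Select-String -Pattern '^channelAccess:\s*(\S+)'
if (-not $match) {
    throw "Could not read channelAccess for channel '$Channel' (are you elevated?)"
}
$current = $match.Matches[0].Groups[1].Value
Write-Host "Current SDDL: $current"

# Step 2: only append the ACE if it is absent, so re-runs are harmless.
if ($current.Contains($ReadAce)) {
    Write-Host 'Network Service read ACE already present; nothing to change.'
}
else {
    $new = $current + $ReadAce
    # Step 3: apply with set-log /ca. Passing "/ca:$new" as one string keeps
    # the parentheses from being interpreted by the shell.
    wevtutil set-log $Channel "/ca:$new"
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil set-log failed with exit code $LASTEXITCODE"
    }
    Write-Host "Applied SDDL: $new"
}

# Step 4: verify by reading the channel back, as the article does with get-log.
$verify = wevtutil get-log $Channel | Select-String -Pattern '^channelAccess:'
if ($verify -and $verify.Line.Contains($ReadAce)) {
    Write-Host 'Verified: Network Service can read the Security channel.'
}
else {
    Write-Warning 'Verification failed: ACE not found after set-log.'
}
```

Note that the existing ACEs are preserved exactly as returned by get-log; the script never rewrites the whole descriptor from a hard-coded string, which matters because the default SDDL can differ between Windows versions.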


After running the set-log security command:

The links below provide more details on how to perform the above steps

https://msdn.microsoft.com/en-us/library/cc748890.aspx

https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2


Ref link: Windows Event Collector Tutorial - Andy's Tech Blog


Seceon Inc. All rights reserved. https://www.seceon.com