Event Forwarding - Security Log Permissions

reuvygroovy 776 Reputation points
2021-06-08T13:53:12.057+00:00

We are trying to do event log forwarding.

On my computer, Windows 10, before I changed anything, this is what I see:

C:\WINDOWS\system32>wevtutil gl security
name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logging:
logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
retention: false
autoBackup: false
maxSize: 102367232
publishing:
fileMax: 1

But in this article, https://learn.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/security-event-log-forwarding-fails-error-0x138c-5004
they mention another access identifier:
Value: O:BAG:SYD:(D;; 0xf0007;;;AN)(D;; 0xf0007;;;BG)(A;; 0xf0007;;;SY)(A;; 0x7;;;BA)(A;; 0x7;;;SO)(A;; 0x3;;;IU)(A;; 0x2;;;BA)(A;; 0x2;;;LS)(A;; 0x2;;;NS)(A;; 0x7;;;DA)(A;; 0x1;;;S-1-5-21-xxx-xxx-xxx-xxx)

Questions:

  1. How does one interpret these identifiers?
  2. What should be deployed to computers for auditing to work - the default value, the value mentioned in the article, both? Can you give me a complete string?
  3. Is there / should there, be any difference between workstations and servers?

Accepted answer
  1. Andy YOU 3,071 Reputation points
    2021-07-08T14:08:50.98+00:00

    HI reuvygroovy,

    "Still not clear how to interpret this string:"
    Here is the answer:

    O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x5;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)(A;;0x2;;;LS)(A;;0x2;;;NS)

    Entry meanings:
    O:BA Object owner is Built-in Admin (BA).
    G:SY Primary group is System (SY).
    D: It's a discretionary access control list (DACL), rather than an audit entry or SACL.
    (D;;0xf0007;;;AN) Deny Anonymous (AN) all access. (1=Read + 2=Write + 4=Clear) (First ACE string in this SDDL).
    (D;;0xf0007;;;BG) Deny Built-in Guests (BG) all access.
    (A;;0xf0005;;;SY) Allow System Read and Clear (1=Read + 4=Clear), including DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).
    (A;;0x7;;;BA) Allow Built-in Admin READ, WRITE, and CLEAR.
    (A;;0x7;;;SO) Allow Server Operators READ, WRITE, and CLEAR.
    (A;;0x3;;;IU) Allow Interactive Users READ and WRITE.
    (A;;0x3;;;SU) Allow Service accounts READ and WRITE.

    2. How do you break up each group (permission, user, etc.)?

    The Security Descriptor Definition Language of Love (Part 1)
    https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-security-descriptor-definition-language-of-love-part-1/ba-p/395202

    The Security Descriptor Definition Language of Love (Part 2)
    https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-security-descriptor-definition-language-of-love-part-2/ba-p/395258

    Fail to write to the Windows event log from an ASP.NET or ASP application
    https://learn.microsoft.com/en-us/troubleshoot/aspnet/fail-write-event-log



2 additional answers

  1. Andy YOU 3,071 Reputation points
    2021-06-24T10:25:57.27+00:00

    HI reuvygroovy,

    1. Are both Win10 and Server 2019 joined to the same AD domain?

    2. How does one interpret these identifiers?
    You can see below an example of the SDDL you'll need for the Security event log. The channelAccess line represents the permissions set on the event log.
    [image 109316-11.png not reproduced]

    3. What should be deployed to computers for auditing to work - the default value, the value mentioned in the article, both? Can you give me a complete string?
    Did you add the host name of the W2019 machine and the NT Network Service account to the "Event Log Readers" group on Win10?

    Security Descriptor Definition Language
    https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language

    Here are two documents for your reference; I am still working on this issue.

    How To Set Up Windows Event Log Forwarding In Windows Server 2016
    https://adamtheautomator.com/windows-event-collector/

    How to set event log security locally or by using Group Policy
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy


  2. Rob Mulder 231 Reputation points
    2023-02-16T14:02:33.7866667+00:00

    The SDDL in this article (https://learn.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/security-event-log-forwarding-fails-error-0x138c-5004) is wrong:

    The SID at the end cannot be there: S-1-5-20

    ConvertFrom-SddlString -Sddl "O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x7;;;DA)(A;;0x1;;;S-1-5-32-573);;; S-1-5-20"

    Gives: Exception calling ".ctor" with "3" argument(s): "The SDDL form of a security descriptor object is invalid."

    You should first read your current SDDL and then add (A;;0x1;;;S-1-5-32-573). That's it.

    With the default value, that would result in:

    O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

    OR: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)

    Explanation:

    (A;;0xf0005;;;SY)        Allow System Read and Clear (1=Read + 4=Clear)

    (A;;0x5;;;BA)            Allow Built-in Admin READ and CLEAR (no WRITE any more)

    (A;;0x1;;;S-1-5-32-573)  Allow Builtin\Event Log Readers READ

    (A;;0x1;;;S-1-5-20)      Allow NetworkService READ

    (A;;0x1;;;NS)            Allow NetworkService READ

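The accepted answer decodes the channelAccess string by hand, and the answer above says to read the current value and append one ACE rather than paste the article's string. Both steps can be done mechanically. The following is an added example, written for this page and not code from Microsoft or from anyone in the thread: a small parser for the `O:...G:...D:(...)` form that `wevtutil gl` prints, a rights decoder, a check that Deny ACEs come before Allow ACEs, and a `grant_read` helper that appends `(A;;0x1;;;<sid>)` only after the input validates. It handles only the hex-mask, DACL-only form seen on this page (no letter-coded rights, SACL or object ACEs), the alias table is my own subset of the well-known SDDL aliases, and the sample strings are copied from the posts above. The string it produces is what you would hand to `wevtutil sl security /ca:"..."`.

```python
"""Decode an event-log channelAccess SDDL string and extend it safely.

Added example for this thread (not Microsoft code). Scope: the hex-mask,
DACL-only form printed by `wevtutil gl <channel>`; letter-coded rights,
SACLs and object ACEs are out of scope and raise ValueError.
"""
import re

# Well-known SID aliases seen in event-log DACLs (my subset; others pass through raw).
ALIASES = {
    "BA": r"Builtin\Administrators",
    "SY": r"NT AUTHORITY\SYSTEM",
    "AN": r"NT AUTHORITY\ANONYMOUS LOGON",
    "BG": r"Builtin\Guests",
    "SO": r"Builtin\Server Operators",
    "IU": r"NT AUTHORITY\INTERACTIVE",
    "LS": r"NT AUTHORITY\LOCAL SERVICE",
    "NS": r"NT AUTHORITY\NETWORK SERVICE",
    "DA": "Domain Admins",
    "S-1-5-32-573": r"Builtin\Event Log Readers",
    "S-1-5-20": r"NT AUTHORITY\NETWORK SERVICE",
}
# Low bits are event-log specific; 0x000f0000 holds the standard rights.
LOG_RIGHTS = {0x1: "READ", 0x2: "WRITE", 0x4: "CLEAR"}
STD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL",
              0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
ACE_TYPES = {"A": "Allow", "D": "Deny"}

_HEAD = re.compile(r"^O:(?P<owner>[A-Z]{2}|S-1-[0-9-]+)"
                   r"G:(?P<group>[A-Z]{2}|S-1-[0-9-]+)"
                   r"D:(?P<flags>[A-Z]*)(?P<body>.*)$")
_ACE = re.compile(r"\(([^()]*)\)")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACE dicts.

    Anything that is not a clean run of (type;flags;rights;object;inherit;sid)
    groups raises ValueError; a stray ';;; S-1-5-20' after the last ')' is
    exactly the kind of leftover this catches.
    """
    m = _HEAD.match(sddl.strip())
    if not m:
        raise ValueError("expected O:<sid>G:<sid>D:<flags>(ace)(ace)...")
    body = m.group("body")
    stray = _ACE.sub("", body).strip()
    if stray:
        raise ValueError(f"text outside any ACE: {stray!r}")
    aces = []
    for raw in _ACE.findall(body):
        fields = [f.strip() for f in raw.split(";")]  # tolerate '(A;; 0x7;;;BA)'
        if len(fields) != 6:
            raise ValueError(f"ACE needs 6 ';'-separated fields: ({raw})")
        ace_type, ace_flags, rights, _obj, _inherit, sid = fields
        if ace_type not in ACE_TYPES:
            raise ValueError(f"unsupported ACE type {ace_type!r}")
        if not rights.lower().startswith("0x"):
            raise ValueError(f"only hex access masks are handled here: {rights!r}")
        aces.append({"type": ace_type, "flags": ace_flags,
                     "mask": int(rights, 16), "sid": sid})
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("flags"), "aces": aces}


def is_valid(sddl):
    """True when parse_sddl accepts the string."""
    try:
        parse_sddl(sddl)
        return True
    except ValueError:
        return False


def rights_names(mask):
    """Expand an access mask into right names; unknown bits are kept as hex."""
    names = [n for bit, n in LOG_RIGHTS.items() if mask & bit]
    names += [n for bit, n in STD_RIGHTS.items() if mask & bit]
    known = sum(LOG_RIGHTS) | sum(STD_RIGHTS)
    if mask & ~known:
        names.append(f"0x{mask & ~known:x}")
    return names


def describe(sddl):
    """Render owner, group and each ACE the way the accepted answer does by hand."""
    p = parse_sddl(sddl)
    lines = [f"Owner: {ALIASES.get(p['owner'], p['owner'])}",
             f"Group: {ALIASES.get(p['group'], p['group'])}"]
    for ace in p["aces"]:
        who = ALIASES.get(ace["sid"], ace["sid"])
        lines.append(f"{ACE_TYPES[ace['type']]} {who}: " + ", ".join(rights_names(ace["mask"])))
    return lines


def is_canonical(sddl):
    """True when every Deny ACE precedes every Allow ACE (the order Windows expects)."""
    types = [a["type"] for a in parse_sddl(sddl)["aces"]]
    return "A" not in types or "D" not in types[types.index("A"):]


def grant_read(sddl, sid="S-1-5-32-573"):
    """Append (A;;0x1;;;sid) unless that principal already has READ allowed.

    The input is validated first, so a malformed string is rejected instead of
    being handed to `wevtutil sl security /ca:` with the typo baked in.
    """
    clean = sddl.strip()
    for ace in parse_sddl(clean)["aces"]:
        if ace["type"] == "A" and ace["sid"] == sid and ace["mask"] & 0x1:
            return clean
    return clean + f"(A;;0x1;;;{sid})"


if __name__ == "__main__":
    # Default Windows 10 value from the question (copied from the wevtutil output above).
    default = "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)"
    print("\n".join(describe(default)))
    print(grant_read(default, "S-1-5-20"))
```

Running it prints the decoded default string and then the same string with `(A;;0x1;;;S-1-5-20)` appended, which is the first of the two results given above; `grant_read(default)` with the Event Log Readers SID returns the input unchanged because that ACE is already present.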