Security Event logs - Forwarding from Windows XP to Windows 2016/2019

Prasanna N 21 Reputation points
2021-05-24T12:16:37.757+00:00

My Environment:
Windows XP - Client (Workgroup)
Windows Server 2016/2019 - Collector (Domain)

I managed to set up a collector-initiated subscription and am successfully forwarding Application and System events. However, when I select "Security" events to be forwarded, I see the following event in the "Microsoft Windows Forwarding Operational" log of the client:

The subscription "Name" is created, but one or more channels in the query could not be read at this time.

From various readings I understood that the "user" used for this purpose should be added to the "Event Log Readers" group, but in Windows XP there is no such group. Alternatively, one can add permission via SDDL in the Registry for Security events, but the CustomSD value is not supported in Windows XP, as per https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key

So is it even possible to forward "security logs" from Windows XP?
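The question turns on whether the account used by the collector-initiated subscription can read the source's Security channel, which is governed by that channel's SDDL (the Event Log Readers group is simply one of the principals normally listed in it). The following PowerShell is an added example, not code from the thread or from Microsoft: it parses a channel-access SDDL and reports which principals hold read, write or clear rights, so an administrator can verify the forwarding account's access on a source before chasing subscription errors. It assumes a Windows Vista/Server 2008 or later source (where `wevtutil gl <Log>` prints the descriptor as `channelAccess:`; on hosts that honour CustomSD the same string is stored under `HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<Log>\CustomSD`). The function names and the sample SDDL are my own; the sample is a constructed value resembling a default Security-channel descriptor.

```powershell
# Added example (not from the thread): decode who can read an event log channel.
# Assumes Windows Vista/Server 2008 or later for the live path (wevtutil); the
# SDDL parsing itself runs anywhere .NET is available.

# Access-mask bits documented for event log channel SDDLs.
$script:ChannelRead  = 0x1
$script:ChannelWrite = 0x2
$script:ChannelClear = 0x4

function Get-EventLogChannelAccess {
    # Parse an SDDL string and emit one object per ACE with the rights decoded.
    param([Parameter(Mandatory)] [string] $Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID (other domain, deleted account)
        $allowed = $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed
        [pscustomobject]@{
            Principal = $name
            Sid       = $sid.Value
            Allowed   = $allowed
            Read      = (($ace.AccessMask -band $script:ChannelRead)  -ne 0)
            Write     = (($ace.AccessMask -band $script:ChannelWrite) -ne 0)
            Clear     = (($ace.AccessMask -band $script:ChannelClear) -ne 0)
        }
    }
}

function Get-LiveChannelSddl {
    # Read the current SDDL of a channel from wevtutil on this host (Vista+ only).
    param([string] $Channel = 'Security')
    foreach ($line in (wevtutil gl $Channel)) {
        if ($line -match '^channelAccess:\s*(\S+)') { return $Matches[1] }
    }
    throw "No channelAccess line found for channel '$Channel'"
}

function Test-ChannelRead {
    # True when the SID has an explicit allow-read ACE and no deny-read ACE.
    # Group membership is NOT expanded: an account that reads via Event Log
    # Readers shows up only through the group's SID (S-1-5-32-573).
    param([Parameter(Mandatory)] [string] $Sddl,
          [Parameter(Mandatory)] [string] $Sid)
    $aces  = Get-EventLogChannelAccess -Sddl $Sddl | Where-Object { $_.Sid -eq $Sid }
    $deny  = $aces | Where-Object { (-not $_.Allowed) -and $_.Read }
    $allow = $aces | Where-Object { $_.Allowed -and $_.Read }
    return ((-not $deny) -and [bool]$allow)
}

# Constructed sample resembling a default Security-channel descriptor:
# SYSTEM full control, Administrators read+clear, Event Log Readers read.
$sampleSddl = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'

Get-EventLogChannelAccess -Sddl $sampleSddl | Format-Table -AutoSize
Test-ChannelRead -Sddl $sampleSddl -Sid 'S-1-5-32-573'   # Event Log Readers
Test-ChannelRead -Sddl $sampleSddl -Sid 'S-1-5-20'       # NETWORK SERVICE

# On a real Vista+ source, check the live descriptor instead of the sample:
# Get-EventLogChannelAccess -Sddl (Get-LiveChannelSddl -Channel 'Security')
```

With the sample descriptor, the Event Log Readers SID is reported as having read access and NETWORK SERVICE is not listed at all, which is the shape of the gap the original question describes: on a platform without the group and without CustomSD support there is no standard way to grant that read right. On the collector, `wecutil gr <SubscriptionName>` shows the per-source runtime status and last error of a subscription, which is the quickest way to confirm whether a channel-access problem on one source is what is holding it up.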


Accepted answer
Sunny Qi 10,886 Reputation points Microsoft Vendor
2021-05-25T08:38:35.917+00:00

Hi,

Thanks for posting in the Q&A platform.

Please understand that, since support for Windows XP ended on April 8, 2014, we do not have such a Windows XP machine to test in our environment.

I think the user should be added to the Event Log Readers group from the DC; here is an article for your reference:

Privileges/permissions required for event log collection
Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

Best Regards,
Sunny

----------

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

