My Environment:
Windows XP - Client (Workgroup)
Windows Server 2016/2019 - Collector (Domain)
Managed to set up Collector Initiated subscription and successfully forwarding Application and System events. However, when selecting "Security" events to be forwarded, I see the following event in "Microsoft Windows Forwarding Operational logs" of the Client:
The subscription "Name" is created, but one or more channels in the query could not be read at this time.
From various readings understood, that the "user" used for this purpose should be added to the "Event Log Readers" group, but in Windows XP there is no such group. Or can add permission via SDDL in Registry for Security events, but then the CustomSD value is not supported in Windows XP as per https://docs.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
So is it even possible to forward "security logs" from Windows XP?