We are trying to do event log forwarding.
On my computer, Windows 10, before I changed anything, this is what I see:
C:\WINDOWS\system32>wevtutil gl security
name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logging:
logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
retention: false
autoBackup: false
maxSize: 102367232
publishing:
fileMax: 1
But in this article, https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/security-event-log-forwarding-fails-error-0x138c-5004
they mention another access identifier:
Value: O:BAG:SYD:(D;; 0xf0007;;;AN)(D;; 0xf0007;;;BG)(A;; 0xf0007;;;SY)(A;; 0x7;;;BA)(A;; 0x7;;;SO)(A;; 0x3;;;IU)(A;; 0x2;;;BA)(A;; 0x2;;;LS)(A;; 0x2;;;NS)(A;; 0x7;;;DA)(A;; 0x1;;;S-1-5-21-xxx-xxx-xxx-xxx)
Questions:
1. How does one interpret these identifiers?
2. What should be deployed to computers for auditing to work - the default value, the value mentioned in the article, both? Can you give me a complete string?
3. Is there / should there, be any difference between workstations and servers?
