We are trying to do event log forwarding.
On my computer, Windows 10, before I changed anything, this is what I see:
C:\WINDOWS\system32>wevtutil gl security
But in this article, https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/security-event-log-forwarding-fails-error-0x138c-5004
they mention another access identifier:
Value: O:BAG:SYD:(D;; 0xf0007;;;AN)(D;; 0xf0007;;;BG)(A;; 0xf0007;;;SY)(A;; 0x7;;;BA)(A;; 0x7;;;SO)(A;; 0x3;;;IU)(A;; 0x2;;;BA)(A;; 0x2;;;LS)(A;; 0x2;;;NS)(A;; 0x7;;;DA)(A;; 0x1;;;S-1-5-21-xxx-xxx-xxx-xxx)
1. How does one interpret these identifiers?
2. What should be deployed to computers for auditing to work - the default value, the value mentioned in the article, both? Can you give me a complete string?
3. Is there, or should there be, any difference between workstations and servers?
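
Added example, not part of the original post or of the Microsoft article: a small Python decoder for the SDDL string quoted above, splitting it into owner, group and DACL entries and naming the trustee and rights of each ACE. The function names are hypothetical, and it assumes hexadecimal access masks and no SACL part, as in the quoted string.

```python
import re

# SDDL string quoted in the post above (from the linked Microsoft article).
ARTICLE_SDDL = ("O:BAG:SYD:(D;; 0xf0007;;;AN)(D;; 0xf0007;;;BG)(A;; 0xf0007;;;SY)"
                "(A;; 0x7;;;BA)(A;; 0x7;;;SO)(A;; 0x3;;;IU)(A;; 0x2;;;BA)(A;; 0x2;;;LS)"
                "(A;; 0x2;;;NS)(A;; 0x7;;;DA)(A;; 0x1;;;S-1-5-21-xxx-xxx-xxx-xxx)")

# Two-letter SDDL SID aliases that occur in that string.
SID_ALIASES = {
    "AN": "Anonymous Logon", "BG": "Builtin Guests", "SY": "Local System",
    "BA": "Builtin Administrators", "SO": "Server Operators",
    "IU": "Interactive Users", "LS": "Local Service",
    "NS": "Network Service", "DA": "Domain Admins",
}
# Access mask bits: event-log rights (0x1, 0x2, 0x4), then standard rights.
RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear", 0x10000: "DELETE",
          0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
ACE_TYPES = {"A": "allow", "D": "deny"}

def decode_mask(mask):
    """Return the names of the bits set in an event-log access mask."""
    names = [name for bit, name in RIGHTS.items() if mask & bit]
    unknown = mask & ~sum(RIGHTS)
    if unknown:
        names.append(hex(unknown))  # keep bits this table does not name
    return names

def parse_sddl(sddl):
    """Split O:<owner>G:<group>D:<dacl> and decode each ACE in the DACL."""
    m = re.match(r"O:(.+?)G:(.+?)D:(.*)$", sddl.replace(" ", ""))
    if not m:
        raise ValueError("expected the form O:...G:...D:...")
    owner, group, dacl = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;sid
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type),
                     "trustee": SID_ALIASES.get(sid, sid),
                     "rights": decode_mask(int(rights, 16))})
    return {"owner": SID_ALIASES.get(owner, owner),
            "group": SID_ALIASES.get(group, group), "aces": aces}

if __name__ == "__main__":
    for ace in parse_sddl(ARTICLE_SDDL)["aces"]:
        print(ace["type"], ace["trustee"], ",".join(ace["rights"]))
```

The same function can be run on the `channelAccess` value that `wevtutil gl security` prints, to compare a machine's current descriptor with the one in the article.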