https://community.splunk.com/t5/Splunk-Search/Windows-Security-events-not-getting-forwarded/m-p/571619#M199190 <P>Running this as a splunk user</P> Wed, 20 Oct 2021 09:16:41 GMT srinivas_gowda 2021-10-20T09:16:41Z https://community.splunk.com/t5/Splunk-Search/Windows-Security-events-not-getting-forwarded/m-p/571598#M199178 <P>Hello team,</P><P>&nbsp;</P><P>I am trying to monitor windows event logs and have installed the universal forwarded with relevant data. I am getting the Application and System logs, however the Security events are not being forwarded. I am adding the inputs.conf details below please let me know what is causing this.</P><P>&nbsp;</P><P><BR />###### OS Logs ######<BR />[WinEventLog://Application]<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0<BR />checkpointInterval = 5<BR /># only index events with these event IDs.<BR />whitelist = 16350-16400<BR />index = default_tier1_idx<BR />renderXml=false</P><P>[WinEventLog://Security]<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0<BR />checkpointInterval = 5<BR /># only index events with these event IDs.<BR />whitelist = 0-10000<BR />index = default_tier1_idx<BR />renderXml=false</P><P>[WinEventLog://System]<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 0<BR />checkpointInterval = 5<BR /># only index events with these event IDs.<BR />whitelist = 7000-7050<BR />index = default_tier1_idx<BR />renderXml=false</P><P>&nbsp;</P><P>Thank you</P> Wed, 20 Oct 2021 07:23:12 GMT https://community.splunk.com/t5/Splunk-Search/Windows-Security-events-not-getting-forwarded/m-p/571598#M199178 srinivas_gowda 2021-10-20T07:23:12Z https://community.splunk.com/t5/Splunk-Search/Windows-Security-events-not-getting-forwarded/m-p/571610#M199184 <P>What user are you running your UF with? Local System? Or any other user?</P><P>Do you get any errors in your UF's log?</P><P>&nbsp;</P> Wed, 20 Oct 2021 08:56:35 GMT https://community.splunk.com/t5/Splunk-Search/Windows-Security-events-not-getting-forwarded/m-p/571610#M199184 PickleRick 2021-10-20T08:56:35Z https://community.splunk.com/t5/Splunk-Search/Windows-Security-events-not-getting-forwarded/m-p/571619#M199190 <P>Running this as a splunk user</P> Wed, 20 Oct 2021 09:16:41 GMT https://community.splunk.com/t5/Splunk-Search/Windows-Security-events-not-getting-forwarded/m-p/571619#M199190 srinivas_gowda 2021-10-20T09:16:41Z https://community.splunk.com/t5/Splunk-Search/Windows-Security-events-not-getting-forwarded/m-p/571623#M199193 <P>OK. So you're using a designated user, created specificaly for the installation of UF, right? This user most probably does not have sufficient permissions to read the Security Event Log.</P><P>The easiest way to grant this user privileges to read all event logs is to add it to the "EventLog readers" local group. But it gives the rights to read ALL event logs which in your case might not be what you want. In order to selectively grant permissions to single event logs, you have to fiddle with registry entries and SDDL (ugly as hell, I admit) - <A href="https://docs.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy" target="_blank">https://docs.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy</A></P> Wed, 20 Oct 2021 09:43:01 GMT https://community.splunk.com/t5/Splunk-Search/Windows-Security-events-not-getting-forwarded/m-p/571623#M199193 PickleRick 2021-10-20T09:43:01Z