• State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 35 replies
  • Subscribers 24 subscribers
  • Views 7996 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Event Log Forwarder - Where is the Audit Failure Type?

ckjtrollen

Hi There,

I'm trialing Kiwi Syslog and I'm having trouble with the Log Forwarder and Security Event Log.  When I click on the Security Log I don't see Audit Success or Audit Failure as an event type.  It just has Error, Warning and Information.  If I manually edit the CFG file and add <int>16</int> it works, but then it gets overwritten if I make a change.  Am I doing something wrong?  How can I see Audit Failure as an Event Type?

Thanks,

Parents
  • 0

    Because of changes in the security event logs starting with Windows 2008, you will find these options under the Keywords section:

    lf.JPG

  • 0 in reply to bkyle

    I have my client setup exactly like that and it doesn't seem to work.  In fact, when I setup a subscription for the Security log the service won't start.  If I delete the subscription it starts again.  Application and System logs work perfectly.

    Here is the error message I get when the service won't start.

    3/19/2015 9:54:38 AM - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15001, The specified query is invalid.

    3/19/2015 9:54:38 AM - Server Initialization Failed.  See previous event messages for reason.

    3/19/2015 9:54:38 AM - SolarWinds Event Log Forwarder for Windows; Service Stopped.

  • 0 in reply to ckjtrollen

    Are you selecting only the Security event log?

  • 0 in reply to bkyle

    Yes, I added it as a separate subscription that only has the Security log.  It appears that it breaks when I add the "Audit Failure" keyword.  If I select nothing for the keywords it works as expected, the service starts and I get everything including success and failure syslogs.  As soon as I add the Audit Failure keyword the service won't start.  Removing it starts again.  One thing to note is that I am running the latest version 1.20.

    Security_Log.jpg

  • 0 in reply to ckjtrollen

    What operating system are you running Log Forwarder on?  I will do some testing.

Reply Children

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.