Event Log Forwarder - Where is the Audit Failure Type?

Hi There,

I'm trialing Kiwi Syslog and I'm having trouble with the Log Forwarder and Security Event Log.  When I click on the Security Log I don't see Audit Success or Audit Failure as an event type.  It just has Error, Warning and Information.  If I manually edit the CFG file and add <int>16</int> it works, but then it gets overwritten if I make a change.  Am I doing something wrong?  How can I see Audit Failure as an Event Type?

Thanks,

  • Curious if anyone has any updates on this.

    I recently deployed 5 Kiwi servers for log collecting across multiple sites. I have successfully set up the log forwarder at each site, forwarding the necessary logs.

    On every Domain Controller that I've tried to set up Security log forwarding on (8, so far), I get the "Subscribe failed with error 15001, The specified query is invalid." error.

    So far, I've done the following:

    First, tried using only Audit Success / Audit Failure, matching it with the event type (keeping in mind some events are ONLY failures).

    Edited the cfg file to use the string instead of the words "audit success/failure".

    Cleared the evtx file.

    Deleted / recreated the cfg file.

    Created other subscriptions that forward logs successfully.

    Created a "blank" subscription for Security that forwards EVERYTHING over (this worked).

    Reached out to support and was told this was a free product, so they don't support it (even though I have purchased multiple licenses for the Kiwi Syslog servers themselves).
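The two problems in this thread (the original question's missing Audit Success/Audit Failure event types and the hand-added `<int>16</int>`, and the reply's "error 15001, The specified query is invalid" on Security-log subscriptions) come from the same Windows detail: in the legacy event-log API audit outcomes are event types 8 and 16, while in the Vista+ Event Log they are Keywords bits and the events carry Level 0, so a Level/type filter cannot select them. The PowerShell below is an added example written for this page, not code from the thread or from Kiwi Syslog; it builds the Keywords-based XPath filter for a Security subscription and checks whether the Event Log service accepts it before a forwarder is pointed at it. It assumes it is run on the Domain Controller with rights to read the Security log, and it does not touch the Kiwi CFG file, whose format is not shown on this page. Event ID 4625 is used only as an illustrative failed-logon ID.

```powershell
# Added example (not from the thread or from Kiwi Syslog): map the two ways Windows
# expresses "Audit Success"/"Audit Failure" and validate a Security-log filter
# before handing it to a forwarder subscription.

# Legacy (pre-Vista) event-type codes from winnt.h. The "<int>16</int>" the poster
# added by hand is EVENTLOG_AUDIT_FAILURE; Error/Warning/Information are 1/2/4,
# which is why only those three appear in a type-based picker.
$LegacyEventType = @{
    Error        = 1    # EVENTLOG_ERROR_TYPE
    Warning      = 2    # EVENTLOG_WARNING_TYPE
    Information  = 4    # EVENTLOG_INFORMATION_TYPE
    AuditSuccess = 8    # EVENTLOG_AUDIT_SUCCESS
    AuditFailure = 16   # EVENTLOG_AUDIT_FAILURE
}

# Modern (Vista+) Security events carry Level 0 (Log Always), so a Level-based
# filter never distinguishes them. Success/Failure live in the Keywords bitmask:
#   Audit Success = 0x20000000000000 (9007199254740992)
#   Audit Failure = 0x10000000000000 (4503599627370496)
$AuditKeyword = @{
    AuditSuccess = [long]0x20000000000000
    AuditFailure = [long]0x10000000000000
}

function New-AuditXPath {
    # Build a Security-log XPath filter selecting one audit outcome, optionally
    # restricted to specific Event IDs.
    param(
        [ValidateSet('AuditSuccess', 'AuditFailure')] [string]$Outcome,
        [int[]]$EventId = @()   # optional extra restriction, e.g. 4625 (failed logon)
    )
    $idClause = ''
    if ($EventId.Count -gt 0) {
        $parts = $EventId | ForEach-Object { "EventID=$_" }
        $idClause = ' and (' + ($parts -join ' or ') + ')'
    }
    # band() is the bitmask test the Event Log's XPath subset accepts for Keywords
    "*[System[band(Keywords,$($AuditKeyword[$Outcome]))$idClause]]"
}

function Test-EventXPath {
    # Returns $true if the Event Log service accepts the query. A malformed query
    # is rejected with "The specified query is invalid" (Win32 error 15001), the
    # same text the reply above saw from the forwarder's subscription attempt.
    param([string]$XPath)
    try {
        $null = Get-WinEvent -LogName Security -FilterXPath $XPath -MaxEvents 1 -ErrorAction Stop
        return $true
    } catch {
        # A valid query that simply matches nothing is reported as "No events were found"
        if ($_.Exception.Message -match 'No events were found') { return $true }
        Write-Warning "Query rejected: $($_.Exception.Message)"
        return $false
    }
}

$failureQuery  = New-AuditXPath -Outcome AuditFailure
$logonFailures = New-AuditXPath -Outcome AuditFailure -EventId 4625

foreach ($q in $failureQuery, $logonFailures) {
    "{0}  =>  accepted: {1}" -f $q, (Test-EventXPath $q)
}

# The same query can be checked with the built-in tool:
#   wevtutil qe Security /q:"*[System[band(Keywords,4503599627370496)]]" /c:5 /f:text
```

If `Test-EventXPath` returns `$false` for a filter you intend to give the forwarder, fix the XPath before creating the subscription; if it returns `$true` and the forwarder still fails with 15001, the query the forwarder actually submits differs from the one you wrote (for example, a word such as "Audit Failure" where the Keywords bitmask belongs), which is the kind of mismatch the reply above was trying to rule out by editing the CFG file directly.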
