That error code means there is something wrong with one of your subscriptions in the log forwarder, this causes the Log Forwarder Service to not start (it also wont restart if you try)
I found this out the hard way - What I ended up doing was disable ALL subscriptions....then restart the log forwarder service on the client.
Enable ONE subscription on the log forwarder and restart the KIWI log forwarder service again, if it restarts then enable the next subscription, carry on until the service DOESNT restart...
When that happens its because there is something the log forwarder doesn't like about THAT subscription you have enabled...
Armed with this info you then need to go into that subscription, screenshot the event categories (ie security, application etc) you have ticked on the left....and untick ALL the event categories on the left, refer to your screenshot and tick two event categories you had ticked before, save the subscription then restart the service again, if it restarts you can do the same again and tick another 2 event categories....do this till the two events you tick end up making it so the log forwarder service doesn't restart...
You then know ONE of those 2 event categories is the problem....you need to figure out which one (tick one, restart service, if works its the other one) and you need to leave that unticked....
I found out the hard way, so 2012 servers have different events to 2016 and 2019 servers, if I loaded a config file from a 2016 box onto a 2012 box it broke the log forwarder on the 2012 box (service wouldn't restart). I had to do the above to figure out which event the 2012 box didn't like. I have now got 2 diff config files one for 2016/2019 and one for 2012....
Also, keep in mind you can ONLY HAVE 22 event IDs in each subscription, if you have over 22 event Ids in it does the same and wont let you start the service again!
I hope this helps someone, I went through literal hell figuring this out!
