
Event Log Forwarder - Where is the Audit Failure Type?

Hi There,

I'm trialing Kiwi Syslog and I'm having trouble with the Log Forwarder and Security Event Log.  When I click on the Security Log I don't see Audit Success or Audit Failure as an event type.  It just has Error, Warning and Information.  If I manually edit the CFG file and add <int>16</int> it works, but then it gets overwritten if I make a change.  Am I doing something wrong?  How can I see Audit Failure as an Event Type?

Thanks,

  • Great, thanks.  I hope we can get these issues resolved because they are show stoppers for me.

    Case # 783704 - Security Audit Failure bug

    Case # 789329 - Event Log Forwarder stops forwarding

  • For the first item, I am working with R&D on formally addressing it, but the workaround is the following.


    Manually edit the CFG file and change

    <keywords>
    <string>Audit Success</string>
    <string>Audit Failure</string>
    </keywords>

    To

    <keywords>
    <string>0x20000000000000</string>
    <string>0x10000000000000</string>
    </keywords>

  • We're experiencing exactly the same issue. Should I raise a new case or is this already being dealt with? Many thanks.

  • I have the exact same problem and also would like to know if this has been fixed and if a hotfix or a new version has been released.

  • Same problem here and it isn't fixed in the latest version.

    Almost a year has passed and still no solution?

  • I can confirm that this does not resolve the issue.  I was able to resolve the issue by removing the Entry for DFS Replication.  I hope that helps.  Thanks

  • I experienced this problem today, fresh version downloaded. Any updates?

    Server 2012 R2. Receiving the same "Unable to setup Windows Event Log subscribers. Subscribe failed with error 15001, The specified query is invalid."

  • Thanks,

    I had the same issue today. I was thinking of creating a template on one server and using the same on all other machines, but thought I would test whether this really works:

    Error:

    Subscription failed with error 15001, the specified query is invalid.

    1. Created a standard subscription (security events)

    2. Stopped the solarwinds windows event forwarder service

    3. Moved the .cfg file in a new folder

    4. Started the solarwinds windows event forwarder service, this created a new file.

    5. Stopped the service again

    6. Now replaced newly created file with the one created in step 1 (with subscription)

    7. Started the service; it started throwing the error

    8. Replaced the following and it started working with hexadecimal values

    Original values:

    <string>Audit Success</string>
    <string>Audit Failure</string>

    New values:

    <string>0x20000000000000</string>
    <string>0x10000000000000</string>

    Seems to be some bug in version 1.2.0. @Solarwinds, any proper solution to this issue?
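
The keyword substitution from the workaround above, written as a repeatable script because the thread reports the CFG file being overwritten when settings change. This is an added example, not part of the original thread and not SolarWinds code; the function name, the sample fragment and the UTF-8 file encoding are assumptions, and only the `<keywords>`/`<string>` elements and the two hex masks come from the posts.

```python
import re
import sys
from pathlib import Path

# Keyword masks exactly as quoted in the workaround above.
KEYWORD_MASKS = {
    "Audit Success": "0x20000000000000",
    "Audit Failure": "0x10000000000000",
}
KEYWORDS_BLOCK = re.compile(r"(<keywords>)(.*?)(</keywords>)", re.DOTALL)
STRING_ITEM = re.compile(r"<string>(.*?)</string>", re.DOTALL)
HEX_MASK = re.compile(r"0x[0-9A-Fa-f]{1,16}\Z")

# Constructed sample: <subscription> and <other> are hypothetical elements.
SAMPLE_CFG = """<subscription>
  <keywords>
    <string>Audit Success</string>
    <string>Audit Failure</string>
  </keywords>
  <other><string>Audit Failure</string></other>
</subscription>
"""


def fix_keywords(cfg_text):
    """Return (new_text, replaced_names, unknown_values)."""
    replaced, unknown = [], []

    def fix_item(match):
        value = match.group(1).strip()
        if value in KEYWORD_MASKS:
            replaced.append(value)
            return "<string>%s</string>" % KEYWORD_MASKS[value]
        if not HEX_MASK.match(value):
            unknown.append(value)  # neither a known name nor a mask: keep, report
        return match.group(0)

    def fix_block(match):
        # Only <string> items inside a <keywords> block are rewritten.
        body = STRING_ITEM.sub(fix_item, match.group(2))
        return match.group(1) + body + match.group(3)

    return KEYWORDS_BLOCK.sub(fix_block, cfg_text), replaced, unknown


if __name__ == "__main__":
    # Takes the CFG text from a file argument (UTF-8 assumed) or the sample.
    arg = sys.argv[1:]
    src = Path(arg[0]).read_text(encoding="utf-8") if arg else SAMPLE_CFG
    text, done, odd = fix_keywords(src)
    sys.stdout.write(text)
    print("replaced:", done, "unrecognised:", odd, file=sys.stderr)
```

Run it against a copy of the CFG file with the forwarder service stopped, as in the steps above. A second run changes nothing, and any keyword string that is neither a known name nor a hex mask is reported rather than rewritten.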