Event Log Forwarder - Where is the Audit Failure Type?

Hi There,

I'm trialing Kiwi Syslog and I'm having trouble with the Log Forwarder and Security Event Log. When I click on the Security Log I don't see Audit Success or Audit Failure as an event type. It just has Error, Warning and Information. If I manually edit the CFG file and add <int>16</int> it works, but then it gets overwritten if I make a change. Am I doing something wrong? How can I see Audit Failure as an Event Type?

Thanks,

Parents Reply
  • For the first item, I am working with R&D on formally addressing it, but the workaround is the following.


    Manually edit the CFG file and change

    <keywords>
      <string>Audit Success</string>
      <string>Audit Failure</string>
    </keywords>

    to

    <keywords>
      <string>0x20000000000000</string>
      <string>0x10000000000000</string>
    </keywords>

Children
  • I can confirm that this does not resolve the issue. I was able to resolve the issue by removing the entry for DFS Replication. I hope that helps. Thanks

  • Thanks,

    I had the same issue today. I was thinking of creating a template on one server and using the same on all other machines, but thought to test whether this really works:

    Error:

    Subscription failed with error 15001, the specified query is invalid.

    1. Created a standard subscription (security events)
    2. Stopped the SolarWinds Windows Event Forwarder service
    3. Moved the .cfg file to a new folder
    4. Started the SolarWinds Windows Event Forwarder service; this created a new file.
    5. Stopped the service again
    6. Replaced the newly created file with the one created in step 1 (with the subscription)
    7. Started the service; it started throwing the error
    8. Replaced the following, and it started working with hexadecimal values

    Original values:

    <string>Audit Success</string>
    <string>Audit Failure</string>

    New values:

    <string>0x20000000000000</string>
    <string>0x10000000000000</string>

    Seems to be a bug in version 1.2.0. @SolarWinds, any proper solution to this issue?
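
The keyword substitution described in this thread can be scripted so it can be re-applied after the forwarder UI rewrites the file. The following is an added example, not part of any post and not SolarWinds code; the `<subscription>` and `<name>` elements in the sample and the UTF-8 file encoding are assumptions, and only the `<keywords>`/`<string>` elements and the two hex masks come from the thread.

```python
import re
import shutil

# Name -> keyword mask, exactly as given in the thread's workaround.
KEYWORD_MASKS = {
    "Audit Success": "0x20000000000000",
    "Audit Failure": "0x10000000000000",
}
_KEYWORDS_BLOCK = re.compile(r"<keywords>.*?</keywords>", re.DOTALL)
_STRING_ITEM = re.compile(r"<string>\s*(.*?)\s*</string>", re.DOTALL)

def patch_keywords(cfg_text):
    """Return (patched_text, replacements).

    Only <string> items inside a <keywords> block are rewritten, so the same
    words elsewhere in the file (for example a subscription name) are left
    alone. The rest of the file is preserved character for character.
    """
    count = 0

    def fix_item(match):
        nonlocal count
        mask = KEYWORD_MASKS.get(match.group(1))
        if mask is None:
            return match.group(0)  # already a hex mask, or some other keyword
        count += 1
        return f"<string>{mask}</string>"

    def fix_block(match):
        return _STRING_ITEM.sub(fix_item, match.group(0))

    return _KEYWORDS_BLOCK.sub(fix_block, cfg_text), count

def patch_file(path, encoding="utf-8"):
    """Patch a CFG file in place, keeping a .bak copy. Encoding is an assumption."""
    with open(path, encoding=encoding) as fh:
        patched, count = patch_keywords(fh.read())
    if count:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding=encoding) as fh:
            fh.write(patched)
    return count

# Constructed sample: element names other than <keywords>/<string> are made up.
SAMPLE_CFG = """<subscription>
  <name>Audit Success</name>
  <keywords>
    <string>Audit Success</string>
    <string>Audit Failure</string>
  </keywords>
</subscription>
"""
```

As in the steps above, stop the forwarder service before calling `patch_file` on the real CFG file and start it again afterwards.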