Security Logon/Logoff events are "Audit Success" or "Audit Failure" event types. I'd recommend that you check your Event Log Subscription in Log Forwarder, and make sure that if you are subscribing to the Security event log, the Audit Success and Audit Failure event type checkboxes (at the top of the subscription config window) are checked.
As for the choice of which Syslog Facility to use, it doesn't really matter too much - whichever one you select corresponds to what will appear in Kiwi Syslog Server's Priority field (in the KSS display grid for instance).
For example, if you choose a facility of "Security/authorization messages", then Logon/Logoff events that get forwarded by Log Forwarder to Kiwi Syslog on that facility, are displayed in Kiwi Syslog Server as Priority "Auth.Notice". "Auth" - corresponding to the "Security/authorization" facility, and "Notice" the alert level of the message (Notice is the default syslog level for Audit Success event types).
If you've set up Log Forwarder to subscribe to Security Events and have selected Audit Success/Failure event types in the subscription, and you want to test that the subscription is working correctly, you'll need to simulate a Logon Event manually. Unfortunately, you won't be able to use the "Test" facility in Log forwarder to do this, because 3rd party applications (including Log Forwarder) are forbidden by Windows from writing events to the Security event log directly.
So if you want to test the Security event log subscription for a LogOn event, you can get Windows to generate one by using the following command:
RunAs /user:testuser C:\Windows\Notepad.exe
If you have a local user named 'testuser' you will be prompted for a password and then Notepad will run in that user's security context, and Windows will generate a "Security: Successful Logon, User Name: testuser" event - which will be forwarder by Log Forwarder to Kiwi Syslog Server as "Auth.Notice Security Successful Logon 'testuser'".
You should get some LogOff events after you close notepad as well.
BTW, the RunAs should work just as well for a domain user.
Thanks for the update, Kuz...this seemed to help...