kingstonen
I have set up forwarding of MS Windows Server 2012 Security (Microsoft Windows Security Auditing) event logs to another MS Windows 2012 server (Event Collector).
The Event Collector displays the message of the Forwarded Event without information.
The General view for the Forwarded Event will display the following:
An account was successfully logged on.
Subject:
Security ID: S-1-5-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: %21
New Logon:
Security ID: %5
Account Name: %6
Account Domain: %7
Logon ID: %8
Logon GUID: %13
Process Information:
Process ID: %17
Process Name: %18
Network Information:
Workstation Name: %12
Source Network Address: %19
Source Port: %20
Detailed Authentication Information:
Logon Process: %10
Authentication Package: %11
Transited Services: %14
Package Name (NTLM only): %15
Key Length: %16
Why are these variables not filled in when Forwarded?
The Subscription Event ContentFormat is set to Events.