How to collect security events from Windows Server 2008 (R2)

  • Question

  • Hello,

    I have a problem with collecting security events using the built-in Event Collector service in Windows Server 2008R2. I can successfully collect the application and system events, but when I configure the security log only I get this error when I look at the Runtime status:

    Error - Last retry time: ....
    Code (0x138C)
    <f:ProviderFault provider="Event Forwarding Plugin" path="%systemroot%\system32\wevtfwd.dll" xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault">
    <t:ProviderError xmlns:t="http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog">
    Windows Event Forward plugin can't read any event from the query since the query returns no active channel. Please check channels in the query and make sure they exist and you have access to them.
    </t:ProviderError>
    </f:ProviderFault>
    Next retry time: ...


    I have already added the event collector computer account to Local Administrators. I've also tried adding the Network Service account to the Event Log Readers local security group according to: http://blogs.technet.com/otto/archive/2009/06/22/forwarding-security-events-from-windows-xp-server-2003-and-vista-server-2008.aspx
    ...but it still refuses to work.

    Any ideas, please? I can successfully collect security events from Windows Server 2003R2.

    EDIT: I have found this event on the source Windows Server 2008R2 computer:

    Source : Eventlog-ForwardingPlugin
    EventID : 102
    Details : The subscription <subscription name> can not be created. The error code is 5004.


    Tuesday, March 9, 2010 9:01 AM

All replies

  • Did you ever find the solution for this? I have added the network service, the collector server, and the service account to the event log readers and the local administrators group, and have given them logon as service, and have even rebooted.
    Tuesday, June 1, 2010 8:22 PM