If your subscription collects events from the Security Log you must configure permissions on all forwarder computers to all the WinRM service read access. WinRM runs as NETWORK SERVICE so that’s who we’ll be granting access to. There are 2 ways to do this via group policy. We recommend the first so that you can avoid rebooting forwarders.
Option 1: Configure Log Access
Enter the following string into these 2 group policy settings. The portion in bold is what is being added to the default permissions preceding it.
Option 2: Membership in Event Log Readers
Note: this requires reboot of the forwarder computer
Add NETWORK SERVICE to the Event Log Readers local group using Restricted Groups policy
Optionally provide private feedback to help us improve this article...
Thank you for your feedback!