From time to time you may create a subscription for an event log and the subscription is created, you see forwarders showing up as healthy but you get no events in the log. Checking the Eventlog-ForwardingPlugin log on the collector shows event ID's 102 as you see below:
This is normally due to the NETWORK SERVICE not having permissions to the log you are forwarding from the forwarders. First you need to get the full name of the log you are forwarding. This can be found in event viewer under the logs properties. For example, below is the full name for the Microsoft Windows AppID Operational log.
You will need to run the following command on the forwarders to give the access. You would most likely want to set this up via Group Policy.
wevtutil sl Microsoft-Windows-AppID/Operational /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)
This gives the NETWORK SERVICE permissions to the log. Be sure that when you copy and paste it doesn't change the :( in SYD:(A to a sad face.
A breakdown of the above command:
wevtutil sl - this is the set log name for the wevtutil cmd
Microsoft-Windows-AppID/Operational - full name the log in our example
/ca:O:BAG:SYD - /ca is the channel to set the permissions
(A;;0xf0007;;;SY) - local system full access
(A;;0x7;;;BA) - Administrators read, write and clear access
(A;;0x1;;;BO) - Backup Operators read access
(A;;0x1;;;SO) - Server Operators read access
(A;;0x1;;;S-1-5-32-573) - Event Log Readers group read access
(A;;0x1;;;S-1-5-20) - NETWORK SERVICE read access
Optionally provide private feedback to help us improve this article...
Thank you for your feedback!