To configure Windows Log Forwarding, you need administrative privileges for configuring group policies on Windows servers. Configure Windows Log Forwarding on all the Windows Event Collectors—the member servers that collect login events from domain controllers. The following is an overview of the tasks; consult your Windows Server documentation for the specific steps.
On each Windows Event Collector, enable event collection, add the domain controllers as event sources, and configure the event collection query (subscription). The events you specify in the subscription vary by domain controller platform:
Windows Server 2003—The event IDs for the required events are 672 (Authentication Ticket Granted), 673 (Service Ticket Granted), and 674 (Ticket Granted Renewed).
Windows Server 2008/2012 (including R2) and 2016, or MS—The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success).
forward events as quickly as possible,
configuring the subscription.
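An XML event query that selects the event IDs listed above, shown as an added example that is not part of the original documentation. It assumes the domain controllers write these events to their Security log; keep only the Query element that matches your domain controller platform.

```xml
<QueryList>
  <!-- Added example, not from the vendor documentation. -->
  <!-- Windows Server 2008/2012 (including R2) and 2016 domain controllers:
       4768 Authentication Ticket Granted, 4769 Service Ticket Granted,
       4770 Ticket Granted Renewed, 4624 Logon Success -->
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4768 or EventID=4769 or EventID=4770 or EventID=4624)]]</Select>
  </Query>
  <!-- Windows Server 2003 domain controllers:
       672 Authentication Ticket Granted, 673 Service Ticket Granted,
       674 Ticket Granted Renewed -->
  <Query Id="1" Path="Security">
    <Select Path="Security">*[System[(EventID=672 or EventID=673 or EventID=674)]]</Select>
  </Query>
</QueryList>
```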
User-ID agents monitor the Security log, not the default forwarded events location, on Windows Event Collectors. Therefore, perform the following steps on each Windows Event Collector to change the event logging path to the Security log.