To configure Windows Log Forwarding, you need
administrative privileges for configuring group policies on Windows
servers. Configure Windows Log Forwarding on all the Windows
Event Collectors—the member servers that collect login events
from domain controllers. The following is an overview of the tasks;
consult your Windows Server documentation for
the specific steps.
On each Windows Event Collector, enable event
collection, add the domain controllers as event sources, and configure
the event collection query (subscription). The events you specify
in the subscription vary by domain controller platform:
Windows Server 2003
—The event IDs for the
required events are 672 (Authentication Ticket Granted), 673 (Service
Ticket Granted), and 674 (Ticket Granted Renewed).
Windows Server 2012 (including R2) and 2016, or MS Exchange
—The
event IDs for the required events are 4768 (Authentication Ticket
Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and
4624 (Logon Success).
To forward
events as quickly as possible,
Minimize Latency
when
configuring the subscription.
User-ID agents monitor
the Security log on Windows Event Collectors, not the default forwarded
events location. To change the event logging path to the Security
log, perform the following steps on each Windows Event Collector.