Security event log forwarding fails with Error 0x138C and 5004 in Windows Server

Applies to: Windows Server 2012 StandardWindows Server 2012 FoundationWindows Server 2012 Datacenter More

Symptoms


When you try to forward security event logs in Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008, you receive the following error message on the event collector computer: 


Also, you receive the following error message on the event source computer: 

 

Cause


This problem may occur when the following conditions are true:

  • The Network Service account does not have the correct permission when Windows Remote Management (WinRM) tries to query the security logs from the source computer.
  • Permissions to manage the security event log are modified by registry or by configuring the Manage auditing and Security log that sets the following registry entry on the source computer:
     

    Registry key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

    Registry entry

    CustomSD

    Value

    O:BAG:SYD:(D;; 0xf0007;;;AN)(D;; 0xf0007;;;BG)(A;; 0xf0007;;;SY)(A;; 0x7;;;BA)(A;; 0x7;;;SO)(A;; 0x3;;;IU)(A;; 0x2;;;BA)(A;; 0x2;;;LS)(A;; 0x2;;;NS)(A;; 0x7;;;DA)(A;; 0x1;;;S-1-5-21-xxx-xxx-xxx-xxx)

Resolution


To fix this problem, you need to add the Network Service account to the Manage auditing and security log group policy. To do this, follow these steps:

  1. Select Start > Administrative Tools > Local Security Policy.
  2. On the navigation menu, select Local Policies > User Rights Assignment.
  3. Right-click Manage auditing and security log, and then select Properties.
  4. On the Local Security Setting tab, click Add User or Group to add the Network Service account.

The previous procedure add the SID S-1-5-20 (well-known SID of the Network Service account) to the CustomSD registry value that's mentioned above. You could also manually add the value to the registry key. After the modification, the value resembles the following:

O:BAG:SYD:(D;; 0xf0007;;;AN)(D;; 0xf0007;;;BG)(A;; 0xf0007;;;SY)(A;; 0x7;;;BA)(A;; 0x7;;;SO)

(A;; 0x3;;;IU)(A;; 0x2;;;BA)(A;; 0x2;;;LS)(A;; 0x2;;;NS)(A;; 0x7;;;DA)(A;; 0x1;;;S-1-5-21-xxx-xxx-xxx-xxx);;; S-1-5-20