I am currently prototyping a setup in which a Windows Server 2008 is configured as a central logging instance for Windows XP and Windows 7 clients via source-initiated event forwarding. All computers are in the same domain.
I configured everything according to this DevCenter article, but due to problems with the provided XML for the logging configuration I simply created a new subscription (source-initiated), put in the "domain computers" group and simply added all events to it. The resulting XML looks like this:
    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*</Select>
        <Select Path="Security">*</Select>
        <Select Path="Setup">*</Select>
        <Select Path="System">*</Select>
      </Query>
    </QueryList>
As you can see, I want to log all events from all event loggers. However, when evaluating the logs on the logging server, all events from the security log stream are not forwarded to the central logging instance (e.g. when trying to run a program as another user and entering a wrong password). Other log streams like system or application work perfectly. I've worked through the validation part of the article without seeing any problems. So far, I have only tested the Windows 7 client, as Windows XP does not have event forwarding installed by default.
Any hints as to what I am doing wrong?