Hello,

Trying to deploy User ID, and the method used for part of the network is Windows Log Forwarding, as per the guide linked below:

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/user-id/deploy-user-id-in-a-large-scale-network#72077

Got the Windows event subscription forwarding from source to collector’s “forwarded events” log OK, but as per Palo Alto’s advice to forward events directly into the security.evtx log, it does not work. When the destination is forced via command line, the following error appears when clicking on the subscription.

Currently collecting data into a Windows 2012 R2 Standard domain controller. To check it wasn’t a domain controller, picked a domain member server and set up a subscription, then tried to force the destination as the security log and got the same error. That was a Windows 2008 R2 Standard server.

Is something missing, or does the Windows event log forwarding method simply not work and the documentation needs to be updated?

Thanks in advance
Farzana