If you are collecting events from the Security log and use this basic configuration, you will get the following error:

Code (0x138C) Windows Event Forward plugin can't read any event from the query since the query returns no active channel. Please check channels in the query and make sure they exist and you have access to them.

This occurs because additional permissions must be assigned before the Security log can be read by a computer. You need to:
- Add the Network Service local account to the Event Log Readers group.
- Modify the "Manage auditing and security log" User Rights Assignment to include the Network Service local account and the event collector computer account. By default, this right is held only by the local Administrators group.
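The two changes above, scripted as an added example (this is not code from the original article). It is meant to be run elevated on the event-source computer. The collector account name 'CONTOSO\WEFCOLLECTOR$' and the scratch folder are placeholders you replace; the script uses the well-known SID S-1-5-20 for NT AUTHORITY\NETWORK SERVICE and the internal privilege name SeSecurityPrivilege, which is what "Manage auditing and security log" is called in the secedit policy file.

```powershell
# Added example, not from the original article: grant the two permissions the
# text lists so a source computer can forward its Security log.
# Assumptions (placeholders): the collector computer account name below and
# the scratch folder used for the secedit export/import files.
param(
    [string]$CollectorAccount = 'CONTOSO\WEFCOLLECTOR$',   # placeholder, replace with your collector's account
    [string]$WorkDir = "$env:TEMP\wef-perms"                 # scratch folder, any writable path
)

$ErrorActionPreference = 'Stop'
$NetworkServiceSid = 'S-1-5-20'   # well-known SID of NT AUTHORITY\NETWORK SERVICE

# Step 1: add NETWORK SERVICE to the local "Event Log Readers" group (idempotent).
$members = Get-LocalGroupMember -Group 'Event Log Readers'
if ($members.SID.Value -notcontains $NetworkServiceSid) {
    Add-LocalGroupMember -Group 'Event Log Readers' -Member $NetworkServiceSid
    Write-Host 'Added NETWORK SERVICE to Event Log Readers'
} else {
    Write-Host 'NETWORK SERVICE is already a member of Event Log Readers'
}

# Step 2: resolve the collector computer account to a SID, so the policy line
# does not depend on name resolution when it is applied.
$ntAccount    = New-Object System.Security.Principal.NTAccount($CollectorAccount)
$collectorSid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Step 3: export the current User Rights Assignment. secedit writes a Unicode .inf file.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$cfg = Join-Path $WorkDir 'user-rights.inf'
$db  = Join-Path $WorkDir 'user-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
$lines = Get-Content -Path $cfg -Encoding Unicode

# SeSecurityPrivilege is "Manage auditing and security log". Its default value is
# *S-1-5-32-544, the local Administrators group, as the text says.
$idx = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '^\s*SeSecurityPrivilege\s*=') { $idx = $i; break }
}
if ($idx -lt 0) { throw 'SeSecurityPrivilege line not found in the exported policy' }

# Existing assignees are a comma-separated list of *SID entries; keep them and
# append only what is missing so nobody loses the right.
$current = @((($lines[$idx] -split '=', 2)[1]).Split(',') |
             ForEach-Object { $_.Trim() } | Where-Object { $_ })
$wanted  = @("*$NetworkServiceSid", "*$collectorSid")
$missing = @($wanted | Where-Object { $current -notcontains $_ })

if ($missing.Count -gt 0) {
    $lines[$idx] = 'SeSecurityPrivilege = ' + (@($current + $missing) -join ',')
    Set-Content -Path $cfg -Value $lines -Encoding Unicode
    # Step 4: apply only the USER_RIGHTS area so no other local policy setting is touched.
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit configure failed with exit code $LASTEXITCODE" }
    Write-Host "Granted SeSecurityPrivilege to: $($missing -join ', ')"
} else {
    Write-Host 'SeSecurityPrivilege already includes NETWORK SERVICE and the collector account'
}

# Step 5: re-export and show the resulting assignment for the change record.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content -Path $cfg -Encoding Unicode | Where-Object { $_ -match '^\s*SeSecurityPrivilege' }
```

This edits the local security policy of one machine. On a domain-joined source, a Group Policy that defines "Manage auditing and security log" will overwrite the local value at the next policy refresh, so for more than a handful of forwarders the same two settings (Restricted Groups or Group Policy Preferences for the group membership, and User Rights Assignment for the privilege) belong in a GPO linked to the event-source computers rather than in a per-machine script.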
As you've seen, this is a bit of a hassle. As an alternative, if you have a user account that has local administrative permissions on the event source computer, you can configure the event subscription to use that account instead. A user account with local administrative permissions already has the necessary permissions.