I have searched online and cannot find an answer around how Windows Event Forwarding subscriptions are evaluated, in what priority or order, when there are overlapping subscriptions or conflicts. I also cannot seem to decipher the outcomes when I test. Here goes.
My base config is Source Initiated, applies to all Domain Controllers and Domain Computers. I use GP to enable security auditing across most of the auditing categories, as per MS, ASD, Palantir, SwiftOnSecurity and IGOR documentation. I have the Network Service as an Event Log Readers group member across the entire domain.
If I create a GUI-initiated subscription to collect the entire Security event log, all of my computers quickly subscribe and I see all kinds of security-related event IDs.
If I copy-paste the XML query from the GUI for the subscription above, drop it into a subscription XML file, and create the subscription using wecutil cs <name.xml>, I get no logs forwarded. All the clients stop sending logs. There are no Event Forwarder Plugin event 102 errors either. -- The XML Query