Hi,
I am trying to get SQL 2008 R2 Login auditing to the Security log to work. I can get it to work to the Application log, and I have followed the additional instructions for the more tightly controlled Security log.
I am running SQL2008x64R2DE(10.50.1746) on Win2k8x64R2EE, using a non local privileged domain account for the sql svc. Everything else seems to be fine.
I originally had some registry tweaks that allow non-admins to read the security log: http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx
Regardless, I am not even trying this anymore. I'm just trying to get out of the box sql to log successfully to the security event log.
I have followed the instructions at http://msdn.microsoft.com/en-us/library/cc645889.aspx using auditpol etc. I just keep getting an error when I switch the auditing to security log from application, and I cannot find a way to get more verbose output to find the cause.
SQL LOGS:
SQL Server Audit could not write to the security log.
APPLICATION LOG:
33217 SQL Server Audit is starting the audits. This is an informational message. No user action is required.
33218 SQL Server Audit has started the audits. This is an informational message. No user action is required.
33204 SQL Server Audit could not write to the security log. DOH!
SECURITY LOG:
Failure Audit: A handle to an object was requested.
Subject:
    Security ID: MYDOMAIN\svc-myservice
    Account Name: svc-myservice
    Account Domain: MYDOMAIN
    Logon ID: 0x363b9
Object:
    Object Server: Security
    Object Type: Key
    Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eventlog\Security
    Handle ID: 0x0
Process Information:
    Process ID: 0x8b8
    Process Name: E:\mypath\MSSQL\Binn\sqlservr.exe
Access Request Information:
    Transaction ID: {00000000-0000-0000-0000-000000000000}
    Accesses: READ_CONTROL
              Query key value
              Set key value
              Create sub-key
              Enumerate sub-keys
              Notify about changes to keys
    Access Reasons: -
    Access Mask: 0x2001f
    Privileges Used for Access Check: -
    Restricted SID Count: 0
C:\Windows\system32>auditpol /get /subcategory:"application generated"
System audit policy
Category/Subcategory                      Setting
Object Access
  Application Generated                   Success and Failure
It just seems like there is a missing piece in the MS docs, perhaps when not running the svc as local system or something. Any ideas? Or ideas on how to get more verbose output?
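Added example, not part of the original post: a short Python parser that reads the fields of the failure audit quoted above and decodes its Access Mask into registry access rights, showing which process and account were refused which access on which key. The function and variable names are assumptions made for this example; the event text is copied from the post, and the bit values are the standard Windows registry access rights.

```python
import re

# Registry key access rights (winnt.h) and the standard rights in the upper bits.
REGISTRY_RIGHTS = {
    0x00001: "KEY_QUERY_VALUE",
    0x00002: "KEY_SET_VALUE",
    0x00004: "KEY_CREATE_SUB_KEY",
    0x00008: "KEY_ENUMERATE_SUB_KEYS",
    0x00010: "KEY_NOTIFY",
    0x00020: "KEY_CREATE_LINK",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
# Rights that modify the key, its subkeys or its security descriptor.
WRITE_BITS = 0x00002 | 0x00004 | 0x00020 | 0x10000 | 0x40000 | 0x80000

# Fields copied from the failure audit in the post (sample input for this example).
EVENT_TEXT = r"""
Security ID: MYDOMAIN\svc-myservice
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eventlog\Security
Process Name: E:\mypath\MSSQL\Binn\sqlservr.exe
Access Mask: 0x2001f
"""

def parse_fields(text):
    """Turn the 'Name: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only, so drive letters in values survive.
        m = re.match(r"\s*([^:]+):\s+(.*\S)\s*$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def summarize(text):
    """Report who was refused what: account, process, key and decoded rights."""
    f = parse_fields(text)
    mask = int(f["Access Mask"], 16)
    rights = [name for bit, name in sorted(REGISTRY_RIGHTS.items()) if mask & bit]
    return {"account": f["Security ID"], "process": f["Process Name"],
            "object": f["Object Name"], "rights": rights,
            "unknown_bits": mask & ~sum(REGISTRY_RIGHTS),
            "wants_write": bool(mask & WRITE_BITS)}

if __name__ == "__main__":
    print(summarize(EVENT_TEXT))
```

The decoded rights match the Accesses list in the event: sqlservr.exe, running as the service account, asked for read and write access to the Security event log registry key and was refused.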