Tuesday, October 9, 2012

Security Permissions for Event Log Forwarding

All of the Microsoft documentation on event log forwarding describes a default configuration in which security is based on the computer account of the collector, that is, the computer that is collecting the events. On the security side, this means you need to add the collector's computer account to the Event Log Readers group on each event source.
If you are collecting events from the security log, and use this basic configuration, you will get the following error:
Code (0x138C) Windows Event Forward plugin can't read any event from the query since the query returns no active channel. Please check channels in the query and make sure they exist and you have access to them.
This occurs because additional permissions are needed before the security log can be read by a computer account. You need to:
  • Add the Network Service local account to the Event Log Readers group
  • Modify the Manage auditing and security log User Rights Assignment to include the Network Service local account and the event collector computer account. By default, this right is held only by the local Administrators group.
After configuring the security permissions, you need to restart the computer that is the source of the events.
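The two permission changes above can be scripted and verified on the event source. The following PowerShell is an added example, not part of the original post: it assumes an elevated session on the source computer, Windows PowerShell 5.1 or later (for the *-LocalGroupMember cmdlets), and that `$Collector` is replaced with your collector's computer account (the `DOMAIN\COLLECTOR01$` value is a placeholder). Because there is no built-in cmdlet for User Rights Assignment, the "Manage auditing and security log" right (SeSecurityPrivilege) is edited by exporting the local policy with secedit, extending the line, and importing it back.

```powershell
# Added example: grant the permissions a source computer needs before its
# Security log can be forwarded to a collector. Run elevated on the source.
$Collector = 'DOMAIN\COLLECTOR01$'   # placeholder: the collector's computer account

# 1. Network Service must be a member of the local Event Log Readers group.
$members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
if (-not ($members.Name -contains 'NT AUTHORITY\NETWORK SERVICE')) {
    Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE'
}

# 2. Add Network Service and the collector account to SeSecurityPrivilege
#    ("Manage auditing and security log") via a secedit export/import round trip.
$cfg = Join-Path $env:TEMP 'userrights.inf'
$db  = Join-Path $env:TEMP 'userrights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Resolve the collector account to a SID; secedit lists principals as *SID.
# (Assumes the source can reach a domain controller for the lookup.)
$collectorSid = (New-Object System.Security.Principal.NTAccount($Collector)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value
$wanted = @('S-1-5-20', $collectorSid)     # S-1-5-20 is NT AUTHORITY\NETWORK SERVICE

$content = Get-Content $cfg
$idx = -1
for ($i = 0; $i -lt $content.Count; $i++) {
    if ($content[$i] -like 'SeSecurityPrivilege*') { $idx = $i; break }
}
# By default the line exists and lists only Administrators (*S-1-5-32-544).
if ($idx -lt 0) { throw 'SeSecurityPrivilege not found in exported policy' }

$current = (($content[$idx] -split '=', 2)[1]).Trim() -split ','
foreach ($sid in $wanted) {
    if ($current -notcontains "*$sid") { $current += "*$sid" }
}
$content[$idx] = 'SeSecurityPrivilege = ' + ($current -join ',')
Set-Content -Path $cfg -Value $content -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# 3. Show the result so it can be checked before the restart the post calls for.
Get-LocalGroupMember -Group 'Event Log Readers' | Select-Object Name, ObjectClass
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content $cfg | Where-Object { $_ -like 'SeSecurityPrivilege*' }
# The Security channel's own ACL already grants read to Event Log Readers
# (S-1-5-32-573); this line lets you confirm that it has not been altered.
wevtutil gl Security | Select-String 'channelAccess'

Remove-Item $cfg, $db -ErrorAction SilentlyContinue
Write-Output 'Restart this computer for the user right change to take effect.'
```

The script only adds entries to the existing SeSecurityPrivilege list; it never removes the local Administrators group, so an undone or partial run leaves the default right intact. If you take the alternative route described in this post (running the subscription under an account that is already a local administrator on the source), none of the above is needed on the source.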

As you've seen, this is a bit of a hassle. As an alternative, if you have a user account with local administrative permissions on the event source computer, you can configure the event subscription to use that account instead. A user account with local administrative permissions already has the necessary permissions.


4 comments:

  1. What if the computers are domain controllers?

  2. The simple but relatively insecure way to do it with domain controllers would be to have a user account that is a member of the builtin Administrators group in AD. That would give the necessary permissions.

    Otherwise, the same permissions would apply to computer accounts as listed above. The Manage auditing and security log user right is not defined by the Default Domain Controllers policy, but you could modify that to assign the user rights to all DCs quickly. Instead of the local Event Log Readers group, you would use the builtin Event Log Readers group in AD.

  3. Thanks for this info. I got these permissions working through GPO by:

    1- Adding collector server and Network Service account to the "Manage auditing and security log" under user rights assignment.

    2- Adding Network Service to a restricted group rule to add it to the built-in event log readers group.

    3- Running the subscriptions with a service account with local admin on the machines.

  4. Great post, this one had me tearing what little remains of my hair out for a while, but it is now fixed. Good work :-)
