LOGbinder Support


4. Granting Permissions for Security Log Forwarding


bjvista
How To

If your subscription collects events from the Security Log, you must configure permissions on all forwarder computers to allow the WinRM service read access. WinRM runs as NETWORK SERVICE, so that’s who we’ll be granting access to. There are 2 ways to do this via group policy. We recommend the first so that you can avoid rebooting forwarders.

Option 1: Configure Log Access

Enter the following string into these 2 group policy settings. The final entry, (A;;0x1;;;NS), is what is being added to the default permissions preceding it.

O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)

https://blogs.technet.microsoft.com/janelewis/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008/

Option 2: Membership in Event Log Readers

Note: this requires a reboot of the forwarder computer.

Add NETWORK SERVICE to the Event Log Readers local group using Restricted Groups policy.
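
As an added example (not part of the original article and not LOGbinder code), the PowerShell below decodes the Option 1 string ACE by ACE and shows why both options grant read access: Option 1 adds an allow ACE for NS, while Option 2 relies on the existing read ACE for S-1-5-32-573 (Event Log Readers). The function names and lookup tables are hypothetical helpers; 0x1, 0x2 and 0x4 are the event log read, write and clear bits.

```powershell
# Added example, not LOGbinder code: decode an event log channel SDDL string
# and check whether a trustee holds an allow ACE that includes read access.
$Trustees = @{                       # aliases and SIDs used in the Option 1 string
    'SY'           = 'LOCAL SYSTEM'
    'BA'           = 'BUILTIN\Administrators'
    'NS'           = 'NETWORK SERVICE'
    'S-1-5-32-573' = 'BUILTIN\Event Log Readers'
}
$LogRights = [ordered]@{ Read = 0x1; Write = 0x2; Clear = 0x4 }  # event log access bits

function ConvertFrom-EventLogSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value.Split(';')
        # Assumption: rights are hex masks, as in the Option 1 string; other ACEs are skipped.
        if ($f.Count -ne 6 -or $f[2] -notmatch '^0x[0-9a-fA-F]+$') { continue }
        $mask = [Convert]::ToUInt32($f[2], 16)
        [pscustomobject]@{
            Type    = $f[0]           # A = allow, D = deny
            Trustee = $f[5]
            Name    = $Trustees[$f[5]]
            Mask    = '0x{0:x}' -f $mask
            Rights  = @($LogRights.Keys | Where-Object { $mask -band $LogRights[$_] }) -join ','
        }
    }
}

function Test-EventLogRead {
    param([Parameter(Mandatory)][string]$Sddl, [Parameter(Mandatory)][string]$Trustee)
    # Deny ACEs are not evaluated; the Option 1 string contains none.
    [bool](ConvertFrom-EventLogSddl $Sddl | Where-Object {
        $_.Type -eq 'A' -and $_.Trustee -eq $Trustee -and $_.Rights -match 'Read' })
}

$default = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'
$policy  = $default + '(A;;0x1;;;NS)'    # the Option 1 string

ConvertFrom-EventLogSddl $policy | Format-Table -AutoSize
'NS read with default SDDL : {0}' -f (Test-EventLogRead $default 'NS')
'NS read with Option 1 SDDL: {0}' -f (Test-EventLogRead $policy 'NS')
```

On a forwarder, the channel's current descriptor is the channelAccess line printed by `wevtutil gl Security`, which can be passed to Test-EventLogRead in place of the sample strings.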

