
What is the most efficient way to allow a specific user access to event logs?

I have come across a method to enforce permissions using local security policy and group policy, but it seems overly complex.

Is there a facility that makes granting a user access to the event logs easier?

Note that I do not have the User in any local security groups (such as Users, Power Users, or Administrators). It is a service user who is, you guessed it, my monitoring agent (NSClient++).

For future reference: Here you will find helpful SDDL definitions.

Shane Madden
brandeded
  • Efficient doesn't mean secure. But you wanted it efficient: Make him an Administrator. – mailq Aug 25 '11 at 17:04
  • Efficient how? That adjective is pretty subjective with the level of detail you have provided. Do you need to do this on a single computer, or one hundred computers? The group policy method seems like it would be great for a large set of computers. – Zoredache Aug 25 '11 at 17:11
  • @mailq: I like your style (because I'm a sarcastic "give them what they ask for" kind of person). – joeqwerty Aug 25 '11 at 17:29
  • All: This tangent, although ego supportive, isn't very useful, specifically since I've mentioned that the user isn't part of any local groups, clearly implying that security is a concern. The question in itself implicates that very granular security is wanted and needed. Efficient would mean: is there an easier way to handle all this heavy lifting. – brandeded Aug 25 '11 at 17:42
  • @joeqwerty: It was sarcastic. Otherwise I would have made it an "answer". – mailq Aug 25 '11 at 18:21
  • @mbrownnyc: Efficient/easy and secure/solid never go together. You already have the right answer to your question but want it easy and secure, but that doesn't fit. – mailq Aug 25 '11 at 18:25
  • Regardless of the category, Windows system administration tends to be light and fluffy. My question was directly related to ease of administration of Windows, and inquiring as to reducing the complexity of this administrative task. I do not agree that _administering_ a security mechanism must be complex in order for that security mechanism to be effective. – brandeded Aug 25 '11 at 18:38
  • @mbrownnyc: My humor (sarcasm) wasn't directed at you, so no offense intended. In addition, the user is a member of a local group (Users) by way of their membership in the Domain Users group, if the computer is joined to a domain. If the computer is not joined to a domain then the user is a direct member of the local Users group by default as it's not possible to add a user without automatic membership in this group, although it's possible to modify after the fact. – joeqwerty Aug 25 '11 at 18:45
  • To make this most secure, the user account had been removed from any security group with any rights to any asset except where needed, as any user object running services should be (by the way, got it working following the above overly complex/only method; the nrpe call to CheckEventLogs.dll works fine). Of course, it is a member of Authenticated Users... but you can never win. – brandeded Aug 25 '11 at 18:53

2 Answers

1

Using group policies would be the correct method of granting this right.

mrdenny
  • This is true, as you can create an ADM(x) that populates the HKEY_LOCAL_MACHINE\System\CurrentcontrolSet\Services\eventlog\Application\ CustomSD REG_SZ key with the SDDL. The policy would not be "fully managed," but it may be easier for someone who's dealing with an administrative hierarchy. I'm trying to get the above (edit the .inf method) working via "security policy" .inf in a domain-wide GPO https://mbrownnyc.wordpress.com/2011/09/15/administer-event-log-permissions-via-a-domain-gpo/ which seems like it will work once finished. – brandeded Sep 16 '11 at 20:18
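The comment above names the registry value the SDDL ends up in. The PowerShell script below is an added example, not code from the question, from either answer, or from NSClient++: it resolves one service account to its SID, appends a read-only ACE for it to the log's CustomSD string, and validates the descriptor before writing it. It assumes it runs elevated on the host that owns the log, and the account name CONTOSO\svc-nsclient is a placeholder to replace.

```powershell
<#
  Added example, not from the thread. Grants one service account read-only
  access to an event log by appending an ACE to the CustomSD value under
  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log>.
  Assumptions: run elevated on the target host; $Account is a placeholder.
#>
param(
    [string]$LogName = 'Application',
    [string]$Account = 'CONTOSO\svc-nsclient'   # placeholder account (assumption)
)

$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"

# Resolve the account to a SID: SDDL ACEs carry SIDs, and a SID survives a rename.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Event log access bits: 0x1 read, 0x2 write, 0x4 clear. A monitoring agent
# only needs to read, so grant exactly 0x1 and nothing more.
$ace = "(A;;0x1;;;$sid)"

# Start from a CustomSD already set by policy or by hand; otherwise start from
# the descriptor the service currently enforces (wevtutil gl prints channelAccess).
$existing = (Get-ItemProperty -Path $regPath -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if (-not $existing) {
    $m = wevtutil gl $LogName | Select-String -Pattern '^channelAccess:\s*(\S+)'
    if (-not $m) { throw "Could not read the current descriptor for $LogName" }
    $existing = $m.Matches[0].Groups[1].Value
}

if ($existing -match [regex]::Escape(";$sid)")) {
    Write-Host "An ACE for $Account ($sid) is already present; nothing to do."
    return
}

# Append the ACE to the DACL. If the string also carries a SACL ("S:" section,
# which always follows a closing paren), keep the new ACE ahead of it.
$sacl = $existing.IndexOf(')S:')
$new  = if ($sacl -ge 0) { $existing.Insert($sacl + 1, $ace) } else { $existing + $ace }

# Parse before writing: an unparseable CustomSD will not yield the access you expect.
$null = New-Object System.Security.AccessControl.RawSecurityDescriptor($new)

Set-ItemProperty -Path $regPath -Name CustomSD -Value $new -Type String
Write-Host "CustomSD for $LogName is now:`n$new"

# The service reads CustomSD when it starts. Restart the Windows Event Log
# service (or reboot), then confirm the ACE shows up in the effective descriptor:
#   wevtutil gl $LogName      (look at the channelAccess line)
```

Because the ACE grants only 0x1, the agent can read entries but cannot write to or clear the log, which is the point of keeping the account out of Administrators. Run it once per host, or feed the resulting string into the GPO/.inf approach the answers describe for a fleet.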
1

This MS Knowledge Base article describes how to do it via registry or Group Policy.

DougN