Subject: Security Event Log reading by Domain Users

Gera

Is it possible to read the Security Event Log normally under a Domain User account?
We wrote a simple application which reads 538, 540, 528, etc. events and counts them.
Under an administrative account it works fine, but under a Domain User it can't open the security log.
Adding the "Manage auditing and security log" and "Act as part of the operating system" settings via GP
permits viewing the security log, but events are read like
"The description for Event ID ( 538 ) in Source ( Security ) cannot be found. The local computer may
not have the necessary registry information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and
Support for details. The following information is part of the event: pmtest; COMPANY; (0x0,0x5A968);
11."
Thus, our software doesn't work - it can't read the events.

I added all possible rights to the Domain User account, from "Create a Token Object" to "Generate
Security audits", but no luck.
I heard that the domain user account may need some rights to read some registry key with the Event Log message
library, but I don't know which exactly...

Is it possible to make this work?


Thanks,
Gera, MCSE
MGBaltic

Joe Richards [MVP]

Security logs are locked off from non-admins by default. You only need to add
Manage Auditing and Security Log right to see them, however that means that
account will also be able to clear the security log. In XP and 2K3 you can get
more granular and just offer read.

However your next issue is because the program can't read the Message Library or
the registry entries involved. It has been a long time since I wrote event log
code but if you are using the standard OpenEventLog/ReadEventLog and then using
FormatMessage you will need to redirect the library from which you do the
LoadLibrary for the message IDs OR open up the security to the message
library on the remote machine.

joe

Gera

Thanks for the response.
The point is, our "program" is a SQL script run through Microsoft Log Parser.
Is it possible to solve the problem in this case (using MS LP and any Windows settings)
or will we need to rewrite the app in C++ using WinAPI functions?


Thanks,

Joe Richards [MVP]

Ah.

You can try making it so that the process can read the event log section of the
registry on that machine. That may work, alternatively you may have to do that
AND open it up so the remote process can get to %SystemRoot%\System32 on the
remote machine.

Gera

> You can try making it so that the process can read the event log section of the registry on that
> machine.
Could you explain how to achieve this? I mean, so that we are able to use Log Parser?
> That may work, alternatively you may have to do that
> AND open it up so the remote process can get to %SystemRoot%\System32 on the
> remote machine.
We do not need to run Log Parser remotely, only locally.
If it is possible for you, please explain further how I could give Log Parser access to the registry
and so on to make it work normally without admin rights.


Thanks a lot,
Gera, MCSE
MGBaltic

Joe Richards [MVP]

You are running the process directly on the server itself that you are reading
logs for? Then you just need to look at your perms on the eventlog section of
the registry and system32 and make sure the ID running the process has access.
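The following PowerShell script is an added example, not code from this thread or from Log Parser. It walks through the checks Joe describes across his replies: whether the account can read the Eventlog section of the registry, whether it can read the message DLL named by the source's EventMessageFile value (which is what the "description for Event ID ... cannot be found" text means), and, for XP/2003, how to grant read-only access to the Security log through the CustomSD value rather than the "Manage auditing and security log" right, which also allows clearing the log. The group name COMPANY\LogReaders is a placeholder, the base security descriptor in Grant-SecurityLogRead is an assumption that you should compare against Microsoft's documented default for your OS version, and the Log Parser switch names at the end should be confirmed with `logparser -h -i:EVT` on your installed version. Run the checks as the domain user that will run Log Parser; run the grant as an administrator.

```powershell
# Added example: diagnose (and, on XP/2003, fix) non-admin read access to the Security log.
# Not from the thread. Assumes the XP / Server 2003 era layout where per-log access is set via
# HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<Log>\CustomSD. Vista and later use
# "wevtutil sl <Log> /ca:<SDDL>" and the built-in "Event Log Readers" group instead.

$logKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
$srcKey = Join-Path $logKey 'Security'   # the "Security" event source under the Security log

"Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# 1. Can this account read the Eventlog registry section at all?
foreach ($k in $logKey, $srcKey) {
    try {
        $null = Get-ItemProperty -Path $k -ErrorAction Stop
        "OK    registry read: $k"
    } catch {
        "FAIL  registry read: $k -> $($_.Exception.Message)"
    }
}

# 2. Which DLL holds the descriptions for Security events, and can this account open it?
#    FormatMessage (and therefore Log Parser's Message field) needs both the registry value
#    and read access to the file it points at, normally under %SystemRoot%\System32.
$msgFile = (Get-ItemProperty -Path $srcKey -ErrorAction SilentlyContinue).EventMessageFile
if ($msgFile) {
    foreach ($dll in $msgFile -split ';') {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        try {
            $fs = [System.IO.File]::OpenRead($path); $fs.Close()
            "OK    message DLL readable: $path"
        } catch {
            "FAIL  message DLL not readable: $path -> $($_.Exception.Message)"
        }
    }
} else {
    "FAIL  no EventMessageFile value under $srcKey (missing, or no read access to the key)"
}

# 3. Show the log's current access descriptor, if one has been customised.
$sd = (Get-ItemProperty -Path $logKey -ErrorAction SilentlyContinue).CustomSD
if ($sd) { "CustomSD: $sd" } else { "CustomSD: (not set; default ACL, non-admins cannot read)" }

# 4. Administrator only: grant READ (0x1) to one group without granting the
#    "Manage auditing and security log" right, which would also allow CLEAR (0x4).
#    SDDL access mask bits for event logs: 0x1 = read, 0x2 = write, 0x4 = clear.
function Grant-SecurityLogRead {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'COMPANY\LogReaders' (placeholder)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    # Base descriptor (ASSUMPTION; compare with the documented default for your OS):
    # deny anonymous and guests, full for SYSTEM, read/write/clear for Administrators,
    # then one read-only ACE for the requested account.
    $base = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)'
    $sddl = "$base(A;;0x1;;;$sid)"
    Set-ItemProperty -Path $logKey -Name CustomSD -Value $sddl -Type String
    "CustomSD set to: $sddl"
    "The Event Log service reads CustomSD at start-up; reboot for the change to take effect."
}
# Grant-SecurityLogRead -Account 'COMPANY\LogReaders'

# 5. The count Gera wants does not need the event description at all. With message
#    formatting turned off, Log Parser should only need read access to the log itself,
#    which separates "cannot open the log" from "cannot load the message DLL".
#    (Switch names as documented for Log Parser 2.2's EVT input; confirm with logparser -h -i:EVT.)
& logparser.exe -i:EVT -formatMsg:OFF `
    "SELECT EventID, COUNT(*) AS Cnt FROM Security WHERE EventID IN (528; 538; 540) GROUP BY EventID"
```

If steps 1 and 2 both report OK but the log still cannot be opened, the problem is the log ACL (step 3/4), not the message library; if step 2 fails, fix the NTFS ACL on the reported DLL or drop message formatting as in step 5.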

Rustem

Gera,

Could you please advise if you found any solution as I am facing the
same problem.
Many thanks

Steven L Umbach

I am not sure what you are asking but if you want to prevent domain users
from reading the security logs on their computers then either don't make
them a local administrator or, if they have to be, add their domain account to
the local guests group and use Group Policy to deny access to members of the
guests group to the security/application/system logs. A local administrator
could certainly remove themselves from the guests group if they knew what
they were doing, though you can also use Group Policy Restricted Groups to
enforce membership of local groups on domain computers at the Organizational
Unit level so that the membership of the guests group would be enforced at
the next security policy refresh interval. --- Steve