Windows Vista Collector, CustomSD, SDDL, Security Log and how it works

book

Article ID: 178134

calendar_today

Updated On:

Products

Security Information Manager

Issue/Introduction

You imported the customsd.reg file to the registry or you have set the CustomSD according to the documentation that ships with the collector..

Cause

Support recommends not to use the security descriptor for the CustomSD from the Quick Reference Guide (p. 12).

Resolution


Don't import the customsd.reg or set any CustomSD manually.
Windows 2008 and Vista grant read access to the event logs to the Event Log Readers group by default.
If you want to use a User for the collector that doesn't have administrative privileges you can create a User and add it to the Event Log Readers group.

Run the wevtutil command to get information about the access rights.

For example to get settings for the Security log run the following command:
wevtutil gl security

The command will give you the following output:

name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logging:
logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
retention: false
autoBackup: false
maxSize: 20971520
publishing:


Have a look at the output for the channnelAccess which returns the SDDL string which is set for the Security Log.
In this case the third ACE string (A;;0x1;;;S-1-5-32-573) grants read access to the Event Log Readers group.

0x1 = Read
0x2 = Write
0x3 = Read/Write
0x4 = Delete

winrm also grants read access to the Event Log Readers group by default when running the command winrm quickconfig. The ACE string of the RootSDDL which grants read access to the Event Log Readers: (A;;GR;;;ER)

If you imported the cutomsd.reg or set the CustomSD in the registry go into the Registry and delete the CustomSD key. This will restore the default setting.

To be able to collect the Security log from a Windows 2008 machine via winrm there is one more step necessary, because access to the Security log is restricted to a few users.
To be able to read the Security log via winrm, the Network Service account must be given read access to the Security log. The Network Service is the default account which the Windows Remote Management service uses to run.

There are two possibilities to give the Netwok Service account the right permission.
Note: If you are pulling from a Domain Controller, you must modify the SDDL string.

You can either add the account to the Event Log Readers group on the Windows 2008 machine from which you want to collect the Security log:
net localgroup "Event Log Readers" "NT Authority\Network Service" /add

or you can give the Network Service account read access to the Security log by changing the channel access:
wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

The second option also has the advantage that you can use a Group Policy to set the channel access for the Security log in a domain environment.

If you are pulling from a Domain Controller:
Add this string to the Custom SDDL for the Domain User to grant Network Service read access (A;;0x1;;;NS)

On a Windows 2008 Domain Controller you will have to use the second option as the Network Service is a Built-in Security Principal and local groups are not used on a Domain Controller.