Event Logging policy settings in Windows Server 2008 and Vista

re: Event Logging policy settings in Windows Server 2008 and Vista

botler — Thu, 14 Aug 2008 15:00:26 GMT

In the article you are wrote about option LogFilePath:

"You only provide a path location; Windows maintains the file name."

I checked this and if name of log file not entered - option does not working. In my lab this is working if option LogFilePath has a value:

LogFilePath = c:\<folder_name>\<file_name>.evtx

If value is:

LogFilePath = c:\<folder_name>\

it not working.

Thanks

P.S. sorry for my english

re: Event Logging policy settings in Windows Server 2008 and Vista

NedPyle — Thu, 14 Aug 2008 16:56:28 GMT

Hi Botler,

Nice catch! That has been corrected in the blog post. Thanks very much for bringing that to us.

- Ned

Interesting Links – 8/14/2008

Matt Johnson's Technical Adventures — Thu, 14 Aug 2008 20:05:06 GMT

Ask the Directory Services Team : MCS Talks Infrastructure Architecture joeware - never stop exploring…

BlogMS Weekly Articles Published - 11th August 2008 to 17th August 2008

BlogMS - Team Blogs at Microsoft — Mon, 18 Aug 2008 14:46:22 GMT

135 Microsoft Team blogs searched, 70 blogs have new articles in the past 7 days. 177 new articles found

re: Event Logging policy settings in Windows Server 2008 and Vista

botler — Mon, 18 Aug 2008 17:01:00 GMT

I have a problem with option 'Log Access'.

What I doing:

1. With CACLS tool I detect the SDDL string for security log in default location:

CACLS c:\windows\system32\winevt\logs\security.evtx /S

result is:

D:AI(A;ID;FA;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)(A;ID;FA;;;SY)(A;ID;FA;;;BA)

2. Open option 'Log Access' in 'Default Domain Controllers Policy' and writing this value.

3. Restart DC.

After that I login as administrator and run Event Viewer. I get error when open Security log:

'Event Viewer cannot open the eventlog or custom view. Verify that Event Log service is running. The security descriptor structure is invalid (1338)'

and events doesn't displayed.

Also I try to get a SDDL string for security log with ICACLS tool:

icacls c:\windows\system32\winevt\logs\security.evtx /save c:\sddl.txt

result in file:

D:AI(A;ID;FA;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)(A;ID;FA;;;SY)(A;ID;FA;;;BA)

In Event Viewer the same error occured.

Where is mistake in my workflow?

Thaks.

P.S. Sorry for my english.

re: Event Logging policy settings in Windows Server 2008 and Vista

NedPyle — Mon, 18 Aug 2008 17:48:23 GMT

Hi,

There's a slight misunderstanding here - you are trying to set permissions for the EVTX file itself, when actually you should be setting permissions used by the event log system. The permissions on the EVTX file are not correct for what would be used in the CustomSD value that gets written.

The following KB gives an example of the correct SDDL syntax you will need to be testing with:

323076 How to set event log security locally or by using Group Policy in Windows Server 2003

http://vkbexternal/VKBWebService/ViewContent.aspx?scid=KB;EN-US;323076

(Ignore the 2003-theme of the aticle and just focus on the section starting with "The following sample SDDL")

- Ned

re: Event Logging policy settings in Windows Server 2008 and Vista

botler — Tue, 19 Aug 2008 13:09:46 GMT

Hi Ned.

Thank You for comment - it is very usefull for me. I solved my previous problem, but new questions occured.

I have a domain user account with name 'adm1' and he is member of the following groups: Domain Admins, Domain Guests, Domain Users, Users, Guests. His SID is 'S-1-5-21-2843397318-35701858-1184183407-1106'.

1. In group policy 'Default Domain Policy' in option 'Log Access' for Security and Application log I writed the following string:

O:BAG:SYD:(D;;0xf0007;;;S-1-5-21-2843397318-35701858-1184183407-1106)

After that i restarted a member server, login as 'adm1' on it and run Event Viewer. When I try to open Application Log I have a correct error:

'Event Viewer cannot open the eventlog or custom view. Verify that Event Log service is running. Access is denied (5).'

Security log is opened without errors and events are visible. Why the Security log is visible?

2. In above scenario I writed a Windows Command Script (.cmd) file:

eventcreate.exe /L application /id 999 /T error /D "Test"

When I run this "as administrator" (additional credentials are not answered and command running under 'adm1' user) - event created successfully in Application log. Does it correct?

Thanks

P.S. Sorry for my English.

re: Event Logging policy settings in Windows Server 2008 and Vista

NedPyle — Tue, 19 Aug 2008 17:00:40 GMT

(Whoops - I gave a bad link last time - should have been:

http://support.microsoft.com/kb/323076)

I'm not 100% sure about your repro. It's possible that members of Administrators are special-cases to prevent them from being locked out of reading critical log info. Try again with your test user being *only* a domain user and not a member of all those other groups.

re: Event Logging policy settings in Windows Server 2008 and Vista

murrato1 — Fri, 28 Nov 2008 01:12:04 GMT

Good info - thanks.

When I look at the properties of newly-built Windows 2008 server, the maximum log size dialog shows as 2048KB (2MB) and not 20MB as you indicate above.

Tony