Apologies for not blogging for some time. I have been away on vacation, out of the country on training, plus work commitments, so add that up and it equals an enforced hiatus. Plus of course do not forget the Volcano :).
Well I am back now and have some interesting information around Event Log access and the way things have changed in Windows 2008. This comes out of some work I have been doing with my customer.
So if you want to give non-administrator users remote access to event logs on servers or domain controllers running Windows 2003, follow the steps below.
I have extrapolated the information contained in the following two KB articles. It is not easy, as it works by editing the discretionary access control lists (DACLs) of the event log services.
http://support.microsoft.com/kb/323076 and http://support.microsoft.com/kb/914392.
This works for both Domain Controllers and member servers. Therefore, where the body of the steps talks about Default Domain Group Policies, this can be replaced with the relevant Group Policy object.
You will also need to download a name-to-SID type utility. Details of this here.
There are others around, both external and internal to Microsoft. The internal one would only be available to you if you raise a Premier Support call as part of your Premier contract, if you have one.
Plus of course you have the Windows Sysinternals
As per the article, follow the steps below:
Use Group Policy to Set Your Application and System Log Security for a Domain, Site, or Organizational Unit in Active Directory
Important: To view the group policy settings that are described in this article in the Group Policy editor, first complete the following steps, and then continue to the "Use Group Policy to Set Your Application and System Log Security" section:
1. Use a text editor such as Notepad to open the Sceregvl.inf file in the %Windir%\Inf folder.
2. Add the following lines to the [Register Registry Values] section:
MACHINE\System\CurrentControlSet\Services\Eventlog\File Replication Service\CustomSD,1,%FRSCustomSD%,2
3. Add the following lines to the [Strings] section:
AppCustomSD="Eventlog:Security descriptor for Application event log"
SecCustomSD="Eventlog:Security descriptor for Security event log"
SysCustomSD="Eventlog:Security descriptor for System event log"
DSCustomSD="Eventlog:Security descriptor for Directory Service event log"
DNSCustomSD="Eventlog:Security descriptor for DNS Server event log"
FRSCustomSD="Eventlog: Security descriptor for File Replication Service event log"
4. Save the changes you made to the Sceregvl.inf file, and then run the regsvr32 scecli.dll command.
5. Start Gpedit.msc, and then double-click the following branches to expand them:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
6. View the right panel to find the new "Eventlog" settings.
7. Open the relevant policy for the member server. Open Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and look for the Eventlog settings.
3) Use a name2sid utility to find the SID of the group to which you want to give access to the event viewer.
4) Open "Eventlog: Security descriptor for Application event log". Click on Define this policy setting.
Copy the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD
Copy the above value for each of the event logs (Application, System, Security, etc.) and append (A;;0x3;;;<SID of the group>) to the respective event log's descriptor. Here 0x3 indicates read and write privileges. The write privileges are required only if the group needs to write events into the event logs (for example an application service running under this account).
Replace 0x3 with 0x1 if this group needs only READ access to the event viewer.
5) Run GPupdate
As an FYI, see below for the explanation of the codes:
Entry - Meaning
O:BA - Object owner is Built-in Admin (BA).
G:SY - Primary group is System (SY).
D: - This is a DACL, rather than an audit entry or SACL.
(D;;0xf0007;;;AN) - Deny Anonymous (AN) all access.
(D;;0xf0007;;;BG) - Deny Built-in Guests (BG) all access.
(A;;0xf0005;;;SY) - Allow System READ and CLEAR, including DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).
(A;;0x7;;;BA) - Allow Built-in Admin READ, WRITE and CLEAR.
(A;;0x7;;;SO) - Allow Server Operators READ, WRITE and CLEAR.
(A;;0x3;;;IU) - Allow Interactive Users READ and WRITE.
(A;;0x3;;;SU) - Allow Service accounts READ and WRITE.
(A;;0x3;;;S-1-5-3) - Allow Batch accounts (S-1-5-3) READ and WRITE.
The specific event log access mask bits are:
0x0001 ELF_LOGFILE_READ - Permission to read log files.
0x0002 ELF_LOGFILE_WRITE - Permission to write log files.
However, for Windows 2008 life gets much easier.
Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case, just add them to the built-in Event Log Readers group.
However, if you do not want to give access to ALL event logs, you still have to resort to using SDDL.
The location of the SDDL has changed in Windows 2008; it is no longer set via the CustomSD value in the registry. You now have to use the wevtutil utility.
For example, if you need to define access to just the System event log on a Windows 2008 server:
1. Open a command prompt and run the following command to dump the SDDL for the System log to a text file.
wevtutil gl system > C:\temp\out.txt
2. Open the text file and copy out the channelAccess: entry.
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
3. Copy the Interactive Users (IU) entry and append a matching entry for the SID of your user or group.
O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-3-3127463467463)
4. Last, we need to apply the new SDDL. Just replace O:BAG:XXXX with the SDDL string you created in the previous step.
wevtutil sl System /ca:O:BAG:XXXX
In addition, you can remove access for the Event Log Readers group from the event log in question by removing the (A;;0x1;;;S-1-5-32-573) entry from the respective log's SDDL string.
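As an added example (not from the original post, the KB articles or Microsoft), the following Python helper does the string work of steps 3 and 4 and of the Event Log Readers note above: it parses an event log SDDL such as the channelAccess string, works out what a set of SIDs effectively gets (the Deny entries from the 2003 table win), and appends or removes an ACE. The SID S-1-5-21-1111-2222-3333-1001 and the DEFAULT_2003 string assembled from the entry table are constructed sample values.

```python
import re

READ, WRITE, CLEAR = 0x1, 0x2, 0x4  # the post: 0x1 read, 0x2 write, 0x7 = READ|WRITE|CLEAR, so CLEAR is 0x4
SID_RE = re.compile(r"^(S-1-\d+(-\d+)+|[A-Z]{2})$")  # numeric SID or two-letter SDDL alias
ACE_RE = re.compile(r"\((A|D);([^;]*);(0x[0-9A-Fa-f]+|\d+);([^;]*);([^;]*);([^)]+)\)")

# Sample inputs: the Windows 2008 System channelAccess string from the post, and a Windows
# 2003 descriptor assembled from the post's entry table (constructed, keeping its Deny ACEs).
SYSTEM_2008 = ("O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)"
               "(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)"
               "(A;;0x1;;;S-1-5-32-573)")
DEFAULT_2003 = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x7;;;BA)"
                "(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)")

def parse_sddl(sddl):
    """Split 'O:<owner>G:<group>D:(ace)(ace)...' into (owner, group, [ACE dicts])."""
    m = re.match(r"^O:(\S+?)G:(\S+?)D:(.*)$", sddl.strip())
    if not m:
        raise ValueError("expected O:<owner>G:<group>D:<aces>")
    owner, group, dacl = m.groups()
    leftover = ACE_RE.sub("", dacl).strip()
    if leftover:  # e.g. a stray ')' pasted from a text dump; not valid SDDL
        raise ValueError("malformed DACL text: %r" % leftover)
    aces = [{"type": t, "mask": int(mask, 0), "sid": sid.strip()}
            for t, _flags, mask, _obj, _inh, sid in ACE_RE.findall(dacl)]
    return owner, group, aces

def effective_mask(sddl, held_sids):
    """Rights a token holding all of held_sids gets; a Deny ACE for any held SID strips those
    bits (Windows evaluates in order, but canonical DACLs list Deny first, so this agrees)."""
    allowed = denied = 0
    for a in parse_sddl(sddl)[2]:
        if a["sid"] in held_sids:
            allowed |= a["mask"] if a["type"] == "A" else 0
            denied |= a["mask"] if a["type"] == "D" else 0
    return allowed & ~denied

def grant(sddl, sid, mask):
    """Append (A;;<mask>;;;<sid>) as the post's step 3 does; reject bad SIDs, skip duplicates."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID or SDDL alias: %r" % sid)
    if any(a["sid"] == sid and a["type"] == "A" for a in parse_sddl(sddl)[2]):
        return sddl.strip()
    return "%s(A;;0x%x;;;%s)" % (sddl.strip(), mask, sid)

def revoke(sddl, sid):
    """Drop every ACE for sid, e.g. Event Log Readers (S-1-5-32-573) as the post's last note."""
    owner, group, aces = parse_sddl(sddl)
    return "O:%sG:%sD:%s" % (owner, group, "".join(
        "(%s;;0x%x;;;%s)" % (a["type"], a["mask"], a["sid"]) for a in aces if a["sid"] != sid))
```

The string grant() or revoke() returns is what goes after /ca: in wevtutil sl System on 2008, or into the CustomSD policy value on 2003.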
Hi Jane - Great Article, this is one of our pain points in production, there is a genuine need for developers to be able to look at the Application Logs for their App related events. Although this Article clarifies things, the steps required are still complex and error prone. Microsoft has a GPO setting that allows access to Security Logs but not Application Logs, I hope Microsoft comes up with something similar for App Logs. Do you know of any such plans?
I executed this task successfully. Thanks a lot.
Could you please walk me through the process of applying this setting for group containing a no. of users, instead of a particular user.
Is there any way to set SDDL permissions for the Directory Service or DNS Server logs on Windows Server 2008 R2 Domain Controllers in Group Policy? As far as I can see it can't be set in the default eventlog.admx...
Nice Article and very helpful.
This is a valid request which we get from site admins in order to read the security logs to monitor logon events etc.
No problem, glad I could help.
I get "access denied" when trying to save the changes. Everything is set so that I can make changes, but it doesn't let me.
Hey guys ... I am trying to do the same however it is not working for .. I have a group in a parent domain and I am trying to give permission on the domain controllers in the child domain, not sure if it makes a difference ... please suggest... However I can see the SID added in the CustomSD registry entry...
I also cannot save the Sceregvl.inf on my 2008 R2 DC.
And I wish someone would explain how to do this for the Security Event logs. The SDDL format is not hex.
Help.. I am stuck! I am able to see the event log descriptor settings via local policy, but am missing a step to get them to show up in a domain group policy. I have a few dozen windows 2003 servers I need to apply this change to. Do I need to import the GPO setting somehow?
Help.. I read the article and I understand all except how to add the string to the dword, for example:
Open the relevant Policy for the member server. Open Computer Configuration -> Windows Settings Security Settings Local Policies Security Options Look for Event Log settings
Open “Eventlog: Security descriptor for Application event log”. Click on Define
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD so how do you append respective event logs with (A;; 0x3;;;SID of the Group) please provide an example of what the string should look like.
What he is saying is to copy the value in the registry key, append the code - (A;; 0x3;;;SID of the Group) - to what you get (e.g. in Notepad) and then paste it into your policy.
Let me know if you need help, I'm happy to do a quick call if needed.
MG Technology Group
Does this look right?
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD (A;;0x3;;;S-1-5-21-********)?? Is there a space between the word CustomSD and (???
I have added this to the SD for App Log. When I check the event logs after a gpupdate and/or reboot, I am receiving access denied?
This doesn't seem to work for the security log if the user is running as batch or as a service. I can take the same permission set that works for reading SYSTEM and set it for SECURITY and yet it still will get an access denied error unless I add the user to local admin.
You state that the built-in "Event Log Reader" group allows read access to ALL event logs, however it doesn't allow a regular user to remotely access system/application event logs on other computers.
Hi.. I am trying to log events from Windows 7 to Windows 2003/2008. It was working earlier but for a few days I could not see any log messages from Windows 7 machines. When I checked the code, it says ReportEvent (VB6) is failing.
Can you tell me what permissions are required to update the Windows 2003/2008 event log from Windows 7?