Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Current »

  • Log on to the source computer (e.g. Windows AD) as administrator, open a command or PowerShell prompt, and run the command below:

PS C:\Users\Administrator>winrm quickconfig

  • To determine the current channel access permissions, run the command below:

PS C:\Users\Administrator>wevtutil get-log security

This outputs the following

name: security

enabled: true

type: Admin

owningPublisher:

isolation: Custom

channelAccess:

O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)

logging:

 logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx

 retention: false

 autoBackup: false

 maxSize: 20971520

publishing:

fileMax: 1

The Security Identifier (SID) for the Network Service account is S-1-5-20.  Add it to the SDDL as shown here using wevtutilset-log command with the /ca (channel access) parameter to give the account read permission on the Security Event Log.

Now run below the following command on each source computers:

PS C:\Users\Administrator>wevtutil set-log security ‘/ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)’


After running the set-log security command:

The links below provide more details on how to perform the above steps

https://msdn.microsoft.com/en-us/library/cc748890.aspx 

https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2

  • No labels

Seceon Inc. All rights reserved. https://www.seceon.com