Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.


On each source computer (e.g. a Windows AD domain controller) from which logs are to be forwarded, type the following at an elevated command prompt. This starts the WinRM service, sets it to start automatically, creates an HTTP listener and opens the firewall exception that event forwarding depends on:

PS C:\Users\Administrator>winrm quickconfig

Log on to the source computer (e.g. Windows AD) as an administrator, open a command or PowerShell prompt, and run the command below to determine the current channel access permissions on the Security log:

PS C:\Users\Administrator>wevtutil get-log security

This outputs the following. The channelAccess line is the SDDL that must be extended; in the default shown, SY (Local System) has all standard rights plus read and clear (0xf0005), BA (Builtin Administrators) has read and clear (0x5), and S-1-5-32-573 (the Event Log Readers group) has read (0x1). On an event log channel the access mask bits are 0x1 read, 0x2 write and 0x4 clear.

name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1

The Security Identifier (SID) for the Network Service account is S-1-5-20. The WinRM service, which reads and forwards events on the source computer, runs as Network Service, so the Security log must grant that account read access. Add it by appending the access control entry (A;;0x1;;;S-1-5-20) to the existing SDDL (A = allow, 0x1 = read) using the wevtutil set-log command with the /ca (channel access) parameter, as shown below.

Copy the SDDL that wevtutil reported on each computer rather than pasting the example, so that any existing custom entries are preserved. If channel access is managed by the "Configure log access" Group Policy setting (Computer Configuration > Administrative Templates > Windows Components > Event Log Service > Security), a value set with wevtutil is overwritten on the next policy refresh; in that case add the ACE to the policy value instead.

Now run the following command on each source computer. The whole /ca: argument is quoted so that PowerShell passes the parentheses and semicolons to wevtutil unchanged (the quotes are optional in a cmd.exe prompt):

PS C:\Users\Administrator>wevtutil set-log security '/ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)'

Run wevtutil get-log security again and confirm that the channelAccess line now ends with (A;;0x1;;;S-1-5-20).
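The three steps above (check WinRM, read the current channel SDDL, append the Network Service ACE and verify) can be scripted so that the same command works on every source computer regardless of its current SDDL. The following is an added example for this article, not code from the original page or from Seceon; it assumes an elevated PowerShell prompt on the source computer, wevtutil.exe on the PATH, and the Security channel and SID S-1-5-20 used above. The function names are this example's own.

```powershell
# Added example for this KB step; it is not code from the original article.
# Assumptions: elevated PowerShell prompt on the source computer, wevtutil.exe on PATH,
# Security channel and NETWORK SERVICE (S-1-5-20) as in the article. Function names are ours.

function Get-ChannelAccessSddl {
    param([string]$Channel = 'Security')
    # 'wevtutil gl' is the short form of 'wevtutil get-log'. The channelAccess line
    # carries the SDDL that controls who may read, write or clear the channel.
    $output = & wevtutil.exe gl $Channel
    if ($LASTEXITCODE -ne 0) { throw "wevtutil gl $Channel failed with exit code $LASTEXITCODE" }
    foreach ($line in $output) {
        if ($line -match '^channelAccess:\s*(\S+)\s*$') { return $Matches[1] }
    }
    throw "No channelAccess line returned for channel '$Channel'"
}

function Grant-ChannelReadAccess {
    param(
        [string]$Channel = 'Security',
        [string]$Sid     = 'S-1-5-20'   # NETWORK SERVICE
    )
    # A = access allowed; 0x1 = read on an event log channel (0x2 write, 0x4 clear).
    $ace  = "(A;;0x1;;;$Sid)"
    $sddl = Get-ChannelAccessSddl -Channel $Channel

    # Extend the SDDL the host actually has instead of pasting a fixed string,
    # so existing custom ACEs survive. Re-running the script is a no-op.
    if ($sddl -like "*;;;$Sid)*") {
        Write-Host "$Sid already has an ACE on '$Channel'; leaving SDDL unchanged:`n$sddl"
        return $sddl
    }
    # If the descriptor carries a SACL ('S:' part), the new ACE must go at the end of the
    # DACL, i.e. before 'S:'; otherwise it is simply appended.
    $saclIndex = $sddl.IndexOf('S:(')
    $newSddl = if ($saclIndex -ge 0) { $sddl.Insert($saclIndex, $ace) } else { $sddl + $ace }

    # Quote the argument so PowerShell passes the parentheses and semicolons through intact.
    & wevtutil.exe sl $Channel "/ca:$newSddl"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl $Channel failed with exit code $LASTEXITCODE" }

    # Read the descriptor back and confirm the new ACE is really present.
    $applied = Get-ChannelAccessSddl -Channel $Channel
    if ($applied -notlike "*$ace*") { throw "ACE not present after set-log; current SDDL: $applied" }
    Write-Host "Granted read on '$Channel' to $Sid. Current SDDL:`n$applied"
    return $applied
}

# The forwarding plug-in on the source runs inside the WinRM service, so check it is up.
$winrm = Get-Service -Name WinRM
if ($winrm.Status -ne 'Running') {
    Write-Warning "WinRM service is $($winrm.Status); run 'winrm quickconfig' first."
}

Grant-ChannelReadAccess -Channel 'Security' -Sid 'S-1-5-20'
```

The script reads the SDDL back after writing it, so a silent failure (for example a Group Policy "Configure log access" value that re-applies on refresh) shows up as a thrown error rather than as missing Security events on the collector later.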

The links below provide more details on how to perform the above steps:

https://msdn.microsoft.com/en-us/library/cc748890.aspx 

https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2
