Home > Uncategorized > Administering Event Log permissions

Administering Event Log permissions

If you’re like me, you use the Nagios plugin I wrote called check_smb_speed.

This means that you are running an instance of NSClient++ with a user account that’s been created and dedicated to the task of running NSClient++, and its minion, check_smb_speed.

This user account, let’s call it SMBTest, has been assigned membership to a security group called SMBTestGroup, for which is now its primary group, and has been since removed from being a Domain Users group member.  Of course SMBTestGroup has read and write permissions to the destination SMB share you have been testing with check_smb_speed; it is also a member of the local Users group (since it is a member of the Authenticated Users group).

But, our friend SMBTest should only be allowed two permissions: 1) Read and Write to the target SMB folder for which we are testing and, 2) Create a process on the host with NSClient++ running.  It shouldn’t even be able to write locally… Alright fine!  It can write to the NSClient++ log file, and read nsc.ini, but that’s it!

Now, we’re stuck in a predicament.  Highly secure user means highly secure access means highly administered.

So, you want SMBTest to check the event logs?  You run:

[root@nagiospoller]# ./check_nrpe -H [destination host ip] -c CheckEventLog -a filter=new file="security" MaxWarn=10 MaxCrit=10 filter-generated=\<2h filter=in filter=all

And all you get back is

Could not open the 'security' event log: 5: Access is denied.

It’s pretty obvious that the cause is that SMBTest doesn’t have permissions to read the event log!

Here is a walk through of the overly complex, arguably necessary (hey, I lost a reputation point defending my Internet honor after all) method of administering event log permissions:

1) Find all the event logs that are available on the system:

reg query HKLM\System\CurrentcontrolSet\Services\eventlog
ex. return values:
 HKEY_LOCAL_MACHINE\System\CurrentcontrolSet\Services\eventlog\<a class="zem_slink" title="Distributed File System (Microsoft)" href="http://en.wikipedia.org/wiki/Distributed_File_System_%28Microsoft%29" rel="wikipedia">DFS Replication</a>
 HKEY_LOCAL_MACHINE\System\CurrentcontrolSet\Services\eventlog\Internet Explorer

2) edit %Windir%\Inf\Sceregvl.inf

3) add entries under [Register Registry Values]

 MACHINE\System\CurrentControlSet\Services\Eventlog\DFS Replication\CustomSD,1,%DFSRCustomSD%,2
 MACHINE\System\CurrentControlSet\Services\Eventlog\Internet Explorer\CustomSD,1,%IECustomSD%,2

4) add entries under [Strings]

 AppCustomSD="Event Log: <a class="zem_slink" title="Security descriptor" href="http://en.wikipedia.org/wiki/Security_descriptor" rel="wikipedia">Security descriptor</a> for Application Event Log."
 DFSRCustomSD="Event Log: Security descriptor for DFSR Event Log."
 IECustomSD="Event Log: Security descriptor for IE Event Log."
 SecCustomSD="Event Log: Security descriptor for Security Event Log."
 SysCustomSD="Event Log: Security descriptor for System Event Log."

5) Save file, close, and run regsvr32 scecli.dll

6) open gpedit.msc

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options

7) Use getsid, psgetsid or name2sid to find the SID of the object you wish to grant permission

SID for the group DOMAIN\EventLog_Readers:

8 ) Access each of the Security Settings and modify the SDDL:

0x1 means read
 0x2 means write
 0x4 means clear
 0xf0007 means ?

For definitions of some strings, see http://support.microsoft.com/kb/914392 & http://msdn.microsoft.com/en-us/library/aa374928(VS.85).aspx

Original (from member server):
Modified (for member server):

9) Run gpupdate /force


  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: