Administering Event Log permissions
Say you are running an instance of NSClient++ under a user account that was created and dedicated to the task of running NSClient++ and its minion, check_smb_speed.
This user account, let's call it SMBTest, has been made a member of a security group called SMBTestGroup, which is now its primary group, and has since been removed from the Domain Users group. Of course SMBTestGroup has read and write permissions on the destination SMB share you have been testing with check_smb_speed; it is also a member of the local Users group (since it is a member of Authenticated Users).
But our friend SMBTest should be allowed only two things: 1) read and write access to the target SMB folder that we are testing, and 2) the right to create a process on the host running NSClient++. It shouldn't even be able to write locally... Alright, fine! It can write to the NSClient++ log file and read nsc.ini, but that's it!
Now we're stuck in a predicament: a highly secure user means highly restricted access, which means highly administered access.
So, you want SMBTest to check the event logs? You run:
[root@nagiospoller]# ./check_nrpe -H [destination host ip] -c CheckEventLog -a filter=new file="security" MaxWarn=10 MaxCrit=10 filter-generated=\<2h filter=in filter=all
And all you get back is
Could not open the 'security' event log: 5: Access is denied.
It’s pretty obvious that the cause is that SMBTest doesn’t have permissions to read the event log!
Here is a walkthrough of the overly complex, arguably necessary (hey, I lost a reputation point defending my Internet honor after all) method of administering event log permissions:
1) Find all the event logs that are available on the system:
reg query HKLM\System\CurrentControlSet\Services\eventlog
Example return values:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\eventlog\Application
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\eventlog\DFS Replication
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\eventlog\Internet Explorer
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\eventlog\Security
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\eventlog\System
2) Edit %Windir%\Inf\Sceregvl.inf
3) Add entries under [Register Registry Values]:
MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\DFS Replication\CustomSD,1,%DFSRCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\Internet Explorer\CustomSD,1,%IECustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1,%SecCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysCustomSD%,2
4) Add entries under [Strings]:
AppCustomSD="Event Log: Security descriptor for Application Event Log."
DFSRCustomSD="Event Log: Security descriptor for DFSR Event Log."
IECustomSD="Event Log: Security descriptor for IE Event Log."
SecCustomSD="Event Log: Security descriptor for Security Event Log."
SysCustomSD="Event Log: Security descriptor for System Event Log."
5) Save the file, close it, and run regsvr32 scecli.dll
6) Open gpedit.msc and go to Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options
7) Use getsid, psgetsid or name2sid to find the SID of the object to which you wish to grant permission:
SID for the group DOMAIN\EventLog_Readers: S-1-5-21-4056406504-540640-564065-4401
8) Access each of the new Security Settings entries and modify the SDDL:
0x1 means read
0x2 means write
0x4 means clear
0xf0007 means ?
For definitions of some strings, see http://support.microsoft.com/kb/914392 & http://msdn.microsoft.com/en-us/library/aa374928(VS.85).aspx
Original (from member server):
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)
Modified (for member server):
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;S-1-5-21-4056406504-540640-564065-4401)
9) Run gpupdate /force
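As an added example (not code from the post), the Python below parses the CustomSD string from step 8, reports which of the mask bits above a trustee actually ends up with once deny ACEs are taken into account, and appends the read-only ACE that the Modified descriptor adds, so you can verify the new group gets 0x1 and nothing more before pushing the policy. The SID is the page's DOMAIN\EventLog_Readers; the meaning of the 0xF0000 part of 0xf0007 is the standard Win32 rights mask and is my addition, not from the page.

```python
import re

# Access-mask bits the event log service checks (the page's table: read, write, clear);
# 0xF0000 on top of them is the standard-rights block (DELETE, READ_CONTROL,
# WRITE_DAC, WRITE_OWNER), which is why 0xf0007 amounts to full control.
READ, WRITE, CLEAR, STANDARD_RIGHTS = 0x1, 0x2, 0x4, 0xF0000
RIGHT_NAMES = {READ: "read", WRITE: "write", CLEAR: "clear", STANDARD_RIGHTS: "standard rights"}

_HEADER = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dacl>.*)$")
_ACE = re.compile(r"\(([AD]);([^;]*);(0x[0-9A-Fa-f]+);;;([^)]+)\)")

def parse_sddl(sddl):
    """Split a CustomSD string into owner, group and a list of (type, mask, trustee) ACEs.
    Only hex masks are handled, which is the form the event log service writes."""
    m = _HEADER.match(sddl)
    if not m:
        raise ValueError("not an O:..G:..D: descriptor")
    aces = [(t, int(mask, 16), sid) for t, _flags, mask, sid in _ACE.findall(m["dacl"])]
    return {"owner": m["owner"], "group": m["group"], "aces": aces}

def effective_rights(sddl, trustee):
    """Rights the DACL gives to exactly this trustee (allow bits minus deny bits).
    This inspects the string only; group membership of a real token is not expanded."""
    allowed = denied = 0
    for ace_type, mask, sid in parse_sddl(sddl)["aces"]:
        if sid == trustee:
            if ace_type == "A":
                allowed |= mask
            else:
                denied |= mask
    return allowed & ~denied

def rights_names(mask):
    """Human-readable names for the bits set in an event log access mask."""
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]

def grant_read(sddl, trustee):
    """Append a read-only allow ACE for the trustee, as step 8 does by hand;
    the string is returned unchanged if the trustee can already read."""
    if effective_rights(sddl, trustee) & READ:
        return sddl
    return f"{sddl}(A;;0x{READ:x};;;{trustee})"

# The page's member-server descriptor and the SID of DOMAIN\EventLog_Readers.
ORIGINAL = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)"
            "(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)")
READERS_SID = "S-1-5-21-4056406504-540640-564065-4401"

if __name__ == "__main__":
    print(rights_names(effective_rights(grant_read(ORIGINAL, READERS_SID), READERS_SID)))  # ['read']
```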