Collect Logs Remotely Using a Least-Privileged User Account (Windows 2008)

The following procedure assumes both the 2008 system running the agent and the 2008 system that is the target of event log collection are on the same domain:

1. Create your domain account.
2. Add the account to the EventLogReaders Group.
3. Either on each target Host individually or via GPO, ensure that this account has Read access to these two registry keys.

   • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security\Microsoft-Windows-Security-Auditing

   • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Security\Microsoft-Windows-Security-Auditing

4. Run the LogRhythm System Monitor Service with this particular account.
5. On the 2008 target system you wish to collect logs from, do the following:
   1. Make the domain account created in Step 1 a member of the local Event Log Readers group.
   2. Make sure that the proper firewall ports are open if the system is running the windows firewall.
   3. Make sure any intervening firewalls traffic fall within the Dynamic Port Range (49152-65535) on the target systems.
      By default, the entire range is included. However, it can be modified to a different range. Before changing the range, verify with your Windows System Administrator.