Remote access also requires permissions to use the Remote Registry, and read from the system share (C$). This is accomplished by adding the user that the LogRhythm Agent will run under to the local Backup Operators group on remote machines. If collecting from Windows XP workstations, the user that the LogRhythm Agent will run under needs to be added to the local Administrators group instead of Backup Operators.
- Ensure required permissions are enabled for access to the event logs via Remote Registry:
- Ensure the Remote Registry service in Windows has its Startup Type set to start Automatic and is started.
- By default, the Event Logs, via Remote Registry, are accessible to machines on the domain.
This permission is created by a default entry in the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\Machines.
- If global permissions have been removed, they can be added manually for a specific user or group to the Event Log's registry key by doing the following:
- Open RegEdit.
- Go to HKEY_Local_Machine\System\CurrentControlSet\Services\Eventlog.
- Right-click the EventLog key in the tree, and then click Permissions.
- Allow permissions to the domain user where the LogRhythm Agent is running.
- Ensure required permissions are enabled for read access to the system share (C$) on the remote system. This can be accomplished by placing the domain account that the LogRhythm Agent will run under in the Backup Operators group (or Administrators group, if collecting from Windows XP workstations). For information about automating permission granting, see Batch Add Domain Users to a Local Security Group on Domain Hosts.