Create a Least-Privileged Domain User Account

Access to the event logs is determined by the account under which the LogRhythm Agent is running. To provide the Agent with the permissions to access the Windows Event Logs on remote Windows machines, it is necessary to create a special account on the Windows domain.

This procedure outlines setting up a least-privileged domain user account for the LogRhythm System Monitor Service to start under when remote event log monitoring is required. The System Monitor Agent and the remote Windows Event Log source host must both be on the same domain.

This configuration is not necessary if you use an account that is a member of the Domain Admin group. When using a Domain Admin account, the Agent service must be set to start under this account.

Add LogRhythm User to the Domain

  1. On the primary domain controller (PDC), open Active Directory Users and Groups.
  2. Right-click Users, click New, and then click User.
  3. Fill in the fields as required. Set the user logon name to LogRhythm (or another suitable name that uniquely identifies this account as the account used for LogRhythm).
    The LogRhythm user account should only be a member of the Domain Users group.

Set Basic Rights on the Domain (Windows Server 2003)

  1. Open Administrative Tools, and then click Domain Security Policy.
  2. Click Security Settings, click Local Policies, and then click User Rights Assigned.
  3. Double-click the Logon as Service policy.
  4. Select the Define check box.
  5. Click Add.
  6. Add the LogRhythm user.
  7. Double-click the Manage Auditing and Security Log policy.
  8. Select the Define check box.
  9. Click Add.
  10. Add the LogRhythm user.

Add Service Account to Event Log Readers Group (Windows Server 2008 and Later)

To collect Event Logs from systems running Windows Server 2008 and later, you can use a group policy to add the service account running the System Monitor to the local Event Log Readers group on all machines in the domain.

Set Advanced Rights on the Domain (Windows Server 2003)

To collect Event Logs from systems running Windows Server 2003, advanced rights must be assigned to the LogRhythm Agent's account. These rights must be granted on each Windows Server and can be configured locally in each machine's Group Policy or pushed out more globally as part of domain Group Policy.

Additional steps and alternate terminology for Windows Server 2008 are included within, and at the end of, the following instructions.

Starting with Windows Server 2003, Windows tightened the ACLs on the Event Logs to restrict which accounts can read and write to the logs. The security of each log is configured locally through the values in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog

The Security Descriptors for the Event Logs must be modified to allow access from the Active Directory user or group you want. The Security Descriptors are saved in Security Descriptor Definition Language (SDDL) format. The Security Descriptors may be modified locally on each Windows Server 2003 system or set in a Group Policy for a Domain, Site or Organizational Unit. See the Microsoft Web site for details.

In a domain environment, the Sceregvl.inf file edited in the following steps must be changed on the domain controller for Windows Server 2003.
  1. Use a text editor such as Notepad to open the file %Windir%\Inf\Sceregvl.inf.

    If you are using Windows Server 2008, you must take ownership of this file before you can save changes to it.
  2. Add the following lines to the [Register Registry Values] section:

    MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppCustomSD%,2
    MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1,%SecCustomSD%,2
    MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysCustomSD%,2
    MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD,1,%DSCustomSD%,2
    MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD,1,%DNSCustomSD%,2
    MACHINE\System\CurrentControlSet\Services\Eventlog\File Replication Service\CustomSD,1,%FRSCustomSD%,2

  3. Add the following lines to the [Strings] section:

    AppCustomSD="Eventlog: Security descriptor for Application event log"
    SecCustomSD="Eventlog: Security descriptor for Security event log"
    SysCustomSD="Eventlog: Security descriptor for System event log"
    DSCustomSD="Eventlog: Security descriptor for Directory Service event log"
    DNSCustomSD="Eventlog: Security descriptor for DNS Server event log"
    FRSCustomSD="Eventlog: Security descriptor for File Replication Service event log"

  4. Save the changes to the Sceregvl.inf file.
  5. Run the command regsvr32 scecli.dll from the Windows Run box or command line.
    When the update finishes, a message box appears with the text DllRegisterServer in scecli.dll succeeded.
  6. Open the Group Policy Editor by doing one of the following:
    • If configuring the Group Policy for the local machine, start Gpedit.msc from the Windows Run... box or command line.
    • If configuring the Group Policy for the domain, open Active Directory Users and Computers:
      1. Go to the Organizational Unit (OU) that contains the computer account objects.
      2. Right-click the OU and click Properties.
      3. Click the Group Policy tab.
      4. Click the GPO in effect.
      5. To modify the GPO, click Edit.
  7. In the Group Policy Object Editor MMC for Windows Server 2003, go to Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click Security Options.
  8. View the right panel to find the new Eventlog: settings.
  9. Perform one of the following:
    • If configuring the Group Policy for the local machine, append (A;;0x1;;;<SID>) to the end of any Security Descriptors of Event Logs you want to collect, where <SID> is replaced by the SID of the user or group being granted access.
      For example: (A;;0x1;;;S-1-5-21-1760952874-2610146993-1928205901-1246)
    • If configuring the Group Policy for the domain:
      1. First, establish a base Security Descriptor for access.

        Because of the variation in customer environments, LogRhythm cannot specify what the base access should be. For network environments with no current settings, it may be possible to copy the default Security Descriptor(s) from an active Windows Server 2003 successfully.
      2. Append (A;;0x1;;;<SID>) to the end of any Security Descriptors of Event Logs you want to collect, where <SID> is replaced by the SID of the user or group being granted access. For example: (A;;0x1;;;S-1-5-21-1760952874-2610146993-1928205901-1246)

        When editing the SDDLs on Windows 2000 domain controllers, the SDDL must be enclosed in double quotes ("). However, Windows Server 2003 domain controllers do not allow double quotes (").
      3. Wait until the Group Policy is propagated to Windows Server 2003 machines. To force immediate updating of the GPO on local machines, run the command GPUpdate.exe from a command line locally on each machine.

        LogRhythm testing shows that propagating these Security Descriptors has no adverse effects on Event Log access for Windows 2000 systems. If users, especially members of the Domain Admins group, experience a loss of access to the Event Logs (specifically the Security Event Log), it may be necessary to assign those users or groups the Manage Auditing and Security Log right in the Group Policy.
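As an added, constructed example (not LogRhythm's code), the following Python applies the SDDL edit from step 9 above to a CustomSD value: it parses the DACL, checks whether a SID already holds the 0x1 read right, appends (A;;0x1;;;<SID>) only when needed (and ahead of any SACL section), and applies the quoting rule for Windows 2000 versus Windows Server 2003 domain controllers. The sample CustomSD string and the function names are assumptions made for the example.

```python
import re

# Event-log read right granted by the (A;;0x1;;;<SID>) ACE in the procedure above.
EVENT_LOG_READ = 0x1

# Constructed sample resembling a Windows Server 2003 default Security-log
# CustomSD (not copied from a live system).
SAMPLE_CUSTOMSD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)"
                   "(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)")

_DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")  # DACL flags, then the ACE run
_ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return the DACL as (ace_type, rights, sid) tuples; hex rights become ints,
    symbolic rights strings (not used in CustomSD values) are left as text."""
    m = _DACL_RE.search(sddl)
    if not m:
        raise ValueError("SDDL has no DACL (D:) section")
    aces = []
    for body in _ACE_RE.findall(m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        if rights.lower().startswith("0x"):
            rights = int(rights, 16)
        aces.append((ace_type, rights, sid))
    return aces

def has_read_access(sddl, sid):
    """True if an Allow ACE for `sid` already carries the 0x1 (read) bit."""
    return any(t == "A" and s == sid and isinstance(r, int) and r & EVENT_LOG_READ
               for t, r, s in parse_dacl(sddl))

def grant_read_access(sddl, sid):
    """Append (A;;0x1;;;<SID>) after the last DACL ACE (ahead of any S: SACL
    section) unless `sid` can already read; idempotent, so safe to re-run."""
    if has_read_access(sddl, sid):
        return sddl
    m = _DACL_RE.search(sddl)
    ace = f"(A;;0x{EVENT_LOG_READ:x};;;{sid})"
    return sddl[:m.end(2)] + ace + sddl[m.end(2):]

def for_domain_controller(sddl, windows_2000):
    """Windows 2000 DCs need the SDDL in double quotes; Server 2003 DCs reject them."""
    return f'"{sddl}"' if windows_2000 else sddl
```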

The Agent should now have access to the configured Event Logs.

For more information, consult the Microsoft Web site.

If the LogRhythm Agent is to read or perform integrity monitoring of flat files on the host machine, it might be necessary to assign additional rights to the user account or make the user account a member of a more privileged group to allow access to the required files.