
Create a Least-Privileged Domain User Account for Remote Log Collection

Access to the event logs is determined by the account under which the LogRhythm Agent is running. To provide the Agent with the permissions to access the Windows Event Logs on remote Windows machines, it is necessary to create a special account on the Windows domain.

This procedure outlines setting up a least-privileged domain user account for the LogRhythm System Monitor Service to start under when remote event log monitoring is required. The system monitor agent and the remote Windows Event log source host must both be on the same domain.

This configuration is not necessary if you use an account that is a member of the Domain Admin group. 

Add LogRhythm User to the Domain

  1. On any write-enabled domain controller or domain system with Active Directory Tools installed, open Active Directory Users and Groups.
  2. Right-click Users, click New, and then click User.
  3. Fill in the fields as required. Set the user logon name to LogRhythm (or another suitable name that uniquely identifies this account as the account used for LogRhythm). 
    The LogRhythm user account should only be a member of the Domain Users group by default, but if you want to collect Domain Controller logs with this account, you should also make it a member of the Event Log Readers group. 
  4. Add the LogRhythm service account you created to the Local Administrators group of the system which is running the LogRhythm agent to perform remote collection.
  5. Configure the LogRhythm Agent service to run as the service account through services.msc.
  6. Restart the LogRhythm Agent to apply the change.
    The Agent is now running as the service account.
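The six steps above, as an added PowerShell example (not LogRhythm's own code or tooling). The domain name CONTOSO, the OU path, the collector host name COLLECTOR01, the UPN suffix and the service display name 'LogRhythm System Monitor Service' are assumptions for illustration; it also assumes the RSAT ActiveDirectory module on the machine you run it from and PowerShell remoting to the collector. The optional Event Log Readers membership at the end is the same domain-group change the Domain Controller section later on this page describes.

```powershell
# Added example, not from the LogRhythm page. All names below are assumptions.
Import-Module ActiveDirectory

$domain     = 'CONTOSO'
$samName    = 'LogRhythm'
$collector  = 'COLLECTOR01'                         # host running the Agent that collects remotely
$svcDisplay = 'LogRhythm System Monitor Service'    # assumed display name of the Agent service
$collectDCs = $false                                # $true only if this account must read DC logs
$password   = Read-Host -AsSecureString "Password for $domain\$samName"

# Steps 1-3: create the account. It is a member of Domain Users only; nothing else is granted here.
New-ADUser -Name $samName -SamAccountName $samName `
    -UserPrincipalName "$samName@contoso.example" `
    -Path 'OU=Service Accounts,DC=contoso,DC=example' `
    -AccountPassword $password -PasswordNeverExpires $true `
    -CannotChangePassword $true -Enabled $true `
    -Description 'LogRhythm Agent service account for remote event log collection'

# Only for Domain Controller collection: the domain Event Log Readers group.
if ($collectDCs) { Add-ADGroupMember -Identity 'Event Log Readers' -Members $samName }

# Step 4: local Administrators on the collector only, never on the monitored hosts.
Invoke-Command -ComputerName $collector -ScriptBlock {
    param($acct) Add-LocalGroupMember -Group 'Administrators' -Member $acct
} -ArgumentList "$domain\$samName"

# Steps 5-6: run the Agent service as the account and restart it.
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password))
Invoke-Command -ComputerName $collector -ScriptBlock {
    param($acct, $pw, $display)
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$display'"
    if (-not $svc) { throw "Service '$display' not found" }
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
            -Arguments @{ StartName = $acct; StartPassword = $pw }
    if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($r.ReturnValue)" }
    Restart-Service -Name $svc.Name
    # Confirm which identity the service now starts under.
    (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartName
} -ArgumentList "$domain\$samName", $plain, $svcDisplay
```

Unlike services.msc, Win32_Service.Change does not grant the account the Log on as a service right, so either assign that right through Group Policy or set the account once through services.msc as in step 5.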

Collect Logs on Domain-Member Systems Using Default Event Log Readers Group (Windows Server 2008 and Later)

By default, all Windows computers have a built-in local group called Event Log Readers. This group allows accounts in it the ability to read event logs for log collection remotely. To collect Event Logs from domain member systems running Windows Server 2008 and later, you can use a group policy to add the service account running the System Monitor to the local Event Log Readers group on all machines in the domain.

  1. Open the Group Policy Management Editor.
  2. Create a new Group Policy under the OU you wish to collect logs within.
  3. Add the service account created above to the local Event Log Reader group through Local Users and Groups.
    1. Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups.
    2. Open Event Log Readers group properties
    3. Action: Update
    4. Under the Members: heading, click Add... and select the LogRhythm service account created above.
    5. Click OK.
  4. You may need to adjust the Group Policy scope and/or enforcement depending on your environment. Consult with your Active Directory system administrator for further information on group policy configuration/management. 
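A verification pass for the Group Policy result, as an added PowerShell example (not part of the original page). It assumes WinRM remoting and Windows PowerShell 5.1 (for Get-LocalGroupMember) on the member servers, and the host names and account name are constructed placeholders. For each host it checks that the service account landed in Event Log Readers, that it did not also end up in Administrators, and that it can actually read one Security event remotely, which is the same access path the Agent uses.

```powershell
# Added example, not from the LogRhythm page. Host and account names are constructed.
param(
    [string[]]$ComputerName  = @('SERVER01', 'SERVER02'),
    [string]$ServiceAccount  = 'CONTOSO\LogRhythm',
    [pscredential]$Credential = (Get-Credential -UserName 'CONTOSO\LogRhythm' -Message 'Service account password')
)

foreach ($computer in $ComputerName) {
    $result = [ordered]@{
        Computer           = $computer
        InEventLogReaders  = $false
        InAdministrators   = $false   # should stay $false for a least-privileged account
        CanReadSecurityLog = $false
        Error              = $null
    }
    try {
        # Local group membership as the GPO left it on the target.
        $groups = Invoke-Command -ComputerName $computer -ScriptBlock {
            @{
                Readers = @(Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue | ForEach-Object Name)
                Admins  = @(Get-LocalGroupMember -Group 'Administrators'    -ErrorAction SilentlyContinue | ForEach-Object Name)
            }
        }
        $result.InEventLogReaders = $groups.Readers -contains $ServiceAccount
        $result.InAdministrators  = $groups.Admins  -contains $ServiceAccount

        # Read a single Security event over RPC as the service account itself.
        $null = Get-WinEvent -ComputerName $computer -LogName Security -MaxEvents 1 `
                    -Credential $Credential -ErrorAction Stop
        $result.CanReadSecurityLog = $true
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}
```

A host that reports InEventLogReaders as true but CanReadSecurityLog as false usually has not refreshed policy yet or is blocking the Remote Event Log Management firewall rule; a true InAdministrators means the account has been over-privileged somewhere and should be investigated.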

Collect Logs on Domain-Controller Systems Using Default Event Log Readers Group (Windows Server 2008 and Later)

Domain Controllers are unique in that they do not have a local Event Log Readers group. Instead, they use the domain Event Log Readers group. While LogRhythm recommends using local agents for domain controller event log collection, some customers may need to perform collection of domain controller logs from another host. To collect logs from a domain controller remotely, you need to add the LogRhythm service account to the Event Log Readers group in the domain.

  1. On any write-enabled domain controller or domain system with Active Directory Tools installed, open Active Directory Users and Groups.
  2. Right-click Groups, and then click Search.
  3. Type in Event Log Readers.
  4. Open the Group properties, Members tab
  5. Add the LogRhythm account created above to the group

Set Basic Rights on the Domain (Windows Server 2003)

  1. Open Administrative Tools, and then click Domain Security Policy.
  2. Click Security Settings, click Local Policies, and then click User Rights Assigned.
  3. Double-click the Logon as Service policy.
  4. Select the Define check box.
  5. Click Add.
  6. Add the LogRhythm user.
  7. Double-click the Manage Auditing and Security Log policy.
  8. Select the Define check box.
  9. Click Add.
  10. Add the LogRhythm user.

Set Advanced Rights on the Domain (Windows Server 2003)

To collect Event Logs from systems running Windows Server 2003, advanced rights must be assigned to the LogRhythm Agent's account. These rights must be granted on both Windows Servers, and can be configured locally in each machine's Group Policy or pushed more globally as part of domain Group Policy.

The following instructions also include additional steps and alternate terms that apply to Windows Server 2008, both inline and at the end.

Starting with Windows Server 2003, Windows tightened the ACLs on the Event Logs to restrict which accounts can read and write to the logs. The security of each log is configured locally through the values in the following registry key:

CODE
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog

The Security Descriptors for the Event Logs must be modified to allow access from the Active Directory user or group you want. The Security Descriptors are saved in Security Descriptor Definition Language (SDDL) format. The Security Descriptors may be modified locally on each Windows Server 2003 system or set in a Group Policy for a Domain, Site or Organizational Unit. See the Microsoft website for details.

In a domain environment, this file must be changed on the domain controller for Windows Server 2003.
  1. Use a text editor such as Notepad to open the file %Windir%\Inf\Sceregvl.inf.

    If you are using Windows Server 2008, you must take ownership of this file before you can save changes to it.
  2. Add the following lines to the [Register Registry Values] section:

    CODE
    MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppCustomSD%,2
    MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1,%SecCustomSD%,2
    MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysCustomSD%,2
    MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD,1,%DSCustomSD%,2
    MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD,1,%DNSCustomSD%,2
    MACHINE\System\CurrentControlSet\Services\Eventlog\File Replication Service\CustomSD,1,%FRSCustomSD%,2

  3. Add the following lines to the [Strings] section:

    CODE
    AppCustomSD="Eventlog: Security descriptor for Application event log"
    SecCustomSD="Eventlog: Security descriptor for Security event log"
    SysCustomSD="Eventlog: Security descriptor for System event log"
    DSCustomSD="Eventlog: Security descriptor for Directory Service event log"
    DNSCustomSD="Eventlog: Security descriptor for DNS Server event log"
    FRSCustomSD="Eventlog: Security descriptor for File Replication Service event log"

  4. Save the changes to the Sceregvl.inf file. 
  5. Run the following command from the Windows Run box or command line. 

    CODE
    regsvr32 scecli.dll

    When the update finishes, a message box appears with the text DllRegisterServer in scecli.dll succeeded.

  6. Open the Group Policy Editor by doing one of the following: 
    • If configuring the Group Policy for the local machine, start Gpedit.msc from the Windows Run... box or command line.
    • If configuring the Group Policy for the domain, open Active Directory Users and Computers:
      1. Go to the Organizational Unit (OU) that contains the computer account objects.
      2. Right-click the OU and click Properties.
      3. Click the Group Policy tab.
      4. Click the GPO in effect.
      5. To modify the GPO, click Edit.
  7. In the Group Policy Object Editor MMC for Windows Server 2003, go to Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click Security Options.
  8. View the right panel to find the new Eventlog: settings.
  9. Perform one of the following:
    • If configuring the Group Policy for the local machine, append (A;;0x1;;;<SID>) to the end of any Security Descriptors of Event Logs you want to collect, where <SID> is replaced by the SID of the user or group being granted access.
      For example: (A;;0x1;;;S-1-5-21-1760952874-2610146993-1928205901-1246)
    • If configuring the Group Policy for the domain:
      1. First, establish a base Security Descriptor for access.

        Because of the variation in customer environments, LogRhythm cannot specify what the base access should be. For network environments with no current settings, it may be possible to copy the default Security Descriptor(s) from an active Windows Server 2003 successfully.
      2. Append (A;;0x1;;;<SID>) to the end of any Security Descriptors of Event Logs you want to collect, where <SID> is replaced by the SID of the user or group being granted access.
        For example: (A;;0x1;;;S-1-5-21-1760952874-2610146993-1928205901-1246)

        When editing the SDDLs on Windows 2000 domain controllers, the SDDL must be enclosed in double quotes ("). However, Windows Server 2003 domain controllers do not allow double quotes (").
      3. Wait until the Group Policy is propagated to the Windows Server 2003 machines. To force immediate updating of the GPO on local machines, run the command GPUpdate.exe from a command line locally on each machine.

        LogRhythm testing shows that propagating these Security Descriptors has no adverse effects on Event Log access for Windows 2000 systems. If users, especially members of the Domain Admins group, experience a loss of access to the Event Logs (specifically the Security Event Log), it may be necessary to assign those users or groups the Manage Auditing and Security Log right in the Group Policy.

The Agent now has access to the configured Event Logs.
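The local-machine variant of step 9 (appending a read ACE to a log's CustomSD), as an added PowerShell example that is not part of the original page. It works directly on the CustomSD value under the registry key named earlier, takes the SID and log name as parameters (both are caller-supplied; no real SID is assumed), refuses to append a SID that is already present, and parses the proposed descriptor with .NET's RawSecurityDescriptor before writing anything, so stray quotes or spaces are rejected here instead of ending up in the registry. The access-mask decoding goes slightly beyond the page: 0x1 is the read bit the page grants, 0x2 is write and 0x4 is clear, which lets you see who else can write to or clear the log.

```powershell
# Added example, not from the LogRhythm page. Run elevated on the Windows Server 2003 host.
param(
    [Parameter(Mandatory)][string]$Sid,     # SID of the LogRhythm account or group (caller supplies it)
    [string]$LogName = 'Security',          # Application, Security, System, ...
    [switch]$Apply                          # omit to preview without writing
)

# Fail early on a malformed SID rather than on a half-written descriptor.
$null = [System.Security.Principal.SecurityIdentifier]$Sid

# 0x1 is the event-log read bit; this is exactly the ACE the procedure appends.
$ace = "(A;;0x1;;;$Sid)"

$key     = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
$current = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if ([string]::IsNullOrWhiteSpace($current)) {
    throw "No CustomSD value under $key. Establish a base Security Descriptor first."
}

# Re-running must not stack duplicate ACEs for the same principal.
if ($current -match [regex]::Escape(";;;$Sid)")) {
    Write-Warning "$Sid is already present in the $LogName CustomSD; nothing to do."
    return
}

$proposed = $current + $ace

# RawSecurityDescriptor throws on invalid SDDL, so quoting or spacing mistakes stop here.
try {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($proposed)
}
catch {
    throw "Proposed descriptor is not valid SDDL: $proposed`n$($_.Exception.Message)"
}

# Decode the DACL so the reviewer sees every principal's rights after the change.
$sd.DiscretionaryAcl | ForEach-Object {
    [pscustomobject]@{
        Type  = $_.AceType
        Sid   = $_.SecurityIdentifier.Value
        Read  = [bool]($_.AccessMask -band 0x1)
        Write = [bool]($_.AccessMask -band 0x2)
        Clear = [bool]($_.AccessMask -band 0x4)
    }
} | Format-Table -AutoSize

if ($Apply) {
    Set-ItemProperty -Path $key -Name CustomSD -Value $proposed
    "Updated $LogName CustomSD."
}
else {
    "Preview only. Re-run with -Apply to write:`n$proposed"
}
```

Run it once without -Apply per log you intend to collect and keep the printed table with the change record; an unexpected principal with Write or Clear set is worth a second look before the collector is pointed at that log.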

For more information, consult the Microsoft website.   
