
Need some explanation about Windows event Smart connector

Hello,

If a Windows expert sees this topic

In the Windows Unified Smart connector documentation, page 19 and 20

I can read that we need to use two users:

Domain user: Enter the name of the user account with adequate privileges to collect Windows events from the target host.

Active Directory Username: Enter the Active Directory User Name for access to Active Directory

As I'm not a Windows administrator, I don't really know what the minimum privileges required for these users are.

I can't provide full privileges to these users. So I need to know what the strict minimum is to allow my smartconnector to run correctly.

Thanks in advance.

0 Likes
4 Replies

The user needs to be able to read the event log from the remote host.  AFAIK, most people configure them as local administrators w/ remote interactive login denied or simply a domain administrator account.  I can't remember if Power Users are able to read the event logs, but that may be an option.

0 Likes

It is possible to pull event log events without being either a domain or local administrator, but it's a bit of a pain. For Security events, you can set a local security policy permission. (Local Policies, User Rights Assignment, Manage auditing and security log, and add the user account you intend to use for the Windows Unified Connector)

There is a registry hack you can find with a bit of googling (sorry, don't have it handy right now) that will let you grant access to the other event logs (system, application, etc), but I've never done it. If I can get away with just security events, I just use the local security policy setting above. But if I need all the event logs, we work out an administrative privilege configuration.

(Don't forget that you could also get the system or domain owner to create the account and type in the credentials for you, so while the account would be an administrator, you yourself won't have the password.)

0 Likes

Thanks, I saw that the Domain user credential is only used to browse the Active Directory.

In my case I don't need this feature as I know the machine to monitor.

For the other user, I've created it with the permission of Event Logs Reader

Thanks

0 Likes

If you want the ability to pull ALL events I think that additional privileges are still required if your account doesn't have administrative rights.  Even if you place the account in a group like "Auditors" that has the "Manage audit and security logs" right in the security policy, you may still not be able to pull anything but the Security logs.  I can't say I've checked if this is still the case in 2008 or 2008 R2.  This can be corrected by modifying the permissions to each type of event log in the registry.

Here is the Microsoft KB article that was mentioned earlier explaining the SDDL strings for non-administrative event log access in Windows 2003:

http://support.microsoft.com/kb/323076

0 Likes
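Added example, not part of the thread or of the connector documentation: a Python check that parses an event log security descriptor (an SDDL string of the kind the KB article above describes) and confirms that the collection account ends up with read access only. The SDDL string, the account SID and the function names are constructed for illustration; the read/write/clear bits 0x1/0x2/0x4 are the event log access rights.

```python
import re

# Event log access bits: read, write, clear.
READ, WRITE, CLEAR = 0x1, 0x2, 0x4

# Constructed sample descriptor: deny anonymous/guests, full access for SYSTEM
# and Administrators, read-only for a hypothetical collector account SID.
COLLECTOR_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_SDDL = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
               "(A;;0x7;;;BA)(A;;0x1;;;" + COLLECTOR_SID + ")")

def parse_dacl(sddl):
    """Return [(ace_type, mask, trustee), ...] for allow/deny ACEs in the DACL."""
    m = re.search(r"D:[A-Z_]*((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        ace_type, _flags, rights, _obj, _inh, trustee = body.split(";")[:6]
        if ace_type not in ("A", "D"):
            continue  # skip audit and object ACE types
        # Only hex masks are handled; letter codes such as "GA" raise ValueError.
        aces.append((ace_type, int(rights, 16), trustee))
    return aces

def effective_rights(sddl, token_sids):
    """Ordered access check: the first ACE that mentions a bit decides it.

    token_sids must use the same notation as the SDDL (aliases such as "BA"
    are matched literally, not resolved to full SIDs).
    """
    granted = denied = 0
    for ace_type, mask, trustee in parse_dacl(sddl):
        if trustee not in token_sids:
            continue
        if ace_type == "A":
            granted |= mask & ~denied
        else:
            denied |= mask & ~granted
    return granted & (READ | WRITE | CLEAR)

def least_privilege_ok(sddl, token_sids):
    """True only when the account can read the log but not write or clear it."""
    return effective_rights(sddl, token_sids) == READ

if __name__ == "__main__":
    print("collector read-only:", least_privilege_ok(SAMPLE_SDDL, {COLLECTOR_SID}))
    print("admin rights mask:", hex(effective_rights(SAMPLE_SDDL, {"BA"})))
```
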