Need some explanation about Windows event Smart connector
If a Windows expert sees this topic
In the Windows Unified Smart connector documentation, page 19 and 20
I can read that we need to use two users:
Domain user: Enter the name of the user account with adequate privileges to collect Windows events from the target host.
Active Directory Username: Enter the Active Directory User Name for access to Active Directory
As I'm not a Windows administrator, I don't really know what the minimum privileges required for these users are.
I can't provide full privileges to these users. So I need to know what the strict minimum is to allow my smartconnector to run correctly.
Thanks in advance.
The user needs to be able to read the event log from the remote host. AFAIK, most people configure them as local administrators w/ remote interactive login denied or simply a domain administrator account. I can't remember if Power Users are able to read the event logs, but that may be an option.
It is possible to pull event log events without being either a domain or local administrator, but it's a bit of a pain. For Security events, you can set a local security policy permission. (Local Policies, User Rights Assignment, Manage auditing and security log, and add the user account you intend to use for the Windows Unified Connector)
There is a registry hack you can find with a bit of googling (sorry, don't have it handy right now) that will let you grant access to the other event logs (system, application, etc), but I've never done it. If I can get away with just security events, I just use the local security policy setting above. But if I need all the event logs, we work out an administrative privilege configuration.
(Don't forget that you could also get the system or domain owner to create the account and type in the credentials for you, so while the account would be an administrator, you yourself won't have the password.)
Thanks, I saw that the Domain user credential is only used to browse the Active Directory.
In my case I don't need this feature as I know the machine to monitor.
For the other user, I've created it with the permission of Event Log Readers.
If you want the ability to pull ALL events I think that additional privileges are still required if your account doesn't have administrative rights. Even if you place the account in a group like "Auditors" that has the "Manage audit and security logs" right in the security policy, you may still not be able to pull anything but the Security logs. I can't say I've checked if this is still the case in 2008 or 2008 R2. This can be corrected by modifying the permissions to each type of event log in the registry.
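One way to check, per log, what a least-privilege collector account can actually read before pointing the connector at a host. This is an added example written for this thread, not code from ArcSight or from any poster; the host name `TARGET-HOST`, the account `DOMAIN\svc-arcsight` and the log list are placeholders.

```powershell
# Added example (not from the thread): report which event logs a low-privilege
# collector account can read on a remote host, so the minimum rights granted
# (Event Log Readers membership, the "Manage auditing and security log" right,
# or a per-log CustomSD change) can be verified log by log.
# Placeholders (not from the thread): 'TARGET-HOST', 'DOMAIN\svc-arcsight'.

function Test-EventLogReadAccess {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string[]]$LogName = @('Security', 'System', 'Application')
    )

    foreach ($log in $LogName) {
        $result = [ordered]@{
            ComputerName = $ComputerName
            LogName      = $log
            Readable     = $false
            Error        = $null
        }
        try {
            # One record is enough to prove read access; an Access Denied
            # from the remote Event Log service surfaces as an exception.
            $null = Get-WinEvent -ComputerName $ComputerName -Credential $Credential `
                                 -LogName $log -MaxEvents 1 -ErrorAction Stop
            $result.Readable = $true
        } catch {
            if ($_.Exception.Message -match 'No events were found') {
                # An empty log is still readable; only a real failure counts.
                $result.Readable = $true
            } else {
                $result.Error = $_.Exception.Message
            }
        }
        [pscustomobject]$result
    }
}

# Usage: prompt for the collector account's password, then list per-log access.
$cred = Get-Credential -UserName 'DOMAIN\svc-arcsight' -Message 'Collector account (placeholder)'
Test-EventLogReadAccess -ComputerName 'TARGET-HOST' -Credential $cred |
    Format-Table -AutoSize

# To see what a per-log SDDL change currently grants, read the CustomSD value
# on the target host itself, e.g. for the Application log:
# Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application' -Name CustomSD -ErrorAction SilentlyContinue
```

A `Readable = $false` row for System or Application alongside `Readable = $true` for Security is exactly the Security-only situation described above, and tells you the account still needs the per-log permission change rather than broader administrative rights. The remote read also depends on the Remote Event Log Management firewall rules being open on the target, so a failure there shows up as an RPC error rather than Access Denied.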
Here is the Microsoft KB article that was mentioned earlier explaining the SDDL strings for non-administrative event log access in Windows 2003: