System Administration & Network Administration
windows active-directory group-policy windows-event-log eventviewer
Updated Sat, 21 May 2022 10:01:01 GMT

Grant access to Event Viewer "Application and Services Logs" via GPO


My monitoring team has requested to be able to read the logs under "Application and Services" in 2008/2012/2016 event viewer. These are the logs that reside in "%SystemRoot%\System32\Winevt\Logs\". Specifically, they're interested in the "Operations Manager" log, which deals with the MS SCOM client's health and activities.

I've tried:

  • Adding them to the "Event Log Readers" group on each server via GPO. This lets them get to the Application event log and System event log, but not the other logs.
  • Granting them read access to the "%SystemRoot%\System32\Winevt\Logs\Operations Manager.evtx" file.
  • Granting them read access to the "%SystemRoot%\System32\Winevt\Logs\" folder.

None of these have helped; they get an access denied.

The ideal solution would be deployable by GPO, not require admin rights, and allow them to connect to a server remotely via Event Viewer without going through Remote Desktop, command line, or PowerShell.

I'm stuck. Any help is appreciated!




    Solution

    Granting permission to the files is not going to provide access.

    If you find that Event Log Readers does not have access to any of the logs under Applications and Services Logs, you can create a list of the log names and use wevtutil to grant your custom permission:

    REM %%i in a cmd script, or %i if running interactively
    REM "delims=" keeps log names that contain spaces (e.g. "Operations Manager") in one token
    FOR /F "delims=" %%i in (Lognames.txt) DO (
      REM Event Log Readers (S-1-5-32-573) security principal
      REM The SDDL is quoted: an unquoted ")" inside a FOR block would end the block early
      wevtutil sl "%%i" /ca:"O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)"
    )
    

    You may want to confirm which Event Log Readers group the accounts have been added to. For member servers, they need to be added to the local Event Log Readers group; for domain controllers, to the domain's built-in Event Log Readers group.





    Comments (3)

    • +0 – Ah! I haven't run into wevtutil before. Thank you! — Jan 25, 2018 at 16:38  
    • +0 – To be safe, should I knock something out that catches the existing ChannelAccess value, tack (A;;0x1;;;S-1-5-32-573) on to the end of it, and then set that value as the channel access? — Jan 25, 2018 at 16:40  
    • +0 – @KiltedBuckeye: yes, that would be the safe approach. — Jan 25, 2018 at 16:42
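
The last comment suggests reading each channel's existing ChannelAccess value and appending the Event Log Readers ACE to it rather than overwriting the whole descriptor. The PowerShell script below is an added example, not part of the original answer; it assumes a Lognames.txt with one channel name per line (as in the answer's loop) and that it runs elevated, for instance as a GPO computer startup script.

```powershell
# Added example, not part of the original answer: extend a channel's existing
# ChannelAccess SDDL with a read ACE for the built-in Event Log Readers group
# instead of replacing the whole descriptor. Assumes Lognames.txt holds one
# channel name per line (e.g. "Operations Manager") in the current directory.
# Run elevated (a GPO computer startup script runs as SYSTEM, which suffices).

$ReadersSid = 'S-1-5-32-573'            # BUILTIN\Event Log Readers
$ReadAce    = "(A;;0x1;;;$ReadersSid)"  # 0x1 = read access on the channel

function Get-ChannelSddl {
    param([string]$LogName)
    # "wevtutil gl" prints "key: value" lines; channelAccess carries the SDDL
    $line = wevtutil gl "$LogName" |
        Where-Object { $_ -like 'channelAccess:*' } |
        Select-Object -First 1
    if (-not $line) { throw "No channelAccess found for log '$LogName'" }
    return ($line -replace '^channelAccess:\s*', '').Trim()
}

function Grant-ChannelRead {
    param([string]$LogName)
    $sddl = Get-ChannelSddl -LogName $LogName
    if ($sddl -like "*;;;$ReadersSid)*") {
        Write-Output "${LogName}: Event Log Readers already present, no change"
        return
    }
    # Append the ACE to the DACL. If the descriptor also has a SACL ("S:"
    # section, which follows the DACL), insert before it so the ACE stays in D:.
    $idx = $sddl.IndexOf('S:')
    if ($idx -ge 0) { $new = $sddl.Insert($idx, $ReadAce) } else { $new = $sddl + $ReadAce }
    # Parse the result before writing anything; a malformed SDDL throws here
    $null = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $new
    wevtutil sl "$LogName" /ca:"$new"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed for '$LogName'" }
    Write-Output "${LogName}: granted read to Event Log Readers"
}

Get-Content -Path 'Lognames.txt' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    ForEach-Object { Grant-ChannelRead -LogName $_ }
```

The script is idempotent, so it can stay assigned as a startup script without stacking duplicate ACEs on each boot.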