Presumably this product has an agent or uses WinRM or something to read/pull in 
the logs in real time, back to a central location for correlation. The service 
account that's being used requires permission to read the logs.

Cheers
Ken

From: Free, Bob [mailto:[email protected]]
Sent: Friday, 29 October 2010 3:06 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain 
Controller Eventlogs

If your environment is that big how can they look at multiple DCs in real time 
and correlate them?

Maybe I don't understand your requirements, but it seems like you want to ship 
the logs real-time to a SIEM or log management tool managed by the security 
team or MSSP; that is a far better way to do it than to grant access to the 
logs directly.

From: Ziots, Edward [mailto:[email protected]]
Sent: Thursday, October 28, 2010 6:51 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain 
Controller Eventlogs

It's for Vericept, and they need to read the logs in real time to correlate what 
is seen on the network with a user.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505

From: Cameron [mailto:[email protected]]
Sent: Thursday, October 28, 2010 9:32 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain 
Controller Eventlogs

Could you not just set up a job to copy the security.evtx file to somewhere else 
and let them access that?



On Thu, Oct 28, 2010 at 2:48 AM, James Rankin <[email protected]> wrote:
Can you control this by NTFS access to the .evt file itself?
On 27 October 2010 16:31, Ziots, Edward <[email protected]> wrote:
Running a Windows 2008 R2 DFL/FFL domain, security team needs a service account 
to have read-only access to the Security Eventlog accordingly. Is there a way 
via the Default Domain Controllers Policy to grant this, or maybe a user right 
in Windows 2008 R2 accordingly?

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]
with the body: unsubscribe ntsysadmin



--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the 
machine wrong figures, will the right answers come out?' I am not able rightly 
to apprehend the kind of confusion of ideas that could provoke such a question."
