Granting event log rights to non-administrators wsa challenging in Windows 2003, becomes easier in Windows 2008 (R2). However fine-tuned access still requires playing with Security Descriptors reading and writing.
Event Log Rights Case #1: Read Access only
For Windows 2008, If you just want to grant regular read access, the built-in “Event Log Readers” group is fine. Just put your user(s) into that group.
Event Log Rights Case #2: Read-Write (or other) Access
If you need to grant read/write access or grant access to other groups/users than the “Event Log Readers” you must create your own SDDL descriptor for each log you want to give access to.
Let’s take the example of the application log. To get the current list of authorized access you can type in the following command:
|
1 |
wevtutil gl application > application-log-settings.txt |
Alternatively you can get a XML output with:
|
1 |
wevtutil gl application /f:XML > application-log-settings.xml |
The line which is of interest is channelAccess. By default, you get the following entry:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
name: application enabled: true type: Admin owningPublisher: isolation: Application channelAccess: channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3) (A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573) logFileName: %SystemRoot%\System32\Winevt\Logs\application.evtx retention: false autoBackup: false maxSize: <Size Set in your GPO> publishing: fileMax: 1 |
The S-1-5-32-573 represents the “Event Log Readers Group”, as mentioned in the well-known groups & users list, and 0x1 means it has read access only.
If you want to add a read/write access for one user or group, just get its SID and grant him the 0x3 right. To get the SID you can use pssid from Sysinternals or Get-ADUser / Get-ADGroup cmdlets in powershell:
|
1 2 3 4 5 6 7 8 9 10 |
PS > Get-ADGroup My-Log-Admins DistinguishedName : CN=My-Log-Admins,OU=Admin Accounts,DC=domain,DC=dom GroupCategory : Security GroupScope : Global Name : My-Log-Admins ObjectClass : group ObjectGUID : deadbeef-dead-beef-dead-beefdeadbeef SamAccountName : My-Log-Admins SID : S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-rrrr |
Then use the wevtutil sl command and its /ca switch to override the channelAccess value:
|
1 2 |
C:\Windows\system32>wevtutil sl application /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2 ;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x3;;;S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-rrrr) |
Put everything on a single line! You can chheck the change has been made by re-issuing the gl switch.
Event Log Rights Case #3: Security Log case
If you ‘just’ need read and write rights on the security log, you could also assign the privilege ‘Managing and Auditing the Security log’. However this gives additional rights to the user, like setting the audit descriptors (Success, FAilure) on objects. That’s often a bit too much.
Hello.
I was not able to find an answer to my question on the internet.
I am wondering if adding a user / group to “Event Log Readers” allows those users to view the event logs from all servers, including domain controllers and member servers?
“Event Log Readers” is not a domain group, it is a local group on each member server. If you’d like to grant a domain group or domain user the right to read events on every server in your domain, you should add this group/user to every “event log readers” group of every server. Fortunately you can do this with a “restricted group” GPO where you make mandatory some group membership. It is often use to define who is part of the local administrators group, but nothing restricts you to use it for that very specific group.
HI Dimitri,
Is it possible to get the user name whi is logged in into windows I need to capture USer name, windows log in time and log out time every day. How can i do it?
The user name can be found as a parameter of the message, that’s the $_.MessageStrings part of the above Powershell. The Log In and Log out time are the TimeGenerated field of the event. THere’s an event ID for Login and one for Logout. See https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events for more details.
is there a way to grant access to non administrator user to export particular event log (windows login and out)?
Also, can we automate windows log export for particular events ((windows login and out)) bi weekly and monthly?
You could create a domain user of your choice, grant it the right to read the log(s) of your choice, and extract data on a schedule using the scheduled task engine if you wish.
As long as the user has access to the event log using either built!in “event log readers” group or by adding its SID to the ACL of the target event log, events can be accessed.
i granted access to event log readers but they can see all logs. We want to give them acess to only login time and log out time for whole month. just as their time sheets and we wan to generate this csv file as routine after every 30 days or 28 days. how to do it?
There is no built-in mechanism to see only some events in a given log. The finest level of permissions is at the log event;
Therefore you have to grant a user the right to read the log where those events are stored.
However what you could do is have a script run by that user which does the sort based on some criteria.
Here you could use the login name to split the event.
Here is a Powershell start example to be adapted to suit your needs:
(Get-EventLog -LogName Security -InstanceId 4624) | Where-Object { $_.ReplacementStrings[5] -notin (“SYSTEM”,”UMFD-0″,”UMFD-1″,”LOCAL SERVICE”, “NETWORK SERVICE”,”DWM-1″) } | Foreach-Object { Write-Host “$($_.ReplacementSTrings[5]) logged on $($_.TimeGenerated)” }
Thanks. I will try it.
Hi Dimitri,
This script does not generate any output. I just copy pasted whole command in PowerShell but there is no output? any idea what to do? I have never done PowerShell scripting so i might be missing something here.
HI, Sorry i generated output. please feel free to remove my previous comment. I might have few more questions will ask later. THNAKS A LOT