Event Log Rights for Non-Administrators


Granting event log rights to non-administrators was challenging in Windows 2003 and becomes easier in Windows 2008 (R2). However, fine-tuned access still requires reading and writing Security Descriptors.

Event Log Rights Case #1: Read Access only

On Windows 2008, if you just want to grant regular read access, the built-in “Event Log Readers” group is fine: just put your user(s) into that group.

Event Log Rights Case #2: Read-Write (or other) Access

If you need to grant read/write access, or grant access to groups/users other than “Event Log Readers”, you must create your own SDDL descriptor for each log you want to give access to.

Let’s take the example of the Application log. To get the current list of authorized access, type the following command:

Alternatively, you can get an XML output with:

The line of interest is channelAccess. By default, you get the following entry:

S-1-5-32-573 is the SID of the “Event Log Readers” group, as listed in the well-known groups & users list, and 0x1 means it has read access only.

If you want to add read/write access for one user or group, just get its SID and grant it the 0x3 right. To get the SID you can use PsGetSid from Sysinternals or the Get-ADUser / Get-ADGroup cmdlets in PowerShell:

Then use the wevtutil sl command with its /ca switch to override the channelAccess value:

Put everything on a single line! You can check that the change has been made by re-issuing the gl command.
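The whole procedure for Case #2 (resolve the SID, read channelAccess with wevtutil gl, append an ACE, write it back with wevtutil sl /ca, re-read to check) as one script. This is an added example, not a command from the original post: 'CONTOSO\LogWriters' is a placeholder account, the log name is the post's Application log, and the script must run from an elevated PowerShell. The 0x2 (write) and 0x4 (clear) bits are the other defined channel access bits alongside the 0x1 (read) the post mentions; 0x3 is read + write as in the post.

```powershell
# Added example (not from the original post): grant a user or group read+write
# access to an event log by appending an ACE to the log's channelAccess SDDL.
# Assumptions: elevated PowerShell; 'CONTOSO\LogWriters' is a placeholder account.

# Access mask bits used in channelAccess ACEs: 0x1 read, 0x2 write, 0x4 clear.
$EventLogRead  = 0x1
$EventLogWrite = 0x2

function Get-AccountSid {
    param([string]$Account)
    # Same result as PsGetSid or Get-ADUser/Get-ADGroup, without needing the AD module
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-ChannelAccess {
    param([string]$LogName)
    # Pick the 'channelAccess:' line out of the text output of 'wevtutil gl <log>'
    $line = wevtutil gl $LogName | Select-String '^channelAccess:\s*(.+)$' | Select-Object -First 1
    if (-not $line) { throw "channelAccess not found for log '$LogName'" }
    $line.Matches[0].Groups[1].Value.Trim()
}

function Add-ChannelAccessAce {
    param([string]$Sddl, [string]$Sid, [int]$Mask)
    # Pure string manipulation so the result can be reviewed before anything changes:
    # - refuse to add a second ACE for the same SID
    # - keep any SACL ("S:...") after the DACL, since the new ACE belongs to the D: part
    if ($Sddl -match [regex]::Escape(";;;$Sid)")) {
        throw "An ACE for $Sid already exists: $Sddl"
    }
    $ace = '(A;;0x{0:x};;;{1})' -f $Mask, $Sid
    $saclStart = $Sddl.IndexOf('S:')
    if ($saclStart -ge 0) {
        return $Sddl.Substring(0, $saclStart) + $ace + $Sddl.Substring($saclStart)
    }
    return $Sddl + $ace
}

function Grant-EventLogAccess {
    param([string]$LogName, [string]$Account, [int]$Mask)
    $sid     = Get-AccountSid -Account $Account
    $current = Get-ChannelAccess -LogName $LogName
    $updated = Add-ChannelAccessAce -Sddl $current -Sid $sid -Mask $Mask
    Write-Host "Current : $current"
    Write-Host "Proposed: $updated"
    # One argument without spaces: the same 'wevtutil sl <log> /ca:<sddl>' call as in the post
    wevtutil sl $LogName "/ca:$updated"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
    # Re-read the descriptor (the post's 'gl' check) and confirm the new ACE is present
    $after = Get-ChannelAccess -LogName $LogName
    if ($after -notmatch [regex]::Escape(";;;$sid)")) { throw "ACE not found after update: $after" }
    $after
}

# Read + write = 0x3, the right the post grants for read/write access
Grant-EventLogAccess -LogName 'Application' -Account 'CONTOSO\LogWriters' -Mask ($EventLogRead -bor $EventLogWrite)
```

The pure Add-ChannelAccessAce function is kept separate from the wevtutil calls so the proposed descriptor can be printed and reviewed first; the SACL handling matters because appending an ACE after an S: section would put it in the wrong part of the descriptor.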

Event Log Rights Case #3: Security Log case

If you ‘just’ need read and write rights on the Security log, you could also assign the privilege ‘Managing and Auditing the Security log’. However, this gives the user additional rights, like setting the audit descriptors (Success, Failure) on objects. That’s often a bit too much.



11 thoughts on “Event Log Rights for Non-Administrators”

  • Trevor Ketch

    Hello.

    I was not able to find an answer to my question on the internet.

    I am wondering if adding a user / group to “Event Log Readers” allows those users to view the event logs from all servers, including domain controllers and member servers?

    • Dimitri Post author

      “Event Log Readers” is not a domain group, it is a local group on each member server. If you’d like to grant a domain group or domain user the right to read events on every server in your domain, you should add this group/user to every “Event Log Readers” group of every server. Fortunately you can do this with a “restricted group” GPO where you make some group membership mandatory. It is often used to define who is part of the local Administrators group, but nothing stops you from using it for that very specific group.

  • Nadia

    Is there a way to grant a non-administrator user access to export a particular event log (Windows login and logout)?

    Also, can we automate Windows log export for particular events (Windows login and logout) bi-weekly and monthly?

    • Dimitri Post author

      You could create a domain user of your choice, grant it the right to read the log(s) of your choice, and extract data on a schedule using the scheduled task engine if you wish.
      As long as the user has access to the event log, either using the built-in “Event Log Readers” group or by adding its SID to the ACL of the target event log, events can be accessed.

      • Nadia

        I granted access to Event Log Readers but they can see all logs. We want to give them access to only login time and logout time for the whole month, just as their time sheets, and we want to generate this CSV file as a routine after every 30 days or 28 days. How to do it?

        • Dimitri Post author

          There is no built-in mechanism to see only some events in a given log. The finest level of permissions is at the log event;
          Therefore you have to grant a user the right to read the log where those events are stored.
          However what you could do is have a script run by that user which does the sort based on some criteria.
          Here you could use the login name to split the event.
          Here is a PowerShell start example to be adapted to suit your needs:
          (Get-EventLog -LogName Security -InstanceId 4624) |
              Where-Object { $_.ReplacementStrings[5] -notin ("SYSTEM", "UMFD-0", "UMFD-1", "LOCAL SERVICE", "NETWORK SERVICE", "DWM-1") } |
              ForEach-Object { Write-Host "$($_.ReplacementStrings[5]) logged on $($_.TimeGenerated)" }
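A fuller version of the idea in the reply above (read the Security log as a user who is in “Event Log Readers”, keep only the logon/logoff events, filter out system accounts, and write a CSV that a scheduled task can produce every 30 days). This is an added example, not Dimitri's script: it uses Get-WinEvent with event IDs 4624 (logon) and 4634 (logoff), reads the event fields by name from the event XML instead of by position, and the output path under $env:TEMP is a placeholder.

```powershell
# Added example (not Dimitri's script): build a logon/logoff time sheet from the
# Security log for the last N days and export it to CSV.
# Assumptions: PowerShell 3+ (Get-WinEvent -FilterHashtable, -in/-notin), the running
# account can read the Security log (e.g. member of "Event Log Readers"), and
# "$env:TEMP\logon-report.csv" is a placeholder output path.

# Accounts that are noise for a time-sheet report (same idea as the filter above)
$ExcludedAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'ANONYMOUS LOGON')

function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Look the field up by name in the event XML. 4624 and 4634 store TargetUserName
    # at different positions, so positional ReplacementStrings indexes would differ.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-LogonReport {
    param([int]$Days = 30)
    $start = (Get-Date).AddDays(-$Days)
    # Logon types 2 (interactive) and 10 (remote interactive) are the ones that
    # correspond to a person sitting down at a session; others are service/network noise
    $interactiveTypes = @('2', '10')
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $start } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $user   = Get-EventDataValue -Event $_ -Name 'TargetUserName'
            $domain = Get-EventDataValue -Event $_ -Name 'TargetDomainName'
            $type   = Get-EventDataValue -Event $_ -Name 'LogonType'
            $isNoise = (-not $user) -or $user.EndsWith('$') -or
                       ($user -in $ExcludedAccounts) -or ($user -match '^(DWM|UMFD)-\d+$')
            if (-not $isNoise -and $type -in $interactiveTypes) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Account   = "$domain\$user"
                    Action    = if ($_.Id -eq 4624) { 'Logon' } else { 'Logoff' }
                    LogonType = $type
                }
            }
        } | Sort-Object Account, Time
}

# Run (or schedule via Task Scheduler) every 30 days; the CSV is the time-sheet input
Get-LogonReport -Days 30 | Export-Csv -Path "$env:TEMP\logon-report.csv" -NoTypeInformation
```

Get-WinEvent with a FilterHashtable lets the event log service do the ID and time filtering instead of pulling the whole Security log into PowerShell first, which matters on a busy domain controller; computer accounts (names ending in $) and the DWM/UMFD session accounts are dropped because they never correspond to a person's working hours.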

          • Nadia

            Hi Dimitri,

            This script does not generate any output. I just copy-pasted the whole command in PowerShell but there is no output. Any idea what to do? I have never done PowerShell scripting so I might be missing something here.

          • Nadia

            Hi, sorry, I generated output. Please feel free to remove my previous comment. I might have a few more questions and will ask later. THANKS A LOT