Re: Subject: Security Event Log reading by Domain Users

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 07/13/04


Date: Tue, 13 Jul 2004 10:03:19 -0400

Security logs are locked off from non-admins by default. You only need to add
Manage Auditing and Security Log right to see them, however that means that
account will also be able to clear the security log. In XP and 2K3 you can get
more granular and just offer read.

However your next issue is because the program can't read the Message Library or
the registry entries involved. It has been a long time since I wrote event log
code but if you are using the standard OpenEventLog/ReadEventLog and then using
FormatMessage you will need to redirect the library from which you do the
LoadLibrary for the message IDs OR open up the security to the message
library on the remote machine.

   joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Gera wrote:
> Is it possible to normally read Sec. Event Log under Domain User account?
> We wrote a simple application which reads 538, 540, 528, etc. events and counts them.
> Under administrative account it works fine, but under Domain User can't open sec. log.
> Adding a "Manage auditing and sec. log" and "Act as the part of oper. system" settings via GP
> permits to view sec. log, but events are read like
> "The description for Event ID ( 538 ) in Source ( Security ) cannot be found. The local computer may
> not have the necessary registry information or message DLL files to display messages from a remote
> computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and
> Support for details. The following information is part of the event: pmtest; COMPANY; (0x0,0x5A968);
> 11."
> Thus, our software doesn't work - it can't read the events.
> 
> I added all possible rights to the Domain User account, from "Create a Token Object" to "Generate
> Security audits", but no luck.
> I heard that domain user account maybe need some rights to read some reg. key with Event Log message
> library, but I don't know which exactly...
> 
> Is it possible to make this work?
> 
> 
> Thanks,
> Gera, MCSE
> MGBaltic
> 
> 
> 
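
An added example, not code from the original posts: each record that ReadEventLog returns already carries the event ID and the insertion strings (the "pmtest; COMPANY; ..." values in the error text above), so counting events by ID does not depend on FormatMessage or the message library. The sketch parses the documented EVENTLOGRECORD layout from a byte buffer; the sample records, the computer name PMTEST01 and event ID 9999 are constructed for the example.

```python
import struct
from collections import Counter

# Fixed 56-byte part of EVENTLOGRECORD (winnt.h), little-endian.
HEADER = struct.Struct("<6I4H6I")
SIGNATURE = 0x654C664C       # "LfLe"
LOGON_IDS = {528, 538, 540}  # the IDs the original poster counts

def _wstr(rec, off):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = off
    while end + 1 < len(rec) and rec[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 1 >= len(rec):
        raise ValueError("unterminated string")
    return rec[off:end].decode("utf-16-le"), end + 2

def parse_records(buf):
    """Yield (event_id, source, computer, strings) per record in a ReadEventLog buffer."""
    pos = 0
    while pos < len(buf):
        if pos + HEADER.size > len(buf):
            raise ValueError(f"truncated record at offset {pos}")
        f = HEADER.unpack_from(buf, pos)
        length, sig, event_id, num_strings, str_off = f[0], f[1], f[5], f[7], f[11]
        if sig != SIGNATURE or length < HEADER.size + 4 or pos + length > len(buf):
            raise ValueError(f"corrupt record at offset {pos}")
        rec = buf[pos:pos + length]
        source, nxt = _wstr(rec, HEADER.size)   # SourceName follows the header
        computer, _ = _wstr(rec, nxt)           # then Computername
        strings, off = [], str_off
        for _ in range(num_strings):            # insertion strings, back to back
            text, off = _wstr(rec, off)
            strings.append(text)
        yield event_id & 0xFFFF, source, computer, strings
        pos += length

def count_logon_events(buf):
    return Counter(eid for eid, *_ in parse_records(buf) if eid in LOGON_IDS)

def build_record(event_id, strings, source="Security", computer="PMTEST01"):
    """Construct a sample record (test data, not captured from a real log)."""
    enc = lambda s: s.encode("utf-16-le") + b"\x00\x00"
    names, body = enc(source) + enc(computer), b"".join(enc(s) for s in strings)
    str_off = HEADER.size + len(names)
    raw = str_off + len(body)
    length = (raw + 4 + 3) & ~3  # room for the trailing Length DWORD, DWORD-aligned
    hdr = HEADER.pack(length, SIGNATURE, 1, 0, 0, event_id, 8, len(strings),
                      2, 0, 0, str_off, 0, str_off, 0, raw)
    return hdr + names + body + b"\x00" * (length - raw - 4) + struct.pack("<I", length)

SAMPLE = (build_record(538, ["pmtest", "COMPANY", "(0x0,0x5A968)", "11"])
          + build_record(540, ["pmtest", "COMPANY"]) + build_record(538, ["pmtest"])
          + build_record(9999, []))  # 9999: constructed ID outside the counted set
```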

