
2.8. Granting Permissions for Security Log Forwarding

If your subscription collects events from the Security log, you must configure permissions on all forwarder computers to allow the WinRM service read access. WinRM runs as NETWORK SERVICE, so that is the account we'll be granting access to. There are 2 ways to do this via group policy. We recommend the first so that you can avoid rebooting forwarders.

Option 1: Configure Log Access

Enter the following string into these 2 group policy settings. The final entry, (A;;0x1;;;NS), is what is being added to the default permissions preceding it.

O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)

https://blogs.technet.microsoft.com/janelewis/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008/
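To make the string above easier to audit, this added example (not part of the original KB article) decodes its DACL and confirms that the only change from the default is a read-only entry for NETWORK SERVICE. The function names are illustrative, the trustee table covers only the SIDs in this string, and the parser assumes hex access masks as used here.

```python
import re

# Event log access bits (0x1/0x2/0x4) plus the four standard rights in 0xf0000.
LOG_RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear", 0x10000: "DELETE",
              0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
# Only the trustees that occur in the string on this page.
TRUSTEES = {"SY": "LOCAL SYSTEM", "BA": "BUILTIN\\Administrators",
            "S-1-5-32-573": "BUILTIN\\Event Log Readers", "NS": "NETWORK SERVICE"}

DEFAULT_SDDL = "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)"
PAGE_SDDL = DEFAULT_SDDL + "(A;;0x1;;;NS)"  # the string given on this page

def parse_dacl(sddl):
    """Return [(ace_type, mask, trustee), ...] from the D: part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6 or not fields[2].lower().startswith("0x"):
            raise ValueError(f"unsupported ACE: ({body})")
        aces.append((fields[0], int(fields[2], 16), fields[5]))
    return aces

def describe(mask):
    """Name the bits set in an access mask; unknown bits are shown in hex."""
    names = [name for bit, name in LOG_RIGHTS.items() if mask & bit]
    unknown = mask & ~sum(LOG_RIGHTS)
    return ", ".join(names + ([hex(unknown)] if unknown else []))

def added_aces(default, candidate):
    """ACEs that the candidate string has and the default string lacks."""
    base = parse_dacl(default)
    return [ace for ace in parse_dacl(candidate) if ace not in base]

def can_read(sddl, sid):
    """True if ACEs naming `sid` directly allow read and none deny it (groups not resolved)."""
    allow = deny = 0
    for ace_type, mask, trustee in parse_dacl(sddl):
        if trustee == sid and ace_type == "A":
            allow |= mask
        elif trustee == sid and ace_type == "D":
            deny |= mask
    return bool(allow & ~deny & 0x1)

if __name__ == "__main__":
    for ace_type, mask, trustee in parse_dacl(PAGE_SDDL):
        print(f"{ace_type} {TRUSTEES.get(trustee, trustee):28} {describe(mask)}")
    print("added:", added_aces(DEFAULT_SDDL, PAGE_SDDL))
```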

Option 2: Membership in Event Log Readers

Note: this requires a reboot of the forwarder computer.

Add NETWORK SERVICE to the Event Log Readers local group using Restricted Groups policy.
