HomeSupercharger KBGetting StartedGranting Permissions for Security Log Forwarding

2.8. Granting Permissions for Security Log Forwarding

If your subscription collects events from the Security Log you must configure permissions on all forwarder computers to all the WinRM service read access. WinRM runs as NETWORK SERVICE so that’s who we’ll be granting access to. There are 2 ways to do this via group policy. We recommend the first so that you can avoid rebooting forwarders.

Option 1: Configure Log Access

Enter the following string into these 2 group policy settings. The portion in bold is what is being added to the default permissions preceding it.


Option 2: Membership in Event Log Readers

Note: this requires reboot of the forwarder computer

Add NETWORK SERVICE to the Event Log Readers local group using Restricted Groups policy

This page was: Helpful | Not Helpful