Controlling Access to Windows 2008 Event Logs

On systems running 2003, any user account needing the ability to read other system’s event logs required that the registry to be edited and some SDDL (Security Descriptor Definition Language) entries be made on all respective remote systems. In 2008 it has been simplified by utilizing a group that has read access by default. It’s called “Event Log Readers” group.

That’s great and makes it much easier to grant this type of access. But what if I want the user accounts defined in this group to be restricted to certain event logs only? This too is possible, but you need to remove the SID of the local Event Log Readers group.

The command-line utility called “wevtutil” allows this to be performed. And not all event logs are readable, such as any of the “Application and Service” logs, until access is granted to the Event Log Readers group. The wevtutil command allows this to be performed as well.

When using the wevtutil command, you will want to first view the “channelAccess” string:

wevtutil gl security ;”gl” means “Get log configuration information” and displays the channelAccess string as noted below.

channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0×5;;;BA)(A;;0×1;;;S-1-5-32-573) The value of “(A;;0×1;;;S-1-5-32-573)” is what grants (A = Allow) read (0×1 = Read) access to the Event Log Readers group (SID = S-1-5-32-573). Append similar strings to the channelAccess string to grant read access to a specific SID. To remove read access from the Event Log Readers group, execute the following command: wevtutil sl security /ca: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0×5;;;BA) Note the removal of (A;;0×1;;;S-1-5-32-573).

While SDDL entries can appear to be “confusing” they are also a useful place to verify access to specific event logs for troubleshooting purposes.

So keys to the kingdom don’t have to be delegated if time is taken to address the specific access requirements in your organization.