Granting correct AD Permissions for Agentless Windows Event Log monitoring

This document outlines the steps to grant permissions for remote agentless Event Log monitoring without having to use Domain Admin accounts.

Granting Correct AD Permissions for Agentless Windows Event Log Monitoring
Running the Agentless Windows Event Log Monitor requires that the machine running this policy runs its client Honeycomb mesh service under an account with sufficient privileges to access the Event Logs residing on the machines listed in the policy.
It is certainly possible to run the service under a Domain Admin account, which will give the service permission to access remote Event Logs. However, Domain Admins have many more privileges than are required to subscribe to and read remote Event Logs, so a compromise of the monitoring machine would hand an attacker far more than the logs.
Here, we outline the procedure for granting access to an Active Directory service user account without making it a Domain Admin:
Step 1: Create and Assign the User Account
Create a user account in Active Directory to use for the Honeycomb mesh service(s) that will run the Agentless Event Log Monitor Policy.
Assign this account to the relevant Honeycomb mesh service(s) using the local Service Control Manager (services.msc) on the machine(s) that run the Agentless Windows Event Log Monitor Policy.
Note: it is good practice to make this account's password extremely strong, e.g. a minimum of 48 completely random characters drawn from letters, numbers and punctuation.
Step 2: Modify AD Group Policy
Note: This step is required for each Group Policy object that applies to the machines to be monitored, e.g. Default Domain Policy, Default Domain Controllers Policy, etc.
On one of your Domain Controllers, launch gpmc.msc to bring up the Group Policy Management console.
1. Right-click on the relevant Group Policy object and select 'Edit...'.
2. Navigate to 'Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->User Rights Assignment'.
3. Locate the 'Manage auditing and security log' property.
4. Double-click on the 'Manage auditing and security log' item and press 'Add User or Group...'. Here, add the service user account created in Step 1 for the Honeycomb mesh service. Keep the entries already present (Administrators, by default) in the list: a User Rights Assignment defined in a GPO replaces the local configuration rather than adding to it, so any principal left out of the list loses the right.
5. Once added, press OK and close the Group Policy editor.
It can take several minutes for the Group Policy to update local and remote machines. You can run 'gpupdate /force' from a command prompt on the relevant machines to get the Group Policy updated straight away.
Note: 'Manage auditing and security log' is the SeSecurityPrivilege user right. As well as allowing the Security log to be read, it allows the holder to clear the Security log and to change the auditing (SACL) settings of objects, so the service account is still a sensitive account: keep its password confidential, restrict where it may log on, and alert on any use of it outside the monitoring machine(s).
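The parts of this procedure that are scripted rather than clicked, as an added PowerShell example (this is not Honeycomb's own tooling): Step 1 creates the service account with a 48-character random password and binds it to the service; after Step 2, the checks confirm that the user right has actually applied on a monitored host and that the Security log can be read remotely as that account. The domain (CORP / corp.example), account name (svc-eventlog), service name (HoneycombMesh) and host name (FILESRV01) are placeholders to be replaced with your own.

```powershell
# Added example, not part of the Honeycomb documentation. Placeholder names:
# domain CORP (corp.example), account svc-eventlog, service HoneycombMesh,
# monitored host FILESRV01.

$domain  = 'CORP'
$account = 'svc-eventlog'

# --- Step 1a (on a host with the ActiveDirectory RSAT module) -----------------
Import-Module ActiveDirectory

# 48 random characters from letters, digits and punctuation. Bytes >= $limit are
# rejected so that "byte % charset length" does not bias towards early characters.
$charset = [char[]]('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&()*+,-./:;<=>?@[]^_{|}~')
$rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$limit   = [int][math]::Floor(256 / $charset.Length) * $charset.Length
$buf     = New-Object byte[] 1
$sb      = New-Object System.Text.StringBuilder
while ($sb.Length -lt 48) {
    $rng.GetBytes($buf)
    if ($buf[0] -lt $limit) { [void]$sb.Append($charset[$buf[0] % $charset.Length]) }
}
$plainPassword  = $sb.ToString()
$securePassword = ConvertTo-SecureString $plainPassword -AsPlainText -Force

New-ADUser -Name $account -SamAccountName $account `
    -UserPrincipalName "$account@corp.example" `
    -AccountPassword $securePassword -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# --- Step 1b (on the monitoring machine) ------------------------------------
# services.msc grants 'Log on as a service' to the account automatically;
# sc.exe does not, so if you use sc.exe add SeServiceLogonRight via policy too,
# or the service fails to start with error 1069.
sc.exe config 'HoneycombMesh' obj= "$domain\$account" password= "$plainPassword"
Remove-Variable plainPassword

# --- Step 2 check (on a monitored host, e.g. FILESRV01) ----------------------
# The privilege is evaluated on the machine whose log is read, so this check
# belongs on the monitored host, not the monitoring machine.
gpupdate /force | Out-Null
$sid = (New-Object System.Security.Principal.NTAccount("$domain\$account")).
           Translate([System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $inf | Out-Null
# SeSecurityPrivilege is the GUI's 'Manage auditing and security log'.
$line = (Select-String -Path $inf -Pattern '^SeSecurityPrivilege').Line
Remove-Item $inf
if ($line -match [regex]::Escape($sid)) { "OK: $account holds SeSecurityPrivilege here" }
else { "Missing: policy line is '$line'; check gpresult /r for the applied GPOs" }

# --- End-to-end check (from the monitoring machine) -------------------------
# Remote reads need the 'Remote Event Log Management' firewall rule group
# enabled on the target as well as the user right.
$cred = Get-Credential -UserName "$domain\$account" -Message 'Service account password'
try {
    Get-WinEvent -ComputerName 'FILESRV01' -LogName Security -MaxEvents 5 -Credential $cred |
        Select-Object TimeCreated, Id, ProviderName
} catch {
    "Remote read failed: $($_.Exception.Message)"
}
```

The secedit export lists each user right as a comma-separated set of SIDs, so the check compares against the account's SID rather than its name; if the line shows only `*S-1-5-32-544` (Administrators), the GPO has not reached this host yet or the account was added to a GPO that does not apply to it.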
© Copyright 2015 Honeycomb Technologies Ltd. All Rights Reserved.