If your environment is that big, how can they look at multiple DCs in
real time and correlate them?

 

Maybe I don't understand your requirements, but it seems like you want to
ship the logs in real time to a SIEM or log management tool managed by the
security team or MSSP. That is a far better way to do it than to grant
access to the logs directly.

 

From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Thursday, October 28, 2010 6:51 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain
Controller Eventlogs

 

It's for Vericept, and they need to read the logs in real time to
correlate what is seen on the network with a user.

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: Cameron [mailto:cameron.orl...@gmail.com] 
Sent: Thursday, October 28, 2010 9:32 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

Could you not just set up a job to copy the security.evtx file to
somewhere else and let them access that?



 

On Thu, Oct 28, 2010 at 2:48 AM, James Rankin <kz2...@googlemail.com>
wrote:

Can you control this by NTFS access to the .evt file itself?



On 27 October 2010 16:31, Ziots, Edward <ezi...@lifespan.org> wrote:

Running a Windows 2008 R2 DFL/FFL domain; the security team needs a service
account to have read-only access to the Security Eventlog accordingly.
Is there a way via the Default Domain Controllers Policy to grant this,
or maybe a user right in Windows 2008 R2 accordingly?

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin




-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."
