You may want a peek at using wevtutil as outlined in http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx

I know you got pointed to the old KB about SDDL elsewhere, but this also outlines a different approach for WS2008 and above.

From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Friday, October 29, 2010 4:59 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain Controller Eventlogs

It has a service that runs as an account that contacts the DCs to read the logs; this service account doesn't run on the DCs but on the Vericept Console itself.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Friday, October 29, 2010 12:57 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain Controller Eventlogs

Presumably this product has an agent or uses WinRM or something to read/pull in the logs in real time, back to a central location for correlation. The service account that's being used requires permission to read the logs.

Cheers
Ken

From: Free, Bob [mailto:r...@pge.com]
Sent: Friday, 29 October 2010 3:06 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain Controller Eventlogs

If your environment is that big, how can they look at multiple DCs in real time and correlate them? Maybe I don't understand your requirements, but it seems like you want to ship the logs in real time to a SIEM or log management tool managed by the security team or MSSP; that is a far better way to do it than to grant access to the logs directly.

From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Thursday, October 28, 2010 6:51 AM
To: NT System Admin Issues
Subject: RE: Question on Granting service account read access to Domain Controller Eventlogs

It's for Vericept, and they need to read the logs in real time to correlate what is seen on the network with a user.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

From: Cameron [mailto:cameron.orl...@gmail.com]
Sent: Thursday, October 28, 2010 9:32 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain Controller Eventlogs

Could you not just set up a job to copy the security.evtx file to somewhere else and let them access that?

On Thu, Oct 28, 2010 at 2:48 AM, James Rankin <kz2...@googlemail.com> wrote:

Can you control this by NTFS access to the .evt file itself?

On 27 October 2010 16:31, Ziots, Edward <ezi...@lifespan.org> wrote:

Running a Windows 2008 R2 DFL/FFL domain; the security team needs a service account to have read-only access to the Security Eventlog accordingly. Is there a way via the Default Domain Controllers Policy to grant this, or maybe a user right in Windows 2008 R2 accordingly?

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
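The wevtutil approach referenced at the top of the thread, as an added PowerShell example that is not from the thread or the linked post: it reads the channel's current SDDL, appends a read-only (0x1) ACE for a SID you pass in, shows the before/after strings, and only writes the change back with -Apply. Assumed: an elevated session on a Windows Server 2008 or later DC, and that -ReaderSid is the SID of a group containing the service account rather than the account itself.

```powershell
# Added example (not from the thread). Grants read-only access to an event log
# channel by appending an ACE to the channel's SDDL via wevtutil.
# Assumed parameters: -ReaderSid is the SID of a group the service account is
# in (a group is easier to audit than a bare account); -Channel defaults to Security.
param(
    [Parameter(Mandatory)][string] $ReaderSid,
    [string] $Channel = 'Security',
    [switch] $Apply        # without -Apply the script only shows the change
)

if ($ReaderSid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID: $ReaderSid" }

# 'wevtutil gl' lists channel properties; the channelAccess line holds the SDDL.
$props = wevtutil gl $Channel
if ($LASTEXITCODE -ne 0) { throw "wevtutil gl $Channel failed" }
$line = $props | Where-Object { $_ -match '^\s*channelAccess:' } | Select-Object -First 1
if (-not $line) { throw "No channelAccess found for $Channel" }
$current = ($line -replace '^\s*channelAccess:\s*', '').Trim()

# Refuse to touch a SID that already has an ACE (whatever its mask) so an existing
# write (0x2) or clear (0x4) grant is not silently duplicated or widened.
if ($current.Contains(";;;$ReaderSid)")) {
    Write-Host "An ACE for $ReaderSid already exists: $current"
    return
}

# Mask 0x1 on a channel is read only; 0x2 would allow writing, 0x4 clearing.
$new = $current + "(A;;0x1;;;$ReaderSid)"
Write-Host "Current: $current"
Write-Host "New:     $new"

if ($Apply) {
    wevtutil sl $Channel "/ca:$new"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl $Channel failed" }
    # Read it back so the change is verified rather than assumed.
    wevtutil gl $Channel | Select-String 'channelAccess'
}
```

The setting is per machine, so it has to be applied on every DC, or the same SDDL pushed through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Event Log Service > Security > Configure log access); either way the least-privilege shape is 0x1 only, granted to a group.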