https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217433#M42780 <P>thanks mate. We have requested the same to Windows Admin already. I'm not sure how to verify these permissions afterwards (full control is done &amp; verified, read access to files verified, long as service is verified). rest of the things, I'm not sure how to verify, though they said has been done.</P> Thu, 29 Sep 2016 16:15:34 GMT koshyk 2016-09-29T16:15:34Z https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217428#M42775 <P>We have a Windows Universal Forwader installed as service-user (svcSplunk) with read access to ALL eventlogs. (Windows 2008R2) We are getting all eventlogs except "Security" evlogs. We are struggling to find the reason for it. diags show three errors as below </P> <PRE><CODE> - ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" splunk-winevtlog - WinEventLogChannel::init: Init failed, unable to subscribe to Windows Event Log channel 'security': errorCode=5 - ERROR ExecProcessor - Couldn't start command "D:\SplunkUniversalForwarder\bin\splunk-admon.exe": The media is write protected. - ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" splunk-winevtlog - WinEventLogChannel::init: Failed to bind to DC, dc_bind_time=12106 msec </CODE></PRE> <P>I've tested the recommendations in below URL too, but it is NOT related to Security Softwares running:<BR /> <A href="https://answers.splunk.com/answers/248673/why-is-the-splunk-universal-forwarder-on-my-domain.html">https://answers.splunk.com/answers/248673/why-is-the-splunk-universal-forwarder-on-my-domain.html</A></P> <P>any help would be much appreciated</P> <P>============ update ============<BR /> PS: (the other options/test we tried already)</P> <UL> <LI> Windows Application, system eventlogs are read and working correctly. Problem is ONLY with Wineventlog:Security</LI> <LI>With admin permissions everything works perfect including Security logs</LI> <LI>No Security softwares running</LI> <LI>Created an interactive "<EM>test</EM>" user with same level of permissions as <EM>svcSplunk</EM>. As "<EM>test</EM>" user, eventlogs are readable</LI> </UL> Thu, 29 Sep 2016 15:01:01 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217428#M42775 koshyk 2016-09-29T15:01:01Z https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217429#M42776 <P>What happens if you run the Forwarder with domain admin permissions just as a test?</P> <P>On Windows UF you should only need to changes the splunkd service account in windows services.msc and the account should have those user rights assignments :</P> <P>Full control over Splunk's installation directory<BR /> Read access to any flat files you want to index<BR /> Permission to log on as a service<BR /> Permission to log on as a batch job<BR /> Permission to replace a process-level token<BR /> Permission to act as part of the operating system<BR /> Permission to bypass traverse checking</P> Thu, 29 Sep 2016 15:53:20 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217429#M42776 dmaislin_splunk 2016-09-29T15:53:20Z https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217430#M42777 <P>with admin permissions everything works perfect. I will update this to the main query</P> Thu, 29 Sep 2016 16:03:19 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217430#M42777 koshyk 2016-09-29T16:03:19Z https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217431#M42778 <P>So just work with your various permissions until you find the right settings and you should be good.</P> Thu, 29 Sep 2016 16:10:39 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217431#M42778 dmaislin_splunk 2016-09-29T16:10:39Z https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217432#M42779 <P>I listed the proper settings above.</P> Thu, 29 Sep 2016 16:12:28 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217432#M42779 dmaislin_splunk 2016-09-29T16:12:28Z https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217433#M42780 <P>thanks mate. We have requested the same to Windows Admin already. I'm not sure how to verify these permissions afterwards (full control is done &amp; verified, read access to files verified, long as service is verified). rest of the things, I'm not sure how to verify, though they said has been done.</P> Thu, 29 Sep 2016 16:15:34 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217433#M42780 koshyk 2016-09-29T16:15:34Z https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217434#M42781 <P>Our Windows Admin found the reason<BR /> This happens when your Windows Server Systems were migrated from Windows 2003 to Windows 2008</P> <UL> <LI>In Win2003, there are lot of SDDL's for custom controls and eventlog access. With advent of Win2008R2, Microsoft replaced it with the 'Event Log Readers' group and group policies expected to remove the old SDDL's. However, in Win2003 it had forced it originally it was tattooed in the registry and therefore the new 'Event Log Readers' group did not appear in that SDDL</LI> <LI>Splunk UF was succesfully gaining access to Application and System logs due to 'Service User' (any account that has 'logon as a service' permission) being present in SDDLs, but not present in the Security log.</LI> <LI>The solution was to export the old SDDLs for each log and appended the access for event log readers</LI> </UL> Fri, 21 Oct 2016 19:27:14 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217434#M42781 koshyk 2016-10-21T19:27:14Z https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217435#M42782 <P>We had a similar problem: Splunk running as local system could not access WinEventLog:Security (But it could access "all" the other logs)</P> <P>Eventually we ran "wevtutil gl security" and realised that "Local System" did not have access.</P> Fri, 01 Sep 2017 06:07:10 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-unable-to-fetch-Windows-Security-eventlogs/m-p/217435#M42782 jonny_lyse 2017-09-01T06:07:10Z