<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How to attach a group read access to the Windows Eventlog when installing Splunk Universal Forwarder? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-attach-a-group-read-access-to-the-Windows-Eventlog-when/m-p/285424#M54512</link>
    <description>&lt;P&gt;We are trying to collect data from certain secure Windows systems, and the team have requested that we install "Splunk Universal Forwarder" with minimal permissions within a domain group (svcSplunkSecureWindows).&lt;BR /&gt;
We are getting the error below:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;splunk-winevtlog - WinEventLogChannel::subscribeToEvtChannel: Could not subscribe to Windows Event Log channel 'security' 
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The real question is perhaps not a Splunk query, but one for the Windows gurus out there:&lt;BR /&gt;
 -   How do you attach group read access to a particular Windows Eventlog, so that the "svcSplunkSecureWindows" group can read it?&lt;/P&gt;</description>
    <pubDate>Thu, 15 Sep 2016 16:22:01 GMT</pubDate>
    <dc:creator>koshyk</dc:creator>
    <dc:date>2016-09-15T16:22:01Z</dc:date>
    <item>
      <title>How to attach a group read access to the Windows Eventlog when installing Splunk Universal Forwarder?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-attach-a-group-read-access-to-the-Windows-Eventlog-when/m-p/285424#M54512</link>
      <description>&lt;P&gt;We are trying to collect data from certain secure Windows systems, and the team have requested that we install "Splunk Universal Forwarder" with minimal permissions within a domain group (svcSplunkSecureWindows).&lt;BR /&gt;
We are getting the error below:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;splunk-winevtlog - WinEventLogChannel::subscribeToEvtChannel: Could not subscribe to Windows Event Log channel 'security' 
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The real question is perhaps not a Splunk query, but one for the Windows gurus out there:&lt;BR /&gt;
 -   How do you attach group read access to a particular Windows Eventlog, so that the "svcSplunkSecureWindows" group can read it?&lt;/P&gt;</description>
      <pubDate>Thu, 15 Sep 2016 16:22:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-attach-a-group-read-access-to-the-Windows-Eventlog-when/m-p/285424#M54512</guid>
      <dc:creator>koshyk</dc:creator>
      <dc:date>2016-09-15T16:22:01Z</dc:date>
    </item>
    <item>
      <title>Re: How to attach a group read access to the Windows Eventlog when installing Splunk Universal Forwarder?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-attach-a-group-read-access-to-the-Windows-Eventlog-when/m-p/285425#M54513</link>
      <description>&lt;P&gt;Group Policy can be used to deploy the changes you need, but IIRC the changes themselves are not trivial.  Some hints that all lead to the same non-trivial answer are &lt;A href="http://stackoverflow.com/questions/34750374/unable-to-grant-server-operators-permission-via-wevtutil-to-log-events-in-system"&gt;here&lt;/A&gt;, &lt;A href="http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/"&gt;here&lt;/A&gt;, &lt;A href="http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/"&gt;here&lt;/A&gt; and &lt;A href="https://support.microsoft.com/en-us/kb/323076"&gt;here&lt;/A&gt;.  Those all seem to refer to Server 2003 and 2008; a cursory search for 2012 isn't clear on whether it's different or not, but surely more searching will help with that.  I found &lt;A href="http://wp.sjkp.dk/assign-writeread-permissions-to-application-event-log-to-none-admin-users/"&gt;this PowerShell script&lt;/A&gt; which does something that may help you figure out what you need, too.&lt;/P&gt;

&lt;P&gt;A bigger note - the only thing I know about your various teams' structure is the tiny little bit you wrote above, but it seems to me that the security team responsible for declaring that the Splunk UF must run under a non-privileged account should be responsible for assigning permissions to the account they'd like you to use.  You should only have to request that the account they install the UF under have read permission to the Security Event Log.  "If you'd like me to collect the event logs as a non-privileged user, please provide a non-privileged user account that has read permission to the Security Event Log".  &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;

&lt;P&gt;One other potential option that may sidestep this issue: you could use Windows' built-in &lt;A href="https://msdn.microsoft.com/en-us/library/cc748890(v=ws.11).aspx"&gt;Event Log Forwarding&lt;/A&gt; to forward all those event log entries you want to a central event server.  On THAT server you could run a UF as a local admin and grab all those forwarded events.  That's a bit finicky to get set up, but frankly I think it may be less finicky than trying to change permissions on the security event logs.&lt;/P&gt;</description>
      <pubDate>Sat, 17 Sep 2016 14:04:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-attach-a-group-read-access-to-the-Windows-Eventlog-when/m-p/285425#M54513</guid>
      <dc:creator>Richfez</dc:creator>
      <dc:date>2016-09-17T14:04:19Z</dc:date>
    </item>
    <item>
      <title>Re: How to attach a group read access to the Windows Eventlog when installing Splunk Universal Forwarder?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-attach-a-group-read-access-to-the-Windows-Eventlog-when/m-p/285426#M54514</link>
      <description>&lt;P&gt;Thanks Rich, valuable points.  I'm feeling we know more than our Windows admin team &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;BR /&gt;
Going through your links, it seems Windows changes are painful (as they always are). But thanks again.&lt;/P&gt;</description>
      <pubDate>Sun, 18 Sep 2016 10:44:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-attach-a-group-read-access-to-the-Windows-Eventlog-when/m-p/285426#M54514</guid>
      <dc:creator>koshyk</dc:creator>
      <dc:date>2016-09-18T10:44:41Z</dc:date>
    </item>
    <item>
      <title>Re: How to attach a group read access to the Windows Eventlog when installing Splunk Universal Forwarder?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-attach-a-group-read-access-to-the-Windows-Eventlog-when/m-p/285427#M54515</link>
      <description>&lt;P&gt;Hi @koshyk - If @rich7177 was helpful in answering your question, please don't forget to resolve this post by clicking "Accept" below the answer. Thank you! &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 19 Sep 2016 22:27:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-attach-a-group-read-access-to-the-Windows-Eventlog-when/m-p/285427#M54515</guid>
      <dc:creator>aaraneta_splunk</dc:creator>
      <dc:date>2016-09-19T22:27:09Z</dc:date>
    </item>
  </channel>
</rss>