Ok, our current desire is to not utilize forwarders/agents to collect event logs. Also, the splunkd and web accounts are not in the local administrators groups by any means anywhere.
Ok here's what I've done so far.
the host OS is w2k8r2 sp1
both splunkd and web are using virtual service accounts -> new feature for win7 and above
neither of these accounts are in the local administrators group. I've given both splunkd and web virtual accounts full access to the SPLUNK directory.
Accessing remote security logs with a low-privilege account has a few more configuration steps than if you access with admin privs. It involves editing (on the remote server in question) the security log registry key's CustomSD string, which I've done. It also involves DCOM and WMI security changes. I did all this with a non-admin normal user and I could access the security logs just fine. I then added the machine$ account name that the splunk* virtual service account accesses remote servers as; note that prior to doing this step I was unable to view the security logs of the remote server when doing a new data input. Anyway, after completing these steps I was able to add a new data input. But here comes the SEEMS part: none of the data is being logged by Splunk; I can't find any of the data at all.
If I run Wireshark on both ends I can see the WMI traffic just fine, I just can't see it within Splunk. What did I screw up?
Ok I answered this myself!
my CUSTOMSD string
located here HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security\customsd
O:BAG:SYD:(D;;0xf0007;;;AN*) (*D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x1;;;S-1-5-21-2029144138-882258566-4231760919-7851;NS)
had an extra space in it!
This is only necessary on pre-Vista devices, since there is now an Event Log Readers group which handles this.