reuvygroovy asked reuvygroovy commented

Event Forwarding - Security Log Permissions

We are trying to do event log forwarding.

On my computer, Windows 10, before I changed anything, this is what I see:

C:\WINDOWS\system32>wevtutil gl security
name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logging:
logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
retention: false
autoBackup: false
maxSize: 102367232
publishing:
fileMax: 1

But in this article, https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/security-event-log-forwarding-fails-error-0x138c-5004
they mention another access identifier:
Value: O:BAG:SYD:(D;; 0xf0007;;;AN)(D;; 0xf0007;;;BG)(A;; 0xf0007;;;SY)(A;; 0x7;;;BA)(A;; 0x7;;;SO)(A;; 0x3;;;IU)(A;; 0x2;;;BA)(A;; 0x2;;;LS)(A;; 0x2;;;NS)(A;; 0x7;;;DA)(A;; 0x1;;;S-1-5-21-xxx-xxx-xxx-xxx)

Questions:
1. How does one interpret these identifiers?
2. What should be deployed to computers for auditing to work - the default value, the value mentioned in the article, both? Can you give me a complete string?
3. Is there / should there, be any difference between workstations and servers?


windows-10-security

Hi reuvygroovy,

1. Did you have the same "Security event log forwarding fails with Error 0x138C and 5004 in Windows Server" error?

2. Are you forwarding the security log from Win10 computers to Windows Server 2012 R2?

3. Are you using a source-initiated subscription or a collector-initiated subscription?


Hi reuvygroovy,

Is there any progress on your question?


Sorry.

We are forwarding from Windows 10 to Windows 2019.

Using a collector.

JiaYou-MSFT answered reuvygroovy commented

Hi reuvygroovy,

"Still not clear how to interpret this string:"
Here is the answer:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x5;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)(A;;0x2;;;LS)(A;;0x2;;;NS)

Entry meanings:
O:BA Object owner is Built-in Admin (BA).
G:SY Primary group is System (SY).
D: It's a discretionary access control list (DACL), rather than an audit entry or SACL.
(D;;0xf0007;;;AN) Deny Anonymous (AN) all access. (1=Read + 2=Write + 4=Clear) (First ACE string in this SDDL).
(D;;0xf0007;;;BG) Deny Built-in Guests (BG) all access.
(A;;0xf0005;;;SY) Allow System Read and Clear (1=Read + 4=Clear), including DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).
(A;;0x7;;;BA) Allow Built-in Admin READ, WRITE, and CLEAR.
(A;;0x7;;;SO) Allow Server Operators READ, WRITE, and CLEAR.
(A;;0x3;;;IU) Allow Interactive Users READ and WRITE.
(A;;0x3;;;SU) Allow Service accounts READ and WRITE.

2. How do you break up each group (permission, user, etc.)?

The Security Descriptor Definition Language of Love (Part 1)
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-security-descriptor-definition-language-of-love-part-1/ba-p/395202

The Security Descriptor Definition Language of Love (Part 2)
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-security-descriptor-definition-language-of-love-part-2/ba-p/395258

Fail to write to the Windows event log from an ASP.NET or ASP application
https://docs.microsoft.com/en-us/troubleshoot/aspnet/fail-write-event-log

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Awesome! Thanks!

JiaYou-MSFT answered reuvygroovy commented

Hi reuvygroovy,

1. Are both Win10 and Server 2019 joined to the same AD domain?

2. How does one interpret these identifiers?
You can see below an example of the SDDL you'll need for the Security event log. The channelAccess line represents the permissions set on the event log.
[screenshot 11.png: SDDL example for the Security event log; image not reproduced here]



3. What should be deployed to computers for auditing to work - the default value, the value mentioned in the article, both? Can you give me a complete string?
Did you add the host name of the W2019 server and the NT AUTHORITY\Network Service account to the "Event Log Readers" group on Win10?


Security Descriptor Definition Language
https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language



Here are two documents for your reference; I am still working on this issue.

How To Set Up Windows Event Log Forwarding In Windows Server 2016
https://adamtheautomator.com/windows-event-collector/

How to set event log security locally or by using Group Policy
https://docs.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy




Hi

Is there any update for your issue?


Hi

Still not clear how to interpret this string:
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
Value: O:BAG:SYD:(D;; 0xf0007;;;AN)(D;; 0xf0007;;;BG)(A;; 0xf0007;;;SY)(A;; 0x7;;;BA)(A;; 0x7;;;SO)(A;; 0x3;;;IU)(A;; 0x2;;;BA)(A;; 0x2;;;LS)(A;; 0x2;;;NS)(A;; 0x7;;;DA)(A;; 0x1;;;S-1-5-21-xxx-xxx-xxx-xxx)

Even as mentioned here:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy
The following is a sample SDDL that shows the default SDDL string for the Application log. The access rights (in hexadecimal) are bold-faced for illustration:
O:BAG:SYD:(D;; 0xf0007 ;;;AN)(D;; 0xf0007 ;;;BG)(A;; 0xf0007 ;;;SY)(A;; 0x5 ;;;BA)(A;; 0x7 ;;;SO)(A;; 0x3 ;;;IU)(A;; 0x2 ;;;BA)(A;; 0x2 ;;;LS)(A;; 0x2 ;;;NS)
For example, the first ACE denies Anonymous Users read, write, and clear access to the log. The sixth ACE permits Interactive Users to read and write to the log.

How do you break up each group (permission, user, etc.)?
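The thread asks twice how to break a channelAccess string into its parts (the entry-meanings list in JiaYou-MSFT's answer above and the "How do you break up each group" comment just above). The following Python script is an added example, not code from the thread or from Microsoft: it splits an SDDL string into owner, group and the ordered DACL entries, decodes the hex mask into the event log rights (0x1 read, 0x2 write, 0x4 clear) plus the standard rights behind 0xf0000, and walks the DACL in order to answer "can a token holding these SIDs read/write/clear this log?". The two strings it decodes are the ones quoted on this page (the Windows 10 Security log default and the Application log default from the KB article). Assumptions: the alias table only covers the two-letter SDDL aliases that appear in this thread, S-1-5-32-573 is resolved as BUILTIN\Event Log Readers, and the access check is a simplified model that matches trustees literally (it does not expand group membership the way a real token does).

```python
import re
from dataclasses import dataclass

# Added example (not from the thread or from Microsoft): decode an event log
# channelAccess SDDL into owner, group and DACL entries, then walk the DACL in
# order to see what a given set of SIDs can do with the log.

# Event-log rights in the low bits and the standard rights behind 0xf0000.
EVENTLOG_RIGHTS = {0x1: "READ", 0x2: "WRITE", 0x4: "CLEAR"}
STANDARD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL",
                   0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit", "AL": "Alarm"}
# Two-letter SDDL aliases used in the strings quoted in this thread (assumed table).
WELL_KNOWN = {"AN": "Anonymous Logon", "BG": "Built-in Guests", "SY": "Local System",
              "BA": "Built-in Administrators", "SO": "Server Operators",
              "IU": "Interactive Users", "LS": "Local Service",
              "NS": "Network Service", "DA": "Domain Admins", "SU": "Service Logon"}
# Literal SID from the thread: S-1-5-32-573 is BUILTIN\Event Log Readers.
KNOWN_SIDS = {"S-1-5-32-573": "BUILTIN\\Event Log Readers"}
# O:owner G:group D:dacl [S:sacl]; literal SIDs contain "S-", never "S:".
SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dacl>.*?)(?:S:.*)?$")
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class Ace:
    ace_type: str  # "A" (allow) or "D" (deny)
    flags: str     # ACE flags; empty in the event log strings above
    mask: int      # access mask, e.g. 0xf0007
    trustee: str   # SDDL alias or literal SID

    def rights(self):
        return [name for bit, name in {**EVENTLOG_RIGHTS, **STANDARD_RIGHTS}.items()
                if self.mask & bit]

    def trustee_name(self):
        return (WELL_KNOWN.get(self.trustee) or KNOWN_SIDS.get(self.trustee)
                or f"{self.trustee} (not a well-known alias; resolve in the domain)")

    def describe(self):
        verb = ACE_TYPES.get(self.ace_type, self.ace_type)
        return f"{verb} {self.trustee_name()}: " + ", ".join(self.rights())


@dataclass
class ChannelSddl:
    owner: str
    group: str
    aces: list  # DACL entries in the order Windows evaluates them


def parse_channel_sddl(sddl):
    """Split owner, group and ACEs; tolerates the stray spaces inside ACEs that
    the KB article's rendering introduces, e.g. '(D;; 0xf0007;;;AN)'."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("expected an O:...G:...D:... SDDL string")
    aces = []
    for body in ACE_RE.findall(m.group("dacl")):
        fields = [f.strip() for f in body.split(";")]
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _object_guid, _inherit_guid, trustee = fields
        if not rights.lower().startswith("0x"):
            raise ValueError(f"only hexadecimal masks are decoded here: {rights}")
        aces.append(Ace(ace_type, flags, int(rights, 16), trustee))
    return ChannelSddl(m.group("owner"), m.group("group"), aces)


def check_access(channel, token_sids, requested):
    """Simplified reference-monitor walk for a token holding `token_sids`:
    a Deny ACE for one of them that overlaps the still-wanted bits fails the
    check; Allow ACEs clear bits until none remain. ACE order matters, which is
    why the Deny entries for AN and BG come first in the published string."""
    remaining = requested
    for ace in channel.aces:
        if ace.trustee not in token_sids:
            continue
        if ace.ace_type == "D" and ace.mask & remaining:
            return False
        if ace.ace_type == "A":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


# Both strings are quoted in the thread: the Windows 10 Security log default
# and the Application log default from the KB article.
DEFAULT_SECURITY = "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)"
ARTICLE_APPLICATION = ("O:BAG:SYD:(D;; 0xf0007;;;AN)(D;; 0xf0007;;;BG)(A;; 0xf0007;;;SY)"
                       "(A;; 0x5;;;BA)(A;; 0x7;;;SO)(A;; 0x3;;;IU)(A;; 0x2;;;BA)"
                       "(A;; 0x2;;;LS)(A;; 0x2;;;NS)")

if __name__ == "__main__":
    for label, sddl in (("Security", DEFAULT_SECURITY), ("Application", ARTICLE_APPLICATION)):
        ch = parse_channel_sddl(sddl)
        print(f"{label}: owner={ch.owner} group={ch.group}")
        for ace in ch.aces:
            print("  " + ace.describe())
    sec = parse_channel_sddl(DEFAULT_SECURITY)
    # A collector account in Event Log Readers can read the Security log but not write it.
    print(check_access(sec, {"S-1-5-32-573"}, 0x1), check_access(sec, {"S-1-5-32-573"}, 0x2))
```

Two things the walk makes visible that the string alone hides: rights accumulate across ACEs for the same trustee (in the Application string BA gets 0x5 from one ACE and 0x2 from a later one, so it ends up with read, write and clear), and a Deny placed before an Allow wins for any token that carries both SIDs. That is why the collector's account only needs membership in Event Log Readers (the 0x1 ACE in the Security default) to read the log, and why nothing short of System can write to the Security channel under the default string.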