Enabling Windows event collection without administrator privileges (Linux collection host)


This topic contains configuration steps required for enabling event collection in the following scenarios:

  • If you are using a Linux computer as your collection host.
  • If, when you create the data collector, you plan to specify the credentials of a user who is not a member of the local Administrators group.

Note

The instructions in this topic pertain to the Windows Server 2012 operating system. The dialog names and paths might differ on other Windows versions.

The following steps need to be performed before you create the data collector for collecting Windows events remotely.

Before you begin

Ensure that a dedicated user account without Administrator privileges exists. For more information, see Managing user accounts in the Microsoft Windows documentation portal.

Set log access policy

  1. Go to the Administrative Tools.
  2. Select Local Security Policy.
  3. Navigate to Security Settings > Local Policies > User Rights Assignment.
  4. On the right, double-click Manage auditing and security log.
  5. Add the user that you created earlier.

For more information, see Manage auditing and security log in the Microsoft Windows documentation portal. Note that this right (SeSecurityPrivilege) is broader than read access: it also lets the holder clear the Security log and change the auditing settings (SACLs) of objects, so assign it only to the dedicated collection account.
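The same assignment from the command line, as an added example that is not part of the original page. It uses secedit, which is what the Local Security Policy snap-in drives underneath, and assumes an elevated PowerShell prompt on the Windows host and a local collection account named logcollector (a hypothetical name; substitute your own).

```powershell
# Added example (not from the original page): assign the
# "Manage auditing and security log" right (SeSecurityPrivilege) with secedit,
# the command-line equivalent of the Local Security Policy steps above.
# Assumptions: elevated PowerShell on the Windows host; the collection account
# is a local user named 'logcollector' (hypothetical name).
$User      = 'logcollector'
$Privilege = 'SeSecurityPrivilege'

# secedit templates list principals as *<SID>, so resolve the account first.
$sid = (New-Object System.Security.Principal.NTAccount($User)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$work = Join-Path $env:TEMP 'user-rights'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$cfg = Join-Path $work 'rights.inf'
$db  = Join-Path $work 'rights.sdb'

# Export only the User Rights Assignment area of the current local policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$found = $false
$lines = foreach ($line in (Get-Content $cfg)) {
    if ($line -match "^$Privilege\s*=") {
        $found = $true
        # Keep the existing holders (Administrators by default); append the SID once.
        if ($line -match [regex]::Escape("*$sid")) { $line } else { "$line,*$sid" }
    } else {
        $line
    }
}
if (-not $found) {
    # The right had no explicit entry: add one directly under [Privilege Rights].
    $lines = foreach ($line in $lines) {
        $line
        if ($line -eq '[Privilege Rights]') { "$Privilege = *$sid" }
    }
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode

# Apply the edited template; only the USER_RIGHTS area is touched.
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# Verify: re-export and show the resulting line for the privilege.
$check = Join-Path $work 'verify.inf'
secedit /export /cfg $check /areas USER_RIGHTS | Out-Null
Get-Content $check | Where-Object { $_ -match "^$Privilege\s*=" }
```

The script appends the account's SID to the existing holders rather than replacing the line, so the built-in Administrators assignment survives. The final export should print a line of the form SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-... with the new SID at the end.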

Grant DCOM remote launch and activation permissions to a user or group

  1. Navigate to Start > Run > DCOMCNFG.
  2. In the Component Services dialog box, in the console tree, open Component Services and navigate to Computers > My Computer.
  3. Right-click My Computer and click Properties.
  4. In the My Computer Properties dialog box, click the COM Security tab.
  5. Under Launch and Activation Permissions, click Edit Limits. (Edit Default sets the per-application defaults instead; the machine-wide limits are what gate remote callers such as the collector.)
  6. In the Launch and Activation Permission dialog box, if your group name or user name does not appear in the Group or user names list, follow these steps to add the name:
    1. Under the Group or user names list, click Add.
    2. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, add the user name and the group, and then click OK.
    3. Under the Group or user names list, select the user and group, and then under the Permissions for User list, under the Allow column, select the check boxes for Remote Launch and Remote Activation.
    4. Click OK.
  7. Under Access Permissions, click Edit Limits.
  8. In the Access Permission dialog box, if your group name or user name does not appear in the Group or user names list, follow these steps to add the name:
    1. Under the Group or user names box, click Add.
    2. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, add the user name and the group, and then click OK.
    3. Under the Group or user names list, select the user and group, and then under the Permissions for User list, under the Allow column, select Remote Access.
    4. Click OK.
  9. On the COM Security tab, click OK.

For more information, see Configuring DCOM permissions in the Microsoft Windows documentation portal.
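The same two Edit Limits changes made without the dcomcnfg GUI, as an added example that is not part of the original page. dcomcnfg stores the machine-wide limits as binary security descriptors under HKLM\SOFTWARE\Microsoft\Ole (MachineLaunchRestriction and MachineAccessRestriction); the script below appends an allow ACE to each. It assumes an elevated PowerShell prompt on the Windows host, a local account named logcollector (hypothetical), and that the two registry values already exist (opening Edit Limits in dcomcnfg once creates them if they are absent).

```powershell
# Added example (not from the original page): grant the collection account the
# machine-wide DCOM limits that the dcomcnfg steps above set through Edit Limits:
# Remote Launch + Remote Activation (launch limits) and Remote Access (access limits).
# Assumptions: elevated PowerShell on the Windows host; local user 'logcollector'
# (hypothetical name); the two registry values already exist.
$User   = 'logcollector'
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
$sid = (New-Object System.Security.Principal.NTAccount($User)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# COM_RIGHTS_* access bits; the dcomcnfg check boxes map onto these.
$COM_RIGHTS_EXECUTE         = 0x01
$COM_RIGHTS_EXECUTE_REMOTE  = 0x04   # "Remote Launch" / "Remote Access"
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10   # "Remote Activation"

function Add-DcomLimitAce {
    param([string]$ValueName, [int]$Mask)
    $bytes = (Get-ItemProperty -Path $OleKey -Name $ValueName -ErrorAction Stop).$ValueName
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)

    # Idempotent: do nothing if an allow ACE for this SID already carries the bits.
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier -eq $sid -and
            (($ace.AccessMask -band $Mask) -eq $Mask)) {
            Write-Host "${ValueName}: already grants 0x$('{0:X}' -f $Mask) to $User"
            return
        }
    }
    $newAce = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $Mask, $sid, $false, $null)
    # Append rather than replace: existing entries (Everyone, Administrators, ...) stay.
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $newAce)

    $out = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($out, 0)
    Set-ItemProperty -Path $OleKey -Name $ValueName -Value $out -Type Binary
    Write-Host "${ValueName}: added allow ACE 0x$('{0:X}' -f $Mask) for $User"
}

# Launch and Activation Permissions > Edit Limits: Remote Launch + Remote Activation
Add-DcomLimitAce -ValueName 'MachineLaunchRestriction' `
    -Mask ($COM_RIGHTS_EXECUTE -bor $COM_RIGHTS_EXECUTE_REMOTE -bor $COM_RIGHTS_ACTIVATE_REMOTE)
# Access Permissions > Edit Limits: Remote Access
Add-DcomLimitAce -ValueName 'MachineAccessRestriction' `
    -Mask ($COM_RIGHTS_EXECUTE -bor $COM_RIGHTS_EXECUTE_REMOTE)
```

Only the remote bits are granted; the account gets no local launch or activation rights it does not need. Reopening dcomcnfg afterwards shows the account in both Edit Limits dialogs with exactly the check boxes the steps above describe. The same function works for the Edit Default values (DefaultLaunchPermission and DefaultAccessPermission in the same key) if a particular deployment requires them.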

Set namespace security with WMI control

  1. Navigate to Start > Run > wmimgmt.msc.
  2. In the console tree, right-click WMI Control and click Properties.
  3. On the Security tab, expand the Root node.
  4. Click CIMV2 and then click Security at the bottom-right of the dialog box.
  5. Click Advanced.
  6. On the Permission tab, click Add.
  7. On the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, add the user name and group, and click OK.
  8. Under the Apply to column, select the This namespace and subnamespaces option and click OK.
  9. Under the Allow column, select Enable Account and Remote Enable and click OK.
  10. Click OK and exit the WMI control panel.

For more information, see Authorizing WMI users and setting permissions in the Microsoft Windows documentation portal.
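The namespace change from the command line, as an added example that is not part of the original page. The WMI Control snap-in writes the namespace security descriptor through the __SystemSecurity class, and the script below does the same: it adds an allow ACE with Enable Account and Remote Enable on root\cimv2, flagged to inherit to subnamespaces. It assumes an elevated PowerShell prompt on the Windows host and a local account named logcollector (hypothetical).

```powershell
# Added example (not from the original page): grant Enable Account and Remote Enable
# on root\cimv2 (inherited by subnamespaces) through the __SystemSecurity WMI class,
# which is what the WMI Control MMC snap-in writes.
# Assumptions: elevated PowerShell on the Windows host; local user 'logcollector'
# (hypothetical name).
$User      = 'logcollector'
$Namespace = 'root\cimv2'
$sid = (New-Object System.Security.Principal.NTAccount($User)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# WBEM permission bits and ACE constants from the WMI security documentation.
$WBEM_ENABLE           = 0x01   # "Enable Account"
$WBEM_REMOTE_ACCESS    = 0x20   # "Remote Enable"
$ACCESS_ALLOWED_ACE    = 0
$CONTAINER_INHERIT_ACE = 0x02   # "This namespace and subnamespaces"
$wanted = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS

# Read the namespace's current security descriptor.
$result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($result.ReturnValue)" }
$acl = $result.Descriptor

# Skip if an equivalent allow ACE for this SID already exists.
$existing = $acl.DACL | Where-Object {
    $_.Trustee.SIDString -eq $sid -and $_.AceType -eq $ACCESS_ALLOWED_ACE -and
    (($_.AccessMask -band $wanted) -eq $wanted)
}
if ($existing) { Write-Host "$User already has Enable Account + Remote Enable on $Namespace"; return }

$trustee = (New-Object System.Management.ManagementClass('Win32_Trustee')).CreateInstance()
$trustee.SIDString = $sid

$ace = (New-Object System.Management.ManagementClass('Win32_Ace')).CreateInstance()
$ace.AccessMask = $wanted
$ace.AceFlags   = $CONTAINER_INHERIT_ACE
$ace.AceType    = $ACCESS_ALLOWED_ACE
$ace.Trustee    = $trustee

# Append the ACE (existing entries are kept) and write the descriptor back.
$acl.DACL += $ace.psobject.immediateBaseObject
$set = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name SetSecurityDescriptor `
           -ArgumentList $acl.psobject.immediateBaseObject
if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }
Write-Host "Granted Enable Account + Remote Enable on $Namespace (and subnamespaces) to $User"
```

Only these two bits are granted: no Execute Methods, Full Write or Edit Security, so the account can query the namespace remotely but cannot invoke methods or change the descriptor. Reopening wmimgmt.msc and viewing CIMV2 > Security > Advanced shows the new entry applied to "This namespace and subnamespaces".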

Add user to Event Log Readers group

  1. Navigate to Start > Run > compmgmt.msc.
    The Computer Management dialog box is displayed.
  2. On the left navigation tree, open Local Users and Groups, and double-click Users.
    On the right, a list of users is displayed.
  3. Right-click the user that you want to add to the Event Log Readers group and select Properties.
  4. On the Member of tab, click Add.
  5. In the Enter the object names to select box, enter Event Log Readers and click Check Names to search for the group.
  6. Click OK and exit all open windows.

For more information, see Configuring computers to forward and collect events in the Microsoft Windows documentation portal.
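The group membership from the command line, followed by an end-to-end check of everything configured on this page, as an added example that is not part of the original page. It assumes a local account named logcollector and a target host named WINSRV01 (both hypothetical). The verification must run from a second Windows machine, because Get-WmiObject and Get-WinEvent refuse -Credential against the local computer; it exercises the same DCOM and WMI path a remote collector uses.

```powershell
# Added example (not from the original page): add the collection account to the
# local Event Log Readers group, then prove the whole chain (DCOM limits, WMI
# namespace rights, log access) works as that account.
# Assumptions: local user 'logcollector' and target host 'WINSRV01' (both
# hypothetical); the verification runs from a second Windows machine.
$User   = 'logcollector'
$Target = 'WINSRV01'

# --- On the target host (elevated): group membership via ADSI, which also works on
# Windows Server 2012, where Add-LocalGroupMember is not available.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Event Log Readers,group"
$members = @($group.psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
if ($members -notcontains $User) {
    $group.Add("WinNT://$env:COMPUTERNAME/$User,user")
    Write-Host "Added $User to Event Log Readers"
}

# --- From a second Windows machine, as the unprivileged account:
$cred = Get-Credential "$Target\$User"

# 1. DCOM + WMI path (the one a remote collector uses). This needs Remote Launch /
#    Activation, Remote Access, Enable Account, Remote Enable and, for the Security
#    log via Win32_NTLogEvent, the "Manage auditing and security log" right.
Get-WmiObject -ComputerName $Target -Credential $cred -Class Win32_NTLogEvent `
    -Filter "Logfile='Security'" |
    Select-Object -First 3 RecordNumber, EventCode, TimeGenerated

# 2. Event Log service (RPC) path: exercises Event Log Readers membership alone.
Get-WinEvent -ComputerName $Target -Credential $cred -LogName Security -MaxEvents 3 |
    Select-Object RecordId, Id, TimeCreated
```

Reading the two results together localizes a problem: "Access is denied" on the first query while the second succeeds points at the DCOM limits or the WMI namespace ACL rather than at the event log itself; an empty first result with no error on a host that does have Security events usually means the "Manage auditing and security log" right was not applied to this account.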
