How to give read-only access to Event Viewer logs on a domain controller to a service account

I would like to give read-only access to Event Viewer logs on all domain controllers in order to monitor event IDs. What is the best way without giving too much permission?

We are running Windows 2012 R2 domain controllers.
Jimmy Wang Asked:

Robert (System Admin) Commented:
Have you tried adding the users to the built-in group "Event log readers"?
0
Jimmy Wang (Author) Commented:
I wasn't sure whether this "Event log readers" group includes domain controller access to read Event Viewer. Our procedure can change on the fly with production DCs and I don't have a test environment to test this. Can you confirm that this does include domain controllers, not just member servers?
0
Robert (System Admin) Commented:
Yes, it should work as long as all your DCs are at least 2008 R2, I believe.
0
Jimmy Wang (Author) Commented:
OK, thanks for getting back to me. I will give that a try.

I meant, we can't make changes on the fly, so I just need to confirm it, but it does sound like it should.
0
Learnctx (Engineer) Commented:
I would like to give read-only access to Event Viewer logs on all domain controllers in order to monitor event IDs. What is the best way without giving too much permission?

Event log forwarding to another host which the service account has access to. Or run an agent like SCOM/Splunk to export or alert on events as they are generated in real time.
0
Jimmy Wang (Author) Commented:
Tried with the "Event log readers" group; it didn't work to access the domain controller Event Viewer.

Learnctx,
We are not running SCOM here at our company. We are using WindSolar, which is why we need a service account that can have access to Event Viewer. Any other method to give read-only permission on a domain controller to read Event Viewer? Any KB?
0
Robert (System Admin) Commented:
Here is another method provided in a TechNet blog.
https://blogs.technet.microsoft.com/janelewis/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008/

I have seen some articles indicating that the Event Log Readers group doesn't work because of permissions on a registry key, but I tested it in my environment and it worked without any modifications.
0

Jimmy Wang (Author) Commented:
Hi Robert,
Thanks for the KB. I assume this would also apply to Windows 2012 R2 domain controllers, or is there another link for Windows 2012 DCs?
0
Learnctx (Engineer) Commented:
Any other method to give read-only permission on a domain controller to read Event Viewer?

Of course, you can delegate the rights very easily; see the link that Robert has posted. Personally, I do not give access to domain controllers for external sources. If you don't have SCOM, there's the small guy's version of event log collecting, which is Event Log Forwarding. This comes built into Windows and allows you to forward your logs from some or all of your devices to a central log collector server (or a series of log collector servers); see here. Personally, I prefer SCOM, OMS, and Splunk, but that is not an option for you.
0
Robert (System Admin) Commented:
Yes, the steps the article provides for 2008 should work for Server 2012.
That said, the process provided is basically manually assigning permissions that the Event Log Readers group should already provide.
0
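One way to check the point in the reply above, whether a log's access control list already grants read to the built-in Event Log Readers group, as an added example that is not part of the thread. It assumes the group's well-known SID S-1-5-32-573 and the event log read right 0x1; the function name and the sample SDDL strings are constructed for illustration.

```powershell
# Added example, not from the thread: does an event log channel's security
# descriptor (SDDL) grant read access to a given SID?
$EventLogReadersSid = 'S-1-5-32-573'   # well-known SID of BUILTIN\Event Log Readers
$ReadBit            = 0x1              # event log "read" access right

function Test-EventLogReadAccess {     # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$Sid = $EventLogReadersSid
    )
    # RawSecurityDescriptor parses the SDDL string into owner, group and ACL.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $allowed = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -ne $Sid) { continue }
        if (($ace.AccessMask -band $ReadBit) -eq 0) { continue }
        # An explicit deny of the read bit wins over any allow ACE.
        if ($ace.AceType -eq 'AccessDenied')  { return $false }
        if ($ace.AceType -eq 'AccessAllowed') { $allowed = $true }
    }
    return $allowed
}

# Constructed sample descriptors (not captured from a real domain controller).
$samples = [ordered]@{
    'ACE grants read to Event Log Readers' = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'
    'no ACE for Event Log Readers'         = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)'
    'read explicitly denied'               = 'O:BAG:SYD:(D;;0x1;;;S-1-5-32-573)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'
}
foreach ($name in $samples.Keys) {
    '{0,-38} -> {1}' -f $name, (Test-EventLogReadAccess -Sddl $samples[$name])
}

# On a live system, pass the descriptor of a real log instead, for example:
# Test-EventLogReadAccess -Sddl (Get-WinEvent -ListLog Security).SecurityDescriptor
```

A result of False for a log on a domain controller means membership in Event Log Readers alone will not let the service account read that log, which is the case the manual permission steps in the linked article address.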
Jimmy Wang (Author) Commented:
Thanks, Learnctx and Robert.
0
Jimmy Wang (Author) Commented:
Thank you both! Much appreciated.
0
Pber (Solutions Architect) Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Robert (https:#a42423617)
-- Learnctx (https:#a42424184)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Pber
Experts-Exchange Cleanup Volunteer
0