How can I get full read access to the Security event log with a local account on Windows Server 2016


Problem description

I have an application that creates new event sources in an event log on a 2016 Windows Server v1607. It is not known which names the sources will have. To achieve this the account needs read access to all the event sources to assure the source name does not already exist (why double source names in different logs are not allowed is another interesting question). By default a local account is blocked from reading the Security event log, so the creation of a new source ends up with an error that there is no read access to the Security log.

The most promising approach seemed to be the answer to this question: https://stackoverflow.com/a/3138269/2091030

I followed the steps 1-5 changing the registry permissions of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security by adding read permissions for the local account. I checked all the sub-keys in the Security folder and they all show proper read access for the account. Nevertheless I get another error now when using a simple C# program to add an event with a new source:

using System;
using System.Diagnostics;

namespace EventlogTest {
    public class Test {
        public static void Main() {
            // Log "SomeLog" on the local machine ("."), writing as source "SomeNewSource".
            // The source does not exist yet, so WriteEntry registers it first
            // (VerifyAndCreateSource -> CreateEventSource), which scans all logs
            // under HKLM\SYSTEM\CurrentControlSet\Services\Eventlog.
            var log = new EventLog("SomeLog", ".", "SomeNewSource");
            log.WriteEntry("Test 123", EventLogEntryType.Information);
        }
    }
}

System.Security.SecurityException: Der angeforderte Registrierungszugriff ist unzulässig.
   bei System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)
   bei Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
   bei System.Diagnostics.EventLog.CreateEventSource(EventSourceCreationData sourceData)
   bei System.Diagnostics.EventLogInternal.VerifyAndCreateSource(String sourceName, String currentMachineName)
   bei System.Diagnostics.EventLogInternal.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
   bei System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type)
   bei EventlogTest.Test.Main()

Am I missing something?

Recommended answer

The following settings for the local account allowed me to add new sources in my event-log "MyLog":

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog:

  • Add the local account with the following permissions: Query Value, Set Value, Create Subkey, Enumerate Subkeys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security:

  • This folder does not inherit the permissions of its parent. Add the local account with normal read access.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\MyLog:

  • Disable inheritance and copy the values, then add the local account with full access
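The three registry ACL changes listed in the answer, scripted so they can be applied and verified consistently instead of by hand in regedit. This is an added example and not code from the question or the answer; the account name `MYSERVER\svc_eventlog`, the log name `MyLog` and the helper function names are assumptions. It must run from an elevated PowerShell session. Note that the Security key only gets ReadKey (enough for the source-existence scan), while SetValue and CreateSubKey on the Eventlog key and FullControl on the custom log key are the minimum the answer reports as working; grant them to the service account only, not to a broad group.

```powershell
# Added example (not from the original question or answer). Assumed values:
$Account = 'MYSERVER\svc_eventlog'   # assumed local service account
$LogName = 'MyLog'                   # assumed custom event log from the answer
$Base    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'

function Grant-RegistryRight {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.RegistryRights]$Rights,
        [switch]$DisableInheritance
    )
    $acl = Get-Acl -Path $Path
    if ($DisableInheritance) {
        # $true: stop inheriting from the parent; $true: copy the inherited
        # ACEs as explicit ones (the "copy the values" step in the answer)
        $acl.SetAccessRuleProtection($true, $true)
    }
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-RegistryRight {
    # Returns $true when an explicit Allow ACE for $Identity on $Path
    # contains every right in $Rights.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.RegistryRights]$Rights
    )
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $Rights) -eq $Rights)) {
            return $true
        }
    }
    return $false
}

# 1. Eventlog key: Query Value, Set Value, Create Subkey, Enumerate Subkeys
$EventlogRights = [System.Security.AccessControl.RegistryRights]'QueryValues, SetValue, CreateSubKey, EnumerateSubKeys'
Grant-RegistryRight -Path $Base -Identity $Account -Rights $EventlogRights

# 2. Security key: does not inherit from Eventlog, so it needs its own read ACE
Grant-RegistryRight -Path "$Base\Security" -Identity $Account -Rights ReadKey

# 3. Custom log key: stop inheritance, keep the copied ACEs, grant full access
Grant-RegistryRight -Path "$Base\$LogName" -Identity $Account -Rights FullControl -DisableInheritance

# Verify each key before retrying the C# program
foreach ($check in @(
    @{ Path = $Base;              Rights = $EventlogRights },
    @{ Path = "$Base\Security";   Rights = 'ReadKey' },
    @{ Path = "$Base\$LogName";   Rights = 'FullControl' })) {
    $ok = Test-RegistryRight -Path $check.Path -Identity $Account -Rights $check.Rights
    "{0,-70} {1}" -f $check.Path, $(if ($ok) { 'OK' } else { 'MISSING' })
}
```

If a key still reports MISSING after the script, the usual cause is an existing Deny ACE for a group the account belongs to, or that `Get-Acl` shows the account under a different identity string (for example the SID when the name cannot be resolved); compare against `$acl.Access` directly in that case.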
