Security Event Log Backup via script


JohnBates

Hello,

I have a problem I am beating my head against. I have a script that will
backup the security event log and then clear it. It works perfectly as an
administrator but a standard user cannot successfully run it.

Script:
---------------------------------------------------------------
'Arguments: <archive path without extension> <log name, e.g. Security>
If WScript.Arguments.Count < 2 Then
    WScript.Echo "Usage: cscript backuplog.vbs <fileName> <logType>"
    WScript.Quit 1
End If
fileName = WScript.Arguments.Item(0)
logType = WScript.Arguments.Item(1)
fullPathName = fileName & ".evt"

'Display args passed
WScript.Echo "Argument 0 - fileName :" & fileName
WScript.Echo "Argument 1 - logType :" & logType
WScript.Echo "fullPathName :" & fullPathName

'Connect to WMI and ask for the Backup and Security privileges to be enabled
'for the call; WMI can only enable privileges the account already holds.
'(The "& _" continuations keep the moniker on one logical line.)
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=impersonate,(Backup,Security)}!\\" & strComputer & _
    "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery("SELECT * FROM " & _
    "Win32_NTEventLogFile WHERE LogFileName='" & logType & "'")

If colLogFiles.Count = 0 Then
    WScript.Echo "No event log named '" & logType & "' was found."
End If

For Each objLogFile In colLogFiles
    errBackupLog = objLogFile.BackupEventLog(fullPathName)

    Select Case errBackupLog
        Case 0
            WScript.Echo "The " & logType & " event log was backed up."
            'Clear only after a successful backup, and report the result
            errClearLog = objLogFile.ClearEventLog()
            If errClearLog = 0 Then
                WScript.Echo "The " & logType & " event log was cleared."
            Else
                WScript.Echo "ClearEventLog failed, return code " & errClearLog
            End If
        Case 8
            WScript.Echo "Privilege missing!"
        Case 21
            WScript.Echo "Invalid Parameter in call"
        Case 183
            WScript.Echo "The archive file already exists."
        Case Else
            WScript.Echo "BackupEventLog failed, return code " & errBackupLog
    End Select
Next
----------------------------------------------------------------

I have tried assigning the following rights to my test user:

Manage Auditing and Security Rights
Impersonate a client after authentication
backup files and directories

From what I could find (which is somewhat sparse) it may have to do with
needing to set a CustomSD to the security event log. I have no experience
whatsoever in regards to working with the Windows security subsystems at
that level. Nor am I sure you could do that on a stand-alone machine that is
not under a domain.

The user can view the security event log in the Event Viewer but not save it;
it returns the error message "A required privilege is not held by the client".

Anyone have any ideas?

Thanks

John Bates
Raytheon

JohnBates

We got it fixed!

The user has to have the following permissions:

1) member of backup operators group
2) Manage Auditing and Security log via policy
3) (and the one I never would have guessed) User must have Full permissions
to the key that governs the Security Log:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
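The three prerequisites above, granted and then checked, followed by the same WMI backup-and-clear that the VBScript does, in Windows PowerShell 5.1. This is an added example, not John's script or anything posted in the thread; the account name `isso1`, the archive directory and the file naming are assumptions.

```powershell
# Added example (not from the thread). Windows PowerShell 5.1 on the local
# machine; the account name and archive directory are assumptions.
$EventlogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'

function Grant-SecurityLogBackupRights {
    # Run once, elevated. Covers items 1 and 3 of the list above. Item 2,
    # "Manage auditing and security log" (SeSecurityPrivilege), has no cmdlet:
    # assign it under User Rights Assignment in secpol.msc or Group Policy.
    param([Parameter(Mandatory)][string]$Account)   # e.g. "$env:COMPUTERNAME\isso1" (assumed)

    # 1) Backup Operators membership supplies SeBackupPrivilege.
    $member = Get-LocalGroupMember -Group 'Backup Operators' -Member $Account -ErrorAction SilentlyContinue
    if (-not $member) { Add-LocalGroupMember -Group 'Backup Operators' -Member $Account }

    # 3) Full Control on the key that governs the Security log.
    $acl  = Get-Acl -Path $EventlogKey
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $EventlogKey -AclObject $acl
}

function Test-SecurityLogBackupRights {
    # Run as the account that will do the backup; shows which prerequisite is
    # still missing. whoami lists privileges held by the token even when disabled.
    $privs = @{}
    foreach ($p in (whoami /priv /fo csv | ConvertFrom-Csv)) { $privs[$p.'Privilege Name'] = $p.State }
    $keyAcl = Get-Acl -Path $EventlogKey -ErrorAction SilentlyContinue
    $full   = @($keyAcl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.RegistryRights -eq 'FullControl' })
    [pscustomobject]@{
        SeSecurityPrivilege = $privs['SeSecurityPrivilege']      # $null = not held
        SeBackupPrivilege   = $privs['SeBackupPrivilege']
        BackupOperators     = [bool]((whoami /groups) -match 'BUILTIN\\Backup Operators')
        KeyFullControlFor   = ($full | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    }
}

function Backup-AndClearEventLog {
    # The VBScript's BackupEventLog/ClearEventLog calls. -EnableAllPrivileges is
    # the cmdlet form of the (Backup,Security) moniker clause: WMI enables those
    # privileges for the call only if the account already holds them.
    param([string]$LogName = 'Security', [string]$ArchiveDir = 'C:\SecLogArchive')
    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $path  = Join-Path $ArchiveDir "$LogName-$stamp.evt"    # .evtx on Vista and later
    $log = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogFileName='$LogName'" -EnableAllPrivileges
    if (-not $log) { throw "No event log named '$LogName'" }

    $rc = $log.BackupEventLog($path).ReturnValue
    switch ($rc) {
        0       { }
        8       { throw 'Privilege missing: SeBackupPrivilege or SeSecurityPrivilege not in the token' }
        21      { throw "Invalid parameter: check the archive path $path" }
        183     { throw "Archive file already exists: $path" }
        default { throw "BackupEventLog failed with return code $rc" }
    }
    # Clear only after the archive is on disk and non-empty, never before.
    if (-not (Test-Path $path) -or (Get-Item $path).Length -eq 0) {
        throw "Archive $path missing or empty; log not cleared"
    }
    $rc = $log.ClearEventLog().ReturnValue
    if ($rc -ne 0) { throw "ClearEventLog failed with return code $rc" }
    return $path
}

# Elevated, once:   Grant-SecurityLogBackupRights -Account "$env:COMPUTERNAME\isso1"
# As that account:  Test-SecurityLogBackupRights; Backup-AndClearEventLog -LogName Security
```

Run `Test-SecurityLogBackupRights` from the session that will actually perform the backup rather than from an administrator console: on Vista and later a Backup Operators member's non-elevated interactive token is filtered, so SeBackupPrivilege may not be present there even though the group membership is correct.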

Claus Greck [MVP]

Why so complicated? :)

Try eventsave, it is freeware: http://www.heysoft.de/nt/eventlog/dp-es.htm
(sorry, only in German, but very good software for this purpose)

Claus Greck
[MVP - Server Directory Services]


"JohnBates" <JohnBates@discussions.microsoft.com> wrote in news message
news:E5F29A6B-5AF5-4DC2-8DFB-A831FD678D52@microsoft.com...

JohnBates

That link is nice (and thank you it may be helpful for some unclassified
stations) but this is for the classified stations I admin where allowing
admin rights is an issue. Ironically I found out that if you take a standard
user and give them the "Manage Auditing and Security Log" privilege via
policy they can...

1) Open the Event Viewer and View the Security Log (good so far)
2) Clear the Security Log (2 of 3 check)
3) They -cannot- save the Security log (If they can -clear- it why can't
they save it???)

From a security standpoint clearing it is much worse than saving it. From
an ideal security standpoint viewing, saving and clearing would be separate
events you could regulate. But I can certainly see saving going hand in hand
with viewing, as saving is simply allowing you to view at a later time. But
clearing, whoa, the auditors would frown on that.

By making this script work I do not have to make my ISSOs (Information
Systems Security Officers) members of the administrator group to backup and
review the security logs each week for each station I administer. I have a
VB.Net app I have created that utilizes this script behind the scenes so that
when they click the archive button it creates the appropriate path and saves
the .evt and then launches another script calling xcacls to set permissions to
only allow specified users to access them with read-only and only admins
having full control.
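The xcacls step John describes, as an added PowerShell example that is not his VB.Net app or his script: cut the archive file off from inherited permissions, leave Full Control to Administrators and SYSTEM and read-only to the named reviewers, then list who can still modify the file and record its hash. The reviewer account name `isso1` is an assumption.

```powershell
# Added example (not John's VB.Net app or xcacls script). The reviewer account
# name is an assumption; run as the archiving account (file owner) or an admin.
function Get-LogArchiveWriters {
    # Identities whose Allow ACE carries any write, delete or ACL-change right.
    # For an audit archive this should come back as Administrators and SYSTEM only.
    param([Parameter(Mandatory)][string]$Path)
    $mask = [int][System.Security.AccessControl.FileSystemRights]'Write,Delete,ChangePermissions,TakeOwnership'
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $mask) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value }
}

function Protect-LogArchive {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Readers = @("$env:COMPUTERNAME\isso1")    # assumed ISSO account(s)
    )
    $R   = [System.Security.AccessControl.FileSystemAccessRule]
    $acl = Get-Acl -Path $Path
    # Cut inheritance without copying the inherited ACEs, so the archive does
    # not keep a "Users: Read" or "Authenticated Users: Modify" from the folder.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $acl.AddAccessRule($R::new('BUILTIN\Administrators', 'FullControl', 'Allow'))
    $acl.AddAccessRule($R::new('NT AUTHORITY\SYSTEM',    'FullControl', 'Allow'))
    foreach ($reader in $Readers) {
        # ReadAndExecute carries no write, delete or permission-change bits.
        $acl.AddAccessRule($R::new($reader, 'ReadAndExecute', 'Allow'))
    }
    Set-Acl -Path $Path -AclObject $acl
    # Record a hash at archive time so a later review can tell a modified file.
    [pscustomobject]@{
        Path    = $Path
        Sha256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Writers = @(Get-LogArchiveWriters -Path $Path)
    }
}

# Usage (archive path assumed):
# Protect-LogArchive -Path 'C:\SecLogArchive\Security-20240101-000000.evt'
```

Keep the returned hash somewhere the reviewers, not the archiving account, control; the ACL stops the reviewer accounts from altering the file, but only the recorded hash shows whether an administrator did.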