A common cause of this issue is the security access rights on the event logs.
* SDDL = Security Descriptor Definition Language
* ACE String
* SID String
* Microsoft Support
To check the access rights on the machine's event log, open Run > regedit, then browse to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\CustomSD
The Data column shows the SDDL configuration of the event log. Example from my machine:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x7;;;NS)
To construct an SDDL string, note that there are three distinct rights that pertain to event logs: Read, Write, and Clear. These rights correspond to the following bits in the access rights field of the ACE string:
1 = Read
2 = Write
4 = Clear
(0x3 means Read and Write; use whichever value you need, such as 0x7.) Refer to the values above. Just copy an existing ACE set and paste it at the end of the string, e.g. the part I bolded in blue.
The "IU" I highlighted in red above refers to the interactively logged-on user. Now, you may ask how I know which SID string to use if I want to allow the NETWORK SERVICE user to have write access to the event log.
I have listed some of the most commonly used SID strings and their values; for details, please refer to the links I posted above.
(AU) Authenticated Users; (NU) Network logon user; (NS) Network Service account; (SU) Service logon user
When you hit this kind of error, first find out which account does not have access rights to the event log, then grant it the correct rights to solve the problem.
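To see which account is missing a right before editing CustomSD, the string can be decoded offline. The following Python sketch is an added example, not part of the original post: it parses the SDDL value quoted above, evaluates the ACEs in order for a set of SID strings, and shows the "copy a set and paste it behind" step. The function names are hypothetical, and it assumes hex access masks and no SACL section, as in the sample.

```python
import re

# Event log rights bits, as listed in this post.
RIGHTS = {0x1: "Read", 0x2: "Write", 0x4: "Clear"}

# The CustomSD value quoted in this post, used here as sample input.
SAMPLE = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
          "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)"
          "(A;;0x3;;;S-1-5-3)(A;;0x7;;;NS)")

# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\((A|D);[^;]*;([^;]*);[^;]*;[^;]*;([^)]+)\)")

def parse_aces(sddl):
    """Return [(ace_type, mask, sid)] for every allow/deny ACE in the string."""
    # Assumption: masks are numeric (0x...), as in the sample, not symbolic.
    return [(t, int(mask, 0), sid) for t, mask, sid in ACE_RE.findall(sddl)]

def effective_rights(sddl, token_sids):
    """Walk the ACEs in order; each bit is decided by the first ACE that matches."""
    granted = denied = 0
    for ace_type, mask, sid in parse_aces(sddl):
        if sid not in token_sids:
            continue
        if ace_type == "A":
            granted |= mask & ~denied
        else:
            denied |= mask & ~granted
    return [name for bit, name in RIGHTS.items() if granted & bit]

def grant(sddl, sid, mask):
    """Append an allow ACE to the end of the string (assumes no SACL follows)."""
    return f"{sddl}(A;;{hex(mask)};;;{sid})"

if __name__ == "__main__":
    print("NS:", effective_rights(SAMPLE, {"NS"}))
    print("AU before:", effective_rights(SAMPLE, {"AU"}))
    updated = grant(SAMPLE, "AU", 0x3)
    print("AU after:", effective_rights(updated, {"AU"}))
    # An account that also matches an earlier deny ACE (here BG) stays blocked.
    print("AU+BG after:", effective_rights(updated, {"AU", "BG"}))
```

Because the new ACE is appended after the existing deny entries, an account that also matches one of those deny ACEs still gets no access; grant only the bits the account needs (0x2 for write-only, for instance) rather than 0x7.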
Hope this post can help you!