Windows Access Rights - Getting some log data but not security events
I am reviewing the enVision Windows Agentless Collection Troubleshooting guide.
But I can't seem to determine the particular issue that I am having for certain servers in one region. I am getting "application event" log data and "system event" log data, but I am not getting "security event" log data.
I have enVision configured to gather all logs by default, yet no security log data is captured. I know it is being produced, because I generated some security_529 events and the admin said that he saw them appear.
I am 100% certain that my issue is caused by a lack of privileges. Can anyone guide me on which privileges are missing? Our server admin in the region is struggling to find the cause. Also, I read somewhere within enVision
that it is recommended to ensure the account used by enVision is granted "local admin privileges", but I cannot find that documented now that I am looking for it. Can someone send me a link or document where RSA recommends this level of access?
There are a couple of things you can do to help.
1. From the Event Viewer, do a search against the NIC System, and specify the string "agentless" in one of the Search boxes (you can click regex). That will return the records that relate to the NIC Windows Service, and should give you an idea of the exact error message regarding your access to the Security Logs on the Windows Servers.
2. To grant "Local Admin Privileges" to the user account you created for retrieving Windows Logs from your Windows Servers into enVision, you will need to open "Local Users and Groups" from the Control Panel of the Windows server. Alternatively, you can use the compmgmt.msc MMC console. Add the user you created locally and assign Administrator privileges to the account. Once that is done, you should be able to retrieve logs.
Good luck. Let me know how it goes.
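The two steps in the answer above, scripted for a region with several servers, as an added example that is not part of the original post and not RSA's own tooling. It adds the collector account to the local Administrators group on each server (step 2) and then reads the newest entry from each of the three logs as that account, which is the same operation agentless collection has to perform; an access-denied message here is the same one you would otherwise go looking for in the NIC System log (step 1). The account name `DOMAIN\svc_envision` and the server names in `$servers` are placeholders, not values from the original thread.

```powershell
# Added example: not from the original post or from RSA documentation.
# Assumed names (replace them): the enVision collector account
# DOMAIN\svc_envision and the two servers listed in $servers.

$account = 'DOMAIN\svc_envision'
$servers = @('srv-region1-01', 'srv-region1-02')

# Step 2 of the answer: put the collector account into the local
# Administrators group on each server. The ADSI WinNT provider is used
# because it works on Windows Server 2003/2008 as well as current
# versions; Add-LocalGroupMember only exists from PowerShell 5.1 on.
$adsiUser  = 'WinNT://' + ($account -replace '\\', '/') + ',user'
$shortName = ($account -split '\\')[-1]

foreach ($server in $servers) {
    $group = [ADSI]"WinNT://$server/Administrators,group"
    # Enumerate current members so the script is safe to re-run.
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    if ($members -contains $shortName) {
        Write-Host "$server : $account is already a member of Administrators"
    } else {
        $group.Add($adsiUser)
        Write-Host "$server : added $account to Administrators"
    }
}

# Verification: read the newest event from Application, System and
# Security on each server *as the collector account*. If Application and
# System succeed while Security fails, the error text below is the
# privilege problem the thread is about.
$cred = Get-Credential -UserName $account -Message 'enVision collector account password'

foreach ($server in $servers) {
    foreach ($log in 'Application', 'System', 'Security') {
        try {
            $ev = Get-WinEvent -ComputerName $server -Credential $cred `
                               -LogName $log -MaxEvents 1 -ErrorAction Stop
            Write-Host ("{0} : {1} readable (latest event id {2} at {3})" -f `
                        $server, $log, $ev.Id, $ev.TimeCreated)
        } catch {
            Write-Warning ("{0} : {1} NOT readable as {2}: {3}" -f `
                           $server, $log, $account, $_.Exception.Message)
        }
    }
}
```

Run it from a management host that can reach the servers over SMB/RPC, under an account that is allowed to change local group membership on them; the Get-Credential prompt is for the collector account, not for yours. One caveat the answer does not mention: local Administrator membership is more than the Security log read actually requires. The Security log is protected by the "Manage auditing and security log" user right (SeSecurityPrivilege), and on Windows Server 2008 and later the built-in Event Log Readers group also grants read access, so if your change-control process objects to a blanket local admin grant, those are the narrower settings to test with the verification loop above.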