This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
FIRSTNAMELASTNA
Beginner
Beginner
‎2011-01-04 06:07 AM

WIndows collection of Application and System Logs

Hello,

 

I have Windows Machine Integrted with RSA and able to get only Security Logs but can't get any Logs for Application and System. Account which used to collect Security Log have the correct priveleges. On RSA envision - All three category selected to collect logs.

 

Please can any help If am missing any thing on Windows Agentless configuration area ?

 

Thanks.

0 Likes
Reply
7 Replies
RSAAdmin
Beginner
Beginner
‎2011-01-05 04:58 AM

Hi,

 

Please look up the error messages in RSA enVision. Filter in event viewer of enVision on agentless and the IP address of the Windows Server. You will see error messages on the application and system log collection which you  need to investigate.

 

Regards.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-01-05 06:25 AM

hi,

 

i'll save you some time, the only problem that you can read the security event log and not any other logs is because of insufficient privileges. you have to be local admin on the box you like to read logs from other wise you won't be able to read them.

if you only want to read the security event log you need only the manage auditing and security log

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-01-05 10:51 AM

You can read the application and system logs without being local admin! This is done in an environment where least privileges are very important.

 

Add the users SID to this reg key:

HKLM\System\CurrentControlSet\Services\Eventlog\Application\CustomSD\

HKLM\System\CurrentControlSet\Services\Eventlog\System\CustomSD\

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-01-05 12:22 PM

nice!

 

i'll check it out

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-01-05 04:13 PM

This may or may not be helpful in your environment.  Agentless Windows without needing a Doman Admin Account

 

::: on soap-box ::::

If your sales folks or anyone else for that matter told you that you needed admin accounts (local, domain, or otherwise) for Windows, they are not doing a good service and should be slapped around a little.  Not good practice to have security products breaking security practices just collect logs. 

::: off soap-box ::::

 

:robotmad:

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-01-06 12:51 AM

you're right, we just used the manage auditing and security logs permission and that allowed us to read the security event log which is the more interest log most of the time...
0 Likes
Reply
FIRSTNAMELASTNA
Beginner
Beginner
In response to RSAAdmin
‎2011-05-10 12:43 AM

Thanks - It help.

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.