Access Denied reading from Security log on Windows 2012

xiaozhuqq48 · April 26, 2016, 3:13pm

winlogbeat 1.2.1
windows 2012
configuration : most are the defaults. just the output for logstash.
[
winlogbeat:
registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
event_logs:
- name: Application
ignore_older: 72h
- name: Security
- name: System
]
In this way, the winlogbeat.exe can be started without getting any messages from Security. if Application and System are removed, then the winlogbeat will not be started.

But , in windows2008, the winlogbeat.exe can be started in both ways, and the three kinds of logs can be got.

Can anyone help?

andrewkroh · April 26, 2016, 3:30pm

Can you provide the log output from Winlogbeat when it fails to start?

How are you starting Winlogbeat? What user are you starting Winlogbeat as? The Security log requires administrator privileges to read. If it's a permissions problem it should be logged.

xiaozhuqq48 · April 27, 2016, 12:29am

It seems to be a permission problem.

when i type in "winlogbeat.exe -e"

There is one output "WARN EventLog[Security] Open() error. No events will be read from this source. Accessis denied."

And PowerShell "get-eventlog" can't get any messages.But windows2008 can do it.

Do you happen to have the conresponding solutions on windows2012?

thanks.

xiaozhuqq48 · April 27, 2016, 12:32am

the user is "administrator"

xiaozhuqq48 · April 27, 2016, 12:45am

it's solved.

The winlogbeat.exe is runned as Administrator.

system · May 18, 2016, 12:46am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.