Access Denied reading from Security log on Windows 2012

Elastic Stack Beats
1

winlogbeat 1.2.1
windows 2012
configuration : most are the defaults. just the output for logstash.
[
winlogbeat:
registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
event_logs:
- name: Application
ignore_older: 72h
- name: Security
- name: System
]
In this way, the winlogbeat.exe can be started without getting any messages from Security. if Application and System are removed, then the winlogbeat will not be started.

But , in windows2008, the winlogbeat.exe can be started in both ways, and the three kinds of logs can be got.

Can anyone help?

2

Can you provide the log output from Winlogbeat when it fails to start?

How are you starting Winlogbeat? What user are you starting Winlogbeat as? The Security log requires administrator privileges to read. If it's a permissions problem it should be logged.

3

It seems to be a permission problem.

when i type in "winlogbeat.exe -e"

There is one output "WARN EventLog[Security] Open() error. No events will be read from this source. Accessis denied."

And PowerShell "get-eventlog" can't get any messages.But windows2008 can do it.

Do you happen to have the conresponding solutions on windows2012?

thanks.

4

the user is "administrator"

5

it's solved.

The winlogbeat.exe is runned as Administrator.

:slight_smile:

6

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.