Cannot read Security logs

When I right click winlogbeat executable and select Run As Administrator, I get the following message in the log file:

WARN EventLog[Security] Open() error. No events will be read from this source. Access is denied.

I am able to view security logs both through the Event Viewer and the command line. Any ideas? When I select non-Security logs in the config, it works fine.

The access restrictions on the Security log are different than other event logs. On a vanilla Windows install a process running as Administrator should be able to access the Security log.

Have you tried running Winlogbeat as a service?

PS C:\Users\me> Get-WinEvent -ListLog Security | Format-List -Property *


FileSize                       : 1118208
IsLogFull                      : False
LastAccessTime                 : 1/13/2015 9:26:10 AM
LastWriteTime                  : 11/16/2017 7:52:42 AM
OldestRecordNumber             : 1
RecordCount                    : 1293
LogName                        : Security
LogType                        : Administrative
LogIsolation                   : Custom
IsEnabled                      : True
IsClassicLog                   : True
SecurityDescriptor             : O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
LogFilePath                    : %SystemRoot%\System32\Winevt\Logs\Security.evtx
MaximumSizeInBytes             : 20971520
LogMode                        : Circular
OwningProviderName             :
ProviderNames                  : {DS, LSA, SC Manager, Security...}
ProviderLevel                  :
ProviderKeywords               :
ProviderBufferSize             : 64
ProviderMinimumNumberOfBuffers : 0
ProviderMaximumNumberOfBuffers : 16
ProviderLatency                : 1000
ProviderControlGuid            :

The above output shows the SecurityDescriptor that controls the access to the Security log. I'm curious if yours is different? If so, did someone modify the registry? See CustomSD.

We get the following error when running that command:

PS C:\Users\Administrator> Get-WinEvent -ListLog Security | Format-List -Property *
Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized
operation..
At line:1 char:1
+ Get-WinEvent -ListLog Security | Format-List -Property *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], Exception
   + FullyQualifiedErrorId : LogInfoUnavailable,Microsoft.PowerShell.Commands.GetWinEventCommand

Get-WinEvent : There is not an event log on the localhost computer that matches "Security".
At line:1 char:1
+ Get-WinEvent -ListLog Security | Format-List -Property *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
   + FullyQualifiedErrorId : NoMatchingLogsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

We checked the registry for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security, those permissions look fine.

We also checked the file permissions in C:\Windows\System32\winevt\Logs. Those all looked fine.

This is a 2016 Windows AD server. We were logged in as the domain admin.

The domain admin is most likely different than a local admin. The domain admin probably isn't a member of the Event Log Readers group.

Winlogbeat is going to be running as the local service account if you use the provided install scripts. This account should be able to read from the Security log.

Here are the CustomSD values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security for three different hosts. The first host is getting the Get-WinEvent error, and the other two work:

// Doesn't work
O:BAG:SYD:(A;;CC;;;S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)(A;;CC;;;NS)
// Works
O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)(A;;CC;;;S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)(A;;CC;;;NS)
// Works
O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)(A;;CC;;;NS)

We are definitely in an administrator shell, i.e., right click on the PowerShell shortcut and select "Run As Administrator" when running the Get-WinEvent command on each host. Which API does winlogbeat use to grab the Security logs? Does winlogbeat, perhaps because of some dependency, actually need access to a functioning "Event Log Readers" group?

It uses EvtSubscribe and EvtNext.

Have you tried running Winlogbeat as a service? (See Getting Started: Step 6 - Starting Winlogbeat.) I would expect this to work.

Regarding running as a Domain Administrator, does your GPO give the admin group the user right to "Manage auditing and security log"? I believe this is where the SE_SECURITY_NAME privilege comes from that allows a user to access the Security log (as specified here).

We do run it as a Windows service. I looked at the Windows "Services" GUI, and it was running as "Local System".

We still saw the following error:

WARN EventLog[Security] Open() error. No events will be read from this source. Access is denied.

Earlier you said that you ran it in a different manner. Perhaps you should stop it, clear the logs, start the service, and then check the logs to see if it is giving an "Access denied".

We tried both :slight_smile:

Is this problem occurring exclusively on the machines where Get-WinEvent fails?

I haven't seen this problem before. The closest issue I have seen is when a user installed a security update and the CustomSD value became empty. They were getting access denied until they restored the CustomSD value.

I think I would probably fire up Process Explorer from Sysinternals and check to see if the winlogbeat.exe process has the SeSecurityName. And compare that to another machine where it is working.

Thanks for the advice Andrew!

We can try that.

Is this problem occurring exclusively on the machines where Get-WinEvent fails?

I haven't seen this problem before. The closest issue I have seen is when a user installed a security update and the CustomSD value became empty. They were getting access denied until they restored the CustomSD value.

We have run it on 3 machines. winlogbeat is working on 1 machine, and not on the other 2. The command only fails on the non-functioning machine. So, plausibly, there is a connection between the command failing and winlogbeat failing.

One can decode the CustomSD from the command line:

// From the broken host
PS C:\Users\Administrator> ConvertFrom-SddlString "O:BAG:SYD:(A;;CC;;;S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)(A;;CC;;;NS)"


Owner            : BUILTIN\Administrators
Group            : NT AUTHORITY\SYSTEM
DiscretionaryAcl : {NT AUTHORITY\NETWORK SERVICE: AccessAllowed (ListDirectory), : AccessAllowed (ListDirectory)}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor
// From the first functioning host:
PS C:\Users\Administrator> ConvertFrom-SddlString "O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)(A;;CC;;;S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)(A;;CC;;;NS)"


Owner            : BUILTIN\Administrators
Group            : NT AUTHORITY\SYSTEM
DiscretionaryAcl : {NT AUTHORITY\SYSTEM: AccessAllowed (ChangePermissions, CreateDirectories, Delete, GenericExecute, ListDirectory, ReadPermissions, TakeOwnership), NT AUTHORITY\NETWORK SERVICE: AccessAllowed (ListDirectory), BUILTIN\Administrators:
                   AccessAllowed (CreateDirectories, ListDirectory), BUILTIN\Event Log Readers: AccessAllowed (ListDirectory)...}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor
// From the second functioning host
PS C:\Users\Administrator> ConvertFrom-SddlString "O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)(A;;CC;;;NS)"


Owner            : BUILTIN\Administrators
Group            : NT AUTHORITY\SYSTEM
DiscretionaryAcl : {NT AUTHORITY\SYSTEM: AccessAllowed (ChangePermissions, CreateDirectories, Delete, GenericExecute, ListDirectory, ReadPermissions, TakeOwnership), NT AUTHORITY\NETWORK SERVICE: AccessAllowed (ListDirectory), BUILTIN\Administrators:
                   AccessAllowed (CreateDirectories, ListDirectory), BUILTIN\Event Log Readers: AccessAllowed (ListDirectory)}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor

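The ConvertFrom-SddlString output above has to be read by eye. The following script is an added example (not code from the thread or from Winlogbeat) that decodes a CustomSD with .NET's RawSecurityDescriptor and reports whether SYSTEM, Administrators and Event Log Readers hold the event-log read right (0x1, written "CC" in SDDL); the function name, the -Sddl parameter and the hard-coded well-known SIDs are my own choices.

```powershell
# Added example: check which well-known principals a Security-log CustomSD
# grants read access to. Without -Sddl the value is read from this host's registry.
function Test-SecurityLogCustomSD {
    param([string]$Sddl)

    if (-not $Sddl) {
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
        $Sddl = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
        if (-not $Sddl) { return 'CustomSD absent or empty: the OS default descriptor applies.' }
    }

    # Well-known SIDs that the default Security-log descriptor grants read to.
    $expected = [ordered]@{
        'NT AUTHORITY\SYSTEM'       = 'S-1-5-18'
        'BUILTIN\Administrators'    = 'S-1-5-32-544'
        'BUILTIN\Event Log Readers' = 'S-1-5-32-573'
    }
    $READ = 0x1   # ELF_LOGFILE_READ, shown as "CC" in SDDL and "ListDirectory" by ConvertFrom-SddlString

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
    $granted = @{}
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }        # deny ACEs never grant read
        if (($ace.AccessMask -band $READ) -eq 0) { continue }     # ACE does not include read
        $granted[$ace.SecurityIdentifier.Value] = $true
    }

    foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Principal = $name
            Sid       = $expected[$name]
            CanRead   = [bool]$granted[$expected[$name]]
        }
    }
}

# The descriptor from the broken host in the thread: only the service SID and
# NETWORK SERVICE get read, so all three rows come back with CanRead = False.
Test-SecurityLogCustomSD -Sddl 'O:BAG:SYD:(A;;CC;;;S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)(A;;CC;;;NS)'

# The descriptor from the first working host: all three rows come back True.
Test-SecurityLogCustomSD -Sddl 'O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)(A;;CC;;;S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)(A;;CC;;;NS)'
```

Run it with no arguments on each host to compare live registry values; a False for a principal that Winlogbeat runs as is the DACL-level cause to look at first, while the "Manage auditing and security log" user right mentioned earlier in the thread is the separate, privilege-level path to check.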

@andrewkroh I was able to get onto a test Windows system, and I tried the registry values out. It does look like the customSD of O:BAG:SYD:(A;;CC;;;S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)(A;;CC;;;NS) out.

It did reproduce the issue; the Administrator user cannot access the log. Deleting the registry value entirely seemed to have no impact on the system, and it restores access to the logs.

Thanks for the update. Probably this will be helpful to the next person that encounters a similar issue. And the ConvertFrom-SddlString util is quite useful to know about.
