Windows 2008 Eventlogs best practice and server\Users permission

permissions, windows-event-log, windows-server-2008, windows-server-2008-r2

I have a couple of questions about Windows Event Logs and permissions for Server 2008 best practice, and about what Users is in 2008.
I am trying to write EVT logs off to another drive instead of the default drive. When I redirect the logs to another drive (via right-click, Properties, change path) instead of the default C:, they fail to write unless server\Users has access to the folder the logs are writing into. Specifically, Users has the following permissions: Create files/write data; create folders/append data; traverse folder/execute file; list folder/read data; read attributes; read extended attributes.

If this permissioning isn't on the folder then, even as an administrator on the server, the folder shows a lock icon and EVT logs won't write to it. In 2003, just having SYSTEM with these permissions seems to do the trick, but in 2008 that doesn't seem to be enough. So what exactly does Users break down to, and what are some best practices for writing EVT logs off to another drive in 2008?

Best Answer

In Windows Server 2008, there is a new virtual account that is used to manage log files. You will need to give "NT SERVICE\eventlog" the following permissions on the new log folder:

Allow all except "Delete", "Change permissions", and "Take ownership". Apply permissions to "This folder, subfolders and files". "LOCAL SERVICE" should be the owner of the log files.
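The folder permissions described in this answer, scripted so they can be applied and checked in one pass. This is an added example, not code from the original post. It assumes the new log folder is D:\EventLogs and the log being relocated is Application (both are placeholders), and that it is run from an elevated PowerShell prompt on the server. The "NT SERVICE\EventLog" principal and the LOCAL SERVICE owner come from the answer above.

```powershell
# Added example, not from the original post.
# Assumptions: $LogFolder and $LogName are placeholders; run elevated on the server.
param(
    [string]$LogFolder = 'D:\EventLogs',   # assumed target folder
    [string]$LogName   = 'Application'    # assumed log to relocate
)

$ErrorActionPreference = 'Stop'

# 1. Create the target folder if it does not exist yet.
if (-not (Test-Path -LiteralPath $LogFolder)) {
    New-Item -ItemType Directory -Path $LogFolder | Out-Null
}

# 2. Rights from the answer: everything except Delete, Change permissions and Take ownership.
$fsr      = [System.Security.AccessControl.FileSystemRights]
$excluded = [int]($fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership)
$rights   = [System.Security.AccessControl.FileSystemRights]([int]$fsr::FullControl -band (-bnot $excluded))

# "This folder, subfolders and files" = ContainerInherit + ObjectInherit, no propagation-only flags.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

$eventLogSvc = [System.Security.Principal.NTAccount]'NT SERVICE\EventLog'
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $eventLogSvc, $rights, $inherit, $prop,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -LiteralPath $LogFolder
$acl.AddAccessRule($ace)
Set-Acl -LiteralPath $LogFolder -AclObject $acl

# 3. Owner as recommended in the answer. icacls enables the restore privilege it
#    needs to assign ownership to another account when run elevated.
icacls $LogFolder /setowner 'NT AUTHORITY\LOCAL SERVICE' | Out-Null

# 4. Check: show the ACE that was written and the resulting owner.
(Get-Acl -LiteralPath $LogFolder).Access |
    Where-Object { $_.IdentityReference -eq 'NT SERVICE\EventLog' } |
    Format-List IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
(Get-Acl -LiteralPath $LogFolder).Owner

# 5. Redirect the log to the new folder and confirm the configured path.
$newPath = Join-Path $LogFolder "$LogName.evtx"
wevtutil sl $LogName /lfn:"$newPath"
wevtutil gl $LogName | Select-String 'logFileName'
```

Step 5 does what the question's "right-click, Properties, change path" does from the command line; the wevtutil gl output should show the new logFileName, and the .evtx file should appear in the folder once the service reopens the log. The lock overlay Explorer draws on a folder only reflects that no inheritable Users or Authenticated Users entry is present; it says nothing about whether the Event Log service can write there, so check the ACE and the resulting file rather than the icon.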