Windows – Grant access to Event Viewer “Application and Services Logs” via GPO

active-directoryeventviewergroup-policywindowswindows-event-log

My monitoring team has requested to be able to read the logs under "Application and Services" in 2008/2012/2016 event viewer. These are the logs that reside in "%SystemRoot%\System32\Winevt\Logs\". Specifically, they're interested in the "Operations Manager" log, which deals with the MS SCOM client's health and activities.

I've tried:

  • Adding them to the "Event Log Readers" group on each server via GPO. This lets them get to the Application event log and System event log, but not the other logs.
  • Granting them read access to the "%SystemRoot%\System32\Winevt\Logs\Operations Manager.evtx" file
  • Granting them read access to the "%SystemRoot%\System32\Winevt\Logs\" folder.

    • None of these have helped, they get an access denied.

    The ideal solution would be deployable by GPO, not require admin rights, and allow them to connect to a server remotely via Event Viewer without going through Remote Desktop, command line, or powershell.

    I'm stuck. Any help is appreciated!

    Best Answer

    Granting permission to the files is not going to provide access.

    If you find that Event Log Readers does not have access to any of the logs under Applications and Services Logs, you can create a list of the log names and use wevtutil to grant your custom permission:

    REM %%i in a cmd script, or %i if running interactively
FOR /F %%i in (Lognames.txt) DO (
  REM Event Log Readers (S-1-5-32-573) security principal
  wevtutil sl %%i /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)
)

    You may want to confirm which Event Log Readers the accounts have been added to. For member servers, they need to be added to the local Event Log Readers group. For domain controllers, the domain builtin Event Log Readers group.

    Related Topic