We know that in an enterprise environment a service user with full administrator privileges is a bad idea, and every high-level security manager will refuse it. So here's the task: collection via WMI with a non-admin user. I followed the steps below, and added some extra steps described further below.
In command line:
- winrm quickconfig
- wevtutil sl Security /ca:<existing SDDL>(A;;0x3;;;<service user SID>) / giving the service user READ and WRITE permission to the Security event log
- winrm configsddl wmi
- In the prompted window: added the service user with full access
- Manage auditing and security logs
- Allow log on locally
- Impersonate a client after authentication
/these GPO settings should be enough, or maybe not needed, but for testing purposes I set all of the same privileges (tons of other policies, I won't list all of them) that a built-in administrator gets during a network logon, but still no success. I get the following error on the ESM side:
When I add the service user to the Administrators group, set up the ESM for WMI and write out the settings to the Receiver, it works. Then I remove the service user from the Administrators group, and it continues to work fine. All the logs are collected, even Security logs. Of course, the connection test is unsuccessful, and the "Get logs" query doesn't see the Security log. Just to be sure, I rebooted the Receiver to clear all cache and reset all sessions, and it's still working: no admin group, no "all-privs", just what I mentioned above. This workaround seems to be OK, but it's very ugly. Any idea?
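The Security-log ACL step from the post, scripted so it can be applied and then checked from the collector side. This is an added example, not code from the original poster or from the ESM vendor; the account name `CONTOSO\svc-siem` and the target host name are placeholders, and it assumes it runs elevated on the Windows host being collected. It grants only read (0x1) rather than the post's 0x3, because a collector never needs to write to the channel.

```powershell
# Added example (not from the original post). Placeholders: $ServiceAccount, $Target.
param(
    [string]$ServiceAccount = 'CONTOSO\svc-siem',   # placeholder: the non-admin collection account
    [string]$Target         = 'MONITORED-HOST'      # placeholder: host whose Security log is collected
)

# 1. Resolve the account to its SID; the channel ACL is expressed in SIDs, not names.
$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 2. Read the current channelAccess SDDL from 'wevtutil gl Security'. The line looks like
#    'channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'.
$match = wevtutil gl Security | Select-String -Pattern '^channelAccess:\s*(.+)$'
if (-not $match) { throw 'Could not read channelAccess from wevtutil gl Security' }
$current = $match.Matches[0].Groups[1].Value

# 3. Append one allow ACE for the service account instead of hand-editing the string.
#    Event log channel access mask: 0x1 = read, 0x2 = write, 0x4 = clear.
#    The post grants 0x3; read-only (0x1) is the least privilege a collector needs.
$sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new($current)
$ace = [System.Security.AccessControl.CommonAce]::new(
          [System.Security.AccessControl.AceFlags]::None,
          [System.Security.AccessControl.AceQualifier]::AccessAllowed,
          0x1,
          [System.Security.Principal.SecurityIdentifier]$sid,
          $false, $null)
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

Write-Host "Old: $current"
Write-Host "New: $newSddl"
wevtutil sl Security /ca:$newSddl

# 4. Verify with the service account's own credentials, from a different host
#    (WMI and Get-WinEvent refuse explicit credentials for local connections).
#    Both calls must succeed without the account being in Administrators.
$cred = Get-Credential -UserName $ServiceAccount -Message 'Collector account password'

# Event log API path (what 'Get logs' style queries use)
Get-WinEvent -LogName Security -MaxEvents 1 -ComputerName $Target -Credential $cred |
    Select-Object TimeCreated, Id, ProviderName

# WMI path (what a WMI-based receiver uses); requires Remote Enable on the
# root\cimv2 namespace for the account in addition to the channel ACL above.
Get-WmiObject -Class Win32_NTLogEvent -Filter "Logfile='Security'" `
    -ComputerName $Target -Credential $cred | Select-Object -First 1 TimeGenerated, EventCode
```

If step 4 fails on the WMI path while Get-WinEvent succeeds, the channel ACL is fine and the remaining gap is on the WMI side (namespace security or DCOM launch/activation rights), which is a useful way to tell the two sets of permissions apart when tracing the error the ESM reports.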