Backup Security Event Log via script Problem

  • Thread starter Thread starter JohnBates
  • Start date Start date
J

JohnBates

Hello,

I have a problem I am beating my head against. I have a script that will
backup the security event log and then clear it. It works perfectly as an
administrator but a standard user cannot successfully run it.

Script:
---------------------------------------------------------------
'Arguments
fileName = WScript.Arguments.Item(0)
logType = WScript.Arguments.Item(1)
fullPathName = filename & ".evt"

'Display args passed
Wscript.echo "Argument 0 - fileName :" & fileName
Wscript.echo "Argument 1 - logType :" & logType
Wscript.echo "fullPathName :" & fullPathName

strComputer = "."
Set objWMIService = GetObject("winmgmts:" &
"{impersonationLevel=impersonate,(Backup,security)}!\\" & strComputer &
"\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("SELECT * FROM
Win32_NTEventLogFile WHERE LogFileName='" & logType & "'")


For Each objLogfile in colLogFiles
errBackupLog = objLogFile.BackupEventLog(fullPathName)

If errBackupLog = 0 Then
Wscript.Echo "The Security event log was backed up."
objLogFile.ClearEventLog()
End If
If errBackupLog = 8 Then
Wscript.Echo "Privilege missing!"
End If
If errBackupLog = 21 Then
Wscript.Echo "Invalid Parameter in call"
End If

If errBackupLog = 183 Then
Wscript.Echo "The archive file already exists."
End If
Next
----------------------------------------------------------------

I have tried assigning the following rights to my test user:

Manage Auditing and Security Rights
Impersonate a client after authentication
backup files and directories

From what I could find (which is somewhat sparse) it may have to do with
needing to set a CustomSD to the security event log. I have no experience
what so ever in regards to working with the windows security subsystems at
that level. Nor am I sure you could do that on a stand alone machine that is
not under a domain.

The user can view the security event log in the event viewer but not save it
it returns the error message "A required privilege is not held by the client".

Anyone have any ideas?

Thanks

John Bates
Raytheon

Note: I originally posted this in public.security...not sure if that forum
or this would be the right place.
 
We got it fixed!

The user has to have the following permissions:

1) member of backup operators group
2) Manage Auditing and Security log via policy
3) (and the one I never would have guessed) User must have Full permissions
to the key that governs the Security Log:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
 
Back
Top