Configuration options for systems with restricted policies for domain controller credentials
Users with appropriate remote access permissions might be able to collect events from remote systems without using domain administrator credentials. Depending on what information you collect, the user might need extra permissions. For example, a user might need to collect Security event logs remotely. Therefore, the user that is configured in the QRadar® log source must have remote access to the Security event log from the server where the Agent is installed. That user needs remote access to the following:
- Logs for security, system, and application events
- The remote registry
- Any directories that contain .dll or .exe files that contain message string information
With certain combinations of Windows operating system and group policies in place, alternative configurations might not be possible.
Remote collection inside or across a Windows domain might require domain administrator credentials to ensure that events can be collected. If your corporate policies restrict the use of domain administrator credentials, you might need to complete more configuration steps for your WinCollect deployment.
Permissions | Log Sources
---|---
The service account needs to be able to access the folder that the log file is in and open the file. |
The log source user must be a member of the Event Log Readers group. If this group is not configured, then domain administrative privileges are usually required to poll a Windows event log across a domain. | Microsoft Windows Security Event Log
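The following script is an added example, not part of the IBM WinCollect documentation. Run from the WinCollect agent host in Windows PowerShell 5.1, it checks the three preconditions above for a least-privilege log source user before the log source is enabled: Event Log Readers membership on the target, the Remote Registry service, and an actual remote read of the Security log. The host name, account name and WinRM availability are assumptions.

```powershell
# Added example: verify that a non-domain-admin log source user can poll a
# remote Windows Security event log. All names below are placeholders.
param(
    [string]$Target  = "DC01.example.local",      # host to be polled (placeholder)
    [string]$Account = "EXAMPLE\svc-wincollect"   # log source user (placeholder)
)

# Credentials of the log source user itself; the membership check (step 1)
# runs under the operator's own session, which is assumed to allow WinRM.
$cred    = Get-Credential -UserName $Account -Message "Password for the log source user"
$results = [ordered]@{}

# 1. Membership in the Event Log Readers local group on the target.
#    Only direct members are listed; membership through a nested domain
#    group would not show up here and must be checked separately.
try {
    $members = Invoke-Command -ComputerName $Target -ErrorAction Stop -ScriptBlock {
        Get-LocalGroupMember -Group "Event Log Readers" | Select-Object -ExpandProperty Name
    }
    $results["EventLogReadersMember"] = ($members -contains $Account)
} catch {
    $results["EventLogReadersMember"] = "check failed: $($_.Exception.Message)"
}

# 2. Remote Registry service running on the target (needed so that message
#    strings can be resolved). -ComputerName on Get-Service exists in
#    Windows PowerShell 5.1 but not in PowerShell 7.
try {
    $svc = Get-Service -Name RemoteRegistry -ComputerName $Target -ErrorAction Stop
    $results["RemoteRegistryRunning"] = ($svc.Status -eq "Running")
} catch {
    $results["RemoteRegistryRunning"] = "check failed: $($_.Exception.Message)"
}

# 3. The decisive test: read one Security event remotely as the log source
#    user. Access denied here means the account still lacks the rights the
#    table above describes, regardless of what the group checks report.
try {
    $null = Get-WinEvent -ComputerName $Target -LogName Security -MaxEvents 1 `
                         -Credential $cred -ErrorAction Stop
    $results["SecurityLogReadable"] = $true
} catch {
    $results["SecurityLogReadable"] = "denied: $($_.Exception.Message)"
}

[pscustomobject]$results | Format-List
```

A result of `True` for all three checks is what a log source configured with this account should show before you rely on it instead of a domain administrator account.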
When WinCollect agents collect events from the local host, the event collection service uses the Local System account credentials to collect and forward events. Local collection requires that you install a WinCollect agent on a host where local collection occurs.