Hi, had a sensor probe checking for security audit event ID 4070 to flag account lockouts within AD on all my DCs across the domain. All working fine until yesterday. Above message is appearing, any ideas on where to start investigating?
Error Code 1314 - required privilege is not held by the client
Hello,
What PRTG version are you currently using?
What sensor shows this error? You can see the sensor type in its Overview tab on the right side.
Kind regards,
Sasa Ignjatovic, Tech Support Team
Hi,
21.2.1
It's an Event Log (Windows API) sensor. It's monitoring security events for event ID 4070.
Other Windows API sensors on the same server are working, only this sensor has stopped working. Any server that has this sensor set up has stopped working overnight. It's set up on each Domain Controller to catch Active Directory user account lockouts.
thanks,
version is 21.2.1
Event log (Windows API)
Did you perhaps install any recent Windows updates?
We have cases where the security hardening changes relating to Event Tracing for Windows (ETW) for CVE-2021-31958 cause the Windows API sensor to stop working.
Currently, there is not much we can do about this from our side. An update of the probe and target system to the same patch level might solve the issue.
Kind regards,
Sasa Ignjatovic, Tech Support Team
Hi Sasa,
Yes, the latest security updates were installed 09/06/21 on both the probe and the target servers. Sensor hasn't worked since. Hopefully we hear of a solution soon.
Hello,
Currently we have an internal bugfix ticket open for this issue. We hope to have it fixed as soon as possible. Please check the release notes for the next releases of PRTG to see when this is fixed.
Benjamin Day
[Paessler Support]
Hi,
I have the same issue here. I only want to be alerted when critical events occur on my servers... Please update this KB if a fix is available or if a workaround is found.
Thanks,
This is only impacting the Windows API Eventlog sensor. The WMI Eventlog sensor is not impacted by this. If you are only filtering for a single event ID, then I would recommend switching to the WMI variant of the sensor as it will work fine. If you have a need for filtering on multiple event IDs, then you will need to wait for a fix to the Windows API.
Apologies for this inconvenience, but we are at the mercy of Microsoft when it comes to patches they roll out.
Benjamin Day
[Paessler Support]
Any news about that issue? Still not able to monitor my servers with the Windows API Eventlog sensor. Thank you,
We are still working on a fix.
Benjamin Day
[Paessler Support]
Hello guys!
I've had this problem after installing the latest updates as well...
So I've tried to find another solution, such as forwarding the logs from my source machine to the PRTG probe using the Windows Event Viewer.
Since the eventViewer subscription needs some settings to work, my PRTG Sensor got back from the dead as I was configuring the Windows Event Forwarding.
What I did is this:
On the Source Machine:
- Run the "winrm quickconfig" using an elevated CMD and follow through with a couple of confirmations;
- Add the PRTG Computer account in the Administrator group (windows lusrmgr.msc) of the Source Machine;
- Add the "NETWORK SERVICE" account in the Event Log Readers group;
On the PRTG Server:
- Run "wecutil qc" using an elevated CMD and follow through with a couple of confirmations;
That's what I was doing when the sensor got back to work...
Don't ask exactly what did the trick, I honestly don't know... hahaha
Robson,
Thanks for the information!!
Benjamin Day
[Paessler Support]