WMI Event Log Sensor does not show all Logfiles


Hello,

I would love to monitor "Microsoft-Windows-Backup" (%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Backup.evtx), but PRTG only shows "Application, HardwareEvents, Security, System, ...". How could I implement this?

Thanks!

event-log logfiles wmi

Created on Aug 9, 2021 11:40:15 AM



7 Replies


Hello,

Thank you for your message.

To monitor the log file "Microsoft-Windows-Backup" with the WMI Event Log sensor, I invite you to have a look at the article below, which explains how to add a log file to the "Win32_NTLogEvent" WMI class (used by the sensor).

https://docs.datadoghq.com/integrations/faq/how-to-add-event-log-files-to-the-win32-ntlogevent-wmi-class/

The log file should then be visible in the list provided by the meta-scan of the sensor.

If you have questions, let us know.

Regards.

Created on Aug 10, 2021 7:41:10 AM by  Florian Lesage [Paessler Support]

Last change on Aug 10, 2021 7:41:59 AM by  Florian Lesage [Paessler Support]




When I add the WMI Event Log sensor it doesn't show the Security log as an option. I read the article linked above. When I run that query a Security log entry is returned. So, the Security log is in the Win32_NTLogEvent class.

I also checked the permissions for the Security log compared to the Application and System logs, which do show up when I add the sensor. The permissions match for all three.

Please advise.

Created on Mar 15, 2023 12:40:25 PM




Hi there,

I just tested it with the latest version .82 of PRTG and the WMI Eventlog Sensor lists the Security Event logs. Do you use an administrator in the Credentials for Windows Device settings of the parent device?


Kind regards,
Felix Saure, Technical Support Team

Created on Mar 22, 2023 7:22:24 AM by  Felix Saure [Paessler Support]




Thanks for replying.

We are not using an administrator level account. The domain account we are using is part of the local Event Log Readers, Performance Monitor Users and Performance Log Users groups.

We're trying to avoid just using a domain admin given the security implications.

Thanks again.

Created on Mar 22, 2023 7:52:12 PM




Update: that user is also a member of these additional local groups: Distributed DCOM Users and Remote Management Users

Created on Mar 22, 2023 7:55:12 PM




Hello MGClark,

The access rights are defined by Microsoft. If you enter a Domain Admin for a test, does this work correctly?

I'm afraid that we do not have a whitepaper, nor do we know of a particular guide from Microsoft on what exact user rights it will require for the monitoring. If you find any, let us know and we can consider updating the documentation accordingly.


Kind regards,
Felix Saure, Technical Support Team

Created on Mar 23, 2023 10:07:09 AM by  Felix Saure [Paessler Support]




Note from Paessler:
Please ensure that you take a close look at the parameters which are set in the provided calls to change the access rights of the EventLogs, as these could provide a false sense of security if they grant access to classes to which a regular user account would not have access. Thanks for sharing, mgclark!



Success!

I found this page that had the wrong permission changes to access the Security log remotely. So, the user account is not a domain admin and the sensor works as expected.

https://girl-germs.com/?p=1538

Created on Mar 28, 2023 5:43:53 PM

Last change on Mar 29, 2023 6:24:00 AM by  Felix Saure [Paessler Support]
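Following the Paessler note above about checking what access-rights changes actually grant: the sketch below is an added example, not code from this thread, the linked pages or Paessler. Event log channel access is stored as an SDDL string, and the function lists each allow entry and flags broad principals or non-admin write/clear rights. The function name, the sample SDDL and the account SID in it are constructed for illustration.

```powershell
# Event log channel access bits (ELF_LOGFILE_READ / WRITE / CLEAR).
$Rights = [ordered]@{ Read = 0x1; Write = 0x2; Clear = 0x4 }

# Principals that cover far more than a single monitoring account.
$Broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Principals expected to hold write/clear rights on a log.
$Privileged = 'S-1-5-18', 'S-1-5-32-544'   # SYSTEM, Administrators

# Hypothetical helper: review the allow ACEs of one channel's SDDL.
function Test-EventLogSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $sid     = $ace.SecurityIdentifier.Value
        $granted = @($Rights.Keys | Where-Object { $ace.AccessMask -band $Rights[$_] })
        $finding = 'ok'
        if ($Broad.ContainsKey($sid)) {
            $finding = "broad principal: $($Broad[$sid])"
        } elseif ($sid -notin $Privileged -and ($ace.AccessMask -band 0x6)) {
            $finding = 'non-admin principal can write or clear the log'
        }
        [pscustomobject]@{
            Sid     = $sid
            Mask    = '0x{0:x}' -f $ace.AccessMask
            Rights  = $granted -join ','
            Finding = $finding
        }
    }
}

# Constructed sample, not taken from a real host. S-1-5-32-573 is Event Log
# Readers; the S-1-5-21-... SID stands in for a dedicated monitoring account.
# On a live system, read the value with:
#   (Get-WinEvent -ListLog Security).SecurityDescriptor
$sample = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)' +
          '(A;;0x1;;;S-1-5-21-1111111111-2222222222-3333333333-1105)' +
          '(A;;0x7;;;AU)'

Test-EventLogSddl -Sddl $sample | Format-Table -AutoSize
```

This covers only the event log channel ACL; the group memberships discussed earlier in the thread are separate and are not checked here.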



