Skip navigation
16914 Views 9 Replies Latest reply: Feb 25, 2010 10:55 AM by Justin Shepard RSS
Justin Shepard Rank: White Belt 14 posts since
Feb 24, 2010
Currently Being Moderated

Feb 24, 2010 5:47 PM

Modifying ZenEventLog for non-privileged accounts

There has been some activity lately regarding how to set up a non-admin account with access to Windows event logs. Here is my understanding of the situation, based on the comments here and some testing that I have done:


In order to prevent the "WBEM_E_ACCESS_DENIED" error when using a nonprivileged account to access event logs, you must do one of two things...


  1. Grant the Zenoss service account at least read access to *ALL* event logs on the system.
  2. Grant the Zenoss service account local administrator privileges on each system (which accomplishes [1]).


...unless you specify, within the code ($ZENHOME/Products/ZenWin/, that only the specific event logs you've allowed access to are included:


wql = """SELECT * FROM __InstanceCreationEvent where """\
              """TargetInstance ISA 'Win32_NTLogEvent' """\
              """and TargetInstance.EventType <= %d"""\

              """and (TargetInstance.LogFile = 'Application' OR TargetInstance.LogFile = 'System')"""\

              % device.zWinEventlogMinSeverity


It would be great if there were some way to phrase the query such that only the events a user has access to are displayed. Unfortunately, I can't tell from the documented properties how exactly to do that. Ideally, the WMI provider itself should return only entries to which you have access... but that's not how it behaves. So, we're forced to either grant read access to all logs or restrict what Zenoss queries.


I plan to play around with the WQL and see if there's some way to modify the query beyond just specifying "Application" and "System". I'm sure there are plenty of people that like to monitor other logs (DNS Server, File Replication Service, etc) that it's not worthwhile to place an arbitrary restriction in the Zenoss core code itself.


Here's an idea: what if there were a zProperty added that allowed you to specify which event logs Zenoss would attempt to hook? Perhaps set the default options to 'Application', 'Security', and 'System', and then on an individual device determine the available options by doing a query against Win32_NTEventlogFile.LogfileName and populating a listbox. That way, administrators could grant the permissions required (via GPO or otherwise) and then make selections per-device as needed.


I'm still trying to build up my Zenpack creation knowledge, so I don't know how difficult it would be to do this, or even if it is possible to modify code purely via ZenPack. Feedback appreciated.

  • kerickson ZenossEmployee 75 posts since
    Sep 14, 2009

    I'm pretty sure that to support differing security levels by log you'd have to test the access rights for each log then build a precise eventh query based on the results.  I don't think you can craft the query itself.  Microsoft assumed you'd want to know if there was an access failure in the query.


    It's an interesting problem deciding how to approach all this.  There's lots of different cases, and how you should handle all the different situations is open to debate. For example, if you expect to have access to the application log and don't, should you process events from the system log only, silently? Or should you create an event and fail everything?  Different people make different choices, and I'm sure we've all seen them all!

  • alzoo Rank: White Belt 74 posts since
    May 11, 2009
    Currently Being Moderated
    2. Feb 25, 2010 3:44 AM (in response to kerickson)
    Re: Modifying ZenEventLog for non-privileged accounts

    It's true that everybody will have different expectations for the desired outcome.


    In my case it is to modify Zenoss to only read the desired event logs which I have selected/scripted.  Anything else can be ignored regardless of the granted access to the log or not.


    At the moment, the way it works is each different event log has to have its security access modified for the zenoss user to access it. If you miss out on one, the ZenEventlog fails and you got none of the eventlogs.  Now to me, this is not logical.  Why miss out on everything, just because one log is not set.


    Zenoss should be able to ignore the event logs it doesn't have access to, and if it can't do that, it should be able to specify which event logs it can read.


    makes sense no?



  • alzoo Rank: White Belt 74 posts since
    May 11, 2009

    Count me out, I'm just a simple end user....


    thanks for going into detail.


    If I understand correctly, what you need is to reprgoam the Zenventlog deamon or perhaps not use it at all and create a subsitute one....

  • alzoo Rank: White Belt 74 posts since
    May 11, 2009

    Let's hope someone form the Zenoss Team reads this post and kindly gets one of their colleagues or themselves to respond.

More Like This

  • Retrieving data ...


  • Correct Answers - 4 points
  • Helpful Answers - 2 points