Unable to save event log file (Network Steve Forum)

Unable to save event log file

I want to create a role as "security log administrator" on a stand-alone XP machine. Basically a regular user with the permission to view, backup and configure the security event log. My approach was to assign the User right "Manage auditing and security log" to that particular account. The secadmin can view the security log without problem, but when i right click "Save Log File as", i get the error message "Unable to save event log to file [path]. A required privlege is not held by the client." The path is local. Instead, i right click and choose "Clear all events", which give me tje question: "Do you want to save 'Security' before clearing it?". If I choose yes, the same save as dialog appears, but this time i can save the file without problem, but I cannot open the saved .evt file "Access is denied". However i can open the file with an administrator account. I have recreated the problem on a Server 2003 machine. What is wrong? Thanks in advance, Jonas

April 26th, 2010 4:58pm

This article may help. How to set event log security locally or by using Group Policy in Windows Server 2003 http://support.microsoft.com/kb/323076 Regards, Dave Patrick .... Microsoft Certified Professional -Microsoft MVP [Windows]

Free Windows Admin Tool Kit Click here and download it now

April 26th, 2010 5:54pm

I have checked it out, it seems a bit complicated though with the SDDL syntax. Isn't it strange that i can save a copy through the "Save as" dialog in one case, but not the other? And in my world, if I can read a file (the event log) i should also be able to make a copy. I can save the list as a .txt file. Regards, Jonas

April 26th, 2010 6:39pm

Ditto that on complicated. It may be the SDDL in place is incorrect and is why you can read and not save. Regards, Dave Patrick .... Microsoft Certified Professional -Microsoft MVP [Windows]

Free Windows Admin Tool Kit Click here and download it now

April 26th, 2010 6:50pm

I still thinks it is strange, I have tried it on different machines, xp sp2, sp3, 2003 server, and they all have exact the same problem. This implies that you cannot let a user manage the security log without first editing hexadecimal code in the registry? Well, i will investigate the reg key later and see what happens! Thank you! /Jonas

April 28th, 2010 11:49am

This topic is archived. No further replies will be accepted.