Archived community.zenoss.org | full text search
Skip navigation
Up to Discussions in zenoss-windows
16909 Views 9 Replies Latest reply: Feb 25, 2010 10:55 AM by Justin Shepard RSS
Justin Shepard Rank: White Belt
Justin Shepard
14 posts since
Feb 24, 2010
Currently Being Moderated

Feb 24, 2010 5:47 PM

Modifying ZenEventLog for non-privileged accounts

There has been some activity lately regarding how to set up a non-admin account with access to Windows event logs. Here is my understanding of the situation, based on the comments here and some testing that I have done:

 

In order to prevent the "WBEM_E_ACCESS_DENIED" error when using a nonprivileged account to access event logs, you must do one of two things...

 

  1. Grant the Zenoss service account at least read access to *ALL* event logs on the system.
  2. Grant the Zenoss service account local administrator privileges on each system (which accomplishes [1]).

 

...unless you specify, within the code ($ZENHOME/Products/ZenWin/zeneventlog.py), that only the specific event logs you've allowed access to are included:

 

wql = """SELECT * FROM __InstanceCreationEvent where """\
              """TargetInstance ISA 'Win32_NTLogEvent' """\
              """and TargetInstance.EventType <= %d"""\

              """and (TargetInstance.LogFile = 'Application' OR TargetInstance.LogFile = 'System')"""\

              % device.zWinEventlogMinSeverity

 

It would be great if there were some way to phrase the query such that only the events a user has access to are displayed. Unfortunately, I can't tell from the documented properties how exactly to do that. Ideally, the WMI provider itself should return only entries to which you have access... but that's not how it behaves. So, we're forced to either grant read access to all logs or restrict what Zenoss queries.

 

I plan to play around with the WQL and see if there's some way to modify the query beyond just specifying "Application" and "System". I'm sure there are plenty of people that like to monitor other logs (DNS Server, File Replication Service, etc) that it's not worthwhile to place an arbitrary restriction in the Zenoss core code itself.

 

Here's an idea: what if there were a zProperty added that allowed you to specify which event logs Zenoss would attempt to hook? Perhaps set the default options to 'Application', 'Security', and 'System', and then on an individual device determine the available options by doing a query against Win32_NTEventlogFile.LogfileName and populating a listbox. That way, administrators could grant the permissions required (via GPO or otherwise) and then make selections per-device as needed.

 

I'm still trying to build up my Zenpack creation knowledge, so I don't know how difficult it would be to do this, or even if it is possible to modify code purely via ZenPack. Feedback appreciated.

Tags: windows, event, zenwin, zeneventlog, unprivileged, eventlog, nonadmin
  • kerickson ZenossEmployee
    kerickson
    75 posts since
    Sep 14, 2009
    Currently Being Moderated
    1. Feb 25, 2010 12:10 AM (in response to Justin Shepard)
    Re: Modifying ZenEventLog for non-privileged accounts

    I'm pretty sure that to support differing security levels by log you'd have to test the access rights for each log then build a precise eventh query based on the results.  I don't think you can craft the query itself.  Microsoft assumed you'd want to know if there was an access failure in the query.

     

    It's an interesting problem deciding how to approach all this.  There's lots of different cases, and how you should handle all the different situations is open to debate. For example, if you expect to have access to the application log and don't, should you process events from the system log only, silently? Or should you create an event and fail everything?  Different people make different choices, and I'm sure we've all seen them all!

  • alzoo Rank: White Belt
    alzoo
    74 posts since
    May 11, 2009
    Currently Being Moderated
    2. Feb 25, 2010 3:44 AM (in response to kerickson)
    Re: Modifying ZenEventLog for non-privileged accounts

    It's true that everybody will have different expectations for the desired outcome.

     

    In my case it is to modify Zenoss to only read the desired event logs which I have selected/scripted.  Anything else can be ignored regardless of the granted access to the log or not.

     

    At the moment, the way it works is each different event log has to have its security access modified for the zenoss user to access it. If you miss out on one, the ZenEventlog fails and you got none of the eventlogs.  Now to me, this is not logical.  Why miss out on everything, just because one log is not set.

     

    Zenoss should be able to ignore the event logs it doesn't have access to, and if it can't do that, it should be able to specify which event logs it can read.

     

    makes sense no?

     

    Alzoo

  • Justin Shepard Rank: White Belt
    Justin Shepard
    14 posts since
    Feb 24, 2010
    Currently Being Moderated
    3. Feb 25, 2010 7:39 AM (in response to Justin Shepard)
    Re: Modifying ZenEventLog for non-privileged accounts

    Unfortunately, the true problem does not lie with Zenoss, it lies in Microsoft's implementation of __InstanceCreationEvent. You get the same "access denied" behavior whether you run the notification query in Zenoss or via VBScript or via wbemtest.

     

    That's why I suggested what I did in the OP. I'll elaborate a bit more: what if another parameter was added to the method that executes the notification query in zeneventlog, so that instead of having to edit the code and add the extra criterion to the WHERE clause, you can specify it via a zProperty? I plan to test that a bit today. The behavior should be that the default "hook everything" is attempted unless the zEventlogFilter property is set (in which case the contents of that property are added to the end of the WQL).

     

    So, for example, setting zEventlogFilter to "AND (TargetInstance.LogfileName = 'Application' OR TargetInstance.LogfileName = 'System')" would add that filter to the WQL, which would only hook those two logs. In my own use case, I would set that on /Devices/Windows and then make an adjustment to /Devices/Windows/Domain Controllers to also grab the File Replication Service and DNS Server logs.

     

    Make sense?

  • Justin Shepard Rank: White Belt
    Justin Shepard
    14 posts since
    Feb 24, 2010
    Currently Being Moderated
    4. Feb 25, 2010 9:53 AM (in response to Justin Shepard)
    Re: Modifying ZenEventLog for non-privileged accounts

    Okay, I've modified the code as follows:

     

    1. I entered zendmd and created a new zProperty (this can also be done from the Zope manager:

      # zendmd
      cl = devices
      cl._setProperty('zWinEventlogFilter','',type='string')
      commit()
      cl = devices.Server.Windows
      cl._setProperty('zWinEventlogFilter',"AND (TargetInstance.LogFile = 'Application' OR TargetInstance.LogFile = 'System')",type='string')
      commit()

    2. Then, I edited $ZENHOME/Products/ZenWin/zeneventlog.py:

      wql = """SELECT * FROM __InstanceCreationEvent where """\
                    """TargetInstance ISA 'Win32_NTLogEvent' """\
                    """and TargetInstance.EventType <= %d %s"""\
                    % (device.zWinEventlogMinSeverity, device.zWinEventlogFilter)

    3. Finally, I added the new property to the createDeviceProxy method in $ZENHOME/Products/ZenWin/services/WMIConfig.py:

      for prop in (
          'zWmiMonitorIgnore',
          'zWinUser',
          'zWinPassword',
         'zWinEventlogFilter',
          'zWinEventlogMinSeverity'):

     

    Restart zenoss and it now only pulls Application and System event logs from Windows servers.

     

    If you want to add additional logs (in my case, NTDS, DNS, and FRS on domain controllers), just modify the filter in the desired device class through the UI:

    zWinEventlogFilter = AND (TargetInstance.LogFile = 'Application' OR TargetInstance.LogFile = 'System' OR TargetInstance.LogFile = 'Directory Service'' OR TargetInstance.LogFile = 'DNS Server' OR TargetInstance.LogFile = 'File Replication Service')

     

    I hope this helps anyone seeking the same goal as me: granting a non-administrator Zenoss service account access to Windows event logs without having to touch every single server that you want to monitor. With the above modifications, I can now create Group Policy objects that will grant the service account read access to App and System on all of my member servers, and all of the AD/DNS logs on my domain controllers. If anyone is interested, I'll post how to do that as well.

     

    Message was edited by: felbane  Worked out the solution on my own, revising post with details.

  • alzoo Rank: White Belt
    alzoo
    74 posts since
    May 11, 2009
    Currently Being Moderated
    5. Feb 25, 2010 8:40 AM (in response to Justin Shepard)
    Re: Modifying ZenEventLog for non-privileged accounts

    Count me out, I'm just a simple end user....

     

    thanks for going into detail.

     

    If I understand correctly, what you need is to reprgoam the Zenventlog deamon or perhaps not use it at all and create a subsitute one....

  • Justin Shepard Rank: White Belt
    Justin Shepard
    14 posts since
    Feb 24, 2010
    Currently Being Moderated
    6. Feb 25, 2010 8:48 AM (in response to alzoo)
    Re: Modifying ZenEventLog for non-privileged accounts

    Well, not so much 'reprogram' as 'give it a shove in the right direction'. All I'm trying to achieve here is adding another zProperty and then use it as a variable in the zeneventlog collector. Shouldn't be terribly difficult, but I'm not familiar enough with the inner workings yet to be able to get it perfect on the first try.

  • Justin Shepard Rank: White Belt
    Justin Shepard
    14 posts since
    Feb 24, 2010
    Currently Being Moderated
    7. Feb 25, 2010 9:56 AM (in response to Justin Shepard)
    Re: Modifying ZenEventLog for non-privileged accounts

    Edited my post above with the solution (at least, the one that works for me).

     

    I'm going to see about filing this as a feature request for future versions of Zenoss. I'm sure there are some tweaks that the dev team will come up with that I haven't, but I think this is a useful feature for any Core/Community installation.

  • alzoo Rank: White Belt
    alzoo
    74 posts since
    May 11, 2009
    Currently Being Moderated
    8. Feb 25, 2010 10:04 AM (in response to Justin Shepard)
    Re: Modifying ZenEventLog for non-privileged accounts

    Let's hope someone form the Zenoss Team reads this post and kindly gets one of their colleagues or themselves to respond.

  • Justin Shepard Rank: White Belt
    Justin Shepard
    14 posts since
    Feb 24, 2010
    Currently Being Moderated
    9. Feb 25, 2010 10:55 AM (in response to Justin Shepard)
    Re: Modifying ZenEventLog for non-privileged accounts

    I created a feature request: http://dev.zenoss.org/trac/ticket/6225

More Like This

  • Retrieving data ...

Legend

  • Correct Answers - 4 points
  • Helpful Answers - 2 points