Overview
This article explains what security permissions are required for GFI EventsManager to collect events and logs from remote machines.
Information
GFI EventsManager collects events and data from the following data sources:
- Microsoft Windows Event Logs
- World Wide Web Consortium (W3C) Log Files
- Simple Network Management Protocol (SNMP) Traps
- Syslog
- Microsoft SQL Server Audit
- Oracle
Microsoft Windows Event Logs
GFI EventsManager requires administrative privileges only to access and collect the Microsoft Windows Security Event Log. Microsoft restricts access to the Security Event Log to administrators in order to protect it. If you have not configured GFI EventsManager to collect Security event logs, the GFI EventsManager service does not need to run with administrative privileges.
W3C Log Files
GFI EventsManager collects W3C log files from remote computers via Windows shares. To collect the W3C log files, the account used by the GFI EventsManager service must have Read permissions at both the NTFS (New Technology File System) level and the share level on the folder where the W3C logs are stored.
SNMP Traps
No user account is required to collect SNMP Traps.
Syslog
No user account is required to collect Syslog messages.
Microsoft SQL Server Audit
For GFI EventsManager to perform a SQL Server Audit on a Microsoft SQL Server, the account used by the GFI EventsManager service requires the 'sysadmin' server role. You can confirm which logins hold the sysadmin server role by performing the following steps on your Microsoft SQL Server:
- Open the Microsoft SQL Server Management Studio.
- Expand Security > Server Roles.
- Right-click on the sysadmin server role and select Properties.
- The role members are listed in the right pane.
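The same check can be scripted instead of clicking through Management Studio. The following T-SQL is an added example, not part of the GFI article: it lists every member of the sysadmin server role (useful for confirming the service account is present and that no unexpected logins hold the role) and then tests one specific login, where `DOMAIN\GfiEventsManagerSvc` is a placeholder for your actual service account name.

```sql
-- Added example (not from the GFI article). Run against the SQL Server
-- instance that GFI EventsManager will audit, using a login that may view
-- server role membership.

-- 1. List all members of the fixed server role 'sysadmin'.
--    If the service account is a member only through a Windows group,
--    the group (type WINDOWS_GROUP) is what appears here, not the account.
SELECT
    r.name        AS server_role,
    m.name        AS member_login,
    m.type_desc   AS login_type,    -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP, ...
    m.is_disabled AS login_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Check one login directly. 'DOMAIN\GfiEventsManagerSvc' is a placeholder
--    for the GFI EventsManager service account. IS_SRVROLEMEMBER returns
--    1 if the login is a member, 0 if not, and NULL if the role or login is
--    not valid or you lack permission to view role membership.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'DOMAIN\GfiEventsManagerSvc')
       AS service_account_is_sysadmin;
```

Because sysadmin is the highest privilege level in SQL Server, the first query doubles as a periodic audit of who else holds it beyond the accounts you expect.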
Oracle
In order for GFI EventsManager to collect and process Oracle events, the account which is being used by the GFI EventsManager service requires the 'SYSDBA' server role.