Chapter 6. Remote Security Log Collection in a Least Privilege Environment
Information in this chapter:
▪ Log Fetcher Architecture
Products, Tools, and Methods
▪ Distributed Component Object Model (DCOM)
▪ Windows Management Instrumentation (WMI)
This chapter focuses on using a low-privileged service account to harvest Windows event log data and warehouse it in a SQL database. The collection is done with the minimum of permissions: the service account queries each monitored host through Windows Management Instrumentation (WMI) over a Distributed Component Object Model (DCOM) connection negotiated at packet-privacy level, so every RPC packet is encrypted and signed, and it is granted read access to individual event logs with Security Descriptor Definition Language (SDDL) strings rather than through membership in Administrators. It includes a fully functional ...
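The following PowerShell is an added example, not the chapter's own Log Fetcher code, showing the two halves of that design end to end: the one-time least-privilege setup on a monitored host (DCOM access, a read-only SDDL ACE on the Security channel, and Remote Enable on the WMI namespace), and a collector that reads Win32_NTLogEvent over an encrypted DCOM session and warehouses the rows with parameterized SQL. The account name CORP\svc-logfetch, the host SRV01, the SQL Server LOGDB, the database EventLogs and the table dbo.SecurityEvents are all assumed names chosen for the example.

```powershell
# Added example, not the book's code. Assumed names: collector account CORP\svc-logfetch,
# monitored host SRV01, SQL Server LOGDB, database EventLogs, table dbo.SecurityEvents.
#Requires -Version 5.1

#region --- one-time setup on each monitored host; run as a local Administrator ---
$Collector    = 'CORP\svc-logfetch'                                              # assumed
$CollectorSid = (New-Object Security.Principal.NTAccount $Collector).
                    Translate([Security.Principal.SecurityIdentifier]).Value

# 1. DCOM: remote launch/activation for a non-admin comes from the built-in group.
Add-LocalGroupMember -Group 'Distributed COM Users' -Member $Collector -ErrorAction SilentlyContinue

# 2. Event log: append a read-only ACE (access mask 0x1 = ELF_LOGFILE_READ) for the
#    collector SID to the Security channel's SDDL. Read the current descriptor first so
#    the existing ACEs (SYSTEM, Administrators, Event Log Readers) are kept intact.
$current = ((wevtutil gl Security | Select-String '^channelAccess:').Line) -replace '^channelAccess:\s*', ''
if ($current -notmatch [regex]::Escape($CollectorSid)) {
    wevtutil sl Security "/ca:$current(A;;0x1;;;$CollectorSid)"
}

# 3. WMI: grant Enable Account (0x1) + Remote Enable (0x20) on root\cimv2, inherited by
#    sub-namespaces, by appending one allow ACE to the namespace security descriptor.
$ns = 'root\cimv2'
$sd = (Invoke-WmiMethod -Namespace $ns -Path '__SystemSecurity=@' -Name GetSecurityDescriptor).Descriptor
$ace = ([wmiclass]'Win32_Ace').CreateInstance()
$ace.AccessMask = 0x21          # WBEM_ENABLE | WBEM_REMOTE_ACCESS: read-only, remote
$ace.AceFlags   = 0x2           # CONTAINER_INHERIT_ACE
$ace.AceType    = 0             # ACCESS_ALLOWED_ACE_TYPE
$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SIDString = $CollectorSid
$ace.Trustee = $trustee
$sd.DACL += $ace.PSObject.ImmediateBaseObject
Invoke-WmiMethod -Namespace $ns -Path '__SystemSecurity=@' -Name SetSecurityDescriptor `
                 -ArgumentList $sd.PSObject.ImmediateBaseObject | Out-Null
#endregion

#region --- collector; run on the log server as CORP\svc-logfetch (or with its credential) ---
$Target  = 'SRV01'                                                               # assumed
$SqlConn = 'Server=LOGDB;Database=EventLogs;Integrated Security=True'            # assumed
$cred    = Get-Credential -UserName $Collector -Message 'Collector account'

# DCOM rather than WS-Man, at packet-privacy level: each RPC packet is encrypted and signed.
$opt     = New-CimSessionOption -Protocol Dcom -PacketPrivacy -Impersonation Impersonate
$session = New-CimSession -ComputerName $Target -SessionOption $opt -Credential $cred

$db = New-Object System.Data.SqlClient.SqlConnection $SqlConn
$db.Open()
$ddl = $db.CreateCommand()
$ddl.CommandText = @"
IF OBJECT_ID('dbo.SecurityEvents') IS NULL
CREATE TABLE dbo.SecurityEvents (
    ComputerName sysname NOT NULL, RecordNumber bigint NOT NULL, EventCode int NOT NULL,
    TimeGenerated datetime2 NOT NULL, SourceName nvarchar(256) NULL, Message nvarchar(max) NULL,
    CONSTRAINT PK_SecurityEvents PRIMARY KEY (ComputerName, RecordNumber));
"@
[void]$ddl.ExecuteNonQuery()

# Watermark: the highest record already warehoused for this host, so reruns never duplicate.
$wm = $db.CreateCommand()
$wm.CommandText = 'SELECT ISNULL(MAX(RecordNumber), 0) FROM dbo.SecurityEvents WHERE ComputerName = @host'
[void]$wm.Parameters.AddWithValue('@host', $Target)
$watermark = [int64]$wm.ExecuteScalar()

# The WQL filter is evaluated on the remote host, so only new records cross the wire.
$events = Get-CimInstance -CimSession $session -ClassName Win32_NTLogEvent `
                          -Filter "Logfile='Security' AND RecordNumber > $watermark"

# Parameterized insert: event text (incl. attacker-controlled strings) never touches the SQL text.
$insert = $db.CreateCommand()
$insert.CommandText = 'INSERT INTO dbo.SecurityEvents (ComputerName, RecordNumber, EventCode, TimeGenerated, SourceName, Message) VALUES (@c, @r, @e, @t, @s, @m)'
foreach ($ev in $events) {
    $insert.Parameters.Clear()
    [void]$insert.Parameters.AddWithValue('@c', [string]$ev.ComputerName)
    [void]$insert.Parameters.AddWithValue('@r', [int64]$ev.RecordNumber)   # uint32 has no SqlClient mapping
    [void]$insert.Parameters.AddWithValue('@e', [int]$ev.EventCode)
    [void]$insert.Parameters.AddWithValue('@t', [datetime]$ev.TimeGenerated)
    [void]$insert.Parameters.AddWithValue('@s', [string]$ev.SourceName)
    [void]$insert.Parameters.AddWithValue('@m', $(if ($ev.Message) { [string]$ev.Message } else { [DBNull]::Value }))
    [void]$insert.ExecuteNonQuery()
}
$db.Close()
Remove-CimSession $session
#endregion
```

Two checks are worth running before trusting the setup. First, confirm from the collector side that `Get-CimInstance -CimSession $session -ClassName Win32_NTLogEvent -Filter "Logfile='Security'"` succeeds while the same account is not a member of Administrators or Event Log Readers on SRV01; if it fails with access denied, inspect `wevtutil gl Security` for the new ACE and wmimgmt.msc for the namespace rights before widening anything. Second, verify the transport with a packet capture: with `-PacketPrivacy` the DCOM payload after the bind is opaque, whereas the default authentication level leaves event text readable on the wire. Removing the account from `Distributed COM Users` should break the session immediately, which confirms that group, not a broader one, is what carries the remote activation right.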