
October 4, 2016 at 2:58 pm

Hi,

I'm trying to use ElasticSearch to send logs from C:\Windows\System32\Configuration\ConfigurationStatus.

Filebeat, which is part of ElasticSearch, is running as a service under the Local System account.

When I copy the ConfigurationStatus folder to the C drive and point filebeat to send those logs, it works.

Are there some extra security settings on "C:\Windows\System32\Configuration\ConfigurationStatus" that prevent access?

Regards

Mariusz

October 4, 2016 at 6:33 pm

Yes, it has different security settings than the default system settings. You can see the security settings using get-acl:

(get-acl $env:windir\system32\configuration\configurationstatus).AccessToString

October 5, 2016 at 2:03 pm

@Nitin: Isn't the LCM itself running as local system?
Why, then, would other services using local system have issues accessing that folder?

October 5, 2016 at 4:30 pm

Yes, LCM is running as Local System and any process/service running as Local System can access the ConfigurationStatus folder. I was trying to make a point that this folder has different security settings than the System32 folder.
I am able to copy the files as Local System outside of DSC using Task Scheduler. I am not sure how Filebeat is copying files though.
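
The comparison discussed in the posts above can be made concrete with the following added example, which is not from any of the posters: it prints owner, inheritance state and the Local System entries for System32 and for ConfigurationStatus, then lists the ACEs that differ between the two. The helper names Test-CoversRead and Get-AceSummary and the variable names are assumptions of the example, as is the English spelling of the account name.

```powershell
# Added example. Paths are the ones named in the thread; everything else is illustrative.
$parent  = "$env:windir\System32"
$target  = "$env:windir\System32\Configuration\ConfigurationStatus"
$account = 'NT AUTHORITY\SYSTEM'   # assumption: English-language Windows account name

# Read can be covered by the specific file rights or by the generic bits
# that some system ACEs carry instead (GENERIC_READ, GENERIC_ALL).
$readMask    = [int][System.Security.AccessControl.FileSystemRights]::Read
$genericRead = 0x80000000
$genericAll  = 0x10000000

function Test-CoversRead($rule) {
    # True when the ACE's rights include read; whether that allows or denies
    # read depends on the ACE's AccessControlType, printed next to it below.
    $rights = [int]$rule.FileSystemRights
    (($rights -band $readMask) -eq $readMask) -or
    (($rights -band $genericRead) -ne 0) -or
    (($rights -band $genericAll) -ne 0)
}

function Get-AceSummary($path) {
    # One comparable string per ACE: identity, allow/deny, rights, inherited or explicit.
    (Get-Acl -LiteralPath $path).Access | ForEach-Object {
        '{0} | {1} | {2} | inherited={3}' -f $_.IdentityReference, $_.AccessControlType,
            $_.FileSystemRights, $_.IsInherited
    }
}

foreach ($path in $parent, $target) {
    $acl = Get-Acl -LiteralPath $path
    "== $path"
    "   Owner: $($acl.Owner)"
    "   Inheritance from parent disabled: $($acl.AreAccessRulesProtected)"
    foreach ($rule in $acl.Access | Where-Object { $_.IdentityReference.Value -eq $account }) {
        "   $account $($rule.AccessControlType) $($rule.FileSystemRights) " +
            "(covers read: $(Test-CoversRead $rule))"
    }
}

# ACEs present on only one folder ('<=' System32 only, '=>' ConfigurationStatus only).
Compare-Object (Get-AceSummary $parent) (Get-AceSummary $target) |
    Format-Table SideIndicator, InputObject -AutoSize -Wrap
```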

October 7, 2016 at 1:46 pm

I had to share the "C:\Windows\System32\Configuration\ConfigurationStatus" folder and then point filebeat to \\localhost\ and the logs appeared in ElasticSearch!!

Thanks for the help!

Regards

Mariusz