
Manage auditing and security log

AKA: SeSecurityPrivilege, Manage auditing and security log

Default assignment: Administrators

This right allows you to:

  • Modify the object level audit policy on files, folders, registry keys, services and any other non-Active Directory object. To access the object level audit policy, open the object’s Properties window, select the Security tab, click Advanced and select the Auditing tab. This is where you define which permissions are audited for this object and for whom.
  • View or dump the security log
  • Clear the security log

This right gives you the above authority regardless of the security log's CustomSD/Channel Access value, which is explained below.

Interestingly, use of this right generates event ID 578/4674 for this privilege when you clear the log, but not if you clear the log by way of the Clear permission defined in CustomSD/Channel Access. Either way, Windows logs event ID 517/1102 whenever the log is cleared, whether you did it with this privilege or with the Clear permission.

Delegating security log authority using CustomSD/Channel Access

To delegate the ability to view the security log without also giving the user ability to clear the log or modify audit policy, the method varies between Windows Server 2003 and Windows Server 2008.

  • Windows Server 2003: Use the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD registry value.  See http://support.microsoft.com/kb/323076 for more information on this value.
  • Windows Server 2008: Use the wevtutil command with the sl switch, which means "set log". To get help on this command run "wevtutil sl /?". You'll want to find the bit about the /ca switch, which means "channel access". Also check out "wevtutil gl", where gl means "get log".
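The Windows Server 2008 procedure above, carried through as an added PowerShell example (not code from the original page): it reads the current channel access SDDL with "wevtutil gl", appends a read-only ACE for a delegated group, and writes it back with "wevtutil sl /ca". The group SID is a constructed placeholder, and the script assumes an elevated session on Windows Server 2008 or later.

```powershell
# Added example: delegate read-only access to the Security log via channel access.
# Assumption: run elevated; $GroupSid is a placeholder, replace it with the real group SID.
param(
    [string]$GroupSid = 'S-1-5-21-0-0-0-1111'   # constructed placeholder SID
)

# Access mask bits for event log channels (see KB 323076):
# 0x1 = Read, 0x2 = Write, 0x4 = Clear. Only Read is granted here.
$ReadMask  = 1
$ClearMask = 4

function Get-SecurityChannelAccess {
    # Parse the "channelAccess:" line out of 'wevtutil gl Security'.
    foreach ($line in (wevtutil gl Security)) {
        if ($line -match '^channelAccess:\s*(.+)$') { return $Matches[1].Trim() }
    }
    throw 'Could not read channelAccess for the Security log.'
}

$current = Get-SecurityChannelAccess

# Do not silently stack a second ACE for the same SID; review the existing one by hand.
if ($current.Contains(";;;$GroupSid)")) {
    throw "An ACE for $GroupSid already exists: $current"
}

# Guard against accidentally handing out Clear along with Read.
if ($ReadMask -band $ClearMask) { throw 'Refusing to grant the Clear bit (0x4).' }

$newSddl = $current + ('(A;;0x{0:x};;;{1})' -f $ReadMask, $GroupSid)
Write-Host "Old channelAccess: $current"
Write-Host "New channelAccess: $newSddl"

wevtutil sl Security "/ca:$newSddl"

# Verify that the descriptor now in effect is exactly what we wrote.
$applied = Get-SecurityChannelAccess
if ($applied -ne $newSddl) { throw "Verification failed, channelAccess is: $applied" }
Write-Host "Read-only Security log access granted to $GroupSid"
```

The resulting ACE grants only 0x1, so the delegated group can view or dump the log but still cannot clear it, which remains tied to the 0x4 bit or to SeSecurityPrivilege itself.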
