modification of sensitive groups not working, eventlog exceptions in gateway log

  • Question

  • I am testing sensitive account modification and it isn't working. When I looked at the logs, I see the following event over and over. I am running lightweight gateways, version 1.9.7312.32791. Does the lightweight gateway service need special permissions to read the event logs? 

    2018-05-31 21:51:43.9737 2664 102 Error [EventLogException] System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
       at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
       at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
       at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
       at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
       at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
       at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
       at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
       at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)

    Thursday, May 31, 2018 10:07 PM

All replies

  • Hello,

    Firstly, please make sure you configured the sensitive accounts correctly by referring to the following article.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/tag-sensitive-accounts

    Then, please make sure the lightweight gateway is up and running, and it can communicate with ATA Center successfully. You can check out the status of the gateway from the ATA Center console.

    Please refer to the following documentations for the troubleshooting.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshooting-service-startup

    https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshooting-ata-using-logs

    Best regards,
    Andy Liu



    Friday, June 1, 2018 8:43 AM
  • I do have a couple groups in sensitive groups under entity tags but any modifications to those groups do not show up in the report. It shows "No modifications of sensitive groups were observed, make sure that events forwarding is properly configured". 

    I'm getting the error that it can't read event logs about 10k times in a couple of days, so I'm wondering if there is an issue reading event logs, but I can't find any documentation on what is required for the lightweight gateway to read the event log.

    Friday, June 1, 2018 8:57 PM
  • Yes, the service account needs to be able to read from the security log.

    The deployment should have added the required permissions.

    Check the deployment logs for any issues.

    Also, try to reinstall the GW and see if the problem gets fixed.

    Any chance you have some 3rd party software installed that manipulates the event log access permissions?

    Maybe via the CustomSD registry value?

    Friday, June 1, 2018 9:15 PM
  • I'm confused as to which account is the service account? Is it the user configured under directory services in the ATA Center configuration? The service account the Lightweight Gateway is running under on the DC? Something else?

    Wednesday, June 13, 2018 4:35 PM
  • The Gateway service is running under a virtual service account (Local Service).

    The Gateway Updater is running under Local System.

    The Gateway uses the credentials supplied in the console UI to remotely connect to DCs via LDAP, to read sysvol policy data and to check endpoints' group memberships via SAMR.

    Wednesday, June 13, 2018 7:45 PM
  • I've figured it out. I needed to grab the service SID for ATAGateway.

    PS C:\> sc.exe showsid atagateway
    NAME: atagateway
    SERVICE SID: S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682
    STATUS: Active

    Then I needed to add the SID to the DACL on the event log. It was set in CustomSD in the registry, but we have a group policy that overwrote that, so I added the DACL to our GPO and it is working now.

    This link has more information: https://docs.microsoft.com/en-us/advanced-threat-analytics/whats-new-version-1.8#lightweight-gateway-event-log-permissions

    Thursday, June 14, 2018 6:17 PM
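    The check and fix described in the answer above, written out as an added PowerShell example (this is not code from the thread or from the ATA product). It derives the service SID the same way the poster did (`sc.exe showsid`), compares it against the SDDL the Event Log service is actually enforcing on the Security log, and only then appends a read ACE to CustomSD. The service name `atagateway`, the registry path and the GPO setting name are assumptions based on the thread and standard Windows locations; run it elevated on the domain controller.

```powershell
# Added example: verify and grant Security event log read access for a service's
# virtual account (the ATA lightweight gateway in this thread). Assumes an elevated
# session on the DC and the service name 'atagateway' as used in the thread.
param(
    [string]$ServiceName = 'atagateway'
)

# 1. Derive the service SID (S-1-5-80-...). It is computed from the service name,
#    so it is identical on every machine that runs a service with that name.
$sidLine = sc.exe showsid $ServiceName | Where-Object { $_ -match '^\s*SERVICE SID:' }
if (-not $sidLine) { throw "sc.exe could not resolve a service SID for '$ServiceName'" }
$ServiceSid = ($sidLine -replace '^\s*SERVICE SID:\s*', '').Trim()

# 2. Event-log-specific access mask in SDDL: 0x1 = read, 0x2 = write, 0x4 = clear.
#    Read is all a log reader/subscriber needs, so grant nothing more than that.
$Ace = "(A;;0x1;;;$ServiceSid)"

# Insert an ACE into the DACL of an SDDL string without disturbing an S: (SACL) section.
function Add-DaclAce([string]$Sddl, [string]$AceToAdd) {
    if ($Sddl -match [regex]::Escape($AceToAdd)) { return $Sddl }   # already present
    $saclStart = $Sddl.IndexOf('S:')
    if ($saclStart -ge 0) {
        return $Sddl.Substring(0, $saclStart) + $AceToAdd + $Sddl.Substring($saclStart)
    }
    return $Sddl + $AceToAdd
}

# 3. Inspect the effective channel SDDL. This is what the Event Log service enforces,
#    regardless of whether it came from the default, CustomSD, or a GPO, so it is the
#    right thing to test when the gateway logs UnauthorizedAccessException on EvtSubscribe.
$effective = (Get-WinEvent -ListLog Security).SecurityDescriptor
$hasRead = $effective -match [regex]::Escape($Ace)
Write-Host "Effective Security log SDDL: $effective"
Write-Host ("Service SID {0} has read ACE: {1}" -f $ServiceSid, $hasRead)

# 4. If the ACE is missing, append it to CustomSD. A GPO that sets
#    Computer Configuration > Policies > Administrative Templates > Windows Components >
#    Event Log Service > Security > "Configure log access" re-applies its own SDDL on every
#    policy refresh and overwrites this value, which is exactly what the poster hit;
#    in that case the same ACE has to go into the GPO's SDDL instead of (or as well as) here.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
if (-not $hasRead) {
    $customSd = (Get-ItemProperty -Path $regPath -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    if (-not $customSd) { $customSd = $effective }   # start from the currently enforced descriptor
    $newSd = Add-DaclAce -Sddl $customSd -AceToAdd $Ace
    if ($newSd -ne $customSd) {
        Set-ItemProperty -Path $regPath -Name CustomSD -Value $newSd
        Write-Host "Appended $Ace to CustomSD; the new value is picked up when the Windows Event Log service next starts."
    }
}
```

    After the change (and a service restart or reboot), re-run the script: step 3 should now report the ACE as present, and the `[EventLogException] System.UnauthorizedAccessException` entries in the gateway log should stop. If the ACE keeps disappearing, look at the GPO rather than the registry, since policy wins on every refresh.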
  • Check out:

    https://docs.microsoft.com/en-us/advanced-threat-analytics/whats-new-version-1.8#lightweight-gateway-event-log-permissions

    It's a leftover from 1.8.0, probably.

    Thursday, June 14, 2018 7:19 PM