Ok.
What I'm trying to figure out is where to assign/add the Event Log Reader group in the GPO to deploy it to the Windows server, instead of adding the service account to the local Event Log Reader group on each host.
My suspicion is to add it to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
------------------------------
Hendry
------------------------------
Original Message:
Sent: Wed April 15, 2020 09:34 AM
From: Richard Gingras
Subject: MSRPC Group Policy
MSRPC is OK to use for Windows logs as long as no individual log source is generating above 50 EPS.
------------------------------
Richard Gingras
QRadar SME
IBM Security
Cambridge MA
Original Message:
Sent: Tue April 14, 2020 09:42 AM
From: Hendry
Subject: MSRPC Group Policy
I'm using MSRPC to pull Windows server logs to QRadar. Does anyone know which group policy settings to use to add the Event Log Reader group to a global group policy setting? As of now, we keep adding the service account to the local Event Log Reader group on each new host machine. This was set up that way before I came on board, and I want to be more efficient by using global policy instead of local policy.
------------------------------
Hendry
------------------------------