GFI EventsManager collects events and data from the following data sources:
- Microsoft Windows Event Logs
- W3C Log files
- W3SVC Log files
- SNMP Traps
- Microsoft SQL Server Audit
This article explains which security permissions the GFI EventsManager service requires to collect data from each data source:
Microsoft Windows Event Logs
GFI EventsManager requires administrative privileges only to access and collect the Microsoft Security event log. Microsoft restricts access to the Security event log to accounts with administrative privileges in order to protect it. If you have not configured GFI EventsManager to collect Security event logs, the GFI EventsManager service does not need to run with administrative privileges.
W3C Log files
GFI EventsManager collects W3C log files from remote computers via Windows Shares. To collect the W3C log files, the account used by the GFI EventsManager service must have read permissions, both NTFS and Share, on the folder where the W3C logs are stored.
No user account is required to collect SNMP Traps.
No user account is required to collect Syslogs.
Microsoft SQL Server Audit
For GFI EventsManager to perform an SQL Server audit on a Microsoft SQL Server, the account used by the GFI EventsManager service requires the 'sysadmin' server role. You can confirm which users have the sysadmin server role by performing the following steps on your Microsoft SQL Server:
- Open the Microsoft SQL Server Management Studio
- Expand Security > Server Roles
- Right click on the sysadmin server role and select Properties
- You can find the Role Members in the right pane
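The same check can be run as a query instead of through the Management Studio dialog. This T-SQL is an added example, not GFI's own tooling; the login name `CONTOSO\svc-esm` is a constructed placeholder for whichever account the GFI EventsManager service runs as.

```sql
-- Constructed placeholder: replace with the account the GFI EventsManager service uses.
DECLARE @ServiceLogin sysname = N'CONTOSO\svc-esm';  -- hypothetical name

-- 1) Every member of the sysadmin fixed server role
--    (the same data as the Role Members pane in the role's Properties dialog).
SELECT
    m.name       AS member_name,
    m.type_desc  AS principal_type,   -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP, ...
    m.is_disabled,
    m.create_date,
    m.modify_date,
    CASE WHEN m.type_desc = N'WINDOWS_GROUP'
         THEN 'group: every member of it inherits sysadmin'
         ELSE ''
    END          AS note
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.type_desc, m.name;

-- 2) Check the service account by name.
--    IS_SRVROLEMEMBER returns 1, 0, or NULL. NULL means the login is not valid,
--    has no server login of its own, or the caller may not view role membership.
SELECT
    @ServiceLogin AS service_login,
    CASE IS_SRVROLEMEMBER(N'sysadmin', @ServiceLogin)
        WHEN 1 THEN 'member of sysadmin'
        WHEN 0 THEN 'not a member of sysadmin'
        ELSE 'cannot be determined (NULL)'
    END AS sysadmin_status;
```

Rows of type WINDOWS_GROUP in the first result deserve attention during review, because the group's membership is managed in Active Directory and does not appear in this list.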
For GFI EventsManager to collect and process Oracle events, the account used by the GFI EventsManager service requires the 'SYSDBA' server role.