Locking down Event Viewer Security log clearing

Question

I need to lock down the Event Viewer ability to clear logs for all users. I have successfully completed this for the Application, System, and Setup logs using GPO and an SDDL string. The same string is used for the Security log however I am still able to clear the logs, whereas the other three log files deny that ability. I have gone as far as the set an SDDL string to deny everyone, I have updated the system using gpupdate and looked at the SDDL string using wevtutil gl Security and I am still able to clear the logs. Any help would be appreciated in figuring out why this particular log behaves differently than the other three.

I am fully aware, as an admin on the system that I can change the GPO or local policy to allow me to gain access to the logs so please don't respond with "This is arbitrary as an Admin you can do what you want." This is a security request and I am trying to tick a box, nothing more.

Answer 1

Hello there,

You can customize security access rights to their event logs in Windows Server 2012. These settings can be configured locally or through Group Policy. This article describes how to use both of these methods.

You can use an Administrative Template Policy for the purpose. The path for the System Eventlog, for example, is:

Computer Configuration\Administrative Templates\Windows Components\Event log Service\System

The setting is configured log access and it takes the same Security Descriptor Definition Language (SDDL) string.

Detailed explanation here https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer–