Hi,
I’m trying to use ElasticSearch to send logs from C:\Windows\System32\Configuration\ConfigurationStatus.
Filebeat, which is part of ElasticSearch, is running as a service under the Local System account.
When I copy the ConfigurationStatus folder to the C drive and point Filebeat at it to send those logs, it works.
Are there some extra security settings on “C:\Windows\System32\Configuration\ConfigurationStatus” that prevent the access?
Regards
Mariusz
Yes, it has different security settings than the default system settings. You can see the security settings using Get-Acl:
(get-acl $env:windir\system32\configuration\configurationstatus).AccessToString
@Nitin: Isn’t the LCM itself running as Local System?
Why would other services using Local System then have issues accessing that folder?
Yes, LCM is running as Local System and any process/service running as Local System can access ConfigurationStatus folder. I was trying to make a point that this folder has different security settings than System32 folder.
I am able to copy the files as Local System outside of DSC using Task Scheduler. I am not sure how Filebeat is copying files, though.
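To put the Get-Acl check and the "different from System32" point above into a repeatable form, here is an added PowerShell example (not from anyone in this thread). It lists which identities hold read rights on ConfigurationStatus versus System32, shows whether inheritance is cut off on the folder, and checks one service identity; the $ServiceAccount value is an assumption, substitute the account your log shipper actually runs as.

```powershell
# Added example: compare read access on the DSC ConfigurationStatus folder with
# System32, so it is clear why a service that can read System32 may not read this
# folder. Run from an elevated prompt; reading this ACL needs admin rights.
$Status   = Join-Path $env:windir 'System32\Configuration\ConfigurationStatus'
$System32 = Join-Path $env:windir 'System32'
$ServiceAccount = 'NT AUTHORITY\SYSTEM'   # assumption: account the log shipper runs as

function Get-ReadAccessEntry {
    # Returns one object per Allow ACE that grants at least ReadData on $Path.
    param([Parameter(Mandatory)][string]$Path)
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $readData) } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}

$statusRules = Get-ReadAccessEntry -Path $Status
$sysRules    = Get-ReadAccessEntry -Path $System32

# Identities present in one folder's read ACEs but not the other's.
# '<=' means only on System32, '=>' means only on ConfigurationStatus.
Compare-Object -ReferenceObject $sysRules -DifferenceObject $statusRules -Property Identity -PassThru |
    Select-Object Path, Identity, Rights, Inherited, SideIndicator |
    Format-Table -AutoSize

# If this is $true, the folder does not inherit System32's permissions at all,
# which is why rights granted higher up do not apply here.
"Inheritance disabled on ConfigurationStatus: $((Get-Acl -Path $Status).AreAccessRulesProtected)"

# Direct check for the service identity (group-based access, e.g. via
# Administrators, will not show up here and needs a separate look).
if ($statusRules | Where-Object { $_.Identity -eq $ServiceAccount }) {
    "$ServiceAccount has an explicit read entry on $Status"
} else {
    "$ServiceAccount has no explicit read entry on $Status"
}
```

Seeing exactly which ACE is missing lets you grant the service account read access on the folder itself instead of exposing it through a share.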
I had to share the “C:\Windows\System32\Configuration\ConfigurationStatus” folder and then point Filebeat to \localhost\ and the logs appeared in ElasticSearch!!
Thanks for the help!
Regards
Mariusz