Trying to monitor custom windows file -> access denied
Posted: Mon Jan 18, 2016 11:27 am
by heskez
Hi, I'd like to monitor a custom Windows file on a server. So I installed nxlog and edited the nxlog file as follows:
Code:
# Watch your own files
<Input windowsfile>
Module im_file
File 'C:\path\to\target\file'
SavePos TRUE
Exec $Message = $raw_event;
</Input>
<Route 1>
Path internal, eventlog, windowsfile => out
</Route>
I start the nxlog service and I noticed within the /data/nx.log:
2016-01-18 17:06:55 ERROR failed to open d:\test\server1; Access is denied.
2016-01-18 17:07:11 ERROR failed to open d:\test\server1; Access is denied.
2016-01-18 17:07:43 ERROR failed to open d:\test\server1; Access is denied.
2016-01-18 17:08:47 ERROR failed to open d:\test\server1; Access is denied.
2016-01-18 17:10:56 ERROR failed to open d:\test\server1; Access is denied.
2016-01-18 17:15:14 ERROR failed to open d:\test\server1; Access is denied.
2016-01-18 17:23:47 ERROR failed to open d:\test\server1; Access is denied.
Event logs are coming in the dashboard overview though..
I'm curious about what permissions are exactly needed on that particular file?
Re: Trying to monitor custom windows file -> access denied
Posted: Mon Jan 18, 2016 12:47 pm
by rkennedy
Can you please clarify what your actual file path is set to here? File 'C:\path\to\target\file'
Do you have d:\test\server1 defined anywhere in your configuration? I believe it ends up running as a local service, and NTFS permissions would apply.
Re: Trying to monitor custom windows file -> access denied
Posted: Tue Jan 19, 2016 4:37 am
by heskez
Hi, I'll paste the original config file:
Code:
## See the nxlog reference manual at
## http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
# Module xm_fileop
#</Extension>
<Extension json>
Module xm_json
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Input internal>
Module im_internal
</Input>
# Watch your own files
<Input error.log>
Module im_file
File 'd:\test\server1'
SavePos TRUE
Exec $Message = $raw_event;
</Input>
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
Module im_msvistalog
# Uncomment im_mseventlog for Windows XP/2000/2003
# Module im_mseventlog
</Input>
<Output out>
Module om_tcp
Host x.x.x.x
Port 3515
Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
Exec $raw_event = to_json();
# Uncomment for debug output
# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>
<Route 1>
Path internal, file1, eventlog => out, error.log => out
</Route>
Re: Trying to monitor custom windows file -> access denied
Posted: Tue Jan 19, 2016 11:05 am
by rkennedy
Can you verify the permissions of the directory using PowerShell on the Windows machine?
Code:
Get-Acl d:\test\server1|format-list
Re: Trying to monitor custom windows file -> access denied
Posted: Tue Jan 19, 2016 11:52 am
by heskez
Hi,
I use srv_nxlog as account for the nxlog service to start.
srv_nxlog is also local admin on the same server where this directory resides, as well as on the Nagios log server itself.
Code:
Path : Microsoft.PowerShell.Core\FileSystem::D:\test\server1
Owner : BUILTIN\Administrators
Group : DOMAIN\Domain Users
Access : Everyone Allow Modify, Synchronize
BUILTIN\Administrators Allow FullControl
DOMAIN\srv_nxlog Allow ReadAndExecute, Synchronize
BUILTIN\Administrators Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
BUILTIN\Users Allow AppendData
BUILTIN\Users Allow CreateFiles
Re: Trying to monitor custom windows file -> access denied
Posted: Tue Jan 19, 2016 12:43 pm
by jolson
2016-01-18 17:10:56 ERROR failed to open d:\test\server1; Access is denied.
This is almost certainly a permission problem - check the parent directories of d:\test\server1 for permissions inconsistencies - the nxlog service needs to be able to tunnel through d:\ and test to get to the server1 log file. After you've verified those permissions, report back with your results.
Re: Trying to monitor custom windows file -> access denied
Posted: Thu Jan 21, 2016 5:32 am
by heskez
Hi,
I've set the same permissions for d:\test\server1 on d:\ so the service is able to tunnel through d:\
Stopped and reran the nxlog service.
Still the same error message.. Access denied
Re: Trying to monitor custom windows file -> access denied
Posted: Thu Jan 21, 2016 9:47 am
by rkennedy
This is really odd, let's verify a couple more permissions -
Code:
Get-Acl D:\test\server1\*|format-list
Get-Acl D:\test|format-list
Get-Acl 'C:\Program Files (x86)\nxlog'|format-list
Re: Trying to monitor custom windows file -> access denied
Posted: Thu Jan 21, 2016 10:11 am
by heskez
Code:
Path : Microsoft.PowerShell.Core\FileSystem::D:\test\server1
Owner : BUILTIN\Administrators
Group : domain\Domain Users
Access : Everyone Allow Modify, Synchronize
BUILTIN\Administrators Allow FullControl
domain\srv_nxlog Allow ReadAndExecute, Synchronize
BUILTIN\Administrators Allow FullControl
CREATOR OWNER Allow FullControl
domain\srv_nxlog Allow ReadAndExecute, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow CreateFiles, Synchronize
BUILTIN\Users Allow AppendData, Synchronize
BUILTIN\Users Allow ReadAndExecute, Synchronize
Path : Microsoft.PowerShell.Core\FileSystem::D:\test
Owner : BUILTIN\Administrators
Group : domain\Domain Users
Access : BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow FullControl
CREATOR OWNER Allow FullControl
domain\srv_nxlog Allow ReadAndExecute, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow CreateFiles, Synchronize
BUILTIN\Users Allow AppendData, Synchronize
BUILTIN\Users Allow ReadAndExecute, Synchronize
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\nxlog
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : NT SERVICE\TrustedInstaller Allow FullControl
NT SERVICE\TrustedInstaller Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow 268435456
BUILTIN\Users Allow ReadAndExecute, Synchronize
BUILTIN\Users Allow -1610612736
CREATOR OWNER Allow 268435456
Re: Trying to monitor custom windows file -> access denied
Posted: Thu Jan 21, 2016 1:15 pm
by rkennedy
I believe the issue is your permissions that you have for srv_nxlog. Where did you set it to run as srv_nxlog? One thing to add as well, I don't know how the domain vs local account will work in regards to how you have srv_nxlog.
The reason I say that, is because looking here -
Code:
Path : Microsoft.PowerShell.Core\FileSystem::C:\Program Files (x86)\nxlog
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : NT SERVICE\TrustedInstaller Allow FullControl
NT SERVICE\TrustedInstaller Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow 268435456
BUILTIN\Users Allow ReadAndExecute, Synchronize
BUILTIN\Users Allow -1610612736
CREATOR OWNER Allow 268435456
There are no permissions for srv_nxlog, yet the program is still being opened.
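Added example, not posted by anyone in the thread: a PowerShell script that combines the two checks discussed above, which account the service actually logs on as and which ACL entries apply along every element of the path from d:\ down to the target. The service name `nxlog` and the list of groups in `$principals` are assumptions; the path and account are the ones quoted in the thread. It lists matching ACEs only and does not compute effective access.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell 3.0+ session.
param(
    [string]$Path        = 'D:\test\server1',   # path from the posted config
    [string]$Account     = 'DOMAIN\srv_nxlog',  # account named in the thread
    [string]$ServiceName = 'nxlog'              # assumed Windows service name
)

# 1. Which account does the service really log on as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($svc) { "Service '$ServiceName' logs on as: $($svc.StartName)" }
else      { Write-Warning "Service '$ServiceName' not found" }

# Principals whose ACEs can apply to that account (assumed set; extend as needed).
$principals = @($Account, 'Everyone', 'BUILTIN\Users', 'BUILTIN\Administrators',
                'NT AUTHORITY\Authenticated Users')

# 2. Build the chain D:\ -> D:\test -> D:\test\server1 (root first).
$chain   = @()
$current = $Path
while ($current) {
    $chain   = @($current) + $chain
    $current = Split-Path -Path $current -Parent
}

# 3. For every element, list the matching ACEs, including any Deny entries.
$report = foreach ($item in $chain) {
    if (-not (Test-Path -LiteralPath $item)) {
        Write-Warning "$item : not found or not visible to the current user"
        continue
    }
    # im_file's File directive has to name a file (or a wildcard pattern), not a directory.
    $kind = if (Test-Path -LiteralPath $item -PathType Container) { 'Directory' } else { 'File' }
    foreach ($ace in (Get-Acl -LiteralPath $item).Access) {
        if ($principals -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path      = $item
                Kind      = $kind
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
$report | Sort-Object Path, Type | Format-Table -AutoSize -Wrap
```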