Enable remote Event Log access for Agentless monitoring

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • SecureAuth Idp Version affected: 9.0.2 onwards
    Since 9.0.2, the OVA that new customers are sent contains a locked down environment which prevents remote access to the Event Log. We recommend keeping these lock down settings as it allows for a more secure machine. 

    However, some agentless monitoring tools require remote access to the Event log. 

    Cause: Lock down settings


    1. On the IdP Open up the "Windows Firewall with Advanced Security"

    2. On the Inbound Rules,
    2i. Enable Com+ Network Access (DCOM-In)

    2ii. Enable Remote Event Log Management (NP-In)
    2iii. Enable Remote Event Log Management (RPC)
    2iv. Enable Remote Event Log Management (RPC-EPMAP)


    3. Open Services.msc and set the Server Service​ to Automatic and then Start the Server service.

    4. Open Regedit, Expand the tree to HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft\ Windows \ CurrentVersion \ policies \ system.

    5. Look for “LocalAccountTokenFilterPolicy” and give it the value of “1”. Click OK. If it didn't exist, Create a new key (Right click -> New -> choose “DWORD Value (32bit)”) and name it LocalAccountTokenFilterPolicy and give it the value of 1

    6. Reboot the IdP 


    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.

    0 out of 0 found this helpful



    Please sign in to leave a comment.