Hardening NXLog Agent on Windows

On Windows, the NXLog Agent installer always configures the NXLog Agent service to run under the Local System account. Local System is the most privileged local identity on the host, and the agent needs only a small subset of that access to read logs and forward them. Running the service under a dedicated service account limits what an attacker gains if the agent or its configuration is compromised, and it makes the agent's activity distinguishable (in audit events and file ownership) from everything else that runs as SYSTEM.

For the remainder of this article, the service account is named svc-nxlog, but you can use any valid account name.

In environments managed by Group Policy, the domain administrator must create the dedicated account and grant its rights: a GPO that configures User Rights Assignment overwrites any rights granted locally at the next policy refresh.

Follow these steps to run the NXLog Agent service under a dedicated service account:

  1. Create a new user account:

    1. Open the Computer Management console (compmgmt.msc).

    2. Expand Local Users and Groups.

    3. Right-click Users and click New User.

      Create a new Windows user

    4. In the New User dialog box, do the following:

      1. Enter the user account's user name, description, and password. Use a long, randomly generated password: the account only ever authenticates as a service, so no person needs to know or type it.

      2. Uncheck User must change password at next logon.

      3. Check Password never expires. This is the usual setting for a service account: an expired password would stop the service from starting, and a long random password that nobody uses interactively gains little from expiry.

      4. Click Create.

        New user properties
  2. Update the nxlog service user:

    1. Open the Services console (services.msc).

    2. Right-click the nxlog service and click Properties.

      Windows service properties context menu

    3. On the Log On tab, click This account, select the user account that you created (svc-nxlog), enter its password, and click OK.

      The operating system warns you that you must restart the service for the change to take effect. The Services console also grants the account the Log on as a service right at this point; the next step verifies that right and adds the second one.

      Change the NXLog Agent service log on user

  3. Add the user account to the required local policies:

    1. Open the Local Security Policy console (secpol.msc).

    2. Expand Local Policies > User Rights Assignment in the left pane.

    3. Do the following for the Log on as a service and Manage auditing and security log policies:

      1. Right-click the policy name and click Properties.

        Windows Local Security Policy console

      2. Click Add User or Group and select the new user account.

        The user account appears in the list.

        Log on as a service

      3. Click OK.

      Manage auditing and security log (SeSecurityPrivilege) is a sensitive right: in addition to reading the Security channel, it allows the holder to clear the Security log and to change the audit settings (SACLs) of objects. Grant it only to this dedicated account and do not reuse the account for anything else.

  4. Add the user account to the required groups:

    1. Open the Local Users and Groups console (lusrmgr.msc).

    2. Click Groups and add the user account to these groups:

      Event Log Readers

      This group is required for collecting events from the Security channel.

      Performance Monitor Users

      If you manage the agent from NXLog Platform, also add the user to this group.

      Adding a user to the Event Log Readers group

  5. Edit the permissions of the NXLog Agent folder:

    1. In Windows Explorer, browse to the NXLog Agent installation directory (C:\Program Files\nxlog by default on 64-bit systems), right-click it, and click Properties.

    2. On the Security tab, click Edit and add the user account to the Group or user names list.

    3. Check Allow for the following permissions (checking Modify selects the other four automatically):

      • Modify

      • Read & Execute

      • List Folder Contents

      • Read

      • Write

      nxlog folder permissions

      Modify on the whole installation directory lets the service account rewrite nxlog.exe, the modules, and nxlog.conf, so a compromised agent could replace its own code or configuration. If you want a tighter scope, grant Read & Execute on the installation directory and Modify only on the directories the agent actually writes to, which depend on your configuration (by default the data subdirectory; check the LogFile, CacheDir, and SpoolDir directives), and test that the service still starts.

    4. Click OK.

    5. Click Advanced.

    6. In the Advanced Security Settings for nxlog window, do the following:

      • Click the Enable Inheritance button. If the button already reads Disable Inheritance, inheritance is already enabled; skip this step.

      • Check Replace all child object permission entries with inheritable permission entries from this object.

      Set recursive permissions on the NXLog Agent directory

      Windows can sometimes fail to propagate the folder permissions to all child objects, resulting in the following error during the NXLog Agent service startup:

      Windows could not start the nxlog service on Local Computer.

      Error 1053: The service did not respond to the start or control request in a timely fashion

      If you see this error, repeat this step or set the permissions on the affected child objects manually.

    7. Click OK.

  6. In the Services console (services.msc), right-click the nxlog service and select Restart.

    Restarting the NXLog Agent service

  7. Check the NXLog Agent log file for startup errors.

    A successful startup should look like this:

    nxlog.log
    2024-07-08 11:36:09 INFO [CORE|main] nxlog-6.2.9212 (0330cd3e3@REL_v6.2) started on Windows
    2024-07-08 11:36:09 INFO [CORE|main] ID: 60c79978-3d00-11ef-8000-9568355e9ffd, signed
    2024-07-08 11:36:09 INFO [xm_admin|admin] connecting to agents.tenant.example.com(10.0.0.32):5515
    2024-07-08 11:36:09 INFO [xm_admin|admin] tcp connection established with agents.tenant.example.com(10.0.0.32):5515
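The following PowerShell script is an added example, not code from the NXLog documentation or the NXLog product, that performs the same procedure unattended on one host. It assumes the service is named nxlog, the account is svc-nxlog, the installation directory is %ProgramFiles%\nxlog, and the agent log is data\nxlog.log under it; the Add-UserRight helper is written here for the example and is not an NXLog or Windows API. Two points differ from the click-through steps: the password is generated randomly and discarded, and because the Win32_Service.Change method, unlike the Services console, does not grant the Log on as a service right on its own, the script grants it explicitly with secedit. It also denies interactive logon to the account, which goes beyond the documented steps.

```powershell
# Added example (not part of the NXLog documentation). Run from an elevated
# Windows PowerShell 5.1 session on the host. Assumed names: service 'nxlog',
# account 'svc-nxlog', install dir "$env:ProgramFiles\nxlog", log data\nxlog.log.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$ServiceName       = 'nxlog'
$UserName          = 'svc-nxlog'
$InstallDir        = Join-Path $env:ProgramFiles 'nxlog'
$ManagedByPlatform = $true     # $false if the agent is not managed from NXLog Platform

# Helper (written for this example): grant user rights with secedit, since there is no
# built-in cmdlet for User Rights Assignment. If a GPO manages these rights, this local
# change is overwritten at the next policy refresh; grant them in the GPO instead.
function Add-UserRight {
    param([string]$Sid, [string[]]$Rights)
    $work = Join-Path $env:TEMP ('nxlog-rights-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $work | Out-Null
    $exported = Join-Path $work 'export.inf'
    secedit /export /cfg $exported /areas USER_RIGHTS | Out-Null
    $current = Get-Content $exported
    $pattern = '\*' + [regex]::Escape($Sid) + '(,|\s*$)'
    $entries = foreach ($right in $Rights) {
        $line = $current | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        if ($line -and $line -match $pattern) { continue }        # already granted
        if ($line) { "$line,*$Sid" } else { "$right = *$Sid" }    # append or create
    }
    if ($entries) {
        $import = Join-Path $work 'import.inf'
        @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
          '[Privilege Rights]') + $entries | Set-Content -Path $import -Encoding Unicode
        secedit /configure /db (Join-Path $work 'import.sdb') /cfg $import /areas USER_RIGHTS | Out-Null
    }
    Remove-Item $work -Recurse -Force
}

# 1. Create the account. The password is random and discarded after use: the account
#    only ever authenticates as a service, so no person needs to know it. Re-running the
#    script resets the password, which is fine because the account is dedicated to nxlog.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Description 'NXLog Agent service account' `
        -Password $secure -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
} else {
    Set-LocalUser -Name $UserName -Password $secure
}
$sid = (Get-LocalUser -Name $UserName).SID.Value

# 2. Point the service at the account. Win32_Service.Change does NOT grant
#    "Log on as a service" the way services.msc does, so step 3 is mandatory.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
$r = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = ".\$UserName"; StartPassword = $plain }
if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($r.ReturnValue)" }
$plain = $null

# 3. User rights. SeSecurityPrivilege is "Manage auditing and security log" and also allows
#    clearing the Security log, so this account must not be shared with anything else.
#    SeDenyInteractiveLogonRight is extra hardening beyond the documented steps.
Add-UserRight -Sid $sid -Rights @('SeServiceLogonRight', 'SeSecurityPrivilege',
                                  'SeDenyInteractiveLogonRight')

# 4. Group membership (Event Log Readers for the Security channel; Performance
#    Monitor Users only for agents managed from NXLog Platform).
$groups = @('Event Log Readers')
if ($ManagedByPlatform) { $groups += 'Performance Monitor Users' }
foreach ($g in $groups) {
    if (-not (Get-LocalGroupMember -Group $g -Member $UserName -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $g -Member $UserName
    }
}

# 5. Folder permissions: enable inheritance on the folder, grant Modify inheritable by
#    files and subfolders ((OI)(CI)M), then reset every child to inherited-only ACEs
#    (the "Replace all child object permission entries" checkbox). Modify on the whole
#    tree lets the account rewrite nxlog.exe and nxlog.conf; narrow it to the
#    directories your LogFile/CacheDir/SpoolDir settings use if you can.
icacls $InstallDir /inheritance:e /grant "${UserName}:(OI)(CI)M" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'icacls grant failed' }
icacls "$InstallDir\*" /reset /T /C /Q | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'icacls reset of child objects failed (see error 1053 note above)' }

# 6./7. Restart and check. A start failure here (error 1053) usually means a child object
#    did not receive the new ACL; re-run the reset or fix that object's ACL by hand.
Restart-Service -Name $ServiceName
Start-Sleep -Seconds 5
$logonAs = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartName
"Service '$ServiceName' runs as $logonAs, state $((Get-Service -Name $ServiceName).Status)"
Get-Content (Join-Path $InstallDir 'data\nxlog.log') -Tail 20 |
    Select-String -Pattern 'started on Windows|ERROR|WARNING|access denied'
```

The final lines print the account the service runs as and the last log entries; expect a "started on Windows" line and no WARNING or ERROR. If the log still shows the access denied warnings described below for the Windows Event Log, the problem is channel access rather than the service account itself.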

On some Windows systems, this procedure may still result in one of the following access denied errors when the agent subscribes to a Windows Event Log channel:

WARNING [im_msvistalog|windows] failed to subscribe to msvistalog events,access denied [error code: 5]: Access is denied.

or

WARNING [im_msvistalog|windows] ignoring source as it cannot be subscribed to (error code: 5)

See the Access denied to a Windows Event Log channel troubleshooting section for how to resolve this error.