
We are trying to implement some data logging to CSV files using a Data Collector Set in PerfMon (on a Windows Server 2008 R2 system).

The issue we are running into is that we (seemingly) can't control the permissions being set on the log files created by perfmon.

What we want is for the log files created by perfmon to have Everyone:F permissions (Full Control for Everyone). So, we have a directory structure set up where all logs go into a folder:

c:\vms\PerfMonLogs\%MACHINENAME% (e.g. c:\vms\PerfMonLogs\EvaluationG2)

In the above example, c:\vms\PerfMonLogs\EvaluationG2 has permissions Everyone:F (below is the icacls for this directory)

EVALUATIONG2/ Everyone:(OI)(CI)(F)
              NT AUTHORITY\SYSTEM:(OI)(CI)(F)
              BUILTIN\Administrators:(OI)(CI)(F)
              BUILTIN\Performance Log Users:(OI)(R)

When the data collector set runs, it creates new sub folders and files within c:\vms\PerfMonLogs\EvaluationG2, e.g. (C:\vms\PerfMonLogs\EVALUATIONG2\M11d26y2012N3)

Each of these directories and files has the following permissions:

M11d26y2012N3 NT AUTHORITY\SYSTEM:(OI)(CI)(F)
              BUILTIN\Administrators:(OI)(CI)(F)
              BUILTIN\Performance Log Users:(OI)(R)

So these new folders are not simply inheriting permissions from the parent folder (don't know why).

Now, we tried adding Everyone:F using the security tab on the collector set (No dice).

Any ideas? How do we control the permissions on the log files generated by perfmon data collector set?

Brent Pabst
SvrGuy

1 Answer


Data Collector Sets can contain sensitive information about the computer, so access to them typically requires the user at least be a member of the Performance Log Users group. I don't believe you can make a DCS with automatically modified permissions (Everyone FullControl) like you're talking about.

How's this for a workaround:

Run this PS script as a Scheduled Task:

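# Directory whose ACL is read, extended and then applied to everything beneath it
$Path = "C:\PerfLogs\Admin\New Data Collector Set"
# Read only the access (DACL) section of the directory's security descriptor
$ACL  = (Get-Item $Path).GetAccessControl("Access")
# Allow ACE for Everyone with Full Control, inherited by subfolders and files
$ACE  = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$ACL.AddAccessRule($ACE)
# Apply the modified ACL to every file and folder under $Path
ForEach ($Item In Get-ChildItem $Path -Recurse)
{
    Set-Acl -AclObject $ACL -Path $Item.FullName
}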

I tested this on Windows 7 with PS 2.0 (same as 2008R2) and confirmed that it does place an "Everyone Full Control" ACE on every object recursively under the directory defined in the $Path variable.

edit: At first I thought to use the Task tab in the Properties page of the DCS, "Run this scheduled task when the data collector set stops," but that is not for Scheduled Tasks, but rather WMI tasks.

edit #2: Alright, this is getting pretty crazy, but you could create a new Scheduled Task, and its trigger will be to start "On an event." Then click Custom, and click "New Event Filter." Then manually edit the XML filter:

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
    <Select Path="Microsoft-Windows-TaskScheduler/Operational">
        *[System[TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]
         and
        *[System[(EventID='102')]]
         and
        *[EventData[Data and (Data='YOUR DATA COLLECTOR SET NAME')]] 
    </Select>
  </Query>
</QueryList>

Now you will have created a scheduled task that will fire when your Data Collector Set finishes running, and it will modify the ACLs of the directory structure recursively to "Everyone Full Control."

Ryan Ries
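An additive variant of the workaround above, as an added example that is not part of the original answer: it goes beyond the answer's case by granting read access to one named group instead of Everyone Full Control, since the answer notes that Data Collector Sets can contain sensitive information, and it keeps each item's existing ACEs while reporting whether inheritance is blocked. The function name `Add-PerfLogAce`, its parameters and the group `CONTOSO\PerfLogReaders` are assumptions; the default path is the folder from the question.

```powershell
# Added example (not from the answer). Run elevated, e.g. from the scheduled task.
function Add-PerfLogAce {
    param(
        [string]$Root     = 'C:\vms\PerfMonLogs\EvaluationG2',  # folder from the question
        [string]$Identity = 'CONTOSO\PerfLogReaders',           # hypothetical group (assumption)
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute',
        [switch]$ReportOnly                                     # audit without changing ACLs
    )

    # Compare by SID so differences in how account names are written do not matter.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate($sidType)

    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName

        # Look for an existing Allow ACE (explicit or inherited) that covers $Rights.
        $hasAce = $false
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.IdentityReference.Value -eq $sid.Value -and
                $rule.AccessControlType -eq 'Allow' -and
                ($rule.FileSystemRights -band $Rights) -eq $Rights) { $hasAce = $true }
        }

        $changed = $false
        if (-not $hasAce -and -not $ReportOnly) {
            # Inheritance flags are only valid on containers; files must use 'None'.
            $inherit = if ($item.PSIsContainer) { 'ContainerInherit,ObjectInherit' } else { 'None' }
            $ace = New-Object System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList $sid, $Rights, $inherit, 'None', 'Allow'
            $acl.AddAccessRule($ace)   # additive: the item's existing ACEs stay in place
            Set-Acl -Path $item.FullName -AclObject $acl
            $changed = $true
        }

        # One result row per file or folder.
        New-Object PSObject -Property @{
            Path               = $item.FullName
            InheritanceBlocked = $acl.AreAccessRulesProtected
            HadAce             = $hasAce
            Changed            = $changed
        }
    }
}
```

Running `Add-PerfLogAce -ReportOnly` first lists which folders lack the ACE and which have inheritance blocked, without modifying anything.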