Our security team is installing a log management appliance that needs access to domain controller event logs. We have Windows Server 2008 R2 DCs. The appliance is able to retrieve event logs from the DCs if the appliance authenticates with domain administrator credentials.
I'd like to use a more restricted, non-administrator service account for log collection, though. I've created a service account and have given it the following permissions/rights:
1. Added it to the domain built-in security group Event Log Readers.
2. Granted it the Manage auditing and security log user right assignment in the Default Domain Controllers GPO.
3. Granted it the Generate security audits user right assignment in the Default Domain Controllers GPO.
Even with these three changes, the appliance is not able to connect to a DC to retrieve events. Can you provide some guidance?
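
One way to confirm on a DC that the three changes listed above are actually in effect, as an added example that is not part of the original post. The account name `svc-logcollector` is a placeholder, and the script assumes the ActiveDirectory module and an elevated session on the domain controller.

```powershell
# Added example. 'svc-logcollector' is a placeholder, not an account from the post.
Import-Module ActiveDirectory
$account = 'svc-logcollector'
$sid     = (Get-ADUser -Identity $account).SID.Value

# 1. Membership in the built-in Event Log Readers group (nested groups included).
$inGroup = @(Get-ADGroupMember -Identity 'Event Log Readers' -Recursive |
    Where-Object { $_.SID.Value -eq $sid }).Count -gt 0

# 2 and 3. User rights as applied on this DC, exported from the local policy.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        # Entries are comma separated; SIDs are written with a leading '*'.
        $rights[$matches[1]] = $matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg

# True only when the account is listed directly (by SID or name).
# A right granted through a group shows up as that group's SID instead.
function Test-Right($name) {
    $holders = @($rights[$name])
    ($holders -contains $sid) -or ($holders -contains $account)
}

# Access control (SDDL) on the Security log channel, for reference.
# S-1-5-32-573 is the well-known SID of BUILTIN\Event Log Readers.
$channel = wevtutil gl Security | Select-String 'channelAccess'

New-Object PSObject -Property @{
    Account                  = $account
    InEventLogReaders        = $inGroup
    # "Manage auditing and security log"
    SeSecurityPrivilege      = Test-Right 'SeSecurityPrivilege'
    # "Generate security audits"
    SeAuditPrivilege         = Test-Right 'SeAuditPrivilege'
    ReadersSidInSecurityAcl  = ("$channel" -match 'S-1-5-32-573')
    SecurityLogChannelAccess = "$channel".Trim()
} | Format-List
```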