Using UNC Paths with WinSyslog, EventReporter and MonitorWare Agent
This article explains how to configure WinSyslog, EventReporter, and MonitorWare Agent to write log files to network shares using UNC (Universal Naming Convention) paths.
Question: Does UNC path support work in WinSyslog, EventReporter and MonitorWare Agent?
Answer: Yes, UNC paths are supported, but they require additional configuration because these products run as Windows services under the Local System account by default.
The Challenge
WinSyslog, EventReporter, and MonitorWare Agent are installed to run as Windows services under the Local System account. For security reasons, Windows restricts this account from accessing network resources. Therefore, UNC paths like \\servername\sharename\path will not work in the default configuration.
Solution: Configure a Service Account
To enable UNC path support, you need to configure the service to run under a domain or local account that has network access permissions. Follow these steps:
Step 1: Create or Select a Service Account
Create a dedicated Windows account (local or domain) that will be used to run the service. This account should:
- Have read/write permissions to the UNC share where you want to write log files
- Have sufficient permissions for any local operations the service needs to perform
- Have a password that does not expire (or ensure the password is regularly updated)
Step 2: Grant Log On as a Service Right
The service account must have the “Log on as a service” privilege. To grant this:
- Open the Local Security Policy editor (secpol.msc) or Group Policy Management
- Navigate to: Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment
- Find and double-click “Log on as a service”
- Click “Add User or Group” and add your service account
- Click “OK” to save
Step 3: Grant Network Share Permissions
Ensure the service account has appropriate permissions on the target UNC share:
- Navigate to the network share where logs will be written
- Right-click the folder and select “Properties”
- Go to the “Security” tab
- Add your service account with “Modify” or “Full Control” permissions
Step 4: Configure the Service
Change the service to run under the new account:
- Open Windows Services Manager (services.msc)
- Locate the service (WinSyslog Service, EventReporter Service, or MonitorWare Agent Service)
- Right-click and select “Properties”
- Go to the “Log On” tab
- Select “This account”
- Enter the service account username and password
- Click “OK” and restart the service
Step 5: Update Configuration
Now you can configure your “Write to File” action to use a UNC path, for example:
\\servername\logs\winsyslog\application.log
Important Notes
- Password Management: If the service account password expires or changes, you must update it in the service properties. Consider using a managed service account or setting the password to never expire.
- Network Connectivity: Ensure the server running the service can reach the UNC share over the network.
- Permissions: Verify the service account has all necessary permissions before starting the service.
- Testing: Test UNC access manually using the service account credentials before configuring the service.
- Security: Use a dedicated service account with minimal required permissions (principle of least privilege).
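The following PowerShell script is an added example, not part of the original article or the vendor's tooling. It performs the manual test recommended above (a write to the share using the service account credentials) and only then applies Step 4. The service short name, the account EXAMPLE\svc-logwriter and the drive name LogProbe are placeholders chosen for illustration.

```powershell
# Added example: the values below are placeholders, not taken from the article.
$ServiceName = '<service-short-name>'   # short name; look it up with Get-Service
$Account     = 'EXAMPLE\svc-logwriter'  # hypothetical dedicated account (Step 1)
$Share       = '\\servername\logs'      # share from the article's sample path
$SubDir      = 'winsyslog'              # folder below the share

# Report the current logon account (the default is Local System).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
'{0} currently runs as {1}' -f $svc.DisplayName, $svc.StartName

# Prompt for the password so it never lands in the script or shell history.
$cred = Get-Credential -UserName $Account -Message 'Service account password'

# Pre-flight: connect to the share as the service account and prove that it
# can create and delete a file in the target folder (Step 3 permissions).
New-PSDrive -Name LogProbe -PSProvider FileSystem -Root $Share `
    -Credential $cred -ErrorAction Stop | Out-Null
try {
    $probe = Join-Path "LogProbe:\$SubDir" ('probe-{0}.tmp' -f [guid]::NewGuid())
    Set-Content -Path $probe -Value 'write test' -ErrorAction Stop
    Remove-Item -Path $probe -ErrorAction Stop
    'Write test passed.'
}
finally {
    Remove-PSDrive -Name LogProbe
}

# Step 4: switch the logon account only after the test succeeded. This call
# does not grant "Log on as a service"; Step 2 must already be done.
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $cred.UserName
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) { throw "Change returned $($result.ReturnValue)." }
Restart-Service -Name $ServiceName

# Confirm the account the service is now configured to use.
(Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartName
```

Run it from an elevated PowerShell session on the machine that hosts the service. If the write test fails, the script stops before the service configuration is touched.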
Alternative: Use Local Path with Network Drive Mapping
If UNC paths cause issues, you can map a network drive and use the mapped drive letter in your configuration. However, mapped drives are user-specific and can be unreliable in service contexts, so using a service account with UNC paths is the recommended approach.
Troubleshooting
If you encounter issues:
- Check the Event Viewer for service-related errors
- Verify the service account password is correct and has not expired
- Test UNC access using Windows Explorer while logged in as the service account
- Ensure firewall rules allow access to the UNC share
- Check that the share is accessible and not restricted by network policies
