Windows Security logs are one of the most valuable data sources for security monitoring because they contain authentication attempts, privilege changes, account management events, logon failures, and many other audit records that security teams rely on for threat detection.
When the Wazuh agent cannot access these logs, one of the most common problems administrators encounter is an “Access is denied” error.
Unlike the System or Application event logs, the Windows Security log is heavily protected by the operating system.
Microsoft intentionally restricts access because the log contains sensitive information about user accounts, authentication activity, privilege escalation, and system auditing.
If the Wazuh agent lacks the required permissions, Windows blocks access before any events can be collected.
As a result, the Wazuh manager may appear healthy, Windows Event Viewer may display Security events normally, yet the Wazuh dashboard remains missing login events, failed authentication attempts, privilege changes, or other critical audit records.
This can create dangerous monitoring blind spots that reduce your organization’s visibility into security incidents.
Some of the most common symptoms include:
- Security events never appearing in Wazuh
- The Wazuh agent log repeatedly displaying “Access is denied”
- Missing authentication, logon, audit policy, and privilege escalation events
- Windows Event Viewer successfully displaying Security logs while Wazuh fails to collect them
- Compliance dashboards showing incomplete audit information
Fortunately, these issues are almost always caused by permission or configuration problems that can be identified and corrected.
In this guide, you’ll learn exactly why Wazuh encounters Access Denied errors when collecting Windows Security logs, how Windows protects these logs, how to identify the underlying cause, and the step-by-step solutions to restore Security event collection. You’ll also learn best practices to prevent the problem from occurring again in future deployments.
Understanding Why Wazuh Gets Access Denied on Windows
Before fixing the problem, it’s important to understand how Windows event logging works and why the Security log is treated differently from other log channels.
How Wazuh Collects Windows Event Logs
On Windows systems, the Wazuh agent continuously monitors configured Event Log channels and forwards matching events to the Wazuh manager for analysis.
The process relies on the Windows EventChannel API (Windows Event Log API), which provides a supported interface for applications to subscribe to event streams without directly reading the underlying log files.
The collection workflow generally looks like this:
- Wazuh starts the Logcollector component.
- Logcollector connects to the Windows Event Log service.
- It subscribes to configured channels such as:
- Security
- System
- Application
- Microsoft-Windows-* operational logs
- Windows validates whether the calling process has permission to access the requested channel.
- Authorized events are streamed to the Wazuh agent and forwarded to the manager.
Because Wazuh relies entirely on Windows APIs, it cannot bypass Windows security restrictions.
If Windows refuses access, Wazuh cannot collect the events regardless of its own configuration.
Microsoft’s official Event Log documentation explains that applications must use the Event Log service and appropriate security permissions when subscribing to protected channels.
Why Security Logs Are Protected
The Security event log is significantly more restricted than other Windows logs because it contains information that could expose sensitive security operations.
Examples include:
- Successful and failed logon events
- Kerberos authentication
- NTLM authentication
- Privilege escalation
- User account creation
- Password changes
- Group membership modifications
- Audit policy changes
- Object access auditing
If ordinary applications could freely read these events, attackers could gather valuable intelligence about authentication activity, privileged accounts, or security controls.
Windows therefore enforces a strict security model that limits access to trusted system processes and highly privileged service accounts.
This design aligns with Microsoft’s implementation of the principle of least privilege, where applications receive only the permissions necessary to perform their intended function.
Security-sensitive resources require explicit authorization before access is granted.
Microsoft’s Windows security architecture documentation provides additional details on protected event logs and service permissions.
Typical Error Messages
When permissions are insufficient, Wazuh may generate different error messages depending on the Windows version and the API call that failed.
Common examples include:
Access is denied.Error 5: Access is denied.Cannot subscribe to Security channel.Failed to read event log.WinEvt API returned access denied.You may also notice entries in:
ossec.logwazuh-agent.log- Windows Service logs
The wording varies slightly across Windows releases, but they all indicate that Windows denied the Wazuh agent permission to read the Security channel.
If you’re experiencing broader Windows log collection problems beyond Security events, see How to Monitor Windows Event Logs Using Wazuh for a complete overview of Windows event collection architecture.
Common Causes of Wazuh Agent Access Denied Errors
Most Access Denied errors originate from one of only a handful of configuration problems.
Identifying the correct cause early can dramatically reduce troubleshooting time.
Wazuh Agent Service Running Without Administrative Privileges
The most common cause is that the Wazuh Agent Windows service is not running with sufficient privileges.
Although the agent itself may be installed correctly, Windows evaluates the permissions of the service account that is currently executing the Wazuh processes.
If the service runs under a restricted account, Windows prevents it from subscribing to the Security log, even if the account belongs to a user with elevated permissions.
This often occurs after:
- Manual service modifications
- Group Policy changes
- Security hardening
- Endpoint management software changes
- Migration from older Wazuh versions
How to Verify the Service Account
You can quickly verify the account used by the Wazuh Agent service:
- Open Services (services.msc).
- Locate Wazuh Agent.
- Right-click the service and select Properties.
- Open the Log On tab.
- Review the account configured to run the service.
PowerShell can also display the configured account:
Get-CimInstance Win32_Service |
Where-Object {$_.Name -eq "WazuhSvc"} |
Select Name, StartNameIf the service is using a custom account, verify that the account has the necessary permissions to access protected Windows event channels.
Why LocalSystem Is Normally Required
In most Wazuh deployments, the recommended service account is LocalSystem.
LocalSystem has the privileges required to:
- Read protected Security logs
- Access Windows Event Log APIs
- Monitor operating system resources
- Collect security auditing information
- Interact with protected Windows services
Running under LocalSystem also aligns with the official Wazuh installation defaults, reducing compatibility issues after upgrades or configuration changes.
The official Wazuh documentation recommends retaining the default service configuration unless there is a specific operational requirement to change it.
How Incorrect Service Accounts Cause Failures
Organizations sometimes replace the default LocalSystem account with:
- Local User accounts
- Domain Users
- Service accounts
- Managed service accounts (gMSA)
- Restricted security principals
While these changes may satisfy internal security policies, they frequently remove the permissions required to access the Security event channel.
The result is a partially functioning Wazuh agent that can successfully collect:
- Application logs
- System logs
- Custom logs
while consistently failing to collect Security events.
If you’ve recently modified the agent configuration or upgraded the endpoint, you may also want to review How to Upgrade a Wazuh Agent and How to Fix ossec.conf Syntax Errors in Wazuh Agents to rule out related deployment or configuration issues.

Be First to Comment