
Event ID: 4004 Source: CitrixHealthMon

Description
The file C:\Program Files\Citrix\HealthMon\Tests\Citrix\RequestTicket.exe does not have the correct permissions. In SDDL the expected ACL was O:BAD:AI(AID0x1200a9LS)(AIDFABA). The actual ACL was O:BAD:AI(AFABA)(AIDFABA)(AIDFASY)(AID0x1200a9BU)(AID0x1200a9LS)(AIDFRNS). For reference the files placed in the test folder should have inheritable permissions turned on which will result in the file have full control access for the Administrators group Read and Execute access for the Local Service user account and the owner will be the Administrators group.
Comments
 
File can be:
C:\Program Files\Citrix\HealthMon\Tests\Citrix\RequestTicket.exe
C:\Program Files\Citrix\HealthMon\Tests\Citrix\CheckTermSrv.exe
C:\Program Files\Citrix\HealthMon\Tests\Citrix\LogonMonitor.dll
C:\Program Files\Citrix\HealthMon\Tests\Citrix\IMATest.exe

CTX115682 was not the solution in my case as the owner was already local admin group.

The problem is to set the permissions to the correct order Citrix requires. The GUI cannot do that; it reorders the permissions.

First make sure the owner of the Tests\Citrix directory is set to the local administrator group.
Open a command prompt and navigate to C:\Program Files\Citrix\HealthMon\Tests.

Run these commands:

icacls citrix /remove "NT AUTHORITY\LOCAL SERVICE"
icacls citrix /remove "BUILTIN\Administrators"
cacls citrix /G "NT AUTHORITY\LOCAL SERVICE":R
cacls citrix /E /G "BUILTIN\Administrators":F

Restart the Citrix Health Monitoring and Recovery service and check the event log. Do not touch the permissions on this directory or the files within it, otherwise you have to rerun the commands above.
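
An added example (not part of the comment above and not Citrix code): a Python check that parses the expected and actual SDDL strings from a 4004 event and reports owner, extra ACEs and ACE order. The `;` field separators in the sample strings are an assumption (standard SDDL syntax; the event text above shows none), and `parse_sddl` and `compare` are hypothetical names.

```python
import re
from collections import namedtuple

# One ACE in SDDL: (type;flags;rights;object_guid;inherit_object_guid;trustee)
Ace = namedtuple("Ace", "kind flags rights object_guid inherit_guid trustee")

# Constructed sample input: the two ACLs quoted in the event description,
# written with standard SDDL ';' separators (assumption, see lead-in).
EXPECTED = "O:BAD:AI(A;ID;0x1200a9;;;LS)(A;ID;FA;;;BA)"
ACTUAL = ("O:BAD:AI(A;;FA;;;BA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)"
          "(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;LS)(A;ID;FR;;;NS)")

SDDL_RE = re.compile(
    r"O:(?P<owner>[A-Z]{2}|S-[\d-]+)"      # owner: alias (BA) or raw SID
    r"(?:G:(?:[A-Z]{2}|S-[\d-]+))?"        # optional primary group
    r"D:(?P<flags>[A-Z]*)"                 # DACL flags, e.g. AI
    r"(?P<aces>(?:\([^()]*\))*)"           # ACEs, in evaluation order
)

def parse_sddl(sddl):
    """Return (owner, dacl_flags, [Ace, ...]) keeping the ACE order."""
    m = SDDL_RE.fullmatch(sddl.strip())
    if m is None:
        raise ValueError("unsupported or malformed SDDL: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m["aces"]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE needs 6 fields: %r" % body)
        aces.append(Ace(*fields))
    return m["owner"], m["flags"], aces

def compare(expected, actual):
    """Compare two SDDL strings the way the health monitor message does."""
    exp_owner, _, exp = parse_sddl(expected)
    act_owner, _, act = parse_sddl(actual)
    return {
        "owner_ok": exp_owner == act_owner,
        "unexpected": [a for a in act if a not in exp],  # ACEs to remove
        "missing": [a for a in exp if a not in act],     # ACEs to add
        # Same ACEs can still fail the check if their sequence differs.
        "order_ok": [a for a in act if a in exp] == exp,
    }

if __name__ == "__main__":
    result = compare(EXPECTED, ACTUAL)
    print("owner ok:", result["owner_ok"], "| order ok:", result["order_ok"])
    for ace in result["unexpected"]:
        print("unexpected ACE for", ace.trustee, "flags=%r" % ace.flags)
```

On the sample strings the owner matches and no expected ACE is missing, but four extra ACEs are present and the two expected ACEs appear in the opposite order.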
