[Winlogbeat] Document minimum permissions for Windows service user #15773

Closed
jguay opened this issue Jan 23, 2020 · 5 comments · Fixed by #37176

Comments

@jguay
Contributor

jguay commented Jan 23, 2020

Describe the enhancement:
At the moment, we document installing Winlogbeat as a service running under the Local System account.

However, there is no documentation on which permissions to grant an account with minimum privileges, or on whether changing the account for the service is supported at all.

Describe a specific use case for the enhancement or feature:
From a quick test on Windows 2016, I needed to add the “Manage auditing and security log” + “Logon as a service” permissions for the service to start correctly with a user that is not an administrator.

@johncollaros
This issue would seem pertinent to other beats such as metricbeat.
Our organisation is applying a least-privilege model to secure our systems, and running as the Local System account won't be possible. How can we find out which permissions are needed?

@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@andrewkroh changed the title from “[winlogbeat] Document minimum permissions for windows service user” to “[Winlogbeat] Document minimum permissions for Windows service user” on Feb 11, 2021
@andrewkroh
Member

I think the minimum permission is membership in BUILTIN\Event Log Readers. That will need to be tested before updating the docs. It is possible to modify the permissions of logs by changing their security descriptors using SDDL, so if someone has done that, the default Event Log Readers group may no longer be sufficient for access.

@JumpyWizard404

Hey guys, if anyone is looking for information on this, I managed to start the service after granting the account the following:

  • “Manage auditing and security log” + “Logon as a service” via local GPO setting
  • Full Control under two Windows locations: "C:\Program Files\Winlogbeat" and "C:\ProgramData\Winlogbeat"
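
The thread names three ingredients for running the service as a non-administrator: membership in BUILTIN\Event Log Readers (andrewkroh's comment), the “Manage auditing and security log” and “Log on as a service” user rights (jguay's and JumpyWizard404's comments), and write access to the install and data directories. The following audit script is an added example and is not part of the Winlogbeat project or the original comments; it reports, for a given service account, whether each of those items is in place so the result can be compared against the least-privilege baseline before the service is switched away from Local System. The account name `svc-winlogbeat` is an assumed placeholder, and the two paths are the ones quoted in the thread.

```powershell
# Added example (not Winlogbeat project code): read-only audit of the
# least-privilege configuration for a Winlogbeat service account described in
# issue #15773. The account name is an assumed placeholder; the directory paths
# are the ones quoted in the thread. Must run elevated (secedit needs it).
#Requires -RunAsAdministrator
param(
    [string]$Account = "$env:COMPUTERNAME\svc-winlogbeat",   # assumed service account
    [string[]]$Paths = @("C:\Program Files\Winlogbeat", "C:\ProgramData\Winlogbeat")
)

$results = @()

# 1. Group membership: Event Log Readers grants read access to logs that still
#    carry their default security descriptors (see the SDDL caveat above).
$members = Get-LocalGroupMember -Group "Event Log Readers" -ErrorAction SilentlyContinue
$inGroup = $null -ne ($members | Where-Object { $_.Name -ieq $Account })
$results += [pscustomobject]@{ Check = "Member of Event Log Readers"; Pass = $inGroup }

# 2. User rights assignment: export the local security policy with secedit and
#    look for the account's SID in the two privileges named in the thread.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP "secpol-audit.inf"
secedit /export /cfg $cfg /quiet | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg -ErrorAction SilentlyContinue

$rights = @{
    "SeSecurityPrivilege" = "Manage auditing and security log"
    "SeServiceLogonRight" = "Log on as a service"
}
foreach ($right in $rights.Keys) {
    # Policy lines look like: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...
    # The line is absent when nobody holds the right; SIDs are prefixed with '*'.
    $line = $policy | Where-Object { $_ -like "$right*" }
    $holders = @()
    if ($line) {
        $holders = ($line -split "[=,]" | Select-Object -Skip 1 |
                    ForEach-Object { $_.Trim().TrimStart('*') })
    }
    $results += [pscustomobject]@{ Check = $rights[$right]; Pass = ($holders -contains $sid) }
}

# 3. NTFS access on the install and data directories. The thread reports Full
#    Control; this check accepts any Allow ACE containing the Modify bits, which
#    is the smaller grant that still lets the service write its registry/data.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
foreach ($p in $Paths) {
    $ok = $false
    if (Test-Path $p) {
        $acl = Get-Acl $p
        $ok = $null -ne ($acl.Access | Where-Object {
            $_.IdentityReference.Value -ieq $Account -and
            $_.AccessControlType -eq "Allow" -and
            (($_.FileSystemRights -band $modify) -eq $modify)
        })
    }
    $results += [pscustomobject]@{ Check = "Write access to $p"; Pass = $ok }
}

$results | Format-Table -AutoSize
```

Two caveats on reading the output: the user-rights check matches the account's own SID only, so a right granted through a group the account belongs to shows as a failure even though Windows would honour it; and, as noted above, channels whose security descriptors have been changed with SDDL may require more than Event Log Readers membership, which this script cannot see without inspecting each channel's `ChannelAccess` string.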

@botelastic

botelastic bot commented Dec 21, 2022

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:
Thank you for your contribution!

8 participants