winlogbeat/docs/getting-started.asciidoc: Document minimum permissions required for local user account #37176

Merged
merged 12 commits into from
Dec 4, 2023
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
@@ -254,6 +254,7 @@ Setting environmental variable ELASTIC_NETINFO:false in Elastic Agent pod will d
*Winlogbeat*

- Make ingest pipeline routing robust to letter case of channel names for forwarded events. {issue}36670[36670] {pull}36899[36899]
- Document minimum permissions required for local user account. {issue}15773[15773] {pull}37176[37176]

*Functionbeat*

20 changes: 20 additions & 0 deletions winlogbeat/docs/getting-started.asciidoc
@@ -150,6 +150,26 @@ Before starting {beatname_uc}, modify the user credentials in
+{beatname_lc}.yml+ and specify a user who is
<<privileges-to-publish-events,authorized to publish events>>.
Member:
Either use {beatname_uc} or {beatname_lc} instead of "Winlogbeat" and "winlogbeat" respectively.

kcreddy (Contributor Author), Nov 23, 2023:
@andrewkroh I updated them. But in the PR, I don't see them getting transformed into "Winlogbeat" and "winlogbeat". Is that applied during the CI?

By default, the `winlogbeat` service runs as `Local System` account. If you want to run `winlogbeat` service as a local user account which is not an Administrator, follow the below steps. By following these steps, your local user account will be granted `Log on as a service` security policy and made part of group `Event Log Readers` to read the event log. (You can skip these steps if you want to continue running Winlogbeat as an Administrator.)

. Open the Services Management console in Windows, if not already open by running this command:
[source,shell]
----------------------------------------------------------------------
PS C:\Program Files\Winlogbeat> services.msc
----------------------------------------------------------------------
. Right-click on service named `winlogbeat` and select `Properties`
. Under `Log On` tab, select `This account:` and browse for your local account user that you want to run `winlogbeat` service.
. Enter local user account's password and click `Apply`.
. Search and open `Local Group Policy Editor` in Windows search or run `gpedit.msc` from Powershell.
. Navigate to path: `Computer Settings -> Security Settings -> Local Policies` and open `User Rights Assignment` under it.
. Inside `User Rights Assignment`, add your local user account to the policy named `Log on as a service`. This should allow your local user account log on as a service.
. Open `Local Users and Group Manager` by running `lusrmgr.msc` in Powershell.
. Under `Users`, right-click on your local account user and open `Properties`.
. Select `Member of` tab and click on `Add..`
. Find and select the group named `Event Log Readers` and click `Apply`. This should allow your local account user to read the event log.

NOTE: A force apply maybe required to apply the policy selected from `Local Group Policy Editor`. Run `gpupdate /force` from Powershell if you are having trouble starting up the `winlogbeat` service in next step.

To start the {beatname_uc} service, run:

// tag::start-step[]
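Review bot: The Group Policy path in the `User Rights Assignment` step does not match the node names shown in the Local Group Policy Editor, where that node sits under `Computer Configuration -> Windows Settings -> Security Settings -> Local Policies`; please replace `Computer Settings -> Security Settings -> Local Policies` with that path so readers can follow it literally. Smaller fixes in the same hunk: "This should allow your local user account log on as a service" is missing "to"; the console opened by `lusrmgr.msc` is titled `Local Users and Groups`, not `Local Users and Group Manager`; the button label `Add..` should be `Add...`; and in the NOTE, "A force apply maybe required" should read "may be required". The product name is spelled `Powershell` in three places and should be `PowerShell` throughout, and since the `services.msc` snippet is shown at a `PS C:\...>` prompt, `[source,powershell]` describes it better than `[source,shell]`. Finally, the first step's wording "Open the Services Management console in Windows, if not already open by running this command:" attaches the "if not already open" clause to the command; "If the Services console is not already open, open it by running this command:" is clearer.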