From 07c6c6a7c5c7b2122e8c209dfe352bf9a96c48a4 Mon Sep 17 00:00:00 2001 From: Krishna Chaitanya Reddy Burri Date: Mon, 4 Dec 2023 20:40:21 +0530 Subject: [PATCH] winlogbeat/docs/getting-started.asciidoc: Document minimum permissions required for local user account (#37176) * Document minimum permissions required for running winlogbeat as local user account (cherry picked from commit 0baba390152f8206a0295459037409537531cfef) --- CHANGELOG.next.asciidoc | 9 ++++++ winlogbeat/docs/getting-started.asciidoc | 35 ++++++++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b8a504e2918..adcf7a3b53d 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -78,6 +78,15 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Packetbeat* +- Add metrics for TCP flags. {issue}36992[36992] {pull}36975[36975] + +*Packetbeat* + + +*Winlogbeat* + +- Make ingest pipeline routing robust to letter case of channel names for forwarded events. {issue}36670[36670] {pull}36899[36899] +- Document minimum permissions required for local user account. {issue}15773[15773] {pull}37176[37176] *Functionbeat* diff --git a/winlogbeat/docs/getting-started.asciidoc b/winlogbeat/docs/getting-started.asciidoc index 3142a1f727c..3aa0d5bb45c 100644 --- a/winlogbeat/docs/getting-started.asciidoc +++ b/winlogbeat/docs/getting-started.asciidoc @@ -57,6 +57,8 @@ NOTE: If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: `PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1`. +NOTE: To use a local non-Administrator account to run Winlogbeat, follow <>. + [float] [[set-connection]] === Step 2: Connect to the {stack} 
@@ -185,6 +187,39 @@ include::{libbeat-dir}/shared/opendashboards.asciidoc[tag=open-dashboards-intro] include::{libbeat-dir}/shared/opendashboards.asciidoc[tag=open-dashboards] +[float] +[[local-user-account-setup]] +=== Using a local non-Administrator account to run Winlogbeat + +By default, the +{beatname_uc}+ service runs as the `Local System` account. +If you want to run the +{beatname_uc}+ service as a local user account +that is not an Administrator, then follow the steps below. The local user account +must be granted `Log on as a service` in the security policy +and be made part of the `Builtin\Event Log Readers` group to read the event log. + +. Open the Services Management console with this command: ++ +[source,shell] +---------------------------------------------------------------------- +PS C:\Program Files\Winlogbeat> services.msc +---------------------------------------------------------------------- ++ +. Right-click on service named +{beatname_lc}+ and select `Properties` +. Under `Log On` tab, select `This account:` and browse for the local account user +that you want to run {beatname_uc} service as. +. Enter local user account's password and click `Apply`. +. Search and open `Local Group Policy Editor` in Windows search or +run `gpedit.msc` from Powershell. +. Navigate to path: `Computer Settings → Security Settings → Local Policies` +and open `User Rights Assignment` under it. +. Inside `User Rights Assignment`, add your local user account to the policy named +`Log on as a service`. This should allow your local user account log on as a service. +. Open `Local Users and Group Manager` by running `lusrmgr.msc` in Powershell. +. Under `Users`, right-click on your local account user and open `Properties`. +. Select `Member of` tab and click on `Add...` +. Find and select the group named `Event Log Readers` and click `Apply`. +This should allow your local account user to read the event log. + [float] === What's next?
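Review bot: In the CHANGELOG.next.asciidoc hunk the added block introduces a second `*Packetbeat*` heading directly after the existing one, and the two entries above the `*Winlogbeat*` heading (`- Add metrics for TCP flags. {issue}36992[36992] {pull}36975[36975]` and `- Make ingest pipeline routing robust to letter case of channel names for forwarded events. {issue}36670[36670] {pull}36899[36899]`) belong to other changes, not to this PR; this looks like cherry-pick residue from the backport. Drop the duplicate `*Packetbeat*` heading and the unrelated entries so the hunk adds only `- Document minimum permissions required for local user account. {issue}15773[15773] {pull}37176[37176]` under `*Winlogbeat*`.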
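Review bot: In the first getting-started.asciidoc hunk (the one after the execution-policy NOTE) the cross-reference in `+NOTE: To use a local non-Administrator account to run Winlogbeat, follow <>.` is empty as rendered here, so the link target should be confirmed: it should point at the `[[local-user-account-setup]]` anchor that the later hunk adds (an AsciiDoc `<<local-user-account-setup>>` xref), otherwise the note renders without a working link. Consider also using `+{beatname_uc}+` rather than the literal `Winlogbeat` to match the attribute style used in the rest of the section.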
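Review bot: In the second getting-started.asciidoc hunk (the new "Using a local non-Administrator account to run Winlogbeat" section) the Local Group Policy Editor path `Computer Settings → Security Settings → Local Policies` does not match the console's tree, which is `Computer Configuration → Windows Settings → Security Settings → Local Policies`; a reader following the text literally will not find the node. A few smaller points in the same hunk: the snap-in opened by `lusrmgr.msc` is titled `Local Users and Groups`, not `Local Users and Group Manager`; `Powershell` should be spelled `PowerShell` in both steps that mention it; the sentence `This should allow your local user account log on as a service.` is missing "to"; the `[source,shell]` block shows a PowerShell prompt, so `[source,powershell]` (if the docs build supports it) or a plain `services.msc` line would be more accurate, since the command does not depend on the current directory. Since the section is titled as the minimum permissions, it would also help to end with a verification step, for example restarting the `+{beatname_lc}+` service after the Log On change and confirming it starts and ships events under the new account, so that a reader can tell whether `Log on as a service` and `Event Log Readers` membership were applied correctly.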