Hi,
I am trying to install winlogbeat and run it as a user who is not an Administrator.
Saw a link - request for enhancement ([Winlogbeat] Document minimum permissions for Windows service user · Issue #15773 · elastic/beats · GitHub)
I have
- provided full access to the folder structure for the user
- added the user to “Manage auditing and security log”
- added the user to “Log on as a service” permissions for the service to start correctly
- added the user to BUILTIN\Event Log Readers
Still not able to start the service and see this error in the log.
{"log.level":"info","@timestamp":"2023-09-08T16:04:35.070-0400","log.origin":{"file.name":"instance/beat.go","file.line":426},"message":"winlogbeat stopped.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-09-08T16:04:35.078-0400","log.origin":{"file.name":"instance/beat.go","file.line":1274},"message":"Exiting: unable to try a lock of the data path: open C:\ProgramData\winlogbeat\winlogbeat.lock: Access is denied.","service.name":"winlogbeat","ecs.version":"1.6.0"}
I don't see any winlogbeat.lock file. It says it doesn't have access, but the user has full access on the folder structure.
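A way to verify each of the four settings listed in the post against the data path named in the error, as an added example that is not part of the original post or of the Beats project. The account name is a placeholder, the service name `winlogbeat` is assumed to be the default, and the script is meant to be run from an elevated PowerShell prompt:

```powershell
# Added diagnostic example. $Account is a placeholder; $DataPath is the
# directory from the "Access is denied" log line in the post.
$Account  = 'DOMAIN\svc-winlogbeat'          # placeholder service user
$DataPath = 'C:\ProgramData\winlogbeat'

# 1. Confirm which account the service is actually configured to run as.
Get-CimInstance Win32_Service -Filter "Name='winlogbeat'" |
    Select-Object Name, StartName, State

# 2. List the ACL entries on the data path (not the install folder).
#    Check for an Allow entry covering $Account and for any Deny entries.
if (Test-Path -LiteralPath $DataPath) {
    (Get-Acl -LiteralPath $DataPath).Access |
        Select-Object IdentityReference, FileSystemRights,
                      AccessControlType, IsInherited, InheritanceFlags |
        Format-Table -AutoSize
} else {
    Write-Warning "$DataPath does not exist; the service account must be able to create it."
}

# 3. Membership of the built-in Event Log Readers group.
Get-LocalGroupMember -Group 'Event Log Readers' |
    Select-Object Name, ObjectClass

# 4. User rights: "Log on as a service" is SeServiceLogonRight and
#    "Manage auditing and security log" is SeSecurityPrivilege.
#    Only direct grants to the account's SID are matched here; a right
#    granted through a group shows up under the group's SID instead.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$sidPattern = '\*' + [regex]::Escape($sid) + '(,|\s*$)'
Select-String -Path $cfg -Pattern '^(SeServiceLogonRight|SeSecurityPrivilege)\s*=' |
    ForEach-Object {
        [pscustomobject]@{
            Right         = ($_.Line -split '=')[0].Trim()
            GrantedDirect = [bool]($_.Line -match $sidPattern)
        }
    }
Remove-Item -LiteralPath $cfg
```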