Install Winlogbeat with user account


I am trying to install Winlogbeat and run it as a user who is not an Administrator.
Saw a link - request for enhancement ([Winlogbeat] Document minimum permissions for Windows service user · Issue #15773 · elastic/beats · GitHub)

I have

  1. provided full access to folder structure for the user
  2. add user to “Manage auditing and security log”
  3. add user to “Logon as a service” permissions for the service to start correctly
  4. add user to BUILTIN\Event Log Readers

Still not able to start the service and see this error in the log.
{"log.level":"info","@timestamp":"2023-09-08T16:04:35.070-0400","log.origin":{"":"instance/beat.go","file.line":426},"message":"winlogbeat stopped.","":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-09-08T16:04:35.078-0400","log.origin":{"":"instance/beat.go","file.line":1274},"message":"Exiting: unable to try a lock of the data path: open C:\ProgramData\winlogbeat\winlogbeat.lock: Access is denied.","":"winlogbeat","ecs.version":"1.6.0"}

I don't see any winlogbeat.lock file. It says it doesn't have access, but the user has full access on the folder structure.
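
A read-only check of the four settings listed in the post, as an added example that is not part of the original post. It assumes the service is registered under the name `winlogbeat`, takes the data path from the error message, and needs an elevated PowerShell prompt:

```powershell
# Added example: read-only checks, run from an elevated prompt.
# Assumptions: service name 'winlogbeat'; data path taken from the error message.
$ServiceName = 'winlogbeat'
$DataPath    = 'C:\ProgramData\winlogbeat'

# Resolve the account the service is configured to run as.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed." }
$account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
if ($account -eq 'LocalSystem') { throw 'Service still runs as LocalSystem.' }
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$shortName = ($account -split '\\')[-1]
"Service account: $account ($sid)"

# 1. Folder access: list every ACE on the data path. A Deny entry overrides
#    an Allow entry, so check AccessControlType as well as the rights.
(Get-Acl -LiteralPath $DataPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 2 and 3. User rights: export the effective local policy and look for the account.
#    SeSecurityPrivilege = "Manage auditing and security log",
#    SeServiceLogonRight = "Log on as a service".
#    Only direct assignments are detected, not rights held through a group.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content -LiteralPath $cfg
foreach ($right in 'SeSecurityPrivilege', 'SeServiceLogonRight') {
    $line    = $policy | Where-Object { $_ -match "^$right\s*=" }
    $entries = @()
    if ($line) { $entries = ($line -split '[=,]').Trim().TrimStart('*') }
    $held = ($entries -contains $sid) -or ($entries -contains $shortName)
    "{0,-20} assigned directly: {1}" -f $right, $held
}
Remove-Item -LiteralPath $cfg

# 4. Direct membership of BUILTIN\Event Log Readers (well-known SID S-1-5-32-573).
$inGroup = (Get-LocalGroupMember -SID 'S-1-5-32-573').SID.Value -contains $sid
"Member of Event Log Readers: $inGroup"
```

The first line of output matters most: if the account shown is not the one the permissions were granted to, the other results describe the wrong identity.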
