Run Winlogbeat service under a custom account

Hi, I've been having some difficulties setting up Winlogbeat to run as a service under a custom domain account with logon as a service rights on a Windows 2016 server. The reason we are doing that is to be compliant with the company's security policies, which state that the built-in system account cannot be used to run services that are not Windows Server built-in services. In that regard I set up a domain account, enabled it to log on as a service via a local GPO setting, and added the BUILTIN\Event Log Readers group. However, when starting the service it fails with error code 1067, but the service can run under that account when the account is granted local administrator rights, which defeats the purpose of the custom account. My question is: is there a minimum of rights that need to be granted to an account so that it could run the Winlogbeat service, and if so, is there a list?

In case someone needs this information in the future, I managed to find the solution. In order to get a service to start, the following is needed:

  • "Manage auditing and security log" + "Logon as a service" in the local GPO settings
  • Full control in the C:\Program Files\Winlogbeat location
  • Full control in the C:\ProgramData\Winlogbeat location
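
The requirements listed in the post above, as an added PowerShell example that is not part of the original thread: it grants the two directory ACLs and then checks that the account holds both user rights. The account name `CONTOSO\svc-winlogbeat` is a placeholder and the service name `winlogbeat` is an assumption; run it from an elevated prompt.

```powershell
# Added example, not from the original post.
# Assumptions: placeholder account name; service registered as "winlogbeat".
$Account = 'CONTOSO\svc-winlogbeat'
$Paths   = 'C:\Program Files\Winlogbeat', 'C:\ProgramData\Winlogbeat'

# 1. Grant Full control on both directories, inherited by subfolders and files.
foreach ($p in $Paths) {
    icacls $p /grant "${Account}:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $p" }
}

# 2. Export the local user-rights assignments and check the two rights.
#    SeServiceLogonRight = "Log on as a service"
#    SeSecurityPrivilege = "Manage auditing and security log"
#    Only direct assignments are checked; rights held through a group
#    the account belongs to will be reported as MISSING here.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = Get-Content $cfg
Remove-Item $cfg

foreach ($right in 'SeServiceLogonRight', 'SeSecurityPrivilege') {
    $line    = $rights | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $members = @()
    if ($line) {
        # Entries look like: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...
        $members = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    }
    $state = if ($members -contains "*$sid") { 'granted' } else { 'MISSING' }
    '{0,-22} {1}' -f $right, $state
}

# 3. Show the resulting ACL entries and the account the service runs as.
foreach ($p in $Paths) {
    (Get-Acl $p).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object @{ n = 'Path'; e = { $p } }, FileSystemRights, InheritanceFlags
}
Get-CimInstance Win32_Service -Filter "Name='winlogbeat'" |
    Select-Object Name, StartName, State
```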
