Graylog2 / collector-sidecar

Manage log collectors through Graylog
https://www.graylog.org/

Allowing collector-sidecar to run as LocalService/NetworkService instead of LocalSystem #152

Open lowngcawt opened 7 years ago

lowngcawt commented 7 years ago

Hi,

For security reasons I would like to be able to run the Collector-Sidecar service as LocalService, NetworkService and/or my own AD account instead of LocalSystem, which isn't a really safe account that you want to give access to.

mariussturm commented 7 years ago

Afaik the underlying service library doesn't support that at the moment, so this will not change in the near future I guess: https://github.com/kardianos/service

ke1satsu commented 7 years ago

Hi,

I too am interested in being able to run the sidecar under a service account. The sidecar is really sweet but the risk of running it as local system is sadly a dealbreaker for me.

Have you heard anything from the service library maintainers or are you aware of any work-arounds?

Thanks!

oct3net commented 4 years ago

Just a side note if/when it becomes possible to use LocalService or NetworkService: Both of these accounts lack the permissions to read from the Security event log, as doing so requires membership of either the local "Administrators" group or the "Event Log Readers" group.

A better approach might be to use a Virtual Service Account (in this case, it would be NT SERVICE\graylog-sidecar). During installation, the installer can add this account to the "Event Log Readers" group, granting it the necessary rights to read the Security event log. Alternatively, this process could be included during the execution of graylog-sidecar.exe -service install.
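The hardening described in this comment, as an added example that is not part of the original issue or of the Graylog project: switch an already-installed Windows service to its virtual service account and grant it Security event log read access through "Event Log Readers" group membership instead of running it as LocalSystem. The service name `graylog-sidecar` is taken from the comment above; that the service is already installed under that name and that the shell is elevated are assumptions.

```powershell
# Added example (not Graylog project code). Assumes an elevated PowerShell
# session and an existing service named "graylog-sidecar".
$ServiceName    = 'graylog-sidecar'
$VirtualAccount = "NT SERVICE\$ServiceName"   # virtual service accounts are named after the service

# 1. Run the service under its virtual service account instead of LocalSystem.
#    No password is set for NT SERVICE\ accounts; sc.exe needs the space after "obj=".
sc.exe config $ServiceName obj= $VirtualAccount
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# 2. Grant read access to the Security log via the built-in group rather than
#    by adding the account to Administrators. net.exe resolves NT SERVICE\
#    principals reliably, which is why it is used here instead of Add-LocalGroupMember.
net.exe localgroup "Event Log Readers" $VirtualAccount /add
if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }

# 3. Verify both changes before restarting the service.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc.StartName -ne $VirtualAccount) {
    throw "Service still runs as '$($svc.StartName)', expected '$VirtualAccount'"
}
$groupListing = (net.exe localgroup "Event Log Readers") -join "`n"
if ($groupListing -notmatch [regex]::Escape($VirtualAccount)) {
    throw "$VirtualAccount is not a member of 'Event Log Readers'"
}

# 4. Apply: the service picks up the new identity on its next start.
Restart-Service -Name $ServiceName
Write-Host "$ServiceName now runs as $VirtualAccount with Security-log read access."
```

The same two steps are what an installer would carry out right after registering the service; the verification block is what to check afterwards (or in a compliance script) to confirm the service is no longer LocalSystem and that log reads will not fail with access denied.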

oct3net commented 4 years ago

Additionally, it would appear that kardianos/service now supports declaring a specific username: https://godoc.org/github.com/kardianos/service#Config

oct3net commented 4 years ago

Following some research, it does not seem possible to run the sidecar service at a privilege level lower than LocalSystem. This is because the service needs rights to create further services for each module (winlogbeat/filebeat/etc) it is asked to maintain.

In theory, it might be possible for the code to be rewritten to use a single service and execute the modules beneath the sidecar service, but I am not versed well enough in Go to make these changes myself.