Forum Discussion

lucjad
2 months ago

SQL Server Services monitoring for non-admin account

I am trying to add SQL Server Services (SQL Server Agent, SQL Server Browser) for non-admin accounts. For the Collector server it is auto-discovered because the service account is part of the local admin group. I have trouble setting it up for a non-admin account (WinSQLServices module in Logic Monitor).
I followed the steps from the documentation: https://www.logicmonitor.com/support/getting-started/advanced-logicmonitor-setup/windows-server-monitoring-and-principle-of-least-privilege#h-granting-windows-service-permissions-nbsp-sddl-nbsp-changes
It didn't work. SDDL doesn't seem to be changing anything, and after running Active Discovery, SQL Server Services are not showing up for other servers with the non-admin account. There is not much information about troubleshooting it. Are there specific SDDL string changes needed? Is there an order in which this string is supposed to go? Are there specific permissions needed?

  • Let me just start from the beginning:

    I have a Collector server that has a local admin service account to run SQL Services on Windows. That's Logic Monitor's requirement when adding a Collector to monitoring. Under the Collector server in Logic Monitor I see a DataSource called SQL Server Services (WinSQLServices, when you go to edit the global definition).

    But it only works on this device added to Logic Monitor because the service account on the Windows Server itself has local admin privileges. That's why WinSQLServices is discovered by Logic Monitor and listed under this device.

    I am trying to get WinSQLServices to work on the other monitored devices. All other devices monitored by the Collector are not getting SQL Server Services discovered. I created a non-admin service account so these services can also be monitored on all other servers that are under the Collector. The documentation gives instructions on how to do it: make SDDL changes (https://www.logicmonitor.com/support/getting-started/advanced-logicmonitor-setup/windows-server-monitoring-and-principle-of-least-privilege). I made the SDDL changes so the non-admin account has the same privileges as the local admin account. I ran Active Discovery in Logic Monitor, but all other devices are still not even recognizing WinSQLServices (SQL Server Services).

    Based on this documentation everything should work but it doesn't. Any chance there are more settings to look at? 

    • Mike_Moniz

      When you did the WBEM testing (which worked right?), did you use the credentials of the non-admin service account? Was it also run from the Collector server itself?

      • lucjad

        Do you know what would be the next step to troubleshoot it? 

  • JosiahBenoit, I need SQL Server Services (Browser, Agent, ...) monitoring for a non-admin service account. Logic Monitor documentation doesn't have info about Logic Monitor's Active Discovery related to this specific issue. I set up the permissions, but Logic Monitor still doesn't pick anything up from the server after running Active Discovery.

    • JosiahBenoit

      Hi Lucjad, just as a clarifying question: in the DataSource, when you test Active Discovery, does the resource you are attempting to monitor appear in the list?

      • lucjad

        Yes, but the DataSource I am looking for these services in is SQL Server Services, not Microsoft Windows Services.
        I am trying to set it up for a non-admin service account. I changed the SDDL permissions to have the same access as the local admin service account, but Logic Monitor's Active Discovery doesn't seem to be picking anything up.

        After adding the permissions I performed a WBEM test, and the non-admin account reads all the SQL services just like the admin account, but Logic Monitor's Active Discovery doesn't work on this.

  • Hi LucJad, I just went through this with my DBAs. LogicMonitor seems to work better with the wmi.user and wmi.pass on the WinSqlServer- module. What I had to do is add the wmi user and pass on the devices. The issue is that after I did that, my DBAs were seeing logon errors which pointed to my service account. To resolve that they had to give LogicMonitor permissions to access SQL. By the way, WinSqlServer was superseded by Microsoft_SqlServer_GlobalPerformance: https://www.logicmonitor.com/support/monitoring/applications-databases/microsoft-sql-server

    I hope this helps let us know how it turned out 

    • JosiahBenoit

      Sorry I missed this. On the databases, have the DBA set the account access to db_datareader; that seems to have solved the issue with the login failures.

  • Are you able to see some services but not others (like when using Add Other Monitoring)? Some services may require modifying their own ACLs on top of modifying scmanager's, and sometimes you need special permissions to even make those changes. I only played with service SDDLs a little bit, so I don't know much myself. I would try looking at the thread below, especially the comments by Barb that might cover it in a bit more detail. The thread well predates LM's official support page, so I don't know how well they align, though.

    How WMI, DCOM, RPC and UAC effect access to remote Window Systems for Monitoring
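
The two SDDL changes Mike_Moniz describes (the scmanager DACL first, then the DACL of each SQL service on top of it) and the WBEM-style check lucjad ran against the non-admin account, as an added PowerShell example. This is not code from the thread or from LogicMonitor's documentation. The account, host and service names are placeholders; the rights letters are the standard Windows SDDL abbreviations, and only read/query rights are granted, no start, stop or change-config bits. The grant functions run elevated on each monitored SQL host; the visibility check runs from the Collector as the non-admin account.

```powershell
# Added example (not from the thread or LogicMonitor's docs).
# Placeholders (assumptions): account, host and default-instance service names.

function Add-ServiceAce {
    # Insert an allow ACE for $Sid into the DACL part of an SDDL string, before
    # the SACL ("S:...") if one is present. Returns the SDDL unchanged when the
    # SID already has an ACE, so re-running does not stack duplicates.
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$Rights
    )
    if ($Sddl.Contains(";;;$Sid)")) { return $Sddl }
    $ace  = "(A;;$Rights;;;$Sid)"
    $sacl = $Sddl.IndexOf('S:')
    if ($sacl -lt 0) { return $Sddl + $ace }
    return $Sddl.Insert($sacl, $ace)
}

function Grant-ServiceReadAccess {
    # Read the current descriptor with sc.exe, add the ACE, write it back.
    # sdset replaces the whole descriptor, which is why we start from the
    # existing one instead of a hand-typed string. Requires an elevated shell.
    param(
        [Parameter(Mandatory)][string]$Target,   # 'scmanager' or a service name
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$Rights
    )
    $line = & sc.exe sdshow $Target | Where-Object { $_ -match '\S' } | Select-Object -First 1
    if (-not $line -or -not $line.Trim().StartsWith('D:')) {
        throw "Unexpected sdshow output for ${Target}: $line"   # e.g. '[SC] OpenService FAILED 5'
    }
    $current = $line.Trim()
    $updated = Add-ServiceAce -Sddl $current -Sid $Sid -Rights $Rights
    if ($updated -eq $current) { Write-Host "$Target already grants $Sid"; return }
    & sc.exe sdset $Target $updated | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed for $Target (exit $LASTEXITCODE)" }
    Write-Host "$Target -> $updated"
}

function Grant-SqlServiceReadAccess {
    # Run on each monitored SQL host, elevated. The same SDDL letters mean
    # different bits on the two object types:
    #   scmanager: CC = connect, LC = enumerate services, RP = query lock status, RC = read security
    #   service:   CC = query config, LC = query status, SW = enumerate dependents,
    #              LO = interrogate, RC = read security
    # RP/WP/DC (start, stop, change config) are deliberately not granted on services.
    param(
        [Parameter(Mandatory)][string]$Account,                              # e.g. 'CONTOSO\svc_lm_ro' (assumption)
        [string[]]$Services = @('MSSQLSERVER', 'SQLSERVERAGENT', 'SQLBrowser')  # default instance (assumption)
    )
    # sc.exe sdset only accepts SIDs, so resolve the account name first.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value
    Grant-ServiceReadAccess -Target 'scmanager' -Sid $sid -Rights 'CCLCRPRC'
    # A named instance uses 'MSSQL$<NAME>' and 'SQLAgent$<NAME>'; Browser keeps its name.
    foreach ($svc in $Services) {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            Grant-ServiceReadAccess -Target $svc -Sid $sid -Rights 'CCLCSWLORC'
        }
    }
}

function Test-SqlServiceVisibility {
    # Run from the Collector as the non-admin account. Queries Win32_Service
    # over DCOM, the path a WMI collector takes; Get-CimInstance's default
    # WSMan transport would not exercise the same permissions.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $opt = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $ComputerName -Credential $Credential -SessionOption $opt
    try {
        Get-CimInstance -CimSession $session -ClassName Win32_Service `
            -Filter "Name LIKE 'MSSQL%' OR Name LIKE 'SQL%'" |
            Select-Object Name, State, StartMode, StartName
    } finally {
        Remove-CimSession $session
    }
}

# On the SQL host (elevated):
#   Grant-SqlServiceReadAccess -Account 'CONTOSO\svc_lm_ro'
# On the Collector, as the non-admin account:
#   Test-SqlServiceVisibility -ComputerName 'sql01.contoso.local' -Credential (Get-Credential 'CONTOSO\svc_lm_ro')
```

If the check returns nothing while an admin credential returns the services, the scmanager ACE is the first thing to re-read with `sc.exe sdshow scmanager`; if the list comes back but a particular service is missing, that service's own DACL still lacks the ACE. A working list here only proves the Windows side; it does not by itself show that a given DataSource's Active Discovery will pick the services up.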