Product Documentation

About LogicMonitor
- Overview
- Technical Support
  - Technical Support Overview
  - Accessing Support Resources
Getting Started
- Implementation Readiness
  - LogicMonitor Implementation Readiness Recommendations for Enterprise Customers
  - Top Dependencies for LogicMonitor Enterprise Implementation
- LogicMonitor Tutorial
- Advanced LogicMonitor Setup
LogicMonitor Concepts
- Limits, Quotas, and Constraints
Collectors
- Collector Overview
- Collector Installation
- Collector Configurations
- Collector Management
- Collector Integrations
- Collector Troubleshooting
Devices
- Adding and Managing Devices
- Device Groups
- Resources Page Overview
- Device DataSources and Instances
- Netscans
Dashboards and Widgets
- Managing Dashboards
- Managing Widgets
- Widget Types
Alerts
- About Alerts
- Alert Discovery
- Responding to Alerts
AIOps
- Anomaly Detection
  - Anomaly Detection Visualization
- Forecasting
  - Data Forecasting
- Topology Mapping
- AIOps for Alerting
LM Service Insight
- About LM™ Service Insight
- Adding Services
- Managing Services
LogicModules
- LogicModule Overview
- LM Exchange
  - LM Exchange
- Modules
- DataSources
- Data Collection Methods
- Datapoints
- Active Discovery
- Groovy Support
- Powershell Support
  - Creating PowerShell Script Datasources
  - Using PowerShell Scripts in LogicMonitor
- ConfigSources
- EventSources
- PropertySources
  - Creating PropertySources
  - External Resource IDs Source Output Scripts
- TopologySources
  - TopologySource Overview
  - TopologySources Scripts
- AppliesTo
  - AppliesTo Scripting Overview
  - User-Defined AppliesTo Functions
- JobMonitors
- SNMP sysOID Maps
  - SNMP SysOID Maps
Reports
- Which report should I use?
- Creating & Managing Reports
- Scheduling a Report for Auto-Delivery
- Creating a Report Group
- Report Types
Security
- Two-Factor Authentication
- Single Sign On
- Multi Sign-On
- Configuring the Azure Active Directory SSO Integration
- LogicMonitor Security Best Practices
- Log4j Security Vulnerabilities
Settings
- About the Account Information Page
- Notification Center
- About Audit Logs
- Message Templates
  - Alert Messages
  - New User Message
- Users and roles
Terminology and Syntax
- Scripting Support
LM Logs
- LM Logs Overview
- Log Ingestion
- Log Processing
- Log Anomaly Detection
- Logs Query Language
- Reviewing Logs and Log Anomalies
- Log Processing Pipelines
- Log Alert Conditions
- LM Logs Roles and Permissions
- LM Logs Usage Monitoring
- Troubleshooting Logs
LM APM
- LM APM Overview
- Push Metrics
- OpenMetrics Integration
  - OpenMetrics DataSource Wizard
  - OpenMetrics Monitoring
- Distributed Tracing
- Synthetics
Cloud Monitoring
- Getting Started
- Amazon Web Services
- Microsoft Azure
- Google Cloud Platform (GCP)
SaaS Monitoring
- Airbrake Monitoring
- Microsoft Office 365 Monitoring
- SaaS Lite Monitoring
- Salesforce Monitoring
- Slack Monitoring (Open Beta)
- Webex Monitoring (Open Beta)
- Zoom Monitoring
Container Monitoring
- About LogicMonitor Container Monitoring
- Kubernetes
- Docker
  - Docker Monitoring
Website Monitoring
- About Websites
- Adding and Managing Websites
- Website Groups
  - Adding Website Groups
  - Editing and Deleting Website Groups
Monitoring Solutions
- Applications and Databases
- Backup and Recovery Systems
- Networking and Firewalls
- Operating Systems and Virtualization
- Server and operations Hardware
- Storage Systems
- Network Traffic Flow
LM Integrations
- LogicMonitor Integrations Overview
- Communication Integrations for LogicMonitor
- Workflow Integrations for LogicMonitor
- Automation Integrations for LogicMonitor
- Custom Integrations for LogicMonitor
- Logs for LM Integrations
  - Logs for Integrations Overview
  - Integrations Logs Filtering and Sorting
Mobile
- About LogicMonitor’s Mobile View and Application
- Responding to Alerts from a Mobile Device
- Viewing Alerts from a Mobile Device
- Viewing Dashboards from a Mobile Device
- Viewing Graphs from a Mobile Device
REST API Developers Guide
- Rest API Overview
- REST API v3
- REST API v2
  - About REST API v2
  - Creating Services via the API
- Rest API v1
RPC API - Deprecated
- About LogicMonitor’s RPC API (Deprecated)
Training and Certification
- LogicMonitor Certified Professional Exam Information
- LogicMonitor Training and Certification

Microsoft recommends Administrator group membership to ensure remote WMI functionality. However, you can run the remote WMI functionality without administrator privileges with some additional settings. This method works in most cases but not for all cases. Therefore, the assistance provided by your LogicMonitor support team may be limited and on a best-effort basis.

Note: This information also applies to Active Directory Domain Controllers. Also, you can run the group membership adjustments for domain controllers via “Active Directory Users and Computers” rather than “Local Users and Groups”. When a Windows host is promoted to a Domain Controller local group memberships are migrated into the BUILTIN groups within ADUC.

You can complete the following steps to run the services without administrator privileges.

Create the new user, commonly an active directory service account or a Windows local user for each monitored host.
Granting the user remote WMI rights.
Granting the user remote DCOM rights, if applicable.
Granting Windows Service Permissions.

Granting Remote WMI Rights

To give the user remote WMI rights, log on to each system to be monitored and complete the following procedure:

In the Control Panel, double-click Administrative Tools.
In the Administrative Tools window, double-click Computer Management.
In the Computer Management window, expand the Services and Applications tree and double-click the WMI control.
Right-click the WMI Control icon and select Properties, and then select the Security tab.
Select the Root object, then click Security.
Click Add to add the user that the service is to run as to the list.
Check Execute Methods and Remote Enable.
Click Advanced.
Select the new user, and click Edit.
Change the Apply To drop-down menu to This namespace and subnamespaces.
Click OK three times to close the dialog boxes.

Granting Remote DCOM Rights

If any of the following apply to the LogicMonitor Collector services, you may need to grant DCOM rights:

Collector service running as a non-domain account
Collector resides in a different domain that is untrusted by the monitored host
Collector connects to remote computers, not as a local administrator

To grant the user DCOM rights, log on to each system to be monitored and complete the following procedure:

Click Start, click Run, type DCOMCNFG, then click OK.
In the Component Services dialog box, expand Component Services > Computers, then right-click My Computer and click Properties.
In the My Computer Properties dialog box, select the COM Security tab.
Under Launch and Activation Permissions, click Edit Limits.
In the Launch Permission dialog box, complete the following steps if your name or your group does not appear in the Groups or user names list:

a. Click Add.

b. In the Select Users, Computers, or Groups dialog box, add the account name in the Enter the object
names to select field and then click OK.
In the Launch Permission dialog box, select your user in the Group or user names box.
Navigate to Permissions for User > Allow, select Remote Launch and Remote Activation, and click OK.

Granting DCOM remote access for certain users and groups

The following procedure describes how to grant DCOM remote access permissions for certain users and groups. If you are connecting computer A to computer B remotely. You can set permissions on computer B to allow a user group that is not a part of the Administrator’s group on computer B to connect to computer B.

Click Start, click Run, type DCOMCNFG, then click OK.
In the Component Services dialog box, expand Component Services > Computers, then right-click My
Computer and click Properties.
In the My Computer Properties dialog box, select the COM Security tab.
Under Access Permissions, click Edit Limits.
In the Access Permission dialog box, select ANONYMOUS LOGON in the Group or user names box.
In the Allow column under Permissions for User, select Remote Access, and then click OK.

For more information, see Securing a Remote WMI Connection.

Granting Windows Service Permissions

Even after employing the mentioned methods, you may be required to review and adjust Windows Service permissions.

You can use one of the following tools to adjust Windows service permissions granting read-only access to the account in which you are using to monitor the host.

Process Explorer

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

subinacl.exe

https://social.technet.microsoft.com/wiki/contents/articles/51625.subinacl-a-complete-solution-to-configure-security-permission.aspx

sc.exe

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754599(v=ws.11)

Manually Changing Permissions for Windows Services

To change the permissions of Service Control Manager (SCManager) and the Win32_services, complete the following steps:

Note: The steps to change permissions for SCManager and Win32_services are the same.

1. To get the SID of the LogicMonitor user, run the following command in Powershell to retrieve the SID.

[wmi] "win32_useraccount.domain='<domainName>',name='<userName>'"

2. To get the SDDL of a SCManager, run the following command in the cmd prompt.

sc sdshow scmanager

Sample of the retrieved SDDL:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

3. Modify the retrieved SDDL.

Note: You can either create your own ACL’s or you can copy the segment from the SDDL which ends with Interactive Users (IU), i.e (A;;CCLCRPRC;;;IU). For more information on creating ACLs, see ACE Strings.

4. Once you retrieve the SDDL using the sc sdshow scmanager command, copy the segment that ends with IU in SDDL. For eg. (A;;CCLCRPRC;;;IU).

5. Replace IU with the SID of the LogicMonitor user.

Example: (A;;CCLCRPRC;;;S-1-5-21-265800110-2195697097-2714329818-1112).

6. After replacing SID, paste the new segment after the IU segment in the retrieved SDDL.

Following is the example of the new SDDL:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU) (A;;CCLCRPRC;;;S-1-5-21-265800110-2195697097-2714329818-1112)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA) S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Note: The earlier example allows various permissions to the LogicMonitor user. You can either restrict the user from having multiple permissions or grant minimal permissions.

For example, the ACL (A;;RPRC;;;IU) allows the Read Permissions to read all the properties of a Windows Service. If you want to grant more permissions, refer to ACE Strings and add the strings between double semi colons(;;) and triple semi colons(;;;) of the ACL.

6. Set the new SDDL as the security descriptor of the SCManager.

sc sdset scmanager “D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU) (A;;CCLCRPRC;;;S-1-5-21-265800110-2195697097-2714329818-1112)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA) S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Note : To change the Win32_services, you can perform all the steps for changing permissions of SCManager. Ensure to replace scmanager with serviceName of your windows service.

Example:
The following command would display the security descriptor of the App-Management service.

sc sdshow AppMgmt