Permission requirements for OneAgent installation and operation on Windows

To fully automate the monitoring of your operating systems, processes, and network interfaces Dynatrace requires privileged access to your operating system during both installation and operation.

Note:
Dynatrace OneAgent is tested extensively to ensure that it has minimal performance impact on your system and conforms to the highest security standards.

Installation

Dynatrace OneAgent requires admin privileges for:

  • Creating the Dynatrace OneAgent service.
  • Modifying certain registry keys.
  • Installing WinPcap.
  • Installing oneagentmon device.

If you have Log Analytics enabled, admin privileges are also required for:

  • Creating the Dynatrace Log Analytics OneAgent configuration file, which stores security flags (for example, log content access and log auto-detection) and rules that define files that should be treated as log files (based on file extension and location).

Operation

Dynatrace OneAgent requires admin privileges to:

  • List all processes.
  • Get memory statistics for all processes.
  • Read each process command line and environment.
  • View the descriptions of executable files.
  • Read application configuration for Apache and IIS
  • View the list of libraries loaded for each process.
  • Read Windows registry keys.
  • Read .NET application domain for .NET 2.0, 3.0, and 3.5.
  • Start monitoring network traffic.
  • Parse executables for Go Discovery.
  • Gather monitoring data related to Docker containers.

If you have Log Analytics enabled, admin privileges are also required to:

  • Access system logs: System/Application/Security Event logs.
  • Access the list of open file handles for each process (low-level WinAPI calls).
  • Access the log file for each process.