Why does Dynatrace require privileged access to my operating system?

To fully automate the monitoring of your operating systems, processes, and network interfaces Dynatrace requires privileged access to your operating system during both installation and operation.

Note
Dynatrace OneAgent is tested extensively to ensure that it has minimal performance impact on your system and conforms to the highest security standards.

Linux

During installation

Dynatrace OneAgent requires root privileges for:

  • Installing Dynatrace OneAgent components in system library directories.
  • Setting up /etc/ld.so.preload to automatically monitor processes.
  • Adapting SELinux policies to allow for the monitoring of processes.

If you have Log Analytics enabled, root privileges are also required for:

  • Creating the Dynatrace Log Analytics OneAgent configuration file, which stores security flags (for example, log content access and log auto-detection) and rules that define files that should be treated as log files (based on file extension and location).

During operation

Dynatrace OneAgent requires root privileges to:

  • Access the list of open sockets for each process.
  • Access the list of libraries loaded for each process.
  • Access the name and path of the executable file for each process.
  • Access command line parameters for each process.
  • Monitor network traffic.
  • Read application configuration files.
  • Parse executables for Go Discovery.
  • Gather monitoring data related to Docker containers.

If you have Log Analytics enabled, root privileges are also required for:
  • Accessing system logs: /var/log/syslog and /var/log/messages.
  • Accessing the list of open file handlers for each process (/proc file system).
  • Accessing the log file for each process.

System logs downloaded by OneAgent

Dynatrace OneAgent downloads specific system logs so that Dynatrace can diagnose issues that may be caused by conditions in your environment. Most often such issues are related to deep monitoring or auto-update installations.

Windows

During installation

Dynatrace OneAgent requires admin privileges for:

  • Creating the Dynatrace OneAgent service.
  • Modifying certain registry keys.
  • Installing WinPcap.
  • Installing oneagentmon device.

If you have Log Analytics enabled, admin privileges are also required for:
  • Creating the Dynatrace Log Analytics OneAgent configuration file, which stores security flags (for example, log content access and log auto-detection) and rules that define files that should be treated as log files (based on file extension and location).

During operation

Dynatrace OneAgent requires admin privileges to:

  • List all processes.
  • Get memory statistics for all processes.
  • Read each process command line and environment.
  • View the descriptions of executable files.
  • Read application configuration for Apache and IIS
  • View the list of libraries loaded for each process.
  • Read Windows registry keys.
  • Read .NET application domain for .NET 2.0, 3.0, and 3.5.
  • Start monitoring network traffic.
  • Parse executables for Go Discovery.
  • Gather monitoring data related to Docker containers.

If you have Log Analytics enabled, admin privileges are also required to:
  • Access system logs: System/Application/Security Event logs.
  • Access the list of open file handlers for each process (low-level WinAPI calls).
  • Access the log file for each process.