Why does Dynatrace require privileged access to your operating system?

To fully automate the monitoring of your operating systems, processes, and network interfaces Dynatrace requires privileged access to your operating system during both installation and operation.

Note
Dynatrace OneAgent is tested extensively to ensure that it has minimal performance impact on your system and conforms to the highest security standards.

Linux

During installation

Dynatrace OneAgent requires root privileges for:

  • Installing Dynatrace OneAgent components in system library directories.
  • Setting up /etc/ld.so.preload to automatically monitor processes.
  • Adapting SELinux policies to allow for the monitoring of processes.

If you have Log analytics enabled, root privileges are also required for:

  • Creating the Dynatrace Log analytics OneAgent configuration file, which stores security flags (for example, log content access and log auto-detection) and rules that define files that should be treated as log files (based on file extension and location).

During operation

Dynatrace OneAgent requires root privileges for:

  • Accessing the list of open sockets for each process.
  • Accessing the list of libraries loaded for each process.
  • Accessing the name and path of the executable file for each process.
  • Accessing command line parameters for each process.
  • Monitoring network traffic.
  • Reading application configuration files.
  • Parsing executables for Go Discovery.
  • Gathering monitoring data related to Docker containers.

If you have Log analytics enabled, root privileges are also required for:
  • Accessing system logs: /var/log/syslog and /var/log/messages.
  • Accessing the list of open file handlers for each process (/proc file system).
  • Accessing the log file for each process.

System logs downloaded by OneAgent

Dynatrace OneAgent downloads specific system logs so that Dynatrace can diagnose issues that may be caused by conditions in your environment. Most often such issues are related to deep monitoring or auto-update installations.

Windows

During installation

Dynatrace OneAgent requires admin privileges for:

  • Creating the Dynatrace OneAgent service.
  • Modifying certain registry keys.
  • Installing WinPcap.
  • Installing oneagentmon device.

If you have Log analytics enabled, admin privileges are also required for:
  • Creating the Dynatrace Log analytics OneAgent configuration file, which stores security flags (for example, log content access and log auto-detection) and rules that define files that should be treated as log files (based on file extension and location).

During operation

Dynatrace OneAgent requires admin privileges for:

  • Listing all processes.
  • Getting memory statistics for all processes.
  • Reading each process command line and environments.
  • Viewing the description of executable files.
  • Reading application configuration for Apache and IIS
  • Viewing the list of libraries loaded for each process.
  • Reading Windows registry keys.
  • Reading .NET application domain for .NET 2.0, 3.0 and 3.5.
  • Starting monitoring network traffic.
  • Parsing executables for Go Discovery.
  • Gathering monitoring data related to Docker containers.

If you have Log analytics enabled, admin privileges are also required for:
  • Accessing system logs: System/Application/Security Event logs.
  • Accessing the list of open file handlers for each process (low-level WinAPI calls).
  • Accessing the log file for each process.