Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

AppInsight for SQL Permissions

The documentation for AppInsight for SQL states:

'Following are required permissions needed for AppInsight for SQL. See also SAM port requirements.

Administrator permission at the host level.

If utilizing a domain user for AppInsight for SQL, the domain user must be a member of the SQL server's local admin group.

All our Windows servers are monitored using agents as our security team don't wish to open WMI through the firewalls and also we use ADM (application dependency mapping) to build our Orion maps. We use SQL authentication to monitor using SAM. How can we then provide host level permission? Why is host level permission even required to monitor the SQL layer? Assume this refers to the account the agent run's under as the AppInsight for SQL template is set to 'Inherit Credentials from Node'

Find more posts tagged with

Accepted answers

jm_sysadmin

Have you missed anything? I don't know, let walk through it, because it sounds like you should be able to do what needs to be done.

Hopefully the screenshot shows up correctly or this won't make sense.

At #1 you have the ability to tell the template to use the agent if its there, and I think Agent is the default and Agentless (Wmi, SNMP, etc) would be manually changed. If the agent is there, and this is selected, performance counters and Windows Events should work. To my knowledge the SQL template doesn't run any powershell like exchange.

At #2 is the account to run the SQL queries, and #3 is where you tell it Windows, SQL or try them. I think it tries SQL first, so if you use a windows account, update this so it says windows, and you won't get a hit in the event log for a failed sign in every polling cycle.

With the agent and an Account with rights to SQL, you should be good. Its a set up I use successfully.

All comments

jhandberg

I have looked at the components in AppInsight for SQL and it seems to have mixed components. Some are SQL components, but some seem to be Windows OS performance counters. So host level in this case is to get the OS counters working I think. I have seen mixed results with accounts that were designed for the SQL portion not retrieving the Windows counters.

shocko

Hmm, thanks for the reply. Security team are not keen on granting host level admin privileges just for monitoring.

jm_sysadmin

So the host in this case is windows, which means that if you won't get admin rights to the server, you can do 2 things. First, install the agent with admin rights. Then that service runs with System privileges and can access the events and performance counters. The next thing is something I don't do, but can be done. You can build a group/ user and make a custom role to grant rights to it for the event logs and performance counters. For performance counters the built in 'Performance Monitor Users' might be enough and for event, 'Event Log Readers' might do it, but you will still need to allow remote connections, maybe 'Remote Management Users'.

Mostly we have service accounts that have access to specific systems, that get managed tightly (incidents generated from Siem if the account gets unapproved use). Those get the admin rights where its needed. When that isn't ok, the agent has made it practical to do real monitoring, and its our only approved method in the DMZ. Security isn't a "good" vs "bad" its a how do we meet the needs in the best way we can conversation. Hopefully you can make the needed argument.

jhandberg

I agree with @jm_sysadmin about using agents to fix this mixed SQL/Host account issue. This seems to be easiest, and there is an agent/agentless drop down in the template settings to account for this. Otherwise if the node is monitored with WMI that also picks up the Windows components. The trouble with WMI is the firewall ports that have to be open.

shocko

I should have been clearer so I have updated the original post. We have the agent running under SYSTEM and it's deployed to all Windows server builds by the build team. It's set to agent initiated communication.

There's a different team running SolarWinds NPM and SAM. Whilst we technically have admin access to the servers via this agent we only have a SQL (local or domain) account with JIT permissions to the MS SQL layer to do the monitoring.

As such, the agent has enough permissions to gather the host level metrics. Looking at the AppInsight for SQL template you can only set an overall credential for it and not credentials per component so I think the only reasonable solution is:

Define a domain account for this template to use to monitor
Grant it JIT on host
Grant it JIT o SQL
Grant it 'Logon as batch Job' permissions

This seems silly albeit because the agent already has the permissions to monitor the host. It's a pity the template cannot leverage this in some way. Have I missed anything?