Downgrade Collector Privileges

Linux

By default, the observiq-otel-collector service runs as the root user. This is required for some sources to read things like host metrics and log files owned by other users.

Network-based sources (such as OTLP receivers bound to port 4317) are excellent candidates for running with reduced privileges, as they don't require access to host resources.

To run the agent as the observiq-otel-collector user instead of root, you may create a systemd override.

sudo systemctl edit observiq-otel-collector

Paste the following config:

[Service]
User=observiq-otel-collector

Note: The group is already set to observiq-otel-collector by default

Reload Systemd and restart the collector:

sudo systemctl daemon-reload
sudo systemctl restart observiq-otel-collector

Verifying

Check that the collector is running as the new user:

ps aux | grep observiq-otel-collector

Important Considerations

• Ensure the observiq-otel-collector user has the necessary permissions to access any required resources

• Some collector components may not function properly without root access

• If you experience issues, check the collector logs for permission-related errors

Common examples of operations that require specific permissions:

• Binding to network ports below 1024 (e.g., syslog on port 514) requires root privileges

• Reading log files owned by other users requires the collector user to be added to the appropriate group that has read access to those files

Troubleshooting

If you encounter permission issues after downgrading privileges:

1. Check the collector logs:

   Copy

   journalctl -u observiq-otel-collector

2. Verify the user has access to required directories and files

3. If problems persist, you may need to revert to root privileges by removing the override file:

   Copy

   sudo rm /etc/systemd/system/observiq-otel-collector.service.d/override.conf
   sudo systemctl daemon-reload
   sudo systemctl restart observiq-otel-collector

Windows

By default, the observIQ Distro for OpenTelemetry Collector service runs with admin privileges. Some OpenTelemetry components require elevated permissions to read certain logs and metrics.

To run the agent as a less privileged user:

1. Create a dedicated service account with the minimum required permissions

2. Open the Windows Services console (services.msc)

3. Find and right-click on the observIQ Distro for OpenTelemetry Collector service

4. Select "Properties"

5. Go to the "Log On" tab

6. Select "This account"

7. Enter the service account credentials

8. Click "Apply" and "OK"

9. Restart the service

Verifying

Check that the collector is running as the new user:

Get-WmiObject Win32_Service -Filter "Name='observIQ Distro for OpenTelemetry Collector'" | Select-Object Name, StartName

Important Considerations

• Ensure the service account has the necessary permissions to access any required resources

• Some collector components may not function properly without admin privileges

• The service account should be a member of the Event Log Readers group if collecting Windows Events

• If collecting Windows Events remotely, the account needs DCOM and WMI permissions

• If you experience issues, check the Windows Event Logs for permission-related errors

Troubleshooting

If you encounter permission issues after downgrading privileges:

1. Check the Windows Event Logs:

   • Open Event Viewer

   • Look under "Windows Logs" > "Application" for collector-related errors

2. Verify the service account has access to required resources:

   • Event Logs

   • Performance Counters

   • Configuration files

   • Network resources

3. If problems persist, you may need to revert to admin privileges:

   • Open Services (services.msc)

   • Find the collector service

   • Set it back to "Local System Account" in the Log On tab

   • Restart the service

macOS

Not currently supported