Monitoring Service Security

The SentryOne monitoring service is a Windows service that runs in the context of a domain account.

  • The account must have SysAdmin privileges on each Watched SQL Server.
  • The account must also have Windows Administrator privileges on any computer with a Watched Windows Task Scheduler instance, or on any computer from which SentryOne Performance Analysis collects system-level performance metrics.
  • The monitoring service account can't be an MSA (Managed Service Account) or gMSA (Group Managed Service Account); the monitoring service doesn't support them.

It isn't necessary for this account to be a domain administrator account. It's recommended that the service account be a standard user domain account that's added to the local administrators group of each monitored target. For more information about security and SentryOne Performance Analysis, see the Performance Analysis Security Requirements topic.

Note:  As of SQL Server 2008, the local administrators group of a Windows server isn't automatically given access to a SQL Server instance installed on that Windows server. Keep this in mind when installing SentryOne for use with SQL Server 2008 and above.

Important:  Adding the service account to the local Windows Administrators group for the SentryOne database server doesn't automatically grant the service user access to the SentryOne database.
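
One way to verify the account requirements in this section, as an added example (not part of the SentryOne documentation or tooling). Host and instance names are constructed placeholders; it assumes Windows PowerShell 5.1, the ActiveDirectory (RSAT) module, PowerShell remoting to the targets, a service logon name in DOMAIN\user form, and a caller who can connect to each instance.

```powershell
# Added example: audit the monitoring service account (not SentryOne's own tooling).
# Constructed placeholder names; replace with your own hosts and instances.
$MonitoringHost = 'S1-MON01'                  # computer running the monitoring service
$WatchedSql     = @('SQL01', 'SQL02\INST1')   # Watched SQL Server instances
$WatchedWindows = @('SQL01', 'SQL02')         # targets needing Windows Administrator rights

# 1. Find the logon account, matching on the display name shown in the Services window.
$svc = Get-CimInstance -ClassName Win32_Service -ComputerName $MonitoringHost |
    Where-Object { $_.DisplayName -like 'SentryOne Monitoring Service*' } |
    Select-Object -First 1
if (-not $svc) { throw "Monitoring service not found on $MonitoringHost" }
$account = $svc.StartName                     # assumed form: DOMAIN\user
$sam     = ($account -split '\\')[-1]

# 2. The account should be a standard domain user, not a domain administrator.
$domainAdmins  = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
$isDomainAdmin = $domainAdmins -contains $sam

# 3. Local Administrators membership on each OS-level target (direct members only;
#    nested groups are not expanded).
$localAdmin = foreach ($computer in $WatchedWindows) {
    $members = Invoke-Command -ComputerName $computer -ScriptBlock {
        (Get-LocalGroupMember -Group 'Administrators').Name
    }
    [pscustomobject]@{ Target = $computer; Check = 'LocalAdministrators'
                       Pass = $members -contains $account }
}

# 4. sysadmin on each Watched SQL Server. Local administrator rights do not imply
#    this on SQL Server 2008 and later, so ask the instance itself.
$sqlAdmin = foreach ($instance in $WatchedSql) {
    $result = $null
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$instance;Integrated Security=SSPI"
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin', @login)"
    [void]$cmd.Parameters.AddWithValue('@login', $account)
    try     { $conn.Open(); $result = $cmd.ExecuteScalar() }
    finally { $conn.Dispose() }
    # 1 = member, 0 = not a member, NULL = login not valid on this instance
    [pscustomobject]@{ Target = $instance; Check = 'SqlSysadmin'; Pass = ($result -eq 1) }
}

# Emit one row per check so failures can be filtered with Where-Object { -not $_.Pass }.
[pscustomobject]@{ Target = $account; Check = 'NotDomainAdmin'; Pass = -not $isDomainAdmin }
$localAdmin
$sqlAdmin
```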

Changing the Monitoring Service Credentials

After the initial installation, the Service Configuration utility is used to update or change the credentials of the SentryOne monitoring service account. The Service Configuration utility is accessed within the SentryOne program group in the Windows Start menu.

SentryOne Service Configuration Utility

Important:  Using the Service Configuration utility is the only supported way of changing the SentryOne monitoring service credentials. For more information, see the Monitoring Service Logon Account topic.

Monitoring Service Connection Properties

If the Monitor Performance setting is set to False for a target, and you don't need to utilize General Performance Monitoring features, you may configure the monitoring service to use SQL Server Authentication. This is done through an instance's Monitoring Service Connection Properties.

To access the Monitoring Service Connection Properties for an instance, complete the following steps:

  1. Open the Navigator pane (View > Navigator).
    SentryOne Navigator pane
  2. Right-click the desired instance, and then select the Monitoring Service Connection Properties command to open the Service Connection Properties dialog.
    SentryOne select Monitoring Service Connection Properties in the Navigator
  3. Uncheck Use Integrated Authentication, and then enter the SQL Server Authentication account you'd like the monitoring service to use for the instance. Select OK to save your changes.
    SentryOne Service Connection Properties

Adjusting Target Access Level

You may wish to monitor an instance where OS-level metrics through WMI and/or the Windows Performance Library are inaccessible. This is occasionally the case for cloud-based or hosted servers. In these circumstances, a target may be added with Limited Access. This suspends attempts to access resources that are required for some functionality, such as the Disk Space and Activity tabs and Windows Metrics on the Performance Analysis Dashboard. If the access issues for those resources have been resolved, the Access Level can be set to Full in the Monitoring Service Connection Properties at the target level in the Navigator pane. Similarly, if a Watched target starts generating errors due to connectivity issues with the OS-level resources that can't be resolved, changing the Access Level to Limited allows you to continue monitoring non-OS metrics without triggering connectivity errors for the target.

Important:  If you configure SQL Authentication for an instance that's being monitored with SentryOne Performance Analysis, Performance Analysis won't be able to collect Windows level metrics for that instance. This is because Performance Analysis collects various performance and configuration data directly from Windows, and requires a higher level of access to the operating system than Event Calendar. For more information, see the Performance Analysis Security Requirements topic.

Starting the Monitoring Service

The SentryOne monitoring service starts automatically after installation. It becomes active upon detecting a valid license on the SentryOne database. If the service fails to start, complete the following steps to start the service manually: 

  1. Open the Services window in Windows by selecting Control Panel > System and Security > Administrative Tools > Services.
    Control Panel > System and Security > Administrative Tools
  2. Select SentryOne Monitoring Service from the list of services. Right-click SentryOne Monitoring Service, and then select Start from the context menu or select the Play button on the toolbar to start the service.
Start SentryOne Monitoring Service
Select Play

Success: You've manually started the SentryOne Monitoring Service.

SentryOne Monitoring Service Running