The Heartbeat Agent is running under the LocalSystem account.

Article ID: 135
Category: Self-Support Diagnosis
Applies to: All Versions
Updated: 2017-04-21

It is not recommended to run the Heartbeat Agent under the LocalSystem account if you are monitoring the status of the EventSentry service (agent) on remote computers.

This is because the LocalSystem account does not, in most cases, have permission to query the status of the EventSentry service. This results in "Access Denied" error messages on the heartbeat status page of the web reports, and in Audit Failure events with event ID 560 or 4625 being logged in the Security log on the remote machines running the EventSentry agent.

If you are not monitoring the EventSentry agent on remote hosts, then you can leave the default configuration and continue to run the EventSentry Heartbeat Agent under the LocalSystem account. Otherwise, we recommend that you change the service to an account that has administrative permissions on both the local host and the remote machines that are being queried.

To change the account the service is running under, follow the steps below:

  • Navigate to Start -> Programs -> Administrative Tools -> Services
  • Locate the "EventSentry Heartbeat Monitor" service
  • Right-click the entry and select "Properties"
  • Select the "Log On" tab
  • Change the setting to "This Account" and specify a user account that has Administrator rights on the EventSentry server and has permissions to query the status of services on the remote host(s). Please see the links below for more detailed options.
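
The same change can be scripted. The PowerShell below is an added example, not part of the original article or of EventSentry: it looks the service up by the display name given above, reports the current logon account, and switches it only if it is still LocalSystem. It assumes an elevated session on the EventSentry server; the service's short name is read from the system rather than assumed.

```powershell
# Added example: scripted equivalent of the Services console steps above.
# Run in an elevated PowerShell session on the EventSentry server.
$displayName = 'EventSentry Heartbeat Monitor'   # display name as given in this article

# Look the service up by display name; the short service name is taken from the result
$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$displayName'"
if (-not $svc) { throw "Service '$displayName' was not found on this host." }

Write-Output "Current logon account: $($svc.StartName)"

if ($svc.StartName -ne 'LocalSystem') {
    Write-Output 'The service already runs under a named account; nothing was changed.'
}
else {
    # Prompt for the replacement account (DOMAIN\user). The password is typed
    # interactively and is never written into the script.
    $cred = Get-Credential -Message 'Account with admin rights here and on the monitored hosts'

    # Win32_Service.Change leaves every parameter that is not supplied untouched
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $cred.UserName
        StartPassword = $cred.GetNetworkCredential().Password
    }
    if ($result.ReturnValue -ne 0) {
        throw "Change failed with Win32_Service return code $($result.ReturnValue)."
    }

    # The new account only takes effect after the service is restarted
    Restart-Service -Name $svc.Name

    # Re-read the service and confirm the account and state
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'" |
        Select-Object Name, StartName, State
}
```

Unlike the Services console, this method does not grant the account the "Log on as a service" right, so if the restart fails with a logon error, assign that right to the account first.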

This should not be a problem in security-sensitive environments since the heartbeat agent has little attack surface.