It is not recommended to run the Heartbeat Agent under the LocalSystem account if you are monitoring the status of the EventSentry service (agent) on remote computers.
This is because the LocalSystem account does not, in most cases, have permission to query the status of the EventSentry service. This results in "Access Denied" error messages in the heartbeat status page of the web reports and Audit Failure events in the Security log with event id 560 or 4625 being logged on the remote machines running the EventSentry agent.
If you are not monitoring the EventSentry agent on remote hosts, then you can leave the default configuration and continue to run the EventSentry Heartbeat Agent under the LocalSystem account. Otherwise, we recommend that you change the service to an account that has both administrative permissions on the local host and on the remote machines that are being queried.
To change the account the service is running under follow the steps below:
This should not be a problem in security-sensitive environments since the heartbeat agent has little attack surface.