Agent-Based Event Log Management with Corner Bowl Server Manager

In this article I am going to show you how use Corner Bowl Server Manager's Agent to:

• Consolidate Event Log Entries to a Log Database.
• Backup Event Log Files to a remote location.

Table of Contents

• How to Configure the Agent Server
• How to Configure our Agent-Based Event Log Management Templates
• How to Install the Agent on Windows Servers
• How to Run the Templates on Demand
• How to Verify Event Log Entries have been Saved to the Log Database
• How to Verify Event Log Files have been Remotely Backed Up
• Troubleshooting

Event Log Consolidation Template Properties View

Our Event Log File Backup (Agent) Template requests Event Logs are backed up then uploaded to the Management Server for remote storage. Backed up Event Log Files are compressed then optionally encrypted using FIPS compliant AES.

Event Log File Backup Template Properties View

Both of these templates are flagged within their corresponding properties views as Agent-Based Templates. For detailed information on each template, see the in-application help file.

To configure a template as an Agent-Based Template

• From the Explorer View, right click on a supported template type then click Template Properties. The Template Properties View displays.
• From the Template Properties View, select the Agent Template Tab
• Use the Enabled check box to flag the template as an Agent-Based Template.
• Use the Trigger check box to trigger actions when assigned hosts do not connect within the configured time span.
• Use the On Host Not Connecting drop-down to assign the actions to fire when assigned hosts do not connect within the configured time span.

Agent-Based-Template-Properties Tab

Before we trigger the agent installation, I am going to show you how to monitor the installation within the software. Notice the Service Output Tab in the lower left corner. If we drag and drop this tab to the center of the screen we can see the output in the document view pane. This view displays verbose agent installation output so we can see exactly what is happening.

Now that we have added a host to manage, we need to assign a single agent-based template to the host. Once assigned the software will attempt to install the agent on the remote host within one minute.

To assign a template to a host

• From the Explorer View, use drag-drop to assign the template or
• Right click on a template then select Template Properties. Use the Template Properties View to assign the hosts to the template.

If we watch the Service Output, we see the following messages indicating the agent has been successfully installed:

AgentInstallerService: Agent is not installed.  Host: Northbowl
AgentInstallerService: Uploading installation file...  Source: C:\Program Files\Corner Bowl\Server Manager 2022\ServerManagerAgentInstaller.exe  Destination: \\Northbowl\C$\WINDOWS\TEMP\ServerManagerAgentInstaller.exe  Host: Northbowl
AgentInstallerService: Remote executing...  File: \\Northbowl\C$\WINDOWS\TEMP\ServerManagerAgentInstaller.exe  Host: Northbowl
                    

Once installed, the agent will connect once every minute. Notice, in the screenshot below, we see three different connection sessions defined by the entries below:

Session [39 192.168.0.3] - Connected.
Session [39 192.168.0.3] - WinAuthProtocol: Authenticated \anonymous.
AgentInstallerService: Remote executing...  File: \\Northbowl\C$\WINDOWS\TEMP\ServerManagerAgentInstaller.exe  Host: Northbowl
Agent Server Object(anonymous): IP: 192.168.0.3  Client Version: 22.0.0.427  Server Version: 22.0.0.427
Agent Server Object: Session started.  Remote IP: 192.168.0.3  Host: Northbowl  Local FQDN: NorthBowl  Local Hostname: NORTHBOWL  Local IP Address: 192.168.0.3  Session Count: 1
Agent Server Object(anonymous): Client requesting templates...  Host: Northbowl
Session [39 192.168.0.3] - The connection was terminated by the remote end point.
                        

Agent Installation Messages

Once connected, we can see some information about the client in the Dashboard. To view the Dashboard:

• From the Explorer View, click on the Dashboard node. The Dashboard View displays.
• From the Dashboard View, select the Host Summary Tab.
• Notice the new host is listed along with the Client Version and the Last Connection time.

Host Summary

Depending on the options you set for the Host Identification, the host may be added with a different name than the name you previously added. In that scenario the host is added to a group called Agent Devices. To see this in action, delete the host then wait for the agent to re-connect. Once reconnected, you will see a new Agent Server group with the host listed in the group.

Agent Devices Group

If the agent has internet access, the agent automatically updates when a new version becomes available, otherwise, Server Manager attempts to update the agent when a new update becomes available. If WMI or Windows Shares access is unavailable from the host the agent is installed, we can configure Server Manager to ignore the host when updating agents. To disable the automatic installation and updates of a host's agent, open the Host Properties View then de-select the Automatically install option located on the General Tab.

Disable Agent Installation

• From the Explorer View, expand the Hosts node.
• Navigate through the tree to find the target host then expand the host.
• Once expanded, find the Event Log File Backup (Agent) template then right click and select Explore. The Monitor Detail View displays.
• From the Monitor Detail View, the status shows the location of the backed up files. Take note of the location.
  Security Event Log File Backup Monitor Status
• From the Menu Bar, select File | Open then select the Zip file to view. The Log Viewer automatically expands the file then displays the contents. If the file was encrypted and password protected, we are prompted to specify the password to unlock the file.
  When you have finished reviewing the file, if the expanded file is no longer required, use Windows Explorer to delete the file.