Table of Contents
- Getting Started
- Agent-Based Management
- Data Providers
- Directory Services
- Auditing
- Hosts
- Templates
- Template Properties
- Batch Update Templates
- Assign Templates
- Log Management Templates
- SCAP Compliance Monitor
- File and Directory Monitor Templates
- Windows Monitor Templates
- Account Lockout Monitor Template
- Logon Monitor Template
- CPU Monitor Template
- Memory Monitor Template
- Disk Space Monitor Template
- SMART Monitor Template
- Process Monitor Template
- Service Monitor Template
- Performance Counter Monitor Template
- PowerShell Template
- Registry Value Monitor Template
- System Security Monitor Template
- Active Directory User Monitor Template
- Active Directory User Integrity Monitor Template
- Task Scheduler Template
- Clock Synchronization Template
- Defragment NTFS Disks Template
- Windows Audit Policy Monitor Template
- Windows Logon As Monitor Template
- Windows Update Template
- Windows Management Instrumentation (WMI) Templates
- Database Monitor Template
- Directory Service Monitor Template
- DNS Blacklist Monitor Template
- DNS Monitor Template
- Domain Expiration Monitor Template
- Network Speed Monitor Template
- Ping Monitor Template
- Database Table Reseed
- SQL Server Shrink and Backup Template
- SSH Shell
- TCP Port Scan Monitor Template
- Website Monitor Template
- Wake On LAN Template
- SSL Certificate Monitor Templates
- Email Monitor Templates
- SNMP Monitor Templates
- Windows Accounts Templates
- Monitors
- Reports
- File and Permission Reports
- Summary Reports
- Auto-Configurators
- Filters
- Actions
- Database Actions
- Desktop Actions
- Email Actions
- Event Log Actions
- Executable Actions
- File Actions
- IIS IP Address Restriction Actions
- Microsoft Teams Actions
- PowerShell Actions
- Report Actions
- Service Actions
- SMS Actions
- SNMP Trap Actions
- Syslog Actions
- Template Actions
- IIS IP Address Restriction Actions
- Action Variables
- Schedules
- Environment Variables
- Options
- Account Lockout Monitoring and Reporting
- Merging Logs
- SNMP
- SSH Shell
- Syslog
- Exporting and Importing Configuration Objects
- Shared Views
- Active Directory User and Group Filters
- Assign Actions
- Assign Azure Audit Logs
- Assign Consolidated Logs
- Assign Directories
- Assign Disks
- Assign Event Logs
- Assign Files
- Assign Services
- Assign Shares
- Auto-Config Host Assignment Properties
- Define CSV and W3C Log Entry Columns
- Define Log Entry Columns
- Define Log Entry Columns with Regular Expressions
- Executable Status
- Executable Timeline
- Explicitly Assigned Logs
- File Explorer
- General Executable Properties
- Report Columns
- Report Date/Time Ranges
- Report Security Event Log Filters
- Select Folder or File
- Target Files and Sub-Directories
- Command Line Interface
- Server Configuration
- Agent Configuration
- Troubleshooting
- Terminology
Agent-Based Management
In this Topic
Tutorials
Background
Server Manager includes an agent-based solution to remotely manage both Windows and Linux hosts. Our agent-based solution solves several potential problems with existing built-in technologies and security implementations. To understand the benefits, we must first understand the technologies used to remotely manage Windows and Linux hosts without an agent.
Agentless Management
Windows
Windows Event Logs are downloaded using remote WMI while Text Logs use either Windows Shares, SFTP/SSH or FTP/S to download logs. Most monitors, such as CPU, Memory and Disk Space use remote WMI to query information. Other monitors, such as Windows Certificates and Performance Counters, rely on other seemingly undocumented Microsoft APIs.
Security and Performance Concerns
- Attack Surface Reduction Rules do not permit remote WMI event subscriptions.
- In most hardened environments, monitoring and compliance services are not permitted to run as domain or local administrators.
- In most hardened environments, remote WMI and other Microsoft APIs are not permitted.
- Cloud-based servers cannot typically be managed by remote WMI.
- Windows blocks discovery and remote management of remote Windows Certificate Stores.
- WMI is needlessly slow when transmitting Event Log entries and often throws what seems are random errors on a random basis.
- WMI requires multiple ports, one of which is randomly assigned. The randomly assigned port can be configured to use a fixed port, however, the fixed port must be configured on each client host.
- In rare cases, WMI corrupts itself requiring the WMI service to be restarted or repaired.
- Hosts that periodically connect to the local network (e.g. Law Enforcement laptops), can be difficult to manage on a polling schedule. The polling schedule must be fast enough to catch each managed laptop when they just so happen to be logged into the local network often generating unnecessary traffic as well as a high number of errors in the meantime.
Linux (RedHat (RHEL) and Ubuntu)
Linux audit logs are downloaded using a two step process. First, audit logs must be copied to a temporary directory using Superuser permissions over an SSH connection so yet another SFTP can download the file.
Security and Performance Concerns
- SSH commands often require elevated Superuser permissions.
- SFTP has limited access to operating system files.
- Audit Log consolidation is highly inefficient requiring entire log files to be continually re-downloaded prior to extracting the latest entries.
Agent-Based Management Benefits
- Both the Windows Management Service and the Windows Agent Service can be run using the built-in SYSTEM Account eliminating the requirement to run as a Domain Administrator.
- All data is transmitted over a single TLS 1.2 capable TCP/IP port using a highly efficient binary protocol stack that downloads Windows Event Logs 12 times faster than remote WMI.
- Linux Audit Logs are efficiently accessed, parsed, and filtered directly on Linux hosts prior to transmitting the latest filtered entries to the Management Server.
The Corner Bowl Server Manager Agent
Many of the Windows Templates include an Agent-Based Template flag. Once an Agent-Based Template is assigned to a remote host, Server Manager uses Windows Shares to upload the Agent installation file to the host then uses WMI to remote install onto the host. If Server Manager is unable to penetrate the firewall to upload and remote install, you have the option to manually install the Agent to the remote host. Once installed, by default, the Agent connects once a minute to get list of templates to execute. The connection frequency can be overridden. Once Templates and Filters are received, the Agent executes the Templates and applies the Filters. Finally, data is transmitted to the management server.
Supported Templates
The following templates are currently supported:
- CPU Monitor
- Clock Synchronization (NTP)
- Defragment NTFS Disks
- Delete Temporary Files
- Directory Size Monitor
- Disk Space Monitor
- Event Log Consolidation
- Event Log File Backup
- Event Log Monitor
- File Monitor
- File Integrity Monitor (FIM)
- Memory
- Performance Counter Monitor
- Process Monitor
- PowerShell
- Registry Monitor
- Service Monitor
- SMART Disk Monitor
- SQL Server Shirk and Backup
- Task Scheduler
- TCP Port Scan Monitor
- Text Log Consolidation
- Text Log Monitor
- Windows SSL Certificate Monitor
How to Configure the Agent Server
- From the Explorer View, navigate to then select Agent Server. The Agent Server Properties View displays.
- The Agent Server Properties View contains 2 tabs.
- Options
- Assignments
The Options Tab
- From the Agent Server Properties View use the Enabled check box to enable or disable the Agent Server.
- Use the Add all new hosts check box to automatically add any agent host to the software when initially connecting.
- Use the Host identification method drop-down to select how you would like new hosts to be identified.
Option | Description |
---|---|
DNS Lookup | The server uses DNS to resolve the hostname. |
DNS and FQDN Lookup | The server uses DNS and Active Directory to resolve the Fully Qualified Domain Name (FQDN). |
Remote IP Address | The server uses the IP address. |
Local Hostname | The agent sends its local hostname to server for identification. |
Local FQDN | The agent sends its locally resolved FQDN to server for identification. |
Local IP Address | The agent sends its local IP address to server for identification. |
- Use the Auto-alias checkbox to automatically set the host's alias using the value derived from the identification method when the device is connecting for the first time and the device's IP address has already been added to Server Manager.
- Use the Agent installer enabled check box to use WMI and Windows Shares to automatically install the Agent Service to each host that has an Agent-Based Template assigned.
- Use the Agent connect schedule drop-down to select the schedule or frequency you want all of your Agents to connect. By default, the agent connects once a minute.
- When a real-time schedule is assigned, agents re-connect every minute.
- When a range schedule is assigned, agents re-connect at a random interval within the specified time range.
- Use the Maximum number of connections to limit the maximum number of client connections including, Management Consoles, Tray Icons, and Agent Devices.
- Use the Maximum Keep-Alive connections to limit the maximum number of Agent-Devices allowed to remain connected to the Agent Server.
- Use the Maximum installations per minute to limit the number of Agent-Devices that can be updated per minute.
- Use the Command and control checkbox to initiate the execution of Templates on targeted Keep-Alive Agent Devices from the Agent Server on schedule, otherwise, Templates are executed when each Agent-Device requests the next batch of Templates to execute.
- When using Command and control, use the Execution timeout controls to set the maximum time to wait for each Template to complete before triggering a timeout error.
- Selecting the Assignments Tab reveals a blacklist as well as various lists of objects to automatically assign to the newly added devices. By default, all new hosts are added to a node called Agent Devices, however, if you assign another group or set of groups to the Hosts Groups List, new hosts are only added to those groups.
How to Install the Agent on Windows
For detailed instructions on both automatically and manually installing the Agent on Windows, see Windows Agent Installation.
How to Install the Agent on Linux
For detailed instructions on both automatically and manually installing the agent on Linux, see Linux Agent Installation.
Troubleshooting
If the Agent does not appear to be connecting or processing templates, you can view the Agent's verbose output log for detailed information. The log file is located in the following path on each remotely managed host:
On Windows the location is:
C:\ProgramData\Corner Bowl\Server Manager Agent\agent.log
On Linux the location is:
/var/log/corner-bowl/agent.log