Introduction
System Requirements
Assign Service Logon As Credentials
Server Configuration
- Azure Relay Hybrid Connection
Agent-Based Monitoring
Data Providers
- Data Provider Properties
- File System Properties
- SQLite Properties
- MySQL Properties
- Microsoft SQL Server Properties
Directory Services
Audit Work Items
Hosts
- Host Properties
- Batch Update Hosts
- Logon As Properties
- SFTP Properties
- FTP/S Properties
- SNMP Device Connection Properties
- WMI
- Contact
- Template Exclusions
- Inventory
- Docker
- Host Assignments
Templates
- Template Properties
- Batch Update Templates
- Log Management Templates
- File and Directory Monitor Templates
- Windows Monitor Templates
- Network and Application Monitor Templates
- SSL Certificate Monitor Templates
- Email Monitor Templates
- SNMP Monitor Templates
Monitors
- Monitor Hierarchy
- Temporarily Suppress Monitors Actions
Reports
- Report Properties
- Security Reports
- Generic Log Reports
- File and Permission Reports
- Summary Reports
Auto-Configurators
Filters
- Simple Filters
- Complex Filters
- C# Script Filters
Actions
- Desktop Actions
- Email Actions
- Event Log Actions
- Executable Actions
- File Actions
- Microsoft Teams Actions
- Service Actions
- SMS Actions
- SNMP Trap Actions
- Syslog Actions
- Action Variables
Schedules
- Fixed Schedules
- Range Schedules
- Real-Time Schedules
Environment Variables
Options
- Email Settings
- Security Settings
- Syslog Server Settings
- SNMP Trap Server Settings
- Web Proxy Settings
- Miscellaneous Settings
Account Lockout Monitoring and Reporting
SNMP
- SNMP Browser
SSH Shell
Exporting and Importing Configuration Objects
Shared Views
- Auto-Config Host Assignment Properties
- General Executable Properties
- Assign Actions
- Assign Directories
- Assign Disks
- Assign Shares
- Assign Files
- Assign Consolidated Logs
- Assign Event Logs
- Assign Active Directory Audit Logs
- Target Files and Sub-Directories
- Define Log Entry Columns
- Define Log Entry Columns with Regular Expressions
- Define CSV and W3C Log Entry Columns
- Active Directory User and Group Filters
- Explicitly Assigned Logs
- File Explorer
- Report Columns
- Report Date/Time Ranges
- Report Security Event Log Filters
- Select Folder or File
Command Line Interface
Troubleshooting
- Arithmetic Overflow
- Access Denied
- Invalid Class
- No Such Interface Supported
- Quota Violation
- The File Exists Errors
- The Interface is Unknown
- The RPC Server is Unavailable
- NetBIOS Errors
- Windows Service Log File
Terminology

Agent-Based Monitoring Templates

Server Manager includes an Agent-Based solution to download logs from remote computers. The Agent-Based solution solves several potential problems with existing built-in technologies. To understand the benefits we must first understand the technologies used to remotely manage Windows hosts. Event Logs are downloaded using a WMI whereas Text Logs require either Windows Shares, SFTP/SSH or FTP/S to download logs. Other monitors, such as Windows Certificates and Performance Counters, rely on other seemingly undocumented APIs.

In some Server Hardened environments, management services are not permitted to run as domain or local administrators.
In some Server Hardened environments, remote WMI and Performance Counters are not accessible.
Windows blocks discovery and remote management of the certificate store.
WMI is quite slow when transmitting Event Log entries and often throws what seems are random errors on a regular basis.
In rare cases, WMI corrupts itself requiring the WMI service to be restarted or repaired.
WMI requires multiple ports, one of which is randomly assigned. The randomly assigned port can be configured to use a fixed port, however, the fixed port must be configured on each client host.
Internet based servers cannot typically be managed.
Hosts that periodically connect to the local network (e.g. Law Enforcement laptops), can be difficult to manage on a polling schedule. The polling schedule must be fast enough to catch each managed laptop when they just so happen to be logged into the local network often generating unnecessary traffic as well as a high number of errors in the meantime.

Corner Bowl Software solves all of these issues with our Server-Side Server Agent and our remotely installed lightweight Server Manager Agent while also downloading Event Log entries 12 times faster than WMI.

Corner Bowl Server Manager Agent

Many of the Windows Templates include an Agent-Based Template flag. Once an Agent-Based Template is assigned to a remote host, Server Manager uses Windows Shares to upload the Agent installation file to the host then uses WMI to remote install onto the host. If Server Manager is unable to penetrate the firewall to upload and remote install, you have the option to manually install the Agent to the remote host. Once installed, by default, the Agent connects once a minute to get list of templates to execute. The connection frequency can be overridden. Once Templates and Filters are received, the Agent executes the Templates and applies the Filters. Finally, data is transmitted to the management server.

If the server instance of Server Manager is not available on a public IP address, an Azure Hybrid Relay can be setup to proxy the connection.

The following templates are currently supported:

How to configure the Agent Server:

From the Explorer View, navigate to Agent Server then right click and select Properties. The Agent Server Properties View displays.

From the Agent Server Properties View use the Enabled check box to enable or disable the server.

Once enabled, the server attempts to install the Agent to all configured hosts that have Agent-Based Templates assigned to them. If you do not want to automatically install the Agent to each host that has an Agent-Based Template assigned, you can either globally disable the Agent installer (below) or disable specific hosts via the Host Properties View. For more information see: Host Properties

Use the Host identification method drop-down to select how you would like connecting hosts to be identified.

Option	Description
DNS Lookup	The server uses DNS to resolve the hostname.
DNS and FQDN Lookup	The server uses DNS and Active Directory to resolve the Fully Qualified Domain Name (FQDN).
Remote IP Address	The server uses the IP address.
Local Hostname	The client sends its local hostname to server for identification.
Local FQDN	The client sends its locally resolved FQDN to server for identification.
Local IP Address	The client sends its local IP address to server for identification.

Use the Agent installer enabled check box to use WMI and Windows Shares to automatically install the Agent Service to each host that has an Agent-Based Template assigned.

When enabled, Server Manager also updates out-of-date Agent Service installations.

Once the Agent connects, if the Agent is a lower version than the server, the Agent requests the Agent be downloaded directly on the connected TCP/IP socket. Once downloaded, the Agent automatically updates itself.

Use the Agent connect schedule drop-down to select the schedule or frequency you want all of your Agents to connect. By default, the agent connects once a minute.

Real-Time and Range schedules are not supported.

This value can be overridden on a per host basis. To override a specific Host's connection schedule, from the Explorer View, find the target host then right click and select Host Properties. The Host Properties View displays. From the General Tab, use the Agent connect schedule drop-down to override this value.

Use the Assignments Tab to synchronize assignments to connecting hosts.
- Use the Host Groups drop-down to select the host groups you would like to assign each host.
- Use the Template Groups drop-down to select the template groups you would like to assign each host.
- Use the Report Groups drop-down to select the report groups you would like to assign each host.
- Use the Templates drop-down to select the templates you would like to assign each host.
- Use the Reports drop-down to select the templates you would like to assign each host.

How to enable remote Server Manager Agent installation

From the Explorer View, navigate to Agent Server then right click and select Properties. The Agent Server Properties View displays.
Check Enabled.
Click Save.

From the Explorer View, navigate to Templates | Sample Templates | Log Consolidation then right click on Agent-Based Event Log Consolidation and select Assign.

You can assign any template that has been flagged as an Agent-Based Template. For more information see below.

The Select Services, Devices and Endpoints View displays.

From the Select Services, Devices and Endpoints View, check each host you would like to install the Server Manager Agent, then click OK.
Once assigned, Server Manager will attempt to remote install the Server Manager Agent onto each assigned host.

How to manually install the Server Manager Agent on remote hosts

From the host you have installed Server Manager, copy the following file to each target host:

C:\Program Files\Corner Bowl\Server Manager 2022\ServerManagerAgentInstaller.exe

From each target host, open a command prompt as Administrator then run the executable with the following command line options:

Parameter	Description
HOST	The fully qualified hostname of the host Server Manager is installed.
PORT	The port to connect with. The default value is 21843
TLSENABLED	true to enable TLS 1.2. Please note the server must be configured to use TLS. For more information see: Server Configuration
TLSCERTIFICATE	The optional TLS client certificate to use for TLS 1.2.
RELAYENABLED	true to proxy communication through an Azure Relay Connection.
RELAYNAMESPACE	The Azure Relay Connection namespace.
RELAYCONNECTIONNAME	The Azure Relay Connection name.
RELAYKEYNAME	The Azure Relay Connection key name.
RELAYKEY	The Azure Relay Connection key value.
-q	Silently run the installation.
-norestart	Suppress reboot.

For Example:

ServerManagerAgentInstaller.exe -q HOST=1.2.3.4 PORT=21843

To update the Agent configuration

Just like the Service, the Agent uses an XML configuration file to load the parameters to connect to the server. Configuration is implemented through the cbsmsrv.exe.config file located in the program data directory. The default location is:
C:\ProgramData\Corner Bowl\Server Manager Agent 2022\cbsmagt.exe.config

Configuration File Reference

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <configSections>
        <section name="server" type="XPlatformWindowsShared.Configuration.ServerConfigurationSectionHandler,XPlatformWindowsShared" />
    </configSections>

    <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
    </startup>

    <server>
        <host value="SERVERNAME" />
        <port value="21843" />
        <tls value="False" certificate="" requireRemoteCertificate="false" allowSelfSignedCertificate="true" checkCertificateRevocation="false" allowCertificateChainErrors="true" />
        <idleTimeout value="300" />
        <readTimeout value="120" />
        <writeTimeout value="120" />
        <azure value="False" relayNamespace="" connectionName="" keyName="" key="" />
    </server>

</configuration>

To configure Agent-Based Event templates

Select File | New Template. The Select Template Type view displays.
Click the Template type to create. The Template Properties view displays.
Select the Agent Template Tab
Use the Enabled Check Box to flag the template as an Agent-Based Template.
Use the Trigger Check Box to trigger actions when assigned hosts do not connect within the configured time span.
Use the On Host Not Connecting Drop-Down to assign the actions to fire when assigned hosts do not connect within the configured time span.

To configure Agent-Based Event Log Consolidation for remote hosts

After following the steps above, the pre-installed Template is automatically assigned to each host. You have the option to modify this Template or create your own.

To modify the pre-installed Template, navigate to Templates | Sample Templates | Log Consolidation | Agent-Based Event Log Consolidation then right click and select Template Properties.
To create a new template, select Files | New | Templates | Log Managements | Log Consolidations then from the properties page set the Sub Type to Event Log.
Use the General tab to schedule the frequency.
Use the Logs tab to select the target logs.
Use the Options tab to specify consolidation filters and log entry retention policy.

Use the Agent Template tab to configure Server Manager to remotely install the Corner Bowl Server Manager Agent to the assigned hosts.

If using the sample template notice the Enabled option is checked. If you are creating your own template this option must be selected. The Server Manager Agent logs into the server anonymously with access limited to reading assigned templates and pushing log entries.

The Monitor tab enables you to scan entries on the server-side to fire actions or notifications when necessary.
Use the Actions tab to assign actions or notifications when the template starts, completes or errors.
Use the Hosts and Host Groups drop-down boxes on the right side of the screen to assign hosts to this Template.
Click Save.

To configure Agent-Based Native Event Log File Backup for remote hosts