Table of Contents
- Introduction
- System Requirements
- Assign Service Logon As Credentials
- Server Configuration
- Agent-Based Monitoring
- Data Providers
- Directory Services
- Audit Work Items
- Hosts
- Templates
- Template Properties
- Batch Update Templates
- Log Management Templates
- File and Directory Monitor Templates
- Windows Monitor Templates
- Account Lockout Monitor Template
- Logon Monitor Template
- CPU Monitor Template
- Memory Monitor Template
- Disk Space Monitor Template
- SMART Monitor Template
- Process Monitor Template
- Service Monitor Template
- Performance Counter Monitor Template
- PowerShell Script Template
- Registry Value Monitor Template
- Active Directory User Monitor Template
- Active Directory User Integrity Monitor Template
- Task Scheduler Template
- Clock Synchronization Template
- Defragment NTFS Disks Template
- Network and Application Monitor Templates
- Database Monitor Template
- Directory Service Monitor Template
- DNS Blacklist Monitor Template
- DNS Monitor Template
- Domain Expiration Monitor Template
- Network Speed Monitor Template
- Ping Monitor Template
- SQL Server Shrink and Backup Template
- SSH Shell
- TCP Port Scan Monitor Template
- Website Monitor Template
- SSL Certificate Monitor Templates
- Email Monitor Templates
- SNMP Monitor Templates
- Monitors
- Reports
- Auto-Configurators
- Filters
- Actions
- Schedules
- Environment Variables
- Options
- Account Lockout Monitoring and Reporting
- SNMP
- SSH Shell
- Exporting and Importing Configuration Objects
- Shared Views
- Auto-Config Host Assignment Properties
- General Executable Properties
- Assign Actions
- Assign Directories
- Assign Disks
- Assign Shares
- Assign Files
- Assign Consolidated Logs
- Assign Event Logs
- Assign Active Directory Audit Logs
- Target Files and Sub-Directories
- Define Log Entry Columns
- Define Log Entry Columns with Regular Expressions
- Define CSV and W3C Log Entry Columns
- Active Directory User and Group Filters
- Explicitly Assigned Logs
- File Explorer
- Report Columns
- Report Date/Time Ranges
- Report Security Event Log Filters
- Select Folder or File
- Command Line Interface
- Troubleshooting
- Terminology
Agent-Based Monitoring Templates
Server Manager includes an Agent-Based solution to download logs from remote computers. The Agent-Based solution solves several potential problems with existing built-in technologies. To understand the benefits we must first understand the technologies used to remotely manage Windows hosts. Event Logs are downloaded using a WMI whereas Text Logs require either Windows Shares, SFTP/SSH or FTP/S to download logs. Other monitors, such as Windows Certificates and Performance Counters, rely on other seemingly undocumented APIs.
- In some Server Hardened environments, management services are not permitted to run as domain or local administrators.
- In some Server Hardened environments, remote WMI and Performance Counters are not accessible.
- Windows blocks discovery and remote management of the certificate store.
- WMI is quite slow when transmitting Event Log entries and often throws what seems are random errors on a regular basis.
- In rare cases, WMI corrupts itself requiring the WMI service to be restarted or repaired.
- WMI requires multiple ports, one of which is randomly assigned. The randomly assigned port can be configured to use a fixed port, however, the fixed port must be configured on each client host.
- Internet based servers cannot typically be managed.
- Hosts that periodically connect to the local network (e.g. Law Enforcement laptops), can be difficult to manage on a polling schedule. The polling schedule must be fast enough to catch each managed laptop when they just so happen to be logged into the local network often generating unnecessary traffic as well as a high number of errors in the meantime.
Corner Bowl Software solves all of these issues with our Server-Side Server Agent and our remotely installed lightweight Server Manager Agent while also downloading Event Log entries 12 times faster than WMI.
Corner Bowl Server Manager Agent
Many of the Windows Templates include an Agent-Based Template flag. Once an Agent-Based Template is assigned to a remote host, Server Manager uses Windows Shares to upload the Agent installation file to the host then uses WMI to remote install onto the host. If Server Manager is unable to penetrate the firewall to upload and remote install, you have the option to manually install the Agent to the remote host. Once installed, by default, the Agent connects once a minute to get list of templates to execute. The connection frequency can be overridden. Once Templates and Filters are received, the Agent executes the Templates and applies the Filters. Finally, data is transmitted to the management server.
 |
If the server instance of Server Manager is not available on a public IP address, an Azure Hybrid Relay can be setup to proxy the connection. |
The following templates are currently supported:
- CPU
- Delete Temporary Files
- Directory Size Monitor
- Disk Space Monitor
- Event Log Consolidation
- Event Log File Backup
- Event Log Monitor
- File Monitor
- File Integrity Monitor (FIM)
- Memory
- Performance Counter Monitor
- Process
- Registry
- Service
- SQL Server Shirk and Backup
- Task Scheduler
- TCP Port Scan Monitor
- Text Log Consolidation
- Text Log Monitor
- Windows SSL Certificate Monitor
How to configure the Agent Server:
- From the Explorer View, navigate to Agent Server then right click and select Properties. The Agent Server Properties View displays.
-
From the Agent Server Properties View use the Enabled check box to enable or disable the server.
Once enabled, the server attempts to install the Agent to all configured hosts that have Agent-Based Templates assigned to them. If you do not want to automatically install the Agent to each host that has an Agent-Based Template assigned, you can either globally disable the Agent installer (below) or disable specific hosts via the Host Properties View. For more information see: Host Properties -
Use the Host identification method drop-down to select how you would like connecting hosts to be identified.
Option Description DNS Lookup The server uses DNS to resolve the hostname. DNS and FQDN Lookup The server uses DNS and Active Directory to resolve the Fully Qualified Domain Name (FQDN). Remote IP Address The server uses the IP address. Local Hostname The client sends its local hostname to server for identification. Local FQDN The client sends its locally resolved FQDN to server for identification. Local IP Address The client sends its local IP address to server for identification. -
Use the Agent installer enabled check box to use WMI and Windows Shares to automatically install the Agent Service to each host that has an Agent-Based Template assigned.
When enabled, Server Manager also updates out-of-date Agent Service installations. Once the Agent connects, if the Agent is a lower version than the server, the Agent requests the Agent be downloaded directly on the connected TCP/IP socket. Once downloaded, the Agent automatically updates itself. -
Use the Agent connect schedule drop-down to select the schedule or frequency you want all of your Agents to connect. By default, the agent connects once a minute.
Real-Time and Range schedules are not supported. This value can be overridden on a per host basis. To override a specific Host's connection schedule, from the Explorer View, find the target host then right click and select Host Properties. The Host Properties View displays. From the General Tab, use the Agent connect schedule drop-down to override this value. -
Use the Assignments Tab to synchronize assignments to connecting hosts.
- Use the Host Groups drop-down to select the host groups you would like to assign each host.
- Use the Template Groups drop-down to select the template groups you would like to assign each host.
- Use the Report Groups drop-down to select the report groups you would like to assign each host.
- Use the Templates drop-down to select the templates you would like to assign each host.
- Use the Reports drop-down to select the templates you would like to assign each host.
How to enable remote Server Manager Agent installation
- From the Explorer View, navigate to Agent Server then right click and select Properties. The Agent Server Properties View displays.
- Check Enabled.
- Click Save.
-
From the Explorer View, navigate to Templates | Sample Templates | Log Consolidation then right click on Agent-Based Event Log Consolidation and select Assign.
The Select Services, Devices and Endpoints View displays.You can assign any template that has been flagged as an Agent-Based Template. For more information see below. - From the Select Services, Devices and Endpoints View, check each host you would like to install the Server Manager Agent, then click OK.
- Once assigned, Server Manager will attempt to remote install the Server Manager Agent onto each assigned host.
How to manually install the Server Manager Agent on remote hosts
-
From the host you have installed Server Manager, copy the following file to each target host:C:\Program Files\Corner Bowl\Server Manager\ServerManagerAgentInstaller.exe
-
From each target host, open a command prompt as Administrator then run the executable with the following command line options:
Parameter Description HOST The fully qualified hostname of the host Server Manager is installed. PORT The port to connect with. The default value is 21843 TLSENABLED true to enable TLS 1.2. Please note the server must be configured to use TLS. For more information see: Server Configuration TLSCERTIFICATE The optional TLS client certificate to use for TLS 1.2. -q Silently run the installation. -norestart Suppress reboot. For Example:ServerManagerAgentInstaller.exe -q HOST=1.2.3.4 PORT=21843
To update the Agent configuration
Just like the Service, the Agent uses an XML configuration file to load the parameters to connect to the server.
Configuration is implemented through the cbsmsrv.exe.config file located in the program data directory. The default location is:
C:\ProgramData\Corner Bowl\Server Manager Agent 2022\cbsmagt.exe.config
Configuration File Reference
{
"Host": "SERVERNAME",
"Port": 21843,
"IdleTimeout": 300,
"ReceiveTimeout": 120,
"SendTimeout": 120,
"TlsConfiguration": {
"Enabled": false,
"Certificate": null,
"RequireRemoteCertificate": false,
"AllowSelfSignedCertificate": true,
"CheckCertificateRevocation": false,
"AllowCertificateChainErrors": true
}
}
To configure Agent-Based Event templates
- Select File | New Template. The Select Template Type view displays.
- Click the Template type to create. The Template Properties view displays.
- Select the Agent Template Tab
- Use the Enabled Check Box to flag the template as an Agent-Based Template.
- Use the Trigger Check Box to trigger actions when assigned hosts do not connect within the configured time span.
- Use the On Host Not Connecting Drop-Down to assign the actions to fire when assigned hosts do not connect within the configured time span.
To configure Agent-Based Event Log Consolidation for remote hosts
After following the steps above, the pre-installed Template is automatically assigned to each host. You have the option to modify this Template or create your own.
- To modify the pre-installed Template, navigate to Templates | Sample Templates | Log Consolidation | Agent-Based Event Log Consolidation then right click and select Template Properties.
- To create a new template, select Files | New | Templates | Log Managements | Log Consolidations then from the properties page set the Sub Type to Event Log.
- Use the General tab to schedule the frequency.
- Use the Logs tab to select the target logs.
- Use the Options tab to specify consolidation filters and log entry retention policy.
-
Use the Agent Template tab to configure Server Manager to remotely install the Corner Bowl Server Manager Agent to the assigned hosts.
If using the sample template notice the Enabled option is checked. If you are creating your own template this option must be selected. The Server Manager Agent logs into the server anonymously with access limited to reading assigned templates and pushing log entries. - The Monitor tab enables you to scan entries on the server-side to fire actions or notifications when necessary.
- Use the Actions tab to assign actions or notifications when the template starts, completes or errors.
- Use the Hosts and Host Groups drop-down boxes on the right side of the screen to assign hosts to this Template.
- Click
To configure Agent-Based Native Event Log File Backup for remote hosts
After following the steps above, the pre-installed Template is automatically assigned to each host. You have the option to modify this Template or create your own.
- To modify the pre-installed Template, navigate to Templates | Sample Templates | Log Consolidation | Agent-Based Event Log File Backup then right click and select Template Properties.
- To create a new template, select Files | New | Templates | Log Managements | Log Backup then from the properties page set the Sub Type to Event Log.
- Use the General tab to schedule the frequency.
- Use the Logs tab to select the target logs.
- Use the Options tab to specify backup options. For more information see: Log Backup Template
-
Use the Agent Template tab to configure Server Manager to remotely install the Corner Bowl Server Manager Agent to the assigned hosts.
If using the sample template notice the Enabled option is checked. If you are creating your own template this option must be selected. The Server Manager Agent logs into the server anonymously with access limited to reading assigned templates and upload log entries. - The Monitor tab enables you to scan entries on the server-side to fire actions or notifications when necessary.
- Use the Actions tab to assign actions or notifications when the template starts, completes or errors.
- Use the Hosts and Host Groups drop-down boxes on the right side of the screen to assign hosts to this Template.
- Click
Troubleshooting
If the Agent does not appear to be connecting or processing templates you can view the Agent's verbose output log for detailed information. The log file is located in the following directory on each remotely managed host:
c:\ProgramData\Corner Bowl\Server Manager Agent 2022\Agent.log