event tracker pulse user guide

8/6/2019 Event Tracker PULSE User Guide

1/182

EventTracker PULSE

UsersGuide


2/182

All intellectual property rights in this work belong to Prism Microsystems, Inc. The information contained in this work mustnot be reproduced or distributed to others in any form or by any means, electronic or mechanical, for any purpose, withoutthe prior permission of Prism Microsystems, Inc., or used except as expressly authorized in writing by Prism Microsystems,Inc.

Copyright

Copyright 1999 - 2009 Prism Microsystems, Inc. All Rights Reserved.

All company, brand and product names are referenced for identification purposes only and may be trademarks or registeredtrademarks that are the sole property of their respective owners.

Trademarks

Prism Microsystems, Inc. reserves the right to make changes to this manual and the equipment described herein withoutnotice. Prism Microsystems, Inc. has made all reasonable efforts to ensure that the information in this manual is accurate andcomplete. However, Prism Microsystems, Inc. shall not be liable for any technical or editorial errors or omissions made hereinor for incidental, special, or consequential damage of whatsoever nature resulting from the furnishing of this manual, oroperation and performance of equipment in connection with this manual

Disclaimer

.


3/182

E V E N T T R A C K E R P U L S E V E R . 6 . 3 U S E R S

G U I D E C O N T E N T S

ContentsAbout this Guide ................................................................................................................................ vi

Purpose of this guide ...................................................................................................................................... viWho should read this guide ............................................................................................................................ viTypographical Conventions ........................................................................................................................... vi

Document Revision Control ............................................................................................................ viiHow to Get In Touch ......................................................................................................................viii

Documentation Support................................................................................................................................ viiiCustomer Support......................................................................................................................................... viii

Chapter 1 Getting Started.................................................................................................................. 9About EventTracker PULSE............................................................................................................ 10EventTracker PULSE Services and Ports ........................................................................................ 10EventTracker PULSE Components ................................................................................................. 11

System Manager.............................................................................................................................................11EventVault Warehouse Manager....................................................................................................................13

Diagnostic & Support Tool.............................................................................................................. 14

Chapter 2 Configuring PULSE........................................................................................................ 17EventTracker Knowledge Base Web site......................................................................................... 18SYSLOG Receiver........................................................................................................................... 18

Monitoring Syslogs ........................................................................................................................................18Monitor Agent Health...................................................................................................................... 19

Chapter 3 Managing System Groups.............................................................................................. 21Discover Modes ............................................................................................................................... 22

Auto Discover Mode ......................................................................................................................................22Manual Mode .................................................................................................................................................22

Adding Computers........................................................................................................................... 23Adding a single Computer..............................................................................................................................23Adding a group of Computers ........................................................................................................................25Adding a group of Computers from an IP subnet ...........................................................................................27

Removing Computers ...................................................................................................................... 30Removing Computers Auto Discover Mode ...............................................................................................30Removing Computers - Manual Mode ...........................................................................................................32

Removing Unmanaged Systems ...................................................................................................... 33Logical System Groups.................................................................................................................... 38

Creating a New Logical Group - System Type...............................................................................................38Creating a New Logical Group IP Subnet ...................................................................................................42Creating a New Logical Group Manual Selection .......................................................................................44Modifying a Group.........................................................................................................................................47Deleting a Group ............................................................................................................................................50

A B O U T T H I S G U I D E i i i


4/182



Chapter 4 Managing Windows Agents............................................................................................ 53Agent for Windows Systems ........................................................................................................... 54

Pros ................................................................................................................................................................54Cons ...............................................................................................................................................................55

Deploying Window Agents.............................................................................................................. 55Pre-installation Procedures.............................................................................................................................55Installing Windows Agents ............................................................................................................................55Uninstalling Windows Agents........................................................................................................................64Upgrading Windows Agents ..........................................................................................................................66Removing Windows Agent Components .......................................................................................................70Switching Windows Agent Modes.................................................................................................................72Viewing Agent Status.....................................................................................................................................76Starting the Agent Service..............................................................................................................................76Editing Admin Account .................................................................................................................................76

Generating System Report ............................................................................................................... 79Managed System Report ................................................................................................................................80Unmanaged System Report ............................................................................................................................81All System Report ..........................................................................................................................................81

Vista Agent ...................................................................................................................................... 82Event Publishers in Windows Event Log .......................................................................................................82Event Logs and Channels in Windows Event Log .........................................................................................82Event Consumers in Windows Event Log......................................................................................................82Prerequisites...................................................................................................................................................83Installing / Uninstalling Vista Agent ..............................................................................................................83Filtering Events ..............................................................................................................................................83Monitoring EVTX Logfiles............................................................................................................................84

Configuring Windows Agent........................................................................................................... 85Accessing the Windows Agent Configuration Window .................................................................................85Forwarding Events to Multiple Destinations..................................................................................................86Event Delivery modes ....................................................................................................................................88Modifying Event delivery modes ...................................................................................................................88Removing Managers ......................................................................................................................................91Filtering Events ..............................................................................................................................................92Filtering Events with Exception .....................................................................................................................96Filtering Events with Advanced Filters..........................................................................................................98Enabling SID Translation.............................................................................................................................101Enabling High Performance mode ...............................................................................................................102Monitoring System Health ...........................................................................................................................103Monitor Applications ...................................................................................................................................106Filtering applications that need not be monitored ........................................................................................108Filtering applications that needs to be monitored.........................................................................................109Monitoring Services.....................................................................................................................................110Filtering Services that need not be monitored ..............................................................................................112Monitoring Logfiles .....................................................................................................................................113Viewing File Details.....................................................................................................................................121Deleting Log file monitoring settings...........................................................................................................122Searching Strings .........................................................................................................................................122

Monitoring Network Connections................................................................................................................124Excluding Network Connections from monitoring ......................................................................................127Including Network Connections for monitoring...........................................................................................131Suspicious Connections................................................................................................................................133Monitoring Suspicious Connections.............................................................................................................133Adding programs to the trusted list ..............................................................................................................138Adding Firewall Exceptions to the Trusted List ...........................................................................................139

i v


5/182



Monitoring Processes ...................................................................................................................................140Removing processes from List of Filtered Processes ...................................................................................143Maintaining Log Backup..............................................................................................................................144Viewing Logs...............................................................................................................................................147Applying the Settings to Specified Agents ...................................................................................................148Backing up Current Configuration ...............................................................................................................151Protecting the Current Configuration Settings .............................................................................................152

Windows Agent Management Tool ............................................................................................... 154Accessing Agent Management Tool ............................................................................................................154Querying Agent Service status - System ......................................................................................................154Querying Agent Service status - Group........................................................................................................155Querying Agent Service status - All.............................................................................................................156Restarting Agent Service - System...............................................................................................................156Restarting Agent Service - Group ................................................................................................................157Restarting Agent Service - All .....................................................................................................................157Querying version of the Agent Service - System .........................................................................................158Querying version of the Agent Service - Group ...........................................................................................158Querying version of the Agent Service - All ................................................................................................159

Deploying Windows Agents in Command line mode.................................................................... 159Command line parameters............................................................................................................................160Installing Windows Agent on a single system..............................................................................................160Uninstalling Windows Agent from a single system .....................................................................................162Installing and Uninstalling Windows Agents in multiple systems ...............................................................162

Chapter 5 Agentless Monitoring of Windows Systems........... ........... ........... ........... .......... .......... 164Agentless Monitoring .................................................................................................................... 165

Pros ..............................................................................................................................................................165Cons .............................................................................................................................................................165Adding Systems for Agent-less monitoring .................................................................................................165Editing Admin account.................................................................................................................................171

Chapter 6 EventVault Warehouse Manager .......... ........... ........... ........... ........... .......... ........... ..... 173Viewing CAB files......................................................................................................................... 174Configuring EventVault................................................................................................................. 174

Saving EventBox Metadata............................................................................................................ 175Verifying EventBox Integrity ........................................................................................................ 176Extracting EventBox Data ............................................................................................................. 177Deleting an EventBox.................................................................................................................... 177

Glossary ........................................................................................................................................... 179

Index................................................................................................................................................. 181

v


6/182


G U I D E P U R P O S E O F T H I S G U I D E

About this Guide

Purpose of this guide

This guide will enable you to use every option of EventTracker PULSE and providesdetailed procedures for the same.

Who should read this guide

Intended audience:

Administrators who are assigned the task to monitor and manage eventsusing EventTracker PULSE

Operations personnel who manage day-to-day operations using EventTrackerPULSE

Typographical Conventions

Before you start, it is important to understand the typographical conventions followed inthis guide:

T able 1 This Represents

Italics References to other guides and documents.

Bold Input fields, radio button names, check boxes, drop-down lists, links on screens, menus, and menu

options.

CAPS Keys on the keyboard and buttons on screens.

T{Text_to_customize}T A placeholder for something that you must customize.

For example, T{Server_Name}T would be replaced

with the name of your server/ machine name or an IPaddress.

Constant width Text that you enter, program code, files and directorynames, function names.

A Note, providing additional information about acertain topic.

A B O U T T H I S G U I D E v i


7/182


G U I D E D O C U M E N T R E V I S I O N C O N T R O L

Document Revision Control

This section defines the conventions followed for the document revision controlnumber. The revision control number is an alphanumeric identifier, unique to thedocument. The components of the acronym identify the following:

First two letters name of the product

Second two numbers version of the product

Last two letters document description

The document revision control number for this guide is as given below:

T able 2

Document Revision ControlNumber Significance

EP6.3USGD EP EventTracker PULSE

6.3 version number

USGD Document description

A B O U T T H I S G U I D E v i i


8/182


G U I D E H O W T O G E T I N T O U C H

How to Get In TouchThe following sections provide information on how to obtain support for thedocumentation and the software.

Documentation Support

Prism Microsystems, Inc. welcomes your comments and suggestions on the qualityand usefulness of this document. For any questions, comments, or suggestions onthe documentation, you can contact us by e-mail at [email protected]

Customer Support

If you have any problems, questions, comments, or suggestions regarding

EventTracker PULSE, contact us by e-mail at [email protected] Diagnostics application included with PULSE produces a zip file with allinformation needed to help resolve the problem.

A B O U T T H I S G U I D E v i i i
mailto:[email protected]:[email protected]:[email protected]:[email protected]


9/182

Chapter 1

Getting Started

In this chapter, you will learn about:

Starting EventTracker PULSE

EventTracker PULSE Components

9


10/182


G U I D E A B O U T E V E N T T R A C K E R P U L S E

About EventTracker PULSEEventTracker PULSE is the search interface to a reliable, policy driven, software-onlysolution to monitor and manage critical event logs generated by Windows(Vista/2008/2003/XP/2K), Unix (SYSLOG), SYSLOG-NG. EventTracker PULSE is anenterprise grade solution that provides secure warehousing and flexible log searchinginterface.

EventTracker PULSE gives you the ability to:

Collect log data from Windows systems

Receive log data from SYSLOG sources such as Unix/Linux and Cisco

Archive collected log data efficiently

Search archived log data with a flexible and powerful interface

EventTracker PULSE Services and Ports

T able 3

Service Description StartupType

Log on as Allowservice tointeract withdesktop

EventTracker

Agent

Relays local log

data and isusuallymanaged bythe centralEventTrackerConsole. Ifuninstalledlocally,correspondingchanges will benecessary atthe Console.May berestarted topick up newconfiguration.

Automatic Local System

account

Yes

C H A P T E R 1

G E T T I N G S T A R T E D 1 0


11/182


G U I D E E V E N T T R A C K E R P U L S E C O M P O N E N T S

Service Description StartupType

Log on as Allowservice to

interact withdesktop

EventTrackerEventVault

AnEventTrackercomponent tocompress andsecurely storeraw log data.

Automatic Local Systemaccount

Yes

EventTrackerReceiver

EnablesEventTracker toreceive log datafrom configuredsources. If

stopped,EventTrackercannot function.May berestarted topick up newconfiguration.

Automatic Local Systemaccount

Yes

T able 4

EventTracker PULSEModule

Port(s) Application

Agent 14506(TCP) etagent.exe

Windows Receiver 14505(TCP/UDP) EtReceiver-W-14505.exe

Syslog Receiver 514(UDP), 1470(TCP) EtReceiver-S-514.exe

EventTracker PULSE Components

System Manager

System Manager enables you to:

Create, Modify, and Delete a Group. You can add systems to the Group bySystem Type, IP subnet or by manual selection.

Install, Uninstall, and Upgrade Agents.

Switch modes of the Agent

Configure Agents.

View logs.

C H A P T E R 1



12/182



To work with System Manager effectively, a thorough understanding of its graphicaluser interface is necessary.

Figure 1 SystemManager UserInterface

Title Bar

The top strip of System Manager is the Title Bar. Title Bar displays the name of the

application. You cannot move or drag the Title Bar.Menu Bar

The strip next to Title Bar is the Menu Bar. Menu Bar contains menus. Each Menucontains a list of commands and shortcut keys to carry out a specific task. You cannotcustomize, move, or drag the Menu Bar.

Toolbar

The third strip is the Toolbar. Toolbar contains command buttons with images.Frequently used options are provided on the Toolbar. You cannot customize, move, ordrag the Toolbar.

Mouseover ToolTip for command buttons help you know the purpose the buttonsserve.

T able 5

Click To

Configure System Open the Agent Configuration window.

C H A P T E R 1



13/182



Click To

Search ComputersSearch and add computers. You can add a singlecomputer or a Group of computes.

Create Group Create a logical computer Group. You can addsystems to the Group by System Type, IP subnet ormanual selection.

Delete Group Delete a logical computer Group.

Add System Install the Agent on remote systems.

Remove System Uninstall the Agent from remote systems.

Upgrade Agent Upgrade the Agent. You can upgrade throughWindows Domain Network or Upgrade Over IP (NonWindows domain) methods.

Workspace

The workspace consists of a left pane and a right pane.

Left pane displays the tree view of computer Groups.

The right pane displays managed and unmanaged computer details.

Status Bar

System Manager displays the system type i.e. Windows or non-Windows on the leftpane, discover mode of System Manager i.e. Auto or Manual in the second sectionand the total number of systems discovered in the third section on the right pane.

EventVault Warehouse Manager

EventVault Warehouse Manager provides the capability to archive the events from theEventTracker PULSE database. The EventVault provides a simple, but importantmechanism to securely archive event logs for future use and more specifically forauditing purposes.

In most enterprise networks with multiple critical servers and workstations, the eventlog data can become huge and unmanageable. Those event data may not beimmediately required once the initial analysis is completed. At the same time theycannot be completely discarded, as they will be required for future audits. EventVaultsolves this problem and provides mechanisms to identify if any of the EventVault datahas been tampered with.

Archives are .mdb files that are compressed into .cab files called as EventBox andare stored in the Archives folder. If EventTracker is installed in the default path thenthese files could be located in the Archives directory. The range of events that eachEventBox contains is stored into an index file in the archives folder. These EventBoxesare sorted by period and can be viewed from EventVault Manager Window. You canalso sort by Name, Checksum, Path, and Port Number.

C H A P T E R 1



14/182


G U I D E D I A G N O S T I C & S U P P O R T T O O L

Figure 2 EventVaultWarehouse Manager

T able 6

Click To

Configure EventVault Warehouse Manager to archivethe events from EventTracker database.

Save the archive summary into a text file.

Verify the integrity of selected EventBoxes.

Extract the selected EventBox data into an MSAccess database.

Delete the selected EventBox.

View the CAB files for a specific period.

Diagnostic & Support ToolThe EventTracker PULSE installation, optionally, adds the PULSE Diagnosticapplication as a Startup program.

C H A P T E R 1



15/182



Figure 3 Diagnostic &Support Tool

Right-click the Diagnostic & Support Tool icon in the application tray, EventTrackerPULSE displays the shortcut menu.

To set the frequency, move the mouse pointer over the Run Frequency option.EventTracker PULSE displays the options to set the frequency.

C H A P T E R 1



16/182



Figure 4 Diagnostic &Support Tool

C H A P T E R 1



17/182

Chapter 2

Configuring PULSE

In this chapter, you will learn how to:

Configure PULSE

The PULSE configuration dialog is part of the Start Menu group.

1 7


18/182


G U I D E

E V E N T T R A C K E R K N O W L E D G E B A S E W E B

S I T E

EventTracker Knowledge Base Web siteThis option enables you to configure EventTracker Knowledge Base Web site.

To configure EventTracker knowledge Base Web site1

2

Click Start, point to Programs, point to Prism Microsystems, point toEventTracker Pulse, and select the EventTracker Pulse Configurationoption.

EventTracker PULSE displays the Manager Configurationwindow.

Type the URL of the Knowledge Base Web site in the KB Website field.

Click OK.3

4

EventTracker PULSE displays the confirmation message box.

ClickYes to save the changes.

SYSLOG Receiver

By default, EventTracker PULSE selects the Enable Syslog Receivercheck box toenable EventTracker Receiver service to receive SYSLOGs sent by non-Windowssystems.

To disable SYSLOG receiver1 Click Start, point to Programs, point to Prism Microsystems, point to

EventTracker Pulse, and select the EventTracker Pulse Configurationoption.


Enable SYSULUOG receivercheck box is selected by default.

To not to receive Syslogs, clear the check box.2

3

4

Click OK.


ClickYes to save the changes.

Monitoring Syslogs

For monitoring Syslog events, you must configure the Syslog source (e.g. Unix orLinux systems or Cisco or other network equipment) to forward Syslog events to the

C H A P T E R 2

C O N F I G U R I N G P U L S E 1 8


19/182


G U I D E M O N I T O R A G E N T H E A L T H

computer where EventTracker PULSE is installed. The default Syslog port is UDPPort=514. Also see the FAQ on Syslog.

To configure UNIX systems to forward Syslog messages toEventTrackerIdentify the IP Address of the computer that is hosting the EventTrackerPULSE Manager.

1

2

3

4

5

6

Log on with the root account in the UNIX computer.

Open the syslog.conf file in a text editor. The default path of the syslog.conffile is /etc/syslog.conf.

Append the configuration details in the syslog.conf file to forward Syslogmessages to the EventTracker PULSE Manager computer.

Save and close the syslog.conf file.

Stop and restart the Syslog daemon (syslogd).Example: To forward Syslog error messages to the IP address 192.192.150.150,add the following detail to the syslog.conf file. *.err @192.192.150.150

Note

For more information refer the syslog.conf or Syslog MAN pages.

Syslog configuration may be platform-dependent and it isrecommended that you check the platform documentation.

Monitor Agent HealthThis option enables you to periodically ping EventTracker Windows Agents.

To monitor Agent health1

2

Click Start, point to Programs, point to Prism Microsystems, point toEventTracker Pulse, and select the EventTracker Pulse Configurationoption.


Type the duration to ping the Agent in the UPUing EventTracker Agents everyfield.

Click OK.3


C H A P T E R 2



20/182


G U I D E M O N I T O R A G E N T H E A L T H

ClickYes to save the changes.4

Note

EventTracker PULSE disables this feature if you set the pingfrequency to 0.

C H A P T E R 2



21/182

Chapter 3

Managing System Groups


Discover Modes

Adding Computers

Removing Computers

Removing Unmanaged Systems

Logical System Groups

2 1


22/182


G U I D E D I S C O V E R M O D E S

Discover ModesSystem Manager adds Domains and Computers in your enterprise in two modes. Youcan switch discover modes anytime you wish.

Auto Discover Mode

The Auto Discovery mode detects and adds all systems found on all trusted Windowsdomains. The auto discovery process includes an initial quick detection for systemsand a background search for more systems. On completion of the backgrounddiscovery process it prompts the user to refresh the System Manager to get anupdated list of systems. This mode is easy to use and is recommended for networkshaving less than 100 systems.

To set auto discover mode1

2

Click Start, point to Programs, point to Prism Microsystems, point toEventTracker Pulse, and select the System Manageroption.

Click the File menu and select the Select Auto Discover Mode option.

System Manager displays the Select Auto Discover Modedialog box.

Figure 5 Select AutoDiscover Mode

window

Click the Automatically find and add Computers [Recommended forsmall networks e.g. < 100 Computers] option.

3

4 Click OK.

System Manager automatically starts adding Domains and computers.

Manual Mode

Unlike in Auto Discover Mode, System Manager will not automatically discover anyWindows Domains or computers in this mode. You have to add them manually. Had

C H A P T E R 3

M A N A G I N G S Y S T E M G R O U P S 2 2


23/182


G U I D E A D D I N G C O M P U T E R S

you switched from Auto to Manual mode, System Manager will retain previouslydiscovered Domains and Computers.

To add computers manually1

2

Select the I will choose to add and track Computers (Recommended forlarge networks) option in the Select Auto Discover Mode window.

Click OK.

System Manager displays the EventTracker System Manager confirmationmessage box.

Figure 6 Set the optionto add computersmanually messagebox

Click OK.3

Note

In addition to the above, an option is also provided to either performthis search in the background or in the foreground. Performing thesearch in the background allows the user to proceed with other taskson the System Manager.

Adding ComputersIn Auto Discover Mode, the System Manager automatically discovers Domains andComputers when you keep adding them in your enterprise. All you need to do is torefresh the System Manager. But in Manual Mode, you have to add them explicitly.This section helps you add Computer(s) when the System Manager is in ManualMode.

Adding a single ComputerThis option enables you to add a computer.

To add a single computer1 Open the System Manager.

C H A P T E R 3



24/182



Click the File menu and select the Find/Add Computer(s) option2

(OR)

Click Search Computers on the toolbar.(OR)

Press F holding Ctrl key on your keyboard.

System Manager displays the Add Computer(s)dialog box.

Figure 7 AddComputer(s) window

Add a single computer

Field Description

Add a singleComputer [Byname or IPaddress]

Select this option to add a single computer.

Add a group ofComputers

from availableDomains

Select this option to add a group of computers.

AddComputersbelonging toan IP subnet

Select this option to add computers from an IP subnet.

T able 7

Click the Add a single Computer [By name or IP address] option.3

4 Click Next>.

System Manager displays the EventTracker System Managerdialog box.

C H A P T E R 3



25/182



Figure 8 AddComputer s Add asingle computer

Type the computer name you want to add in the Group.5

6 Click OK.

System Manager displays the EventTracker System Manager message box.

Figure 9 Add

Computers messagebox

Click OK.7

8 Edit the appropriate Domain and add Computer(s) to that Domain.

Adding a group of Computers

This option enables you to add a group of Computers. Note that it is possible to addComputers only with available Windows Domains. As mentioned earlier, SystemManager will be in Auto Discover Mode by default. Later on if you switched theDiscover Mode to Manual and added Computer(s) to a particular Domain, say DomainA. Since the System Manager is Manual Discover Mode, it cannot discover newlyadded Computer(s) by itself. In this scenario you can utilize this option to add thosenew Computer(s) to Domain A.

To add a group of computers1 Select the Add a group of Computers from available Domains option in

the Add Computer(s) window.

C H A P T E R 3



26/182




Add a group ofcomputers

Click Next>.2

System Manager displays the Select Criteriadialog box.

Figure 11 SelectCriteria window

Add a group ofcomputers

Field Description

Select Domain This drop-down list lists the available Domains. Select a Domainfrom where you want to add the computers, from this drop-downlist. When you select --All-- option, System Manager willdiscover all the Computers and adds them up in their respectiveDomains.

Select SystemType

Select a system type from the drop-down list. When you select --Alloption, System Manager discovers all the Computersirrespective of their O/S type and adds them up in theirrespective Domains.

Add Systems Search and add options can be done either in the backgroundwhile you can continue with your work or in the foreground if youare interested to know about the search progress.

T able 8

Select appropriate options.3

C H A P T E R 3



27/182



Click Add.4

If you select the in the background (I want to continue working as Computersare added) option, System Manager displays the EventTracker System

Manager message box.

Figure 12 Add a groupof computers message box

Click OK.5

System Manager displays the EventTracker System Manager message box

after adding the computers.

Figure 13 Add a groupof computers message box

Click OK.6

7 Refresh the System Manager.

Note

If you select the in the foreground (I will wait as Computers aresearched for and added) option, EventTracker displays themessage in the status bar of the XSelect Criteria window Xas TheEventTracker System Manager is finding Computers. Computers inthe selected group are added to the domain.

Adding a group of Computers from an IP subnet

This option enables you to add computers from an IP subnet.

C H A P T E R 3



28/182



To add computers from an IP subnet1

2

Select the domain for which you want to add computes, in the left pane.

Click the Add Computers belonging to an IP subnet option in the AddComputer(s) window.


Add computers froman IP subnet

Click Next>.3

System Manager displays the Add Subnetdialog box.

Figure 15 Add Subnetwindow

Field Description

SubnetAddress

Type the IP address in these fields.

Add Systems The options are in the background (I want to continue working asComputers are added) and in the foreground (I will wait asComputers are searched for and added).

T able 9

Type appropriately in the relevant fields.4

5 Click OK.

C H A P T E R 3



29/182



If you select the in the background (I want to continue working as Computersare added) option, System Manager displays the EventTracker SystemManager message box.

Figure 16 AddComputers Addcomputers from an IPsubnet

Click OK.6

System Manager displays the EventTracker - System Manager message box afteradding the computers.

Figure 17 Addcomputers from an IPsubnet message box

Click OK.7

If you select the in the foreground (I will wait as Computers are searched forand added) option, System Manager displays the Add Subnet message box.

Figure 18 Add Subnetwindow Add systemsin the foreground

Refresh the System Manager. The computers are added to the selecteddomain.

8

C H A P T E R 3



30/182


G U I D E R E M O V I N G C O M P U T E R S

Removing ComputersYou can either remove Computers when System Manager is in Auto or in Manualdiscover mode.

Removing Computers Auto Discover Mode

This option enables you to remove computers when the System Manager is in AutoDiscover Mode.

To remove computers1

2

Open the System Manager.

Click the File menu and select the Remove Computer(s) option.


Figure 19 RemoveComputers messagebox

Click OK to continue removing the computers.3

4

System Manager displays the Remove Computer(s)dialog box.

Select the computer(s) that you want to remove.

C H A P T E R 3



31/182



Figure 20 RemoveComputer(s) window

Click Remove.5

System Manager removes the selected Computer.

Refresh the System Manager.6

System Manager discovers the removed computer(s).

C H A P T E R 3



32/182



Figure 21 SystemManager console

Removing Computers - Manual Mode

This option enables you to remove computers when the System Manager is in ManualDiscover Mode.

To remove computer(s)1

2


Click the File menu and select the Remove Computer(s) option.

System Manager displays the Remove Computer(s)dialog box.

Note

System Manager automatically discovered the Computers listed inthe Remove Computer(s) dialog box. Remove button is disabled bydefault. System Manager enables it only when you selectComputer(s) from the list.

3

4

Select the Computer(s) that you want to remove.

Click Remove.

System Manager removes the selected computer(s).

C H A P T E R 3



33/182


G U I D E R E M O V I N G U N M A N A G E D S Y S T E M S

Refresh the System Manager.5

Note

Since the System Manager is in Manual mode, it could not discoverthe removed Computer. It is obvious that you have to add theremoved Computer(s) manually.

Removing Unmanaged Systems

This option helps you to remove unmanaged systems from the view as well as from

the database. The discovery of systems in your enterprise should be in Manual modeand not in Auto Discover mode. In Auto discover mode if you remove the system, itwill be removed only for that instance and when you refresh the System Manager, theremoved systems will be discovered and get populated to the list.

Example scenario: Suppose you were monitoring a system and that system exists intwo Groups namely TOONS and MY GROUP. Now you want to remove thatunmanaged system from the All Domain Computers list in the right pane, do thefollowing.

To remove unmanaged systems1

2

Click the File menu and select the Select Auto Discover Mode option.

System Manager displays the Select Auto Discover Mode dialog box.

Select the I will choose to add and track Computers (Recommended forlarge networks) option and then click OK.


Figure 22EventTracker - SystemManager message box

Click OK.3

4 Expand the Groups tree in the left pane.

C H A P T E R 3



34/182



Figure 23EventTracker -System Manager leftpane

Right-click Support.5

System Manager displays the shortcut menu.


From the shortcut menu, choose Edit.

C H A P T E R 3



35/182



System Manager displays the Edit Group window.

Figure 25 Edit Groupwindow

Select the system from the Group Members list and then click


36/182




Click Save.7

System Manager removes the selected system and displays the SystemManager.

C H A P T E R 3



37/182



Figure 27EventTracker SystemManager

To remove the system from all the groups, right-click Groups in the left pane.8


Click Edit.9

System Manager displays the Edit Group window.

C H A P T E R 3



38/182


G U I D E L O G I C A L S Y S T E M G R O U P S


Select the systems from Group Members and then click


39/182



To create a new logical group and add systems based on System Type1

2


Click the File menu, and select the Create Group option

(OR)

Click Create Group on the toolbar.

System Manager displays the Create Groupdialog box.

Figure 30 CreateGroup window System Type

Field (Field *marked aremandatory)

Description

* Group Name Type the group name in this field.

The group name should be unique.

* GroupDescription

Type the group description in this field.

Group Type Select the group type option.

The options are System Type, IP Subnet and Select Manually.

System Type Enables you to add the selected system type tothe group.

IP Subnet Enables you to add the IP subnet to the group.

Select Manually Enables you to add the systems manuallyfrom the available list to the group.

T able 10


C H A P T E R 3



40/182




Click Next>.4

If you select the System Type option, System Manager displays the CreateGroupdialog box.


Select the system type from the Select System Type drop-down list.5

6 Click Finish.


C H A P T E R 3



41/182



Figure 33 CreateGroup - message box

Click OK.7

System Manager displays the EventTracker System Manager message boxafter creating a group.

Figure 34 CreateGroup - message box

Click OK.8

System Manager displays the EventTracker - System Manager with the newlycreated Group.

Figure 35 SystemManager console aftercreating a group

C H A P T E R 3



42/182



Creating a New Logical Group IP Subnet

This option enables you to create a new logical Group of systems based on IP subnet.

To create a new logical group and add systems based on IP subnet1 Select the IP Subnet option in the Create Groupdialog box.

Figure 36 CreateGroup window IPSubnet

Click Next>.2


Figure 37 CreateGroup window IPSubnet

Type the SubNet Address.3

4 Click Finish.

C H A P T E R 3



43/182




Figure 38 CreateGroup message box

Click OK.5


Figure 39 Create

Group message box

The created group is displayed in the left pane of the System Manager.

Figure 40EventTracker System Manager with

newly created Group.

C H A P T E R 3



44/182



Creating a New Logical Group Manual

Selection

This option enables you to create a new logical Group of systems and manually addComputers to that Group.

To create a new logical group and add systems manually to that group1 Select the Select Manually option in the Create Groupwindow.

Figure 41 CreateGroup window Select SystemsManually

Click Next>.2


C H A P T E R 3



45/182




Select the Show managed systems only check box to view the systemsmanaged by this manager.

3

4 Select the systems you want to add to the group from the list.


Click Finish.5


C H A P T E R 3



46/182




Click OK.6



The created group is displayed in the left pane of the System Manager.

Figure 46EventTracker System Manager withnewly created Group.

If the Group Name already exists, System Manager displays the EventTracker System Manager message box.

C H A P T E R 3



47/182




Type a unique Group name and then click OK to continue creating the Group.7

Modifying a Group

This option enables you to modify a Group.

To modify a Group1

2


Click the File menu and select the Edit Group option.

System Manager displays the Edit Groupsdialog box.

Figure 48 Edit Groupswindow

Select the Group that you want to modify in the displayed list.3

4 Click Edit.

System Manager displays the Edit Groupdialog box.

C H A P T E R 3



48/182




Field Description

Description Type the system-related information in this field.

GroupMembers

Select the computer that you want to remove from the group.

Click .

The selected computer is added to the list of Group Members.

Table 11


System Manager displays the Edit Groupdialog box.

C H A P T E R 3



49/182




Click Save.6

The modified group is displayed in the left pane of the System Manager.

C H A P T E R 3



50/182



Figure 51EventTracker System Manager withnewly created Group.

Had you already selected the Automatically find and add Computers(Recommended for small networks e.g.


51/182



System Manager displays the Delete Groupwindow.

Figure 53 DeleteGroup window

Select the Group that you want to delete in the displayed list.3

4 Click Delete.


Figure 54 DeleteGroup Confirmatorymessage box

ClickYes.5

The selected Group is deleted from the list.

C H A P T E R 3



52/182



Figure 55 DeleteGroup window

Click Close.6

Had you selected the Automatically find and add Computers (Recommendedfor small networks e.g.


53/182

Chapter 4

Managing Windows Agents


Deploying Agents

Agent-less Monitoring

Agent Configuration

Agent Management Tool

Deploying Agents in Command Line Mode

5 3


54/182


G U I D E A G E N T F O R W I N D O W S S Y S T E M S

Agent for Windows SystemsAs part of the Windows event log management infrastructure, a configurable, highperformance, tiny footprint executable (agent) can be deployed to run locally on themanaged machine. The agent is usually remotely deployed directly from the SystemManager application which is part of PULSE.

In addition to sending entries from the Event Log, this agent offers many usefulfeatures including monitoring application log files, threshold events onCPU/memory/disk utilization, application start/stop, software install/uninstall; servicestart/stop & runaway processes and monitor TCP/UDP network activities. It can sendevents with guaranteed delivery (TCP), offers a sophisticated set of filters to limit eventtransmittal and performs automatic backup and clearing of the Windows Event Log(XP and 2003).

This smart agent offers significantly greater capability over manual log monitoring.

Pros

Filters are applied locally - This minimizes network traffic as uninterestingevents can be discarded with no further drain on resources.

Local agent survives in the face of network failure - If the Guaranteed DeliveryMode (GED) is used, events are cached and recovered when networkrecovers.

Real time notification The agent immediately forwards new local event logentries to the Console. Critical events relating to security, uptime etc usuallyrequires immediate alerts.

Performance monitoring The agent is capable of detecting excessive CPU,disk or memory usage and reporting if when user defined thresholds aredetected.

Application monitoring The agent is capable of detecting and reporting thestart/stop of applications. This can be used to comply with licensingrequirements or for usage tracking.

Native backup of event logs The agent is capable of detecting when theevent log is full, backing up the native .evt file to a configured location andresetting the log. Some installations require the original files (XP and 2003).

Software install/removal monitoring The agent can detect and report theinstallation or removal of software from the target machine.

Non-domain topology The agent needs only a TCP/IP network tocommunicate with the Console. In particular the Console is not required to bein the same Windows (Active Directory or NT) domain as the agent.

Encrypted traffic between Agent and Console IPSec techniques can beapplied to all traffic between agent and Console for highest security.

C H A P T E R 4

M A N A G I N G W I N D O W S A G E N T S 5 4


55/182


G U I D E D E P L O Y I N G W I N D O W A G E N T S

Service monitoring The agent is capable of detecting, reporting andrestarting failed services.

Monitoring external log files Many applications write a separate log file (e.g.

IIS, Antivirus, Oracle etc). New matching entries in such log files can bedetected and reported by the agent.

Host based intrusion detection The agent can detect and report networkactivity. This is useful as for capacity analysis or intrusion detection.

Cons

The agent must be installed and configured on the target machine - Thisrequires planning. Managing product upgrades must also be considered.Deployment and configuration can be done from the Console to minimize thiseffort.

Possible interaction effects with other software Since the agent is an EXE

and does get installed on the target machine, there is always a finiteprobability of negative interaction effects with other software. The product hasoperated at many customers in many different environments for many years so this highly unlikely.

Agent consumes local resources The agent, like any application uses someamount of system resources on the target. The EventTracker agent is highlyoptimized to absolutely minimize resource usage.

Deploying Window Agents

Pre-installation Procedures

You MUST have Local Admin privileges on the remote systems where youwant to install the Agents.

You can also install Agents with Domain Admin privileges.

Make sure that the systems that you are selecting to monitor are accessiblethrough the network, have disks that are shared for the Admin, and have diskspace up to 5MB that can be used by the Windows Agent.

If the remote system is accessed through a slow line, the install may take timeand it is recommended that you plan accordingly.

Installing Windows Agents

To install agents in Standard mode1 Open the System Manager.

C H A P T E R 4



56/182



Click the Options menu and select the Add System option2

(OR)

Click Add System on the toolbar.(OR)

Right-click the system where you want to install the agent.


Figure 57 Add System window -Computerselection

From the shortcut menu, choose Add System.

System Manager displays the Add Agent window.

C H A P T E R 4



57/182





Field Description

Group Select a group from the drop-down list.

T able 12

C H A P T E R 4



58/182



Field Description

Computers Select a computer on which you want to install the Agent.

Click UAUdd->. The selected computer is added to the SelectedComputers list.

Click Add All >> to install the Agents on all the computers in theselected group.

SelectedComputers

Select a computer and then click .5

C H A P T E R 4



59/182



Figure 61 Add Systemwindow Agent Typeselection

Select the Agent based (Full featured) option.6

7 Click Next>.

Figure 62 Add Systemwindow Installationpath selection

To install the agent in a different drive apart from the default one, type theinstallation path in the Select installation pathon the remote machines field.

C H A P T E R 4



60/182



System Manager displays the System Manager message box if the typed path isnot of recommended levels deep.

Figure 63 SystemManager message box

Note

To set a more specific configuration, click UAUdvanced (OR) clickUIUnstall to install the Agent.

8 Click Advanced.

Figure 64 Add Systemwindow Applyconfiguration

Field Description

Default Select this option to set the default agent configuration.

The default configuration will track all events.

T able 13

C H A P T E R 4



61/182



Field Description

CustomConfig

Select this option to apply a different configuration.

The File field is enabled.

Click UBUrowse, navigate and select the file.

The file extension should be in the EventTracker Agent .ini

format and would be a previously saved configuration file.

Click the appropriate agent configuration settings.9

Figure 65 Add Systemwindow Applyconfiguration

Click Install.10

System Manager displays the Login dialog box.

C H A P T E R 4



62/182



Figure 66 Add Systemwindow Login

Type valid user credentials and then click Login.11

System Manager starts installing the Agent and displays the progress bar.

After installing the Agent, System Manager displays the EventTracker SystemManager message box.

Figure 67 SystemManager messagebox

Click OK.12

System Manager displays the successful installation message.

C H A P T E R 4



63/182



Figure 68 Add Systemwindow Successfulinstallation message

Click Finish.13

To refresh the System Manager, select the View menu and select theRefresh option or press F5 on your keyboard.

14

System Manager displays the newly added system.

Figure 69 SystemManager console with

newly added system

C H A P T E R 4



64/182



Uninstalling Windows AgentsThis option enables you to uninstall Agent from the remote machine.

To uninstall Agents1

2


Select the Options menu and select the Remove System option

(OR)

Click Remove System on the toolbar.

(OR)

Right-click the system from where you want to uninstall the agent.


From the shortcut menu, choose Remove System.

System Manager displays the Uninstall Remote Agent(s)window.

Figure 70 UninstallRemote Client(s)

window Computerselection

For field descriptions, refer to XFigure 268 Add System windowXon page X57X.

Select the computer.3

C H A P T E R 4



65/182



Click Next>.4

Figure 71 UninstallRemote Client(s)

window

Click Uninstall.5




System Manager starts uninstalling the Agent and displays the progress bar.After successfully uninstalling the Agent, System Manager displays theEventTracker System Manager message box.

C H A P T E R 4



66/182



Figure 73 UninstallingAgent message box

Click OK.7

System Manager displays the successful uninstallation message.

Figure 74 UninstallRemote C.lient(s)

window

Click Finish.8

Upgrading Windows Agents

This option enables you to upgrade the Agents that are within the domain by selectingWindows Domain Network option and Upgrade over IP option that are outside thedomain.

To upgrade Agents1

2


Click the Options menu and select the Upgrade Agent option

C H A P T E R 4



67/182



(OR)

Click Upgrade Agent on the toolbar.

(OR)

Right-click the system to upgrade the agent installed in it.


From the shortcut menu, choose Upgrade Agent.

System Manager displays the Upgrade Remote Agent(s)window.

Figure 75 UpgradeRemote Client(s)

window

For field descriptions, refer to XFigure 268 Add System windowXon page X57X.

Select the computer for which you want to upgrade the Agent.3

4 Click Next>.

C H A P T E R 4



68/182




window

Click Next>.5


window

Field Description

Upgrade Method

T able 14

C H A P T E R 4



69/182



Field Description

Upgrade Method

WindowsDomainNetwork

Select this option if all systems to be upgraded can be reachedover the Windows Network and you have administrativeprivileges on all these systems.

Upgrade OverIP (NonWindowsDomain)

Select this option if all systems to be upgraded can be reachedonly via IP and not by the Microsoft Network.

Click the appropriate Upgrade Method.6

7 Click Upgrade.




System Manager starts upgrading the Agent and displays the progress bar.

After upgrading the Agent, System Manager displays the EventTracker SystemManager message box.

Figure 79 UpgradingAgent message box

Click OK.9

System Manager displays the successful upgrade message.

C H A P T E R 4



70/182




window

Click Finish.10

Removing Windows Agent Components

The best way to uninstall Windows Agents is from the System Manager application.However, it is possible that has the Agent is no longer accessible or that the Agent was

manually removed. In such cases, you can remove the Agent Components from theSystem Manager (deletes configuration entries).

To remove the Agent components1

2

3


Click the Options menu and select the Remove Agent Components option.

(OR)

Right-click any of the systems in the right pane.

System Manager displays the Remove Agent Components dialog box.

C H A P T E R 4



71/182



Figure 81 RemoveClient Components

Select the computer for which you want to remove the Agent from the list.4

5 Click Remove.



ClickYes.6



Click OK.7

C H A P T E R 4



72/182



Click Close on the Remove Client Components dialog box.8

Switching Windows Agent Modes

The Windows Agent offers a High Performance mode, which is useful whenmonitoring Domain Controllers with busy security event logs. Such machinesexperience event log bursts during shift changes when a large number of domainlogon/off activities are observed. The High Performance mode, a dedicated processingthread is used to monitor the security event log.

To switch Agent modes1

2

3


Click the Options menu and select the Configure System option

System Manager displays the Agent Configuration window.Select the system that you want to switch the Agent mode from the SelectSystems drop-down list and then click Event Filters tab

System Manager displays the Agent Configuration window.

C H A P T E R 4



73/182



Figure 84EventTracker AgentConfiguration window

Select the Enable High Performance mode check box.4

System Manager displays the EventTracker Agent Configuration message box.

C H A P T E R 4



74/182



Figure 85EventTracker AgentConfiguration messagebox

ClickYes.5

6 Click Save.

Click Close on the Agent Configuration window.7

To refresh the System Manager, select the View menu and select theRefresh option or press F5 on your keyboard.

8

System Manager displays the upgraded system.

Figure 86 SystemManager console withnewly added system

Note

This feature is not applicable for Vista Agent.

C H A P T E R 4



75/182



Figure 87EventTracker AgentConfiguration window

Vista Agent

C H A P T E R 4



76/182



Viewing Agent Status

This option enables you to view the system health status.

To view agent status1

2

3


Select the system in the right pane.

Click the View menu and select the System Status option.

(OR)

Right-click the system that you want to view the status.


From the shortcut menu, choose System Status.

System Manager displays the system status in the Notepad.

Starting the Agent Service

This option enables you to restart the terminated Agent service.

To start the agent service1

2

3


Select the system in the right pane.

Click the Options menu and select the Start Client Service option.(OR)

Right-click the system that you want to start the client service.


From the shortcut menu, choose Start Client Service.

System Manager starts the Agent service and displays the message in theNotepad.

If the client is already running, System Manager displays the Client status with asuitable message in the Notepad.

Editing Admin Account

This option enables you to change the credentials of the account used by the WindowsAgent. This can be used only for Agents that can be reached within the MicrosoftDomain Network and for which you have administrator privileges.

C H A P T E R 4



77/182



To the admin account1

2


Click the Options menu and select the Agent Properties option.

System Manager displays the EventTracker Agent Properties window.

Figure 88 ClientProperties window

Agent Type tab

Field Description

Local Systemaccount

Select this option to set the system account as the default logonfor the service.

This Account Select this option to change the logon account.

This Account, Password and Confirm Password fields areenabled.

Type the domain name and the user name in the This Accountfield. For example: CELEBRATE\administrator.

Type the password in the Password field.

Type the same password for confirmation in the ConfirmPassword field.

T able 15

Local System account is selected by default.

Select the This Account option and then type valid user credentials.3

4 Click Next>.

C H A P T E R 4



78/182



System Manager displays the EventTracker Agent Propertieswindow.

Figure 89 ClientProperties window

Account tab

Select the system for which you want to apply the changes in the logonaccount.

5

6

(OR)

Select the Select All check box to select all the systems in the list.

Click Finish.

System Manager displays the Statusdialog box.

C H A P T E R 4



79/182


G U I D E G E N E R A T I N G S Y S T E M R E P O R T

Figure 90 ClientService Logon

Account - Statuswindow

Click View Log to view log.7

System Manager displays the log information in the notepad.

Click Close.8

Generating System ReportSystem Report helps to keep track of Managed and Unmanaged systems. Filter optionis provided to view the ports used by Managed systems.

To generate system report1

2


Click the View menu and then select the System Report option.

System Manager displays the System Report console.

C H A P T E R 4



80/182



Figure 91 SystemReport console

Note

EventTracker disables the Port Number option, if you select theUnmanaged option.

Managed System Report

This option helps to generate reports sorted by O/S, group and ports.

To generate system type wise report1

2

3

Select the Managed option.

Select System Type option to view Managed systems by operation systems.

Select an O/S type from the System Type drop-down list.

Click Show Report.4

Note

System Type Unknown represents non-Windows operatingsystems.

To generate group wise report1

2


Select the Group option to view Managed systems by group.

C H A P T E R 4



81/182



Select a group from the Group Name drop-down list. All monitored enterprisesystem groups are listed in this drop-down list.

3

Click Show Report.4

To generate port wise report1

2

3


Select the Port Numberoption to view Managed systems by port. Allconfigured ports are listed in this drop-down list.

Select a port from the Port Numberdrop-down list.

Click Show Report.4

Unmanaged System Report

This option can be used to generate reports sorted by O/S and group.

To generate system type wise report1

2

3


Select System Type option to view Managed systems by operation systems.

Select an O/S type from the System Type drop-down list.

Click Show Report.4

To generate group wise report1

2

3


Select the Group option to view Managed systems by group.

Select a group from the Group Name drop-down list.

Click Show Report.4

All System Report

This option helps to generate O/S wise, group wise and port wise Managed /Unmanaged system report.

C H A P T E R 4



82/182


G U I D E V I S T A A G E N T

Vista Agent

Event Publishers in Windows Event Log

An event publisher creates an event and delivers it to an ev

event tracker pulse user guide

Documents