Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

Migration

 

Guide to configure agent-based data collection

  • 1. Why do I need to install an agent?

    ADAudit Plus collects security information from configured computers on your network including domain controllers, file servers, Windows servers, and workstations. In case of larger networks that operate across wide area network (WAN) connections, deploying a client-side agent not only smooths out data collection, but also considerably reduces bandwidth utilization.

    Even without an installed agent, log collection from domain controllers happens in real time; however for workstations, file servers, and Windows servers, real-time data collection can only be enabled by installing a client-side software agent. That said, neglecting to install an agent will not hinder ADAudit Plus' functionality.

  • 2. Installation prerequisites

    Please ensure that the following criteria are met to allow smooth installation of the agent on the target machine.

    2.1 Supported operating systems

    Windows Server operating systems

    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • Windows Server 2008

    Windows operating systems

    • Windows 10
    • Windows 8.1
    • Windows 8
    • Windows 7
    • Windows Vista
    2.2. Ports

    Check if the ports used by ADAudit Plus are open on the client machine to allow data exchange.

    To check which ports are being used by ADAudit Plus, go to the Admin tab and choose Connection under General Settings. The corresponding port number (either HTTP or HTTPS) for ADAudit Plus can be found here.

    General Settings under the Admin tab
    2.3. Privileges

    Make sure that the ADAudit Plus service account (the ADAudit Plus service account is the AD account that fetches events from the security logs, and can be found in the Domain settings page) is a member of the Domain Admins group so that ADAudit Plus can perform the following actions:

    1. Install, uninstall or update the agent
    2. Start or stop the agent

    If you do not wish to use Domain Admin credentials, you can still install the agent manually.

    ADAudit Plus service account configuration
    2.4. Disk space requirements

    Ensure that there is a minimum of 2GB of free disk space.

    2.5. Windows .NET Framework

    The installation requires Windows .NET Framework version 4 or higher on the client machine.

    By default, .NET Framework version 4 or higher is included with Windows Server 2012 or higher, as well as workstations running Windows 8 or higher. If you're running one of these operating systems, you can proceed with step 3: installing the agent.

    If you're running an older version of Windows, keep in mind that .NET Framework version 4 or higher can be installed on the following operating systems: Windows 7, Windows Vista, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.

    You can check the .NET Framework version installed on a computer by opening Command Prompt, navigating to \%windir%\Microsoft.NET\FrameWork, and then going to the directory with the latest version number. Once in the directory with the latest version number, run the command .\MSBuild.exe -version.

    Microsoft (R) Build Engine version 4.7.3056.0
    [Microsoft .NET Framework, version 4.0.30319.42000]
    Copyright (C) Microsoft Corporation. All rights reserved.

    4.7.3056.0

    The last line after the copyright information is the Windows .NET Framework version installed on the computer.

  • 3. Agent installation
    3.1. Installing the agent via ADAudit Plus' UI

    Now that you have your environment set up to meet the installation prerequisites, you can install the agent on a target machine right from within ADAudit Plus' user interface as shown below:

    Installing the client-side agent from ADAudit Plus' UI

    We recommend installing the agent using ADAudit Plus; if installation fails on any computer, ADAudit Plus automatically retries installing the agent every 30 minutes for up to 10 failed attempts.

    Please note that the service account used has to be a member of the Domain Admins group for the application to install the agent on a client.

    3.2 Installing the agent manually

    Go to <ADAudit Plus installation directory>\ManageEngine\ADAudit Plus\webapps\adap\agent\, and choose the appropriate MSI based on the OS version on your client computer.

    For 32-bit versions: ADAuditPlusAgent-x86.msi
    For 64-bit versions: ADAuditPlusAgent-x64.msi

    3.2.1 Deploying the agent manually via Group Policy:

    Use the following properties while creating an MST file for silent installation:

    SERVERNAME="test-dc1" — The name of the server where ADAudit Plus is hosted
    SERVERFQDN="test-dc1.test.com" — FQDN of the server where ADAudit Plus is hosted
    SERVERIP="192.168.209.109" — The IP Address of the server where ADaudit Plus is hosted
    PORT="8081" — The port number over which ADAudit Plus communicates
    PROTOCOL="HTTP" — The protocol used for communication

    3.2.2. Installing the agent by running the MSI file on client computers

    Arguments while installing the agent:

    Server name: The name of the server where ADAudit Plus is hosted.
    Port: The port number used to communicate with the ADAudit Plus server.
    Protocol: The defined protocol for communicating with the ADAudit Plus server.

    To check which port number and transfer protocol are being used by ADAudit Plus, go to the Admin tab, and choose Connection under General Settings. The corresponding port number and protocol used by the ADAudit Plus server can be found here.

    ADAuditPlus Agent Configuration Setup
  • 4. Agent configuration sync

    ADAudit Plus immediately syncs any configuration change occurring on the server with the agent, and checks if configurations are in sync every 30 minutes. If the client is offline, up to 2 GB of data will be stored locally which will automatically be synced to the server once a connection is established.

    An alert can be set up, as shown below, to notify you if the event collection has stopped.

    Alert me configuration

    ADAudit Plus also checks the agent service status every 30 minutes and automatically restarts the service if it has stopped.

  • 5. Upgrading the agent

    If there is a newer version of the agent available, ADAudit Plus automatically attempts to update the agent, but this requires the service account to be a member of the Domain Admins group. Please check the release notes to find the newest version of the agent.

  • 6. Uninstalling the agent

    The agent can be uninstalled by selecting the computers you wish to uninstall the agent from as shown in the image below.

    Server Configuration Settings page
  • 7. Troubleshooting

    The Manage Agent page allows you to monitor and manage the installed agent.

    Please check the following while troubleshooting the agent service.

    1. Check if the agent service is installed and running on the desired computer.

      • Under Configured File Servers, click on Manage to bring up the Manage Agent page.
      • Refresh the Agent Service table.
      • Check the Agent Service table.
      • If the service has stopped, start the service.

      (Note: The ADAudit Plus service account should be a member of the Domain Admins group in order to get the service status.)

    2. Check if the agent is able to communicate with the ADAudit Plus server.
      • Go to the Agent Communication table.
      • Refresh the Agent Communication table.
      • Check if communication is established.

    Note:

    1. An RPC connection is required to sync configuration settings on the agent with the ADAudit Plus server.
    2. An HTTP connection needs to be established in order for the agent to forward event data to the ADAudit Plus server.
      1. If an error persists, test RPC and HTTP communication by clicking on the corresponding icons under Actions.
      2. If HTTP communication fails, open the machine on which the ADAudit Plus agent is installed, and connect to the ADAudit Plus server via a web browser. Enter ADAuditPlus_server_name:ADAuditPlus_running_port_number (eg. server_name:8081) in a web browser to connect to the ADAudit Plus server.
        • If you are unable to connect to the ADAudit Plus server, check the firewall settings (inbound and outbound) on the machine where the agent is installed.
      3. If communication is established, refresh the Agent Property table to check if the agent properties match the properties on the server.
        • If you are unable to refresh the Agent Property table check the Remote Registry Service status on the machine where the agent is installed, and if it has been stopped, start the service.
        • Also, refresh and check the Configuration Sync Details table to ensure that the most recent changes have been synced.
    Manage Agent page

    If the error persists, please contact support, and one of our technicians will help you resolve the issue.

    For more information, visit
    https://www.manageengine.com/products/active-directory-audit/.

ADAudit Plus Trusted By

A single pane of glass for complete Active Directory Auditing and Reporting