McAfee Logon Collector 2.2 Administration Guide
Revision A

COPYRIGHT
Copyright © 2014 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

1 Introduction to McAfee Logon Collector
  Important terminologies
  Domain controllers and logon collection
  Deployment
  Ports used by Logon Collector
  Viewing online help
2 Installation
  Key considerations for installation
  Prerequisites
    Planning for installation
    System requirements
    DNS resolution requirements
  Install Logon Collector
    Download the software
    Install the software on Windows Server
    Uninstall the software
    Uninstall Microsoft SQL Server 2008 Express Edition
  Access the Logon Collector web interface
  Install Logon Collector as a McAfee ePO extension
    Installation requirements
    Installing Logon Collector as a McAfee ePO extension
    Limitations
  Install Logon Monitor
    Install a Logon Monitor
    Uninstall Logon Monitor
3 Upgrade
  Key considerations for an upgrade
  Upgrade the software from 2.0 or 2.1 to 2.2 using the installer
  Verify the upgrade
4 Identities collection
  About identities collection
  Add a domain to monitor
  Add Logon Monitor
    Add a Logon Collector certificate to a Logon Monitor
    Add a Logon Monitor
    Remove a Logon Monitor
  Managing exchange servers
    Add an exchange server to a monitored domain
    Remove an exchange server
5 Server settings
  About server settings
    Active Directory User login
    Dashboards
    Email Server
    Identity replication certificate
    Local Logon Monitor settings
    MLC Advanced Settings
    MLC Group / IP Ignore List
    MLC Group Filter
    Configuring the IP address for Logon Collector server client communication
    MLC User Login Timeout
    Printing and exporting
    Server certificate
    About Personal Settings
  Logon Monitor configuration
    Configuration tab
    Remote tab
    Use MMC to manage Logon Monitor certificates
    Use NTLMv2 with Logon Monitors
6 High Availability (Clustering)
  Overview
  Configuration basics
    Prerequisites for High Availability
    High Availability setup
    Configure High Availability in Public Key Infrastructure (PKI) setup
    Check the status of cluster formation
  Configuration data replication
  Logon events replication
  Limitations
  Disable a cluster
  Reconfigure a cluster
7 On-demand group and user refresh
  MFS Scheduler 2.5
  On-demand group refresh
    Options of group refresh
  On-demand user refresh
    Options of user refresh
  Server Tasks Log
8 User management
  Manage users
    Add or modify a user
    Delete a user
  Manage permission sets
    Create permission sets
    Delete permission sets
    Duplicate permission sets
  Manage contacts
    Add or modify a contact
    Delete a contact
9 Reporting
  About the Status page
  View who is logged on
    Export report of who is logged on
  View the audit log
    Export the audit log
  Manage audit log queries
    Create a query group
    Delete a query group
    Edit a query group
    Create audit log queries
    Import audit log queries
    Query actions
    Define filter criteria
    Define export criteria
  View dashboards
10 Integration with other McAfee products
  Integration with McAfee Firewall Enterprise
    Integration requirements
    Passive identity validation
    Configure Passive Passport
  Integration with McAfee Firewall Enterprise Control Center
    Integration requirements
  Integration with McAfee® Network Security Manager
    Benefits
    User groups for Sensor
    Important terms
    Integration requirements
    How Logon Collector - McAfee® Network Security Manager integration works
    Configuration details for Logon Collector integration
    Display of Logon Collector details in the Threat Analyzer
    Display of Logon Collector details in Network Security Manager reports
  Integration with McAfee Data Loss Prevention
    Integration requirements
    Using Active Directory User elements
    Using McAfee DLP on remote LDAP servers
    How Logon Collector is used with McAfee DLP
    How Logon Collector enables user identification
    Setting up Logon Collector
    Authenticating McAfee DLP Manager and Logon Collector
11 Scalability
  Scalability details
12 Troubleshooting
  Verify the domain credentials
    Connect to a domain controller
    Run a CPU performance query
    Run a back log query
    Run a forward log notification query
    Create a non-administrator account to access the security event log on a domain controller
      Create an account on Windows Server 2003 and 2008
      Create an account on Windows Server 2003
      Create an account on Windows 2000 server
      Additional resources
  Logon Monitor logs
    Internal messages
    Messages generated due to Logon Collector communication
    Messages generated due to Logon Monitor communication
    Common Domain Controller errors
  Logon Collector logs
    Logon Collector Active Directory communication errors log records
  Troubleshooting DNS problems
    Troubleshooting NSLookup failure
  Error installing Logon Collector 2.0 on Windows Server 2008 R2
  Error uninstalling SQL database instance for Logon Collector
  Configure Database Settings page to connect to the SQL server
  Ports used by Logon Collector
  High memory usage of lsass.exe
  Recovery procedure for McAfee ePO 10,000 directory objects restriction
  Saved group filter configuration

1 Introduction to McAfee Logon Collector

The McAfee® Logon Collector is software that monitors Active Directory domains and collects logon information. Logon Collector polls Microsoft Active Directory domain controllers for user logon events and sends this information to security appliances to correlate network traffic with user behavior.

Logon Collector is installed on separate Windows-based servers to communicate with the Active Directory, and supports distributed deployment. Logon Collector deployment does not require any modification to the Active Directory or the Active Directory schema and requires no agents. Logon Monitors can be used to poll nearby domain controllers and forward collected information to the Logon Collector, shortening the distance domain controller communication must travel.

Contents
Important terminologies
Domain controllers and logon collection
Deployment
Ports used by Logon Collector
Viewing online help

Important terminologies

A domain is a logical group of identified resources on a network, whether users, computers, or networked application services.
These resources are collected for the domain into a distributed directory, shared in a group of domain controllers. Members of a domain only need to authenticate one time to the closest domain controller. All the other resources in the domain are made accessible based on their privileges in the domain.

An identity is the set of characteristics that uniquely identifies a user. A user's identity includes user name, authentication status, group membership, primary group, and current IP address. The user or system primary group can be fetched and passed on to clients.

Domain controllers and logon collection

Logon Collectors and Logon Monitors interact with domain controllers and enable McAfee products such as Firewall Enterprise and McAfee® Network Security Platform to continuously gather identity information. This information is used to map network transactions to actual identities.

Each time a user logs on to the network or requires access to any domain-controlled resource such as a printer, server, or file share, the domain controller creates an event log entry in a special, protected log file called the Security Event Log. This log file is available to remote systems such as the Logon Collector and the Logon Monitor by way of a Microsoft interface called Windows Management Instrumentation (WMI).

To minimize the burden placed on a domain controller by Security Event Log queries (using WMI), the Logon Collector or Logon Monitor contacts the domain controller on behalf of McAfee appliances that require the Security Event Log information. Each domain controller only has to accommodate a single connection instead of multiple connections for each McAfee appliance. Because the overhead of using WMI can be expensive, you can deploy Logon Monitors close to the domain controllers on your network.
Doing so routes the greatest amount of traffic, the WMI communication between the domain controllers and the Logon Monitor, along a relatively short distance. The communication overhead between a Logon Monitor and a Logon Collector is low, enabling you to optimize your deployment of logon collecting.

Deployment

The Logon Collector and Logon Monitor can connect to multiple domain controllers across multiple domains and forests. Each Logon Collector can be contacted by multiple clients and can have multiple Logon Monitors.

When deploying Logon Collectors and Logon Monitors, consider the following:

• The network overhead of WMI communication can be expensive. WMI communication occurs between the domain controller and the Logon Monitor. McAfee recommends that you use a single Logon Monitor for all your McAfee security devices so that only one WMI session is needed on each domain controller.
• McAfee recommends that you place a Logon Collector or Logon Monitor local to the domain controllers that it is monitoring. Communication between a Logon Monitor and the Logon Collector over a WAN link is often faster than the communication between the domain controller and the Logon Collector over the same WAN link. The faster the Logon Collector receives this information, the faster the client can associate an IP address with the matching identity.
• Connect to domain controllers that add value to the monitoring strategy. The Logon Monitor should connect to the domain controller from which the users to be monitored log on. For example, if you are monitoring in an area of the network such as New York, and you never see users from San Francisco, then you might not need to monitor the users that log on to a domain controller in San Francisco.
Conversely, if the users in San Francisco use services in the New York data center you are monitoring, then you will greatly benefit from watching the security event log of the San Francisco domain controller and determining the identity of these users.
• Take advantage of the IT support infrastructure. If your infrastructure is administered by different groups of system administrators that correspond to the existing Windows architecture, you might want to work with them. The Logon Collectors and Logon Monitors are installed as services on Windows Server 2008 R2 or Windows Server 2012. The administration of these servers might already be part of a larger system administration strategy, and you might want to abide by it.
• Depending on your security requirements, you might want to dedicate a Windows Server 2008 R2 or Windows Server 2012 server to run the Logon Collector, or a pair of servers in High Availability mode. If the server on which the Logon Collector is installed is compromised, it might cause great loss of functionality to your security architecture.
• It is important to keep the server on which the Logon Collector or Logon Monitor is installed up to date by applying the Microsoft security patches on a timely basis. It is equally important to follow the Microsoft security best practices to harden this server.
• If possible, remote and local access to the Logon Collector or Logon Monitor server should be limited to its administrators only.
• Follow the instructions in the Use NTLMv2 with Logon Collectors section to protect the credentials on the server and to use only secure authentication protocols.
• It is possible to configure domain controllers to allow the Logon Monitor to access the Security Event Log without using Administrator logon credentials. This is recommended.
Refer to the section Create a non-administrator account to access the security event log on a domain controller.

Figure 1-1 Logon Collector deployment

Ports used by Logon Collector

These ports must be enabled in your network.

Table 1-1 Logon Collector Port table

Port  | Type of port                       | Used for
8443  | Logon Collector, HTTPS             | Web Server Secure port
8444  | Logon Collector, HTTPS             | Web Server authorization port
61641 | Logon Collector, JMS               | Communication between Logon Collector and point products; communication among Logon Collector cluster members
61613 | Logon Collector, JMS (STOMP)       | Communication between Logon Collector and 2.0+ C client based point products
50443 | Local or Remote Logon Monitor, TCP | Communication between Logon Collector and Logon Monitor
389   | Domain Controller (AD), LDAP       | LDAP query from Logon Collector to Domain Controller

Logon Collector does not function if you have enabled SSL port 636 on the Domain Controllers (Active Directory) and have disabled non-SSL port 389: Logon Collector fails to connect to the Domain Controller (Active Directory) on SSL port 636.

The WMI communication happens between the Logon Monitor and the domain controller.

Viewing online help

You can view the online help for Logon Collector by clicking the question mark (?) button on the menu bar. The online help includes a table of contents and has full-text search capability.

2 Installation

This section describes the installation of McAfee® Logon Collector and Logon Monitor.
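As an added example that is not part of the McAfee guide, the following PowerShell script, run from the server that will host the Logon Collector or a remote Logon Monitor, checks two of the requirements described in Chapter 1 before you install: that the domain controller answers LDAP on non-SSL port 389 (Table 1-1), and that the domain account you intend to enter in Logon Collector can read the Security Event Log through WMI, which is the read a Logon Monitor performs. The domain controller name, the credential, the use of Test-NetConnection (Windows Server 2012 or later) and the event ID 4624 layout are assumptions about the environment, not values from the guide.

```powershell
# Added example, not from the McAfee guide. Run on the intended Logon Collector / Logon Monitor host.
# Assumed inputs: the domain controller's FQDN and the domain credentials that Logon Collector will use
# (ideally the non-administrator account described under Troubleshooting in this guide).
param(
    [Parameter(Mandatory)][string]$DomainController,
    [Parameter(Mandatory)][pscredential]$Credential
)

# 1. LDAP reachability. Logon Collector queries the domain controller on non-SSL port 389 only
#    (Table 1-1); a domain controller that answers on 636 alone cannot be used.
$ldap = Test-NetConnection -ComputerName $DomainController -Port 389 -WarningAction SilentlyContinue
if ($ldap.TcpTestSucceeded) {
    "LDAP port 389 reachable on $DomainController"
} else {
    $ssl = Test-NetConnection -ComputerName $DomainController -Port 636 -WarningAction SilentlyContinue
    if ($ssl.TcpTestSucceeded) {
        Write-Warning "Only LDAPS (636) answers on $DomainController; Logon Collector requires 389."
    } else {
        Write-Warning "Neither 389 nor 636 is reachable on $DomainController; check DNS and firewall rules."
    }
}

# 2. Security Event Log access through WMI, the same interface a Logon Monitor uses. Event ID 4624
#    is a successful logon on Windows Server 2008 R2 / 2012 domain controllers. An "Access denied"
#    here means the account lacks read rights to the Security log on that domain controller
#    (see Create a non-administrator account to access the security event log in Troubleshooting).
try {
    $events = Get-WmiObject -Class Win32_NTLogEvent -ComputerName $DomainController `
        -Credential $Credential -Filter "Logfile='Security' AND EventCode=4624" -ErrorAction Stop |
        Select-Object -First 5
    if (-not $events) {
        Write-Warning "Security log readable on $DomainController, but no 4624 events returned; check the audit policy."
    }
    foreach ($e in $events) {
        # TimeGenerated is a DMTF timestamp. For event 4624 on these operating systems,
        # InsertionStrings 6, 5 and 18 are the target domain, target user and source IP address.
        $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($e.TimeGenerated)
        "{0:u}  {1}\{2}  from {3}" -f $when, $e.InsertionStrings[6], $e.InsertionStrings[5], $e.InsertionStrings[18]
    }
} catch {
    Write-Warning "WMI read of the Security log on $DomainController failed: $($_.Exception.Message)"
}
```

Run it as `.\Check-LogonCollectorDc.ps1 -DomainController dc01.example.local -Credential (Get-Credential)`; a successful run prints the port result and up to five recent logon events exactly as the Logon Monitor would see them.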
Contents
Key considerations for installation
Prerequisites
Install Logon Collector
Access the Logon Collector web interface
Install Logon Collector as a McAfee ePO extension
Install Logon Monitor

Key considerations for installation

This section gives the details of the key considerations for installation.

When you install the Logon Collector on Windows Server 2008 R2 or 2012 for the first time, you might see a message that states, "The Windows registry entry NtfsDisable8dot3NameCreation value will be changed to 0". You receive this message only if the Windows registry entry value has not been modified. You can either proceed by making this change in the registry or proceed without the change. If you accept the change in the registry and proceed, you can have spaces in the installation location. If you do not accept the change in the registry, you must ensure that the installation location path does not contain any folder with white spaces in its name. You must also ensure that the folder name does not exceed 8 characters.

Prerequisites

Review the installation prerequisites for the Logon Collector and the Logon Monitor before installing the software.

Planning for installation

Before installation, ensure that you complete the following:

• You must be logged on to the server as a local computer administrator.
• Make sure your hardware meets or exceeds the minimum requirements.
• You do not need a special passphrase or license key to install the Logon Collector or Logon Monitor software. You can install as many instances of the Logon Collector or Logon Monitor (each on its own server) as are needed to provide adequate coverage for the domain controllers in your monitored domain.
• For Windows Server 2012, enable .NET Framework 3.5 to successfully install Logon Collector 2.2.

Client Server compatibility

• Logon Collector 1.0 client supports Logon Collector 1.x and 2.x servers.
• Logon Collector 2.2 client supports Logon Collector 2.x servers. The client does not support Logon Collector 1.x servers.

System requirements

The Logon Collector and Logon Monitor run as Microsoft Windows services on a Windows Server, and require a system that meets these minimum requirements:

Component | Minimum requirement
Operating System | Any one of the following Microsoft operating systems: Windows Server 2008 R2 (64-bit); Windows Server 2012 and 2012 R2 (64-bit). Windows Server 2003 is not supported.
Operating System — Domain controllers | Any one of the following Microsoft servers: Windows Server 2008 R2; Windows Server 2012 and 2012 R2
RAM (memory) | 4 GB or higher
Disk space | 20 GB free space
Processor | Pentium IV 2 GHz or faster
Software framework | Microsoft .NET Framework 3.5. We highly recommend that you enable .NET Framework 3.5 to successfully install Logon Collector 2.2.
Browser | Microsoft Internet Explorer 8.x and 9.x; Mozilla Firefox 3.x and above (Recommended)
Network connectivity | From Logon Collector servers to the domain controllers of the Microsoft Active Directory domain that the Logon Collector or Logon Monitor is monitoring
Resolution | Display set to a resolution of 1024x768 or greater
Monitored Domains | The domain user (entered while adding the domain in Logon Collector) must have access rights to the security event logs on each domain controller
Domain controllers | The domain controller's functional level should not be higher than the Logon Collector's Windows Server version. Refer to the section Key considerations for installation. Domain controllers must have non-SSL port 389 enabled for LDAP queries.

Consider installing the Logon Monitor on a virtual machine, as the Logon Monitor is a less demanding application and does not transmit as much information as the Logon Collector.
The Logon Monitor memory usage depends on the number of users and groups in its database.

DNS resolution requirements

Proper Domain Name System (DNS) resolution is a critical prerequisite for identities collection. The computers on which the Logon Collector or Logon Monitor are installed, and the client configured to collect identities, must be configured to refer to a DNS server that is able to:

• Resolve any domain from which logons are collected.
• Provide forward resolution for all domain controllers from which logons are collected.
• Provide reverse resolution for all domain controllers from which logons are collected.
• Provide SRV records for one or more domain controllers in the domain from which logons are collected.

When the DNS settings are changed, Logon Collector discards its old DNS cache after 30 seconds, and then applies the new DNS settings. Wait at least 30 seconds before trying to resolve the domain.

Install Logon Collector

A Logon Monitor is installed locally on the same server when you install Logon Collector. This Logon Monitor is referenced in the user interface as localhost. You can install Logon Monitor separately if you need a remote Logon Monitor.

If you are already running a McAfee Foundation Services (MFS)-based application (for example, McAfee® ePolicy Orchestrator), the Logon Collector service is incompatible with it.

Download the software

Download the bundled Logon Collector and Logon Monitor software from the McAfee website.

Task
1 In a web browser, go to https://secure.mcafee.com/apps/downloads/my-products/login.aspx?region=us.
2 Provide your grant number, and select the appropriate product category (for example, McAfee® Firewall Enterprise Appliance).
3 Select the McAfee Logon Collector version, for example McAfee Logon Collector 2.2.
4 Download the zip file for the Logon Collector installation.
Extract the files to your local directory.
5 Find the Logon Collector installation program and download it to your local directory.

The Logon Monitor is part of the Logon Collector bundle that you download. If you want to have a separate remote Logon Monitor installation, select the McAfee Logon Monitor folder and find the installation program.

If you want to install Logon Collector as a McAfee ePO extension, download the MLC<version>_ePOextension.zip file, for example MLC22_ePOextension.zip, from the same location.

Install the software on Windows Server

The Logon Collector installation wizard installs the Logon Collector, local Logon Monitor, and Microsoft SQL Server 2008 Express (64 bit) on any one of the following operating systems:

• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2

If you already have an instance of Microsoft SQL Server on your server, you can skip that part of the installation.

At any point of the installation, click Back or Cancel to return to the previous step or cancel the installation, respectively.

Task
1 Navigate to the downloaded Logon Collector folder in your local directory.
2 Double-click Setup.exe. The Logon Collector installation wizard opens.
  If your system has less than 4 GB RAM, a memory error message is displayed. Click Yes to continue the installation with the currently available memory, or click No to cancel the installation and resume it after at least 4 GB RAM is available.
  If you are installing the software on Windows 2008 R2, a Security Warning window is displayed. Click Run to proceed.
  A pop-up window might appear to enable the Windows 8.3 file naming convention. Click Yes to continue with the installation. Enabling this option generates a short name in the Windows 8.3 file naming convention for lengthy file names.
3 The Logon Collector installation wizard opens. Click Next to continue. The McAfee End User Licensing Agreement window opens.
4 Select any one of the following licenses from the drop-down list under the License expire type option:
  • 1 Year Subscription - the license expires in a year
  • 2 Year Subscription - the license expires in two years
  • Perpetual License - the license has no expiry
  Read the license agreement, select the I accept the terms in the license agreement option, and then click OK.
5 By default, the destination folder for the installation is set to C:\Program Files\McAfee\McAfee Logon Collector\. Click Change to select a new location.
  The uninstallation process can remove the folder containing the installed Logon Collector along with any existing folder in the path. McAfee recommends that you select an empty folder or follow the default installation location format to avoid this issue.
  Click Next to continue. The Global Administrator Information window is displayed.
6 Enter the Username and Password for the Logon Collector web interface administrator. Re-enter the password for verification. Click Next. The HTTP Port Information window opens.
7 Leave the Logon Collector ports at their default values unless a default port is already in use. You need the Web Server port to open the Logon Collector web interface.
8 Click Next. The SQL Express Option window opens. There can be any one of the following results:
  • Result 1 — Options enabled in the SQL Express Option window: A pop-up opens. Click Yes to continue with the Microsoft SQL 2005 Express installation.
  • Result 2 — Options disabled in the SQL Express Option window: During the installation process, you might find both options disabled in the SQL Express Option window. Click the Why are the above options disabled? option to view the reasons. Click OK to continue.
Additional scenario

If you are installing Microsoft SQL 2008 Express on Windows Server 2008 (64-bit) for the first time, a warning message is displayed. Click Yes to open the Program Compatibility window. Click Run Program to continue.

9 The Microsoft SQL 2008 Express installation is in progress window is displayed, followed by the Database Information window.

10 Select one of the following options in the Database Information window:

• Windows authentication: Select to enter the domain and logon credentials for the server that will house the Logon Collector database. The SQL server TCP port details are set by default.
• SQL authentication: Select only when you have a separate Microsoft SQL Server installation that predates the Logon Collector installation. In this case, enter the Microsoft SQL Server user name and password that were used during the Microsoft SQL Server installation.

11 Click Next. The Ready to Install the Program window opens.

12 Click Install to proceed. The Installing McAfee® Logon Collector window is displayed.

13 Click Finish to complete the installation.

Uninstall the software

Follow these steps to uninstall the Logon Collector.

Task

1 On the Windows server, from the Start menu, select Control Panel, and then click Add or Remove Programs.

2 Select Logon Collector, then click Remove and follow the on-screen instructions.

3 If you want to remove the Logon Collector database, leave the checkbox selected and click Next to proceed. Configuration information such as which domains are being monitored and which Logon Monitors are connected is not saved. If you have numerous users configured for administering the Logon Collector, you might want to preserve the database.

4 When you are prompted for the database password, click Next to proceed.

5 In the Add or Remove Programs window, select Logon Collector, and click Remove.

6 Click Yes when prompted to remove Logon Collector.
7 Close Add or Remove Programs.

Uninstall Microsoft SQL Server 2008 Express Edition

If you installed Microsoft SQL Server 2008 Express Edition as part of installing the Logon Collector, you might want to remove it when you remove the Logon Collector from your computer. If you intend to re-install the Logon Collector, you must leave Microsoft SQL Server 2008 Express Edition on your computer.

Follow these steps to uninstall Microsoft SQL Server 2008 Express Edition.

Task

1 On the Windows server, from the Start menu, select Control Panel, and click Add or Remove Programs.

2 Select Microsoft SQL Server 2008, and click Remove.

3 In the Component Selection window, select MLCSERVER: Database Engine and Workstation Components, and click Next.

4 Click Finish.

5 In the Add or Remove Programs window, select Microsoft SQL Server Native Client, and click Remove.

6 Click Yes when prompted to remove Microsoft SQL Server Native Client.

7 Close Add or Remove Programs.

Access the Logon Collector web interface

Use the Logon Collector web interface to monitor domains and Logon Monitors, generate reports, and perform administrative tasks.

Task

1 Open a browser and enter the URL of the Logon Collector. For example, if you accepted the default ports, you might enter https://127.0.0.1:8443/. The value "8443" in the URL might differ depending on the installation.
  If you are connecting to the web interface for the first time over an HTTPS connection, an invalid certificate warning appears. Click Continue to this website (or the equivalent) to continue. The Log On window appears.

2 Enter the user name and password configured during installation, and click Log On. The Main Status window of the web interface appears.

Install Logon Collector as a McAfee ePO extension

The Logon Collector can also be installed on a McAfee® ePolicy Orchestrator (McAfee ePO) 4.6 server as an extension.
McAfee ePO™ is a scalable platform for centralized policy management and enforcement of your system security products such as anti-virus, desktop firewall, and anti-spyware applications.

The Logon Monitor polls the Active Directory domain to retrieve user information such as user names and user behavior in the form of logon events. Because of the load it places on the system, the Logon Collector can run on McAfee ePO only for monitoring a small Active Directory.

Installation requirements

The minimum requirements for installing the Logon Collector as a McAfee ePO extension are:

• Logon Collector version — 2.2
• McAfee ePO™ version — 5.x

If you want to uninstall ePolicy Orchestrator, remove the MLC extension first and then uninstall ePolicy Orchestrator. This avoids ePolicy Orchestrator uninstallation issues that might be caused by the Logon Collector.

Installing Logon Collector as a McAfee ePO extension

To install the Logon Collector as a McAfee ePO extension:

Task

1 Download the MLC22_ePOextension.zip file to your local directory.
  If you have an older version of Logon Collector, first uninstall 2.0 or 2.1, upgrade McAfee ePO to 5.x (64-bit), and then perform a fresh installation of Logon Collector 2.2. Upgrading the Logon Collector ePO extension is not supported.

2 Select Menu | Software | Extensions. The Extensions page opens.

3 Click Install Extension in the bottom left corner to proceed with the installation.

4 Click Browse to select the MLC22_ePOextension.zip file to be installed from your local directory. Click OK. Download the zip file from the location described in the Download the software section of this guide. The Install Package window opens.

5 Click OK to return to the Extensions window. Verify that the Logon Collector is listed as an extension in the left pane.
6 Select the Status window and click Id Replication Manager to confirm the installation.

Tasks

• Install Logon Collector from Software Manager tab in McAfee ePO on page 18

Install Logon Collector from Software Manager tab in McAfee ePO

Follow the steps below to install the Logon Collector from the Software Manager tab on the McAfee ePO user interface.

Task

1 Select Menu | Software | Software Manager.

2 Click Refresh in the left pane.

3 Under the Product Categories section, click Firewall Related Software in the Software (by Label) option.

4 In the right pane, the Software (by Label) > Firewall Related Software option is displayed. Click McAfee Logon Collector 2.2.

5 Click Check-in MLC.

6 In the McAfee Logon Collector Check In Software Summary window, read and select the I accept the terms in the license agreement option.

7 Click OK to view the Activity In Progress window. You can view the progress of the installation here. Wait until the status shows Complete (for a successful installation) or Failed (for an unsuccessful installation).

8 To verify that the Logon Collector extension installed successfully, check that the Status and Logon Report pages appear under Menu | Reporting.

Limitations

This section details the limitations of the Logon Collector when running as a McAfee ePO extension:

• High Availability — This feature is disabled when the Logon Collector is running as a McAfee ePO extension.
• Identity Data Store (IDDS) — The Identity Data Store (IDDS) is the in-memory database specific to the Logon Collector. A size limit is set on the Logon Collector IDDS by default while running on McAfee ePO: the total number of directory objects (users and groups) must always be less than 10,000. Make sure that the domain you are adding to the Logon Collector does not exceed this limit.
  Also, check the existing number of users and groups in IDDS before adding a new domain. Exceeding the size limit stops the Logon Collector from monitoring all the domains, and the clients lose their connection to the Logon Collector. The Logon Collector server behaves abnormally once the size limit is exceeded; in this scenario, it is not recommended to perform any configuration changes.
  Workaround: If you reach the 10,000 object limit under McAfee ePO, you may need to run the Logon Collector on a separate (non-McAfee ePO) server. Even if you find a combination of domains to monitor that meets the object limit, you still need to uninstall and reinstall the extension once the Logon Collector has reached the limit. Make sure that you do not add any domain with more than 10,000 objects. This recovery process can only be used when the Logon Collector has reached the object limit of 10,000 and has stopped normal operations.
  An error message is displayed if you reach the limit. An error message is also shown on the Status page under the ID Data Store {idds} section.

Install Logon Monitor

A local Logon Monitor is included in the Logon Collector installation. You do not need a special passphrase or license key to install the Logon Monitor. You may install as many instances of the Logon Monitor (each on its own server) as are needed to provide adequate coverage for the domain controllers in your monitored domain.

You should install a Logon Monitor as close as possible to the domain controllers with which it will communicate. This minimizes the impact of the traffic resulting from the communication. The Logon Monitor is part of the Logon Collector download bundle.

Prerequisites:

• Earlier versions of the Logon Collector or Logon Monitor must be uninstalled before installing this version of the software.
• You must be logged on to the server as an administrator.
Install a Logon Monitor

Task

1 Using Windows Explorer, locate the Logon Monitor folder. Download the software from the location described in the Download the software section of this guide.

2 Double-click Setup.exe.

3 For a new installation of the Logon Monitor, click Generate Self Signed Certificate on the Configuration tab of the McAfee Logon Monitor Configuration window. The certificate is required to communicate with the Logon Collector. If you are re-installing the Logon Monitor, the previous installation's certificate remains in the store, and you can continue to use it.

4 Complete the configuration changes, and click OK.

Uninstall Logon Monitor

Follow the steps below to uninstall a Logon Monitor. Ensure that the Logon Monitor you want to uninstall is not being used to watch any domain controllers for any Logon Collector.

Task

1 On the Windows server, from the Start menu, select Control Panel, and click Add or Remove Programs.

2 Click McAfee Logon Monitor, then click Remove.

3 When prompted by the InstallShield Wizard for McAfee Logon Monitor, click Next to begin the removal process.

4 On the Program Maintenance window, select Remove, and click Next.

5 Click Remove.

6 Click Finish.

If you plan to re-install the Logon Monitor, note that the previous installation's certificate remains in the store and you can continue to use it.

3 Upgrade

This section discusses the upgrade of Logon Collector 2.0 or 2.1 to Logon Collector 2.2.

Contents

Key considerations for an upgrade
Upgrade the software from 2.0 or 2.1 to 2.2 using the installer
Verify the upgrade

Key considerations for an upgrade

You can perform a fresh installation of Logon Collector 2.2 or you can upgrade from Logon Collector 2.0 or 2.1 to Logon Collector 2.2.
The entire Logon Collector configuration, along with the following information, is retained on the Logon Collector server when an upgrade is done:

• Configured domains
• Added certificates
• Remote Logon Monitors

After an upgrade, the local Logon Monitor settings and configuration are reset to default values. Make sure to note these values prior to an upgrade.

You must manually download and install Microsoft SQL Server 2008 Express edition (32-bit) before an upgrade.

As with any upgrade, McAfee strongly recommends that you always first try the upgrade in a test environment.

If Logon Collector 2.x is installed on Windows 2003, it is not possible to upgrade or restore the data. You need to disconnect the clients, perform a fresh installation on Windows 2008 R2, 2012, or 2012 R2, configure the monitored domains, and reconnect the clients.

Upgrade the software from 2.0 or 2.1 to 2.2 using the installer

Before you begin

• Note the local Logon Monitor settings and configuration values. After the upgrade, these values are reset to default.
• Download and manually upgrade to the SQL Server 2008 Express (32-bit) edition.
• These Microsoft operating systems are supported for an upgrade:
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

.NET Framework 4.5 is installed as part of Windows Server 2012 / R2. This version has compatibility issues with SQL Server 2008 Express. We highly recommend enabling .NET Framework 3.5 to successfully install Logon Collector 2.2.

Use the installer you downloaded to upgrade Logon Collector.

Task

1 Navigate to the folder on your local directory that contains the downloaded Logon Collector installer. Double-click Setup.exe to start the Logon Collector 2.2 setup.

2 Read and accept the license, and proceed with the installation.
3 Confirm the destination folder. Click Next.

4 Enter the user name and password for the Logon Collector administrator. Verify the password. These must be the same as in the previous (Logon Collector 2.0 or 2.1) installation.

5 Confirm the port numbers. Because you already have an existing database, the Microsoft SQL Server options are disabled.

6 Verify that the Database Server option in the Database Information window retains the same information as in the Logon Collector 2.0 or 2.1 installation. Click Next. The Ready to Install the Program window opens.

7 Click Install to begin the upgrade process. The Installing McAfee Logon Collector window opens.

8 Click Finish to complete the upgrade process.

Verify the upgrade

Select Menu | Configuration | About to verify a successful upgrade.

4 Identities collection

This section gives the details of identities collection.

Contents

About identities collection
Add a domain to monitor
Add Logon Monitor
Managing exchange servers

About identities collection

Identities can be collected in one of the following ways:

• Monitor a domain with a local Logon Monitor: Every Logon Collector installation contains a Logon Monitor. You must add a domain from which the Logon Collector collects information.
• Monitor a domain with a remote Logon Monitor: You can add remote Logon Monitors to the Logon Collectors. See the Deployment section for a discussion of when to use Logon Monitors to monitor a domain.

Add a domain to monitor

Before you begin

Enter the credentials for the domains that will be monitored directly by the Logon Collector.

• Obtain management access to the client that polls a given domain for identities.
• Install and configure a Logon Collector.
• Acquire the appropriate domain credentials from your Windows domain administrator.
The administrator account you intend to use to access the domain controller must be in the same domain from which you want to obtain identities. If you want to use an account other than the administrator account, refer to the Create a non-administrator account to access the security event log on a domain controller section.

Follow these steps to add a monitored domain:

Task

1 Select Menu | Configuration | Monitored Domains.

2 Click New Domain.

3 Type the name of the domain and the required credentials in the relevant fields.

4 Click Next. Connections are made to each domain controller belonging to that domain. If the connection to any domain controller is unsuccessful, an error message with the details of the failure is displayed.

5 For each listed domain controller, specify a primary and, optionally, a backup Logon Monitor. To add a backup Logon Monitor to the drop-down list, click New Logon Monitor.

6 a Click the drop-down list under Primary and select a Logon Monitor.
  b [Optional] Click the drop-down list under Backup and select a Logon Monitor that will operate in the event the primary Logon Monitor is unavailable.
  c Click Next. Only those domain controllers for which Logon Collectors have been chosen are displayed in this screen.
  Specify the order in which LDAP queries are made to the domain controllers for user and group information. In general, the closest domain controllers should be placed at the top of the list to improve response times and reduce network bandwidth. Click the up or down arrows to move domain controllers in the list.

7 Click Save.
  If a domain controller is disconnected, the LDAP query fails and the status button turns red. By default, Logon Collector is configured to perform an LDAP query every 12 hours.
  If the status still shows red after the network connection is re-established, we recommend removing the domain and adding it again.

Add Logon Monitor

This section describes how to add a remote Logon Monitor to the Logon Collector.

Contents

Add a Logon Collector certificate to a Logon Monitor
Add a Logon Monitor
Remove a Logon Monitor

Add a Logon Collector certificate to a Logon Monitor

Before you can add a remote Logon Monitor to a monitored domain on a Logon Collector, you must first provide the Logon Collector certificate information to the Logon Monitor.

Task

1 Install the Logon Monitor and have the McAfee Logon Monitor Configuration application running.

2 On the computer on which you installed the Logon Monitor, open a web browser. You will be exchanging information between the Logon Monitor and the Logon Collector, and having a web browser open with the Logon Collector web interface makes this task easier.

3 Log on to the Logon Collector web interface and click Menu | Configuration | Server Settings.

4 Click Identity Replication Certificate in the list of Setting Categories.

5 In the McAfee Logon Monitor Configuration application, click the Remote tab.

6 If necessary, click New to add a new certificate to the Logon Monitor.

7 Copy the value for Common Name (CN) on the Logon Collector to the Common Name field on the Logon Monitor.

8 In the Logon Collector web interface, scroll down until the Logon Monitor Fingerprint field is visible.

9 Copy the value for Logon Monitor Fingerprint on the Logon Collector to the Certificate Hash field on the Logon Monitor.

10 Click OK.

11 Repeat these steps for any other Logon Collectors that the Logon Monitor will be communicating with.

With the Logon Collector certificate(s) on the Logon Monitor, you can add the Logon Monitor to any of the Logon Collectors to collect logons for a monitored domain.
Add a Logon Monitor

Task

1 Select Menu | Configuration | Logon Monitors.

2 Click New Logon Monitor.

3 Type a name for the remote Logon Monitor. The name is an arbitrary label used within Logon Collector to identify the Logon Monitor.

4 Type the host name or IP address of the remote Logon Monitor.

5 Type the port number, or accept the default value of 50443.

6 Click Next or OK, depending on how you are adding the Logon Monitor. A connection is attempted to the Logon Monitor.

• If the connection is successful, the certificate is displayed. To accept the certificate, click Save or OK, depending on how you are adding the Logon Monitor.
• If the connection is unsuccessful, an error message is displayed.

Remove a Logon Monitor

If you want to remove a remote Logon Monitor, you must ensure it is not monitoring any domain controllers. Follow these steps to remove a Logon Monitor.

Task

1 Select Menu | Configuration | Monitored Domains.

2 Select a domain and then click Manage Exchange Servers / Domain Controllers.

3 For each domain controller, ensure that the Logon Monitor you want to delete is not listed as either the Primary or Backup Logon Monitor. If the Logon Monitor is listed, click the drop-down list and select a different Logon Monitor.

4 Repeat steps 2 and 3 until you are sure the Logon Monitor you want to delete is not being used.

5 Select Menu | Configuration | Logon Monitors.

6 Select the Logon Monitor you want to delete, then click Delete Logon Monitor.

7 Click OK to confirm the deletion.

Managing exchange servers

Logon Collector can monitor Exchange servers. Logon Collector supports logon events for users logging in through the Microsoft Outlook thick client or Outlook Web Access (OWA) from internet browsers running on Windows and Mac systems. POP3 and IMAP clients are not supported.
Add an exchange server to a monitored domain

You can add an Exchange server and monitor logon events from Outlook users. View the Status page for the added Exchange servers. You can add an Exchange server only to an existing monitored domain.

Task

1 Select Menu | Configuration | Monitored Domains. The Domains page is displayed.

2 Select a domain and click Manage Exchange Servers / Domain Controllers.

3 In the Exchange Servers area, click Add Exchange Server.

4 In Exchange Server, enter the fully qualified domain name (FQDN) of the Exchange server.
  We recommend adding the Exchange server's IP address to the IP Ignore List: navigate to Menu | Configuration | Server Settings, select MLC Group / IP Ignore List, and enter the server IP address.

5 Under Logon Monitor, go to the Primary drop-down list and select localhost if you want to use the Logon Collector server's local Logon Monitor, or select a remote Logon Monitor if the Logon Monitor is installed on a different system.

6 [Conditional] If you have more than one Logon Monitor, you can select a backup Logon Monitor from the Backup drop-down list. You can select a local Logon Monitor as primary and a remote Logon Monitor as backup, or vice versa. Alternatively, you can select different remote Logon Monitors as primary and backup. The Logon Collector server uses the backup Logon Monitor if the primary Logon Monitor goes down.

7 Click Save.

8 Click Status | <domain name> | Controller Logon Collecting. Make sure the Message area's Status displays Collecting logons from <exchange server>.

Remove an exchange server

You can remove an Exchange server and stop monitoring logon events from it.

Task

1 Select Menu | Configuration | Monitored Domains.

2 Select a domain and click Manage Exchange Servers / Domain Controllers.

3 From the existing Exchange Servers, select the Exchange server you want to delete and click Delete Exchange Server.
5 Server settings

This section gives the configuration details as well as the different features in the Server Settings window.

Contents

About server settings
About Personal Settings
Logon Monitor configuration

About server settings

Use the Server Settings window to configure a variety of settings. To edit a particular setting:

Task

1 Select Configuration | Server Settings.

2 Select a setting category, then click Edit in the lower right corner of the window.

3 Add or update the information, then click Save.

Tasks

• MLC Advanced Settings on page 32
  This section describes the advanced configuration settings of the McAfee® Logon Collector server. The Logon Collector configuration file has the parameters to configure the Logon Collector server.
• MLC Group / IP Ignore List on page 34
  Logon Collector gives you the option to ignore user IP addresses and user group names based on your monitoring needs.
• MLC Group Filter on page 34
  A group filter in Logon Collector enables you to filter user groups and send only relevant information to clients such as McAfee Network Security Manager.

Active Directory User login

Select this option to allow Active Directory users to log on to the Logon Collector if they have at least one permission set.

Dashboards

The Dashboards user interface option is not applicable for Logon Collector 2.1.

Email Server

Specify the email (SMTP) server to be used for emailing reports.

Option: Definition
SMTP server name: Name of the SMTP server
SMTP server port: Port number of the SMTP server, usually port 125
Authentication: The method of authentication, if any, for the SMTP server. Select Authenticate and specify the required credentials if the specified SMTP server requires authentication.
From address: The email address to be included in the From field

Identity replication certificate

The identity replication certificate identifies the Logon Collector to other entities with which it communicates and establishes a trusted connection. For example:

• The Logon Monitor Fingerprint value is provided to a Logon Monitor.
• The Base 64 value is provided to clients such as the McAfee® Firewall Enterprise Control Center.

You can generate a new self-signed certificate, or use a provided certificate and private key by browsing to their locations. You must also provide the passphrase, if there is one, when you use a provided certificate.

Changing the certificate can lead to any one of the following problems:

• Existing clients may not be able to reconnect.
• The High Availability cluster might break.

Local Logon Monitor settings

Configure the local Logon Monitor settings.

Option: Definition
Distinguished Name: The Distinguished Name contains the Common Name and other attributes that the local Logon Monitor needs to identify the certificate found in its store (see Store Name below) that should be used to authenticate to the Logon Collector server. For example, cn=dlc.centserv.org,o=centserv,c=us could be the Distinguished Name, comprised of the certificate's Common Name (cn), organization name (o), and country of origin (c). To use a self-signed certificate, you only need to use the Common Name (prefixed with cn=) for identification.
Store Name: The Store Name, or Certificate Store name, is where the local Logon Monitor looks to find its certificates. The default setting for the Store Name is McAfeeLogonMonitor\MY. This uses the Store Type CERT_SYSTEM_STORE_SERVICES.
Store Type: Certificate stores are organized by type. The default type (CERT_SYSTEM_STORE_SERVICES) should suffice in most instances.
Server Port: The port for the local Logon Monitor service to listen on. As long as another service is not listening on the specified port, you can use the port of your choice.
The default is port 50443. Valid port numbers are 1-65535.
Certificate Checking: Specifies the type of check to perform on any Accepted Remote Certificates.
  • Certificate Hash — [Recommended] Verifies that the hash configured for the given common name matches the hash stored.
  • Certificate Store — The certificate must be signed by a certificate authority found in the Certificate Store.
  • Certificate Not Required — No certificate check is performed. This option does not provide secure communications to access the Logon Collector. McAfee recommends using Certificate Hash as the most secure method.
Connection Type: Specifies whether the Logon Collector connection is encrypted or not. This setting is intended for troubleshooting only. It must be left at the default value (Encrypted (TLS)) or the Logon Collector may not function correctly.
Debug Level: The amount of information written to the log file. The level of detail increases with the debug level. The default value is zero (0), with no extra log detail recorded.
File Location: Where in the system the log file is stored. By default the installation location for Logon Collector is C:\Program Files\McAfee\McAfee Logon Collector\Login Collector.
File Size: The maximum size, in kilobytes, to which the log file may grow before rotating. The system keeps up to five log files in the selected location. LoginMonitor.log is the most recent file, followed chronologically by LoginMonitor.log.1 to LoginMonitor.log.4.
Authentication Type: The type of authentication for the connection between the local Logon Monitor service and any domain controllers. Kerberos and NTLM authentication are supported, with Kerberos as the default.
CPU Disconnect Threshold: Specifies when the local Logon Monitor introduces rate-limiting if services on a monitored domain controller consume too much CPU too quickly. If the CPU threshold is crossed, the local Logon Monitor stops polling the domain for twenty minutes. After the twenty-minute window, which should give the CPU time to handle its load, the local Logon Monitor reconnects. If you find that the local Logon Monitor frequently resorts to rate-limiting, try disabling the Allow Backlog Queries option.
Maximum Backlog Records: Maximum number of records for which a backlog query will run.
Allow Backlog Queries: Specifies whether the local Logon Monitor checks the domain controller security event logs for identity-related events that may have occurred while it was not connected. With this option enabled, the local Logon Monitor can query back into the time it was disconnected rather than simply resuming at the time it reconnects. Note that backlog querying cannot occur when the local Logon Monitor first connects to the domain controller. The query runs up to the value of Maximum Backlog Records or back to the time of the last connection, whichever comes first. Backlog queries are likely to affect the performance of heavily loaded or legacy computers and are not recommended. If you find that the local Logon Monitor frequently resorts to rate-limiting, try disabling this feature.
Accepted Remote Certificates: Certificates from remote Logon Collectors accepted by this Logon Collector. Certificates must pass the criteria defined in Certificate Checking.

MLC Advanced Settings

This section describes the advanced configuration settings of the McAfee® Logon Collector server. The Logon Collector configuration file has the parameters to configure the Logon Collector server. You can use the MLC Advanced Settings option or edit the mlc-config.xml file to configure these settings.
• Domain Controller Backoff Time — Logon Collector stops sending WMI queries to the domain controller if the CPU usage of the domain controller exceeds the configured CPU threshold. By default, the Logon Collector waits for 20 minutes before sending WMI queries to that domain controller again. Setting too small a value for controllerbackofftime is not recommended, as it might increase the load on the domain controller. McAfee recommends a minimum value of 10 minutes.
• Logon Collector V1 Compatibility — Logon Collector 1.0 and Logon Collector 1.0.1 do not propagate user or group name changes in the Active Directory to the clients. Logon Collector 2.1, however, propagates user and group name changes to the clients. This causes McAfee Firewall ACLD to core, as it depends on this behavior of Logon Collector. In v1 compatibility mode, Logon Collector 2.1 behaves exactly as Logon Collector 1.0 with respect to this functionality, so Firewall ACLD does not core as soon as an upgrade to Logon Collector 2.1 happens. By default, Logon Collector 2.1 runs in compatibility mode.
• Remove White Space from Unique Name — Logon Collector 1.x used an algorithm for generating the uniqueName of user and group objects that removed white space. As a result, the algorithm did not always produce a unique uniqueName. Example:
  Group 1
  cn: ProductServices
  un: ProductServices@DistributionLists.scur.com
  Group 2
  cn: Product Services
  un: ProductServices@DistributionLists.scur.com
  The same "un" is generated for Group 1 and Group 2 even though their "cn"s are different.
• McAfee ePO Users and Groups Limit — When the Logon Collector is running as a McAfee ePO extension, a size limit of 10,000 directory objects is set in the Logon Collector Identity Data Store (IDDS) by default. The default value for this parameter is 10,000. Setting a value higher than 10,000 is not recommended.
McAfee recommends installing the Logon Collector on a standalone server if the domain to be monitored has more than 10,000 users and groups.

Configure Logon Collector using MLC Advanced Settings

Select Server Settings | MLC Advanced Settings to configure advanced settings for the Logon Collector. Alternatively, you can configure these settings using the xml file.

Task
1 Select Menu | Configuration | Server Settings.
2 Select MLC Advanced Settings and click Edit. The Edit MLC Advanced Settings page is displayed.
3 [Logon Collector setting] In the Domain Controller Backoff Time field, enter the time in minutes.
4 [For clients] Select or deselect the MLC V1 Compatibility checkbox. By default, this checkbox is selected.
5 [For clients] Select or deselect the Remove White Space from Unique Name checkbox. By default, this checkbox is deselected, and user and user group names remain as-is in Logon Collector.
6 [For MLC Extension on ePolicy Orchestrator] In the (ePO) Users and Groups Limit field, enter the maximum number of users and user groups.
7 Click Save.
8 Restart the Logon Collector service.

Configure Logon Collector advanced settings using the xml file

Follow the steps below to configure the advanced settings of the Logon Collector server in the xml file.
1 Stop the Logon Collector service.
2 Go to <MLC_INSTALL_FOLDER>/server/conf/mlc-config.xml.
3 Edit the xml file.
  • Domain Controller Backoff Time
    Change the value of the parameter (in minutes):
    <config name="controllerbackofftime" value="20" type="common" />
  • Logon Collector V1 Compatibility
    Change the value of the parameter (true or false):
    <config name="enable-v1-compatibility" value="true" type="common"/>
  • Remove White Space from Unique Name
    Change the value of the parameter (true or false):
    <config name="removeWhiteSpaceFromUniqueName" value="false" />
  • McAfee ePO Users and Groups Limit
    Change the value of the parameter (number):
    <config name="idds.epo.limit.directory_object_count" value="10000" />
4 Restart the Logon Collector service.

If the Logon Collector service takes a long time to stop, open Task Manager, select the Processes tab, locate the Tomcat process, and click End Process.

MLC Group / IP Ignore List

Logon Collector gives you the option to ignore user IP addresses and user group names based on your monitoring needs. Many organizations run Exchange Servers. When users log on to OWA, the domain controller sees the IP address of the Exchange Server. The system administrator can add the Exchange Server IP address to the IP Ignore List. Similarly, many systems are configured to perform automated tasks and continuously log on to the domain controller using bot user credentials. The system administrator can create a user group, add these bot users to the group, and add this user group to the Group Ignore List.

• IP Ignore List — If a user logs on from an IP address that is in the IP Ignore List, all logon events from that IP address are ignored.
• Group Ignore List — If a user is a member of a group whose name (or the name of one of its parent groups) is in the Group Ignore List, all logon events from that user are ignored.
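The two ignore-list rules above, written out as an added Python example (this is illustrative code, not McAfee's implementation). The directory data, the comma-separated field contents, the addresses and the user names are all constructed for the example; the semantics follow the text: an ignored IP drops every logon from that address, and an ignored group drops a user through direct or nested (parent group) membership.

```python
"""Evaluate MLC Group / IP Ignore List rules against logon events.

Illustrative example, not McAfee code. Directory contents below are
constructed so the example runs offline.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, FrozenSet, List, Set

# Constructed directory: group -> its parent groups (nesting may be deep).
PARENT_GROUPS: Dict[str, Set[str]] = {
    "Backup Bots": {"Service Accounts"},
    "Service Accounts": {"Automation"},
    "Automation": set(),
    "Finance": set(),
    "Domain Users": set(),
}

# Constructed directory: user -> direct group memberships.
USER_GROUPS: Dict[str, Set[str]] = {
    "svc-backup01": {"Backup Bots"},
    "alice": {"Finance", "Domain Users"},
    "bob": {"Domain Users"},
}


@dataclass(frozen=True)
class IgnoreLists:
    """Parsed form of the two comma-separated fields on the Edit page."""
    groups: FrozenSet[str]
    ips: FrozenSet[str]

    @classmethod
    def from_ui_fields(cls, group_field: str, ip_field: str) -> "IgnoreLists":
        # Both fields are comma-separated; tolerate stray whitespace and
        # canonicalise addresses so "10.0.0.25 " and "10.0.0.25" compare equal.
        groups = frozenset(g.strip() for g in group_field.split(",") if g.strip())
        ips = frozenset(str(ip_address(i.strip())) for i in ip_field.split(",") if i.strip())
        return cls(groups=groups, ips=ips)


def effective_groups(user: str) -> Set[str]:
    """Direct groups plus every transitive parent group (nested membership)."""
    seen: Set[str] = set()
    stack: List[str] = list(USER_GROUPS.get(user, set()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(PARENT_GROUPS.get(group, set()))
    return seen


@dataclass(frozen=True)
class LogonEvent:
    user: str
    source_ip: str


def ignore_reason(event: LogonEvent, lists: IgnoreLists) -> str:
    """Return '' if the event should be processed, else why it is dropped.

    IP rule: any logon from an address on the IP Ignore List is dropped,
    regardless of who logged on. Group rule: the user is dropped if any of
    the user's groups, or any parent of those groups, is on the Group Ignore List.
    """
    if str(ip_address(event.source_ip)) in lists.ips:
        return f"ip {event.source_ip} is on the IP Ignore List"
    hit = effective_groups(event.user) & lists.groups
    if hit:
        return f"user {event.user} is in ignored group(s) {sorted(hit)}"
    return ""


def filter_events(events: List[LogonEvent], lists: IgnoreLists) -> List[LogonEvent]:
    """Events that survive both ignore lists, in their original order."""
    return [e for e in events if not ignore_reason(e, lists)]


if __name__ == "__main__":
    lists = IgnoreLists.from_ui_fields("Automation, Finance-Temps", "10.0.0.25")
    sample = [
        LogonEvent("alice", "10.0.0.25"),        # OWA logon seen from the Exchange server
        LogonEvent("alice", "10.0.1.17"),        # alice from her own workstation
        LogonEvent("svc-backup01", "10.0.2.3"),  # bot account, nested under Automation
        LogonEvent("bob", "10.0.1.18"),
    ]
    for e in sample:
        print(e, ignore_reason(e, lists) or "kept")
```

Note that the IP rule is address-wide: a real user who happens to log on from the ignored Exchange address is dropped too, which is the intended trade-off for OWA.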
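Returning to the Remove White Space from Unique Name setting described earlier: this added example (illustrative code, not McAfee's) reproduces the 1.x collision and shows why it matters to a client that caches groups by uniqueName. The '@DistributionLists.scur.com' suffix follows the page's example; deriving it from a naming-context field, and the member names, are assumptions.

```python
"""uniqueName generation with and without white-space removal.

Illustrative example, not McAfee code. Assumes uniqueName has the form
'<cn-derived token>@<naming context>', as in the page's example.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Group(NamedTuple):
    cn: str
    naming_context: str   # assumed source of the '@...' suffix
    members: Set[str]     # constructed sample data


def unique_name(cn: str, naming_context: str, remove_white_space: bool) -> str:
    """1.x behaviour strips all white space from cn; the 2.x default keeps cn as-is."""
    token = "".join(cn.split()) if remove_white_space else cn
    return f"{token}@{naming_context}"


def colliding_cns(groups: List[Group], remove_white_space: bool) -> Dict[str, List[str]]:
    """uniqueNames that two or more distinct cn values map to."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for g in groups:
        seen[unique_name(g.cn, g.naming_context, remove_white_space)].append(g.cn)
    return {un: cns for un, cns in seen.items() if len(set(cns)) > 1}


def index_by_unique_name(groups: List[Group], remove_white_space: bool) -> Dict[str, Set[str]]:
    """Members keyed by uniqueName, as a client caching Logon Collector data might.

    When white space is removed, the members of 'ProductServices' and
    'Product Services' land under one key and a policy keyed on un can no
    longer tell the two groups apart.
    """
    index: Dict[str, Set[str]] = defaultdict(set)
    for g in groups:
        index[unique_name(g.cn, g.naming_context, remove_white_space)] |= g.members
    return dict(index)


# Constructed sample: the two groups from the page plus an unrelated one.
SAMPLE_GROUPS = [
    Group("ProductServices", "DistributionLists.scur.com", {"alice"}),
    Group("Product Services", "DistributionLists.scur.com", {"bob"}),
    Group("Finance", "DistributionLists.scur.com", {"carol"}),
]

if __name__ == "__main__":
    for setting in (True, False):
        print("removeWhiteSpaceFromUniqueName =", setting)
        print("  collisions:", colliding_cns(SAMPLE_GROUPS, setting))
        print("  members:   ", index_by_unique_name(SAMPLE_GROUPS, setting))
```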
Ignore user IP addresses and user group names

Select Server Settings | MLC Group / IP Ignore List to ignore user IP addresses and user group names.

Task
1 Select Menu | Configuration | Server Settings.
2 Select MLC Group / IP Ignore List and click Edit. The Edit MLC Group / IP Ignore List page is displayed.
3 In Group Ignore List, enter the user group names as comma-separated values.
4 In IP Ignore List, enter the user IP addresses as comma-separated values.
5 Click Save.

MLC Group Filter

A group filter in Logon Collector enables you to filter user groups and send only relevant information to clients such as McAfee Network Security Manager. The group filter optimizes the data sent to clients from Logon Collector. Filtering user groups also reduces the volume of transactions in the network and lets clients use fewer resources when caching the data from Logon Collector. The MLC Group Filter option is available under Menu | Configuration | Server Settings | Setting Categories.

Considerations for High Availability mode

Take care of these points when Logon Collector is in High Availability mode:
• The group filter settings can be configured on the primary server only.
• Group filter configuration is replicated from the primary to the secondary server.
• When the secondary server is in standby mode, it is not possible to make group filter changes.
• If the primary goes down, you can make group filter changes from the secondary server.

Contents
Configure a group filter
Send filtered groups to clients

Configure a group filter

You can create a group filter and send only relevant details to clients.

Before you begin
If the client is connected, disconnect the client from the Logon Collector server before configuring the group filter.
If the client is still connected when the group filter is configured, it has already received all the user groups instead of the filtered user groups.

Task
For option definitions, click ? or Help in the interface.
1 Go to Menu | Configuration | Server Settings | Setting Categories and click MLC Group Filter.
2 Click Edit. The Edit MLC Group Filter page is displayed.
3 Select the Enable Filter checkbox.
4 From Quick Find, select ALL DOMAINS or select a specific domain. The Available Groups and details for the domain are displayed. You can also enter a search keyword and click Apply.
5 Press the Ctrl key and select the user groups from the list. Click Add. The Added Groups are displayed. You can click Add all to select all user groups; if you then click Save, the group filter is disabled, because all user groups are selected and no filter as such is created. If you wish to remove any user groups, click Remove to refine your filter.
6 Click Save. The group filter is configured and the MLC Group Filter page is displayed.

You can now connect the client to Logon Collector so that it receives only the filtered user groups and details. Users who are members of the selected user groups are sent to the client, and logon events are sent only for users of the selected user groups.

Send filtered groups to clients

Logon Collector can configure a group filter, save the filter settings, connect to the client, and send filtered user groups and details. These are the high-level steps to send filtered user groups to clients.

Task
1 Add a monitored domain — Populates Logon Collector's database with all the user groups.
2 Configure a group filter — Select from the available user groups and save the group filter settings.
3 Connect to the client — The client receives the filtered user groups and information.

Users who are members of the selected user groups are sent to the client.
The logon events are sent only for users of the selected user groups.

Configuring the IP address for Logon Collector server client communication

When multiple IP addresses are present on the Logon Collector server, it listens on all of them. During High Availability failover, when the primary server is inactive or not reachable, the secondary server changes from standby to active state and keeps trying to establish communication with the primary server. Once the primary server is active again, the secondary server returns to the standby (or passive) state and the primary server regains its active state.

When the primary server is unavailable, the Logon Collector clients have to retry all the IP addresses of the primary server before switching over to the secondary server, which delays the failover process for the client. To overcome this, the Logon Collector allows you to choose the IP address used for communication. The Logon Collector HTTPS port continues to listen on all IP addresses, but client communication and High Availability communication happen through the selected IP address. When the primary server is not available, the Logon Collector clients have to retry only the configured primary IP address before switching to the secondary server.

Configure MLC Communication IP Address

To configure the MLC Communication IP Address:

Task
1 Select Menu | Configuration | Server Settings.
2 Click MLC Communication IP Address.
3 Click Edit at the bottom right corner and select an IP address from the drop-down list.
4 Click Save.

MLC User Login Timeout

The Logon Collector provides an option to modify how long a logon event is retained on the Logon Collector server. By default, a logon event is stored on the Logon Collector server for 6 hours.

Configure MLC User Login Timeout

To configure the MLC User Login Timeout:

Task
1 Select Menu | Configuration | Server Settings.
2 Click MLC User Login Timeout.
3 Click Edit at the bottom right corner to modify the time. Logon events are stored on the Logon Collector server for the configured time.
4 Click Save.

Printing and exporting

Configure the settings for exported documents.

Server certificate

In this section, you configure the certificate that the Logon Monitor uses to authenticate itself to the Logon Collector. Ensure that you have a certificate for the Logon Monitor, whether it is a self-signed certificate newly generated by the Logon Monitor or one issued by a Certificate Authority. The Logon Monitor will not function without a certificate. However, for a local Logon Monitor, you do not need a self-signed certificate.

• Distinguished Name — The Distinguished Name contains the Common Name and other attributes that the Logon Monitor needs to identify the certificate in its store (see Store Name below) that should be used to authenticate to the server. For example, the string cn=dlc.centserv.org,o=centserv,c=us could be the Distinguished Name, comprising the certificate's Common Name (cn), organization name (o), and country of origin (c). To use a self-signed certificate, you only need the Common Name (prefixed with cn=) for identification.
• Store Name — The Store Name, or Certificate Store name, is where the Logon Monitor looks for its certificates. The default Store Name is McAfeeLogonMonitor\MY, which uses the Store Type CERT_SYSTEM_STORE_SERVICES. If the Logon Monitor is running in standalone mode, use the Store Name MY, which uses the Store Type CERT_SYSTEM_STORE_CURRENT_USER.
• Generate Self-Signed Certificate — Available only when the Distinguished Name field is not blank, the Generate Self-Signed Certificate button generates a self-signed certificate and places it in the certificate store identified by Store Name.
  For a separate installation of Logon Monitor, you must generate a certificate so that you can connect the Logon Monitor to a Logon Collector.
• View Certificate — Available only when the Distinguished Name field is not blank, the View Certificate button opens the standard Windows certificate viewer showing the certificate matching the Distinguished Name, if one is found in the store.

About Personal Settings

Use the Personal Settings window to edit the password of the currently logged-on user and the period in minutes at which non-Dashboard tables refresh if they are set to auto-refresh. Select Menu | Configuration | Personal Settings.

Logon Monitor configuration

The Logon Monitor runs as a Windows service and starts automatically after every power cycle. This section describes configuring the Logon Monitor software.

You configure the Logon Monitor with an application named Logon Monitor Configuration on the Windows computer on which you installed the Logon Monitor software. If you are not configuring the Logon Monitor as part of the installation, go to the Start menu and select Logon Monitor Configuration (by default in Start | Programs | McAfee Logon Monitor | Logon Monitor Configuration) to display the McAfee Logon Monitor Configuration window.

You do not have to restart the Logon Monitor service when you make configuration changes. Changes take effect after you click OK. Logon Monitor configuration information is stored in the Windows Registry.

Configuration tab
The Configuration tab contains the settings for the Logon Monitor.

Remote tab
The Remote tab contains the certificate common name and certificate hash of any Logon Collector to which this Logon Monitor connects. The Logon Monitor accepts any number of certificates in the Remote tab.
Use MMC to manage Logon Monitor certificates

Logon Monitor uses the Microsoft Certificate store to manage the certificates it generates. After you install the Logon Monitor, the easiest way to view the certificates is to use the Microsoft Management Console (MMC) to view the Certificate store for the Logon Monitor service.

To use MMC:

Task
1 Start MMC (Start | Run | MMC).
2 Navigate to File | Add/Remove Snap-in to display the Add/Remove Snap-in window.
3 Click Add to display the Add Standalone Snap-in window.
4 Select Certificates and then click Add to display the Certificates snap-in window.
5 Select Service account on the Certificates snap-in window, and then click Next.
6 Select Local Computer, and then click Next.
7 Select Logon Collector from the list of services and then click Finish.
8 Click Close on the Add Standalone Snap-in window.
9 Click OK to close the Add/Remove Snap-in window. MMC displays the certificate information for the Logon Monitor.
10 Right-click a certificate or a store to import certificate lists into the display.

Import or remove a server or client CA certificate for Logon Monitor

See the Microsoft documentation on the Certificates snap-in for MMC for information on importing a certificate as a Certificate Authority (CA) for Logon Monitor. This is only useful when the Logon Monitor is using Certificate Checking.

Use NTLMv2 with Logon Monitors

McAfee recommends that you use Kerberos as the authentication type. If you want to use NTLM, you should use NTLMv2 as described in this section.

The default authentication method in Windows environments, LM hash, generates a weak response that an attacker can use to perform an offline brute-force attack to guess the actual password. Read this section to learn how to use the NTLMv2 authentication method for a more secure connection between a Logon Monitor and a domain controller.
McAfee recommends that you use the NTLMv2 authentication method on Windows 2008 and Windows 2012 servers when you are running a Logon Monitor. This enables the Logon Monitor to use NTLMv2 to authenticate to the domain controllers. This can only be accomplished by modifying the Registry; no changes are required on the domain controllers.

This procedure requires modifying the Windows Server Registry. Improper editing of the Registry could leave your system completely unusable or in an unstable state. Make a backup of your Registry before proceeding. For more information, see Microsoft support article 322756 (http://support.microsoft.com/kb/322756/).

If the Windows Server offers other services and there are clients that do not support NTLMv2 (for example, Windows 95 or Windows 98), this change prevents these old clients from using the server.

To force the use of NTLMv2:

Task
1 Log on to the Windows Server where the Logon Monitor runs.
2 Start the Registry editor (Start | Run | regedit).
3 Navigate to the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
4 Right-click the value LmCompatibilityLevel. See: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/76052.mspx
5 Click Modify.
6 Type the number 5 (only use NTLMv2 authentication, and negotiate NTLMv2 session security if the server supports it) and click OK.
7 Restart the Windows Server.
8 Ensure that the IAM status on the Logon Collector is UP after 10 minutes.

6 High Availability (Clustering)

This chapter discusses the High Availability (HA) feature. The terms High Availability and cluster are used interchangeably throughout the chapter.
Contents
Overview
Configuration basics
Configuration data replication
Logon events replication
Limitations
Disable a cluster
Reconfigure a cluster

Overview

The High Availability feature enables the McAfee® Logon Collector to run as a primary server and a secondary server. When the primary server is inactive or not reachable, the secondary server changes from standby to active mode and keeps polling the primary server to check whether it is available again. Once the primary server is active, the secondary server returns to the standby state.

The clients that were connected to the primary server switch over to the secondary server when the primary server becomes unreachable. When the primary server becomes active again, the clients switch back to the primary server.

Logon Collector can exist in the following modes:
• Standalone
• Cluster

Logon Collector can exist in the following states:
• Active
• Standby

Configuration basics

This section gives the details of the configuration basics of the High Availability feature.

Prerequisites for High Availability

The prerequisites for the High Availability feature are:
• Two Logon Collector servers (primary and secondary server) must be available.
• The domain controller(s) to be monitored must always be reachable from both Logon Collector servers.
• The primary and secondary servers must be able to communicate with each other.
• The primary and secondary servers must both have either a self-signed certificate or a certificate signed by a common CA.

High Availability setup

To configure a cluster:

Task
1 Install Logon Collector on two different servers (Windows Server 2008 or Windows Server 2012).
2 On the server that you intend to select as primary, select Menu | Configuration | Cluster Configuration. The Cluster Configuration window opens.
3 Click Edit.
  The Edit Cluster Configuration window opens.
4 Select the Enable clustering box, and select Primary. Click Save.
5 On the server that you intend to select as secondary, select Menu | Configuration | Cluster Configuration to open the Cluster Configuration window.
6 In the Edit Cluster Configuration window, select the Enable Clustering box and select Secondary. Enter the following details:
  • Primary Server (<IP Address>:<Https port>)
  • Admin username for primary server
  • Admin password for primary server
  Click Next. The Enable Cluster Task window opens.
7 Click Yes to display the HTTPS port certificate of the primary server. The cluster is formed only if you accept the certificate. This message gives information about the configuration settings after cluster formation is complete. Click No if you do not want to overwrite the configuration settings.
8 In the Primary MLC Certificate window, click Accept Certificate and Enable Clustering. This initiates the certificate exchange between the primary and secondary servers and establishes trust. The Cluster Configuration window opens.
9 The Cluster Configuration window shows the following details:
  • MLC Cluster Configuration Enabled: The status of cluster configuration
  • Status — The status of the server
  • Primary Server IP address — The IP address of the primary server
  • Https port number of primary server — The https port number used by the peer server during cluster creation
  • JMS port number of primary server — The Java Messaging Services (JMS) port number used by the peer server and clients for transferring data

Configure High Availability in Public Key Infrastructure (PKI) setup

You can also configure the High Availability feature in a Public Key Infrastructure (PKI) setup. The steps to configure the cluster in this scenario remain the same as described earlier.
Pre-requisites for High Availability in Public Key Infrastructure (PKI) setup

The following steps are the pre-requisites for High Availability in a Public Key Infrastructure (PKI) setup:
1 Select Menu | Configuration | Trusted CAs and add the CA root certificate on both High Availability peers.
2 Select Menu | Configuration | Server Settings | Identity Replication Certificate to replace the Identity Replication certificate with the CA-signed certificate for the respective servers.

The CA root certificate and the CA-signed certificate should also be added for the clients.

Error scenarios

An error message is displayed in any of the following scenarios:
• The certificate used by the primary server is self-signed, while the certificate used by the secondary server is signed by a CA.
• The certificate used by the secondary server is self-signed, while the certificate used by the primary server is signed by a CA.
• The certificates used by the primary and secondary servers are signed by two different CAs. In this case, the cluster configuration succeeds, but the status is displayed in red.

The following figure shows the error message.

Check the status of cluster formation

This section discusses how to check the status of cluster formation.
1 Select Menu | Reporting | Status to verify the cluster formation status.
2 In the Status window, click Cluster Manager to view the message from the cluster member.

Important: The overall {IAM} status is RED since the {LAM} component status is RED.

Configuration data replication

• When a cluster is created, the primary server overrides the existing configuration of the secondary server.
• The secondary server exists in one of the following states:
  • Active — When the secondary server is disconnected from the primary server, it is known as the active secondary server.
  • Standby — When the secondary server is connected to the primary server, it is known as the standby secondary server. The passive (standby) secondary server does not allow you to make configuration changes; an error message is displayed if you try. Configuration changes can only be made on the active secondary server.
• Replication from the primary to the secondary server: Once the cluster is configured, the configuration is replicated from the primary to the secondary server.
• Replication from the active secondary server to the primary server: When the primary server goes down and comes up again after a period of time, it receives the configuration details from the active secondary server.
• When the secondary server runs in standby mode, the {LAM} status is RED in the Status window. This is normal behavior, because the Logon Collector stops {LAM} when it runs in standby mode.

Logon Collector should not be deployed on a DHCP machine: The peer Logon Collector servers must communicate with each other during cluster formation, which may not be possible if the Logon Collector is deployed on a DHCP machine. McAfee products connected to the Logon Collector server on a given IP address are also disconnected when the IP address changes due to the DHCP configuration. McAfee therefore recommends that you avoid deploying the Logon Collector on a DHCP system.

Logon events replication

Replication from the primary to the secondary server
The logon events on the active Logon Collector server are replicated to the standby Logon Collector server.

Replication from the active secondary server to the primary server
When the primary server goes down and comes up again after a period of time, it receives the replication data (logon events, users, groups) from the active secondary server.

When both the primary and secondary servers are down, bring up first the server that has the latest configuration, followed by the other server.
If you fail to do so, the data replicated across the servers might not be the latest.

Limitations

The High Availability feature has the following limitations:
• The split network scenario is not supported. Ensure that communication between the primary and secondary servers is never interrupted. For example, if the network connectivity between the primary and the secondary server is down, the secondary server assumes that the primary server is not responding, waits for 5 seconds, and becomes active. When communication is re-established, the primary server always overrides the configuration of the secondary server.
• The High Availability feature works in a PKI setup, but the primary and secondary certificates must be signed by the same signer. Certificate Revocation Lists (CRLs) are not supported.
• Other McAfee products using the Logon Collector 1.0 client library do not benefit from this feature, but they continue to work in this scenario.

Disable a cluster

To disable a cluster:

Task
1 On the secondary server, select Menu | Configuration | Cluster Configuration.
2 Deselect Enable clustering, and click Save. The Disable Cluster Task window opens. Click Yes to continue.
3 Go to the Cluster Configuration window of the primary server.
4 Deselect the Enable clustering checkbox and click Save. The Disable Cluster Task window opens. Click Yes to continue.

When the cluster is disabled, the secondary server removes all configurations, including logon monitors and domains, and functions as a standalone server. The primary server retains the configurations and continues to monitor the configured domains as a standalone server.

Reconfigure a cluster

The cluster can be reconfigured if the roles of the servers need to be reversed (for example, if you want the secondary server to behave as the primary server and vice versa).
Follow the steps below to reconfigure a cluster:
1 Disable the cluster.
2 Enable the cluster with the new primary and secondary server configurations.

7 On-demand group and user refresh

This chapter gives the details of on-demand group and user refresh. You can refresh the user information at any time. This enables the Logon Collector server to synchronize its user/group data with the domain controller. If an administrator adds a user to an Active Directory group in order to grant access to a resource, the administrator can use on-demand group refresh to update the Logon Collector and allow the user access to the resource, without waiting for the group refresh that happens in the background.

McAfee recommends that you avoid running the group and user refresh tasks at the same time. Run the group refresh task approximately 20 minutes before the user refresh task to allow the group refresh task to complete.

Other options displayed in the Server Tasks user interface that are not explained in this chapter are not related to the Logon Collector.

Contents
MFS Scheduler 2.5
On-demand group refresh
On-demand user refresh
Server Tasks Log

MFS Scheduler 2.5

You can perform the on-demand group and user refresh tasks if the MFS Scheduler 2.5 is enabled. MFS Scheduler 2.5 is enabled by default. Go to Menu | Software | Extensions to view the MFS Scheduler 2.5 in the list of installed extensions.

Both the user refresh and group refresh are implemented using MFS Scheduler. The intervals for the scheduler tasks are stored in the SQL server and not in mlc-config.xml. Any change in the interval of these tasks is not replicated from the primary to the secondary server.

On-demand group refresh

Select Menu | Automation | Server Tasks to configure the MLC Refresh Groups server task.
Options of group refresh

This section gives the details of the various options of group refresh.

Option 1: Run

Use this option to manually refresh the group information in the Logon Collector database (IDDS) by retrieving the latest group information from the domain controller datastore.

To manually refresh the group information:

Task
1 Select Menu | Automation | Server Tasks.
2 Under MLC Refresh Groups, click Run. The Server Task Log page opens. This page gives the results of the group refresh action. By default, the records are sorted by time, with the latest record on top.
3 Click the MLC Refresh Groups record to view the details.

Option 2: Edit

Use this option to change the scheduler settings for a task. Select Menu | Automation | Server Tasks. Select MLC Refresh Groups and click Edit.

Tab 1: Description

Task
1 In the Server Task Builder page, the following details are displayed under the Description tab:
  • Name — MLC Refresh Groups
  • Notes — Refresh all groups for all directories
  • Schedule status — The schedule of the task
    • Enabled — to enable an automatic refresh
    • Disabled — to disable an automatic refresh
  McAfee does not recommend using the Disabled action.
2 Click Next. The Actions tab opens.
3 Click Save.

Tab 2: Actions

This tab shows the actions performed by Logon Collector.

Task
1 Under the Actions field, the MLC Group Sync option is selected by default.
2 Click Next. The Schedule tab opens.
3 Click Save.

Tab 3: Schedule

The Schedule tab enables you to change the scheduler settings for the task.
Task
1 In the Schedule tab, enter the following details:
  • Schedule Type — Select one of the following schedule types from the drop-down list:
    • Hourly
    • Daily
    • Weekly
    • Monthly
    • Yearly
    • Advanced
  McAfee recommends that you select the Daily option for Schedule Type.
  • Start Date — Select the date from which you want to start the task.
  • End Date — Select the date by which you want to stop the task. McAfee recommends that you select the No End Date option so that no end date is configured for the task.
  • Schedule — Click the add button to add a new scheduled time, or the remove button to remove an existing scheduled time.
    • At — Select the At option from the drop-down list to run the task at a specific time.
    • Between — Select the Between option from the drop-down list to run multiple tasks in a specific range of time.
  McAfee recommends that you set the schedule time such that the MLC Group Refresh task starts at least 20 minutes before the MLC User Refresh task.
2 Click Save.

Tab 4: Summary

Go to the Summary tab to view the following details:
• Name — The name of the task
• Notes — Any notes related to the task
• Task Owner — The owner of the task
• Schedule Status — The status of the scheduled task
• Schedule — The details about start date, end date, time frame, and next run time of the scheduled task
• Actions — The actions of the scheduled task, such as MLC Group Sync
Click Save.

Option 3: View

Use this option to view the settings for the refresh groups. Select Menu | Automation | Server Tasks. Select MLC Refresh Groups and click View. The Server Tasks Details page opens. This page displays details of the group refresh action.

On-demand user refresh

Select Menu | Automation | Server Tasks to configure the MLC Refresh Users server task.
Options of user refresh

This section gives the details of the various options of user refresh.

Option 1: Run

Use this option to manually refresh the user information in the Logon Collector database (IDDS) by retrieving the latest user information from the domain controller datastore.

To manually refresh the user information:

Task
1 Select Menu | Automation | Server Tasks. Click the Run option of MLC Refresh Users. The Server Task Log page opens. This page gives the results of the user refresh action. By default, the records are sorted by time, with the latest record on top.
2 Click the MLC Refresh Users record to view the details.

Option 2: Edit

Use this option to change the scheduler settings for a task. Select Menu | Automation | Server Tasks. Select MLC Refresh Users and click Edit.

Tab 1: Description

Task
1 In the Server Task Builder page, the following details are displayed under the Description tab:
• Name — MLC Refresh Users
• Notes — Refresh all users for all directories
• Schedule status — The schedule of the task:
  • Enabled — to enable an automatic refresh
  • Disabled — to disable an automatic refresh
  McAfee recommends that you avoid using the Disabled action.
2 Click Next to go to the Actions tab.
3 Click Save.

Tab 2: Actions

This tab shows the actions performed by Logon Collector.

Task
1 Under the Actions field, the MLC User Sync option is selected by default.
2 Click Next. The Schedule tab opens.
3 Click Save.

Tab 3: Schedule

The Schedule tab enables you to change the scheduler settings for the task.

Task
1 In the Schedule tab, enter the following details:
• Schedule Type — Select one of the following schedule types from the drop-down list:
  • Hourly
  • Daily
  • Weekly
  • Monthly
  • Yearly
  • Advanced
  McAfee recommends that you select the Daily option for Schedule Type.
• Start Date — Select the date from which you want to start the task.
• End Date — Select the date by which you want to stop the task. McAfee recommends that you select the No End Date option so that no end date is configured for the task.
• Schedule — Click the add icon to add a new scheduled time. Click the remove icon to remove an existing scheduled time.
  • At — Select the At option from the drop-down list to run the task at a specific time.
  • Between — Select the Between option from the drop-down list to run the task multiple times within a specific range of time.
  McAfee recommends that you set the schedule time so that the MLC Group Refresh task starts at least 20 minutes before the MLC User Refresh task.
2 Click Save.

Tab 4: Summary

Go to the Summary page to view the following details:
• Name — The name of the task
• Notes — Any notes related to the task
• Task Owner — The owner of the task
• Schedule Status — The status of the scheduled task
• Schedule — The details about start date, end date, time frame, and next run time of the scheduled task
• Actions — The actions of the scheduled task, such as MLC User Sync
Click Save.

Option 3: View

Use this option to view the settings for the refresh users task. Select Menu | Automation | Server Tasks. Select MLC Refresh Users and click View. The Server Tasks Details page opens. This page displays the details of the user refresh action.

Server Tasks Log

Select Menu | Automation | Server Task Log to view the group refresh and user refresh results of earlier executions.

8 User management

This section gives the details of user management for administrative access to the Logon Collector itself. To add users to Active Directory, use the normal Active Directory configuration mechanisms in Windows.

Contents
Manage users
Manage permission sets
Manage contacts

Manage users

You can add users to Logon Collector and specify what access they have to the system.
Add or modify a user

To add or modify a user:

Task
1 Select Menu | User Management | Users.
2 Click New User to add, or click Actions | Edit to modify.
3 Define the user.
  a Type a name for the user, or change the existing one.
  b Specify whether the user is able to log on or not. You cannot disable the logon status of the last remaining global administrator.
  c Select an authentication type. If you are modifying a user, first click Change Authentication or Credentials.
    • For Logon Collector authentication, type a password and confirm it.
    • For Windows authentication, type the user name and domain.
  d [Optional] Provide other details for the user: full name, email address, phone number, and notes.
  e Assign a permission set.
    • Select Global administrator to provide complete access to the Logon Collector.
    • Select a specific permission set or sets by clicking them.
4 Click Save.

Delete a user

To delete a user:

Task
1 Select Menu | User Management | Users.
2 Select a user or users by selecting the checkbox next to the user name.
3 Select Actions | Delete.

Manage permission sets

A permission set is a group of permissions, divided into sections, that can be granted to any user by assigning it to a user's account. One or more permission sets can be assigned to any user that is not a global administrator. Global administrators have all permissions to all features. Permission sets grant permissions only — no permission set ever removes a permission.

Create permission sets

Use this task to create a permission set.

Task
1 Select Menu | User Management | Permission Sets, then click New Permission Set.
2 Type a name for the permission set and select the users to which the set is assigned.
3 Click Save.
4 Select the new permission set from the Permission Sets list. Its details appear to the right.
5 Click Edit next to any section from which you want to grant permissions.
6 On the Edit Permission Set window that appears, select the appropriate options, then click Save.
7 Repeat for all desired sections of the permission set.

Delete permission sets

Use this task to delete a permission set. If the permission set has users assigned to it, those users lose the permissions granted to them. You must be a global administrator to perform this task.

Task
1 Select Menu | User Management | Permission Sets, then select the permission set that you want to delete in the Permission Sets list. Its details appear to the right.
2 Click Actions | Delete. The Action pane informs you whether any users are assigned to the permission set and gives you the opportunity to cancel the action.
3 Click OK in the Action pane. The permission set no longer appears in the Permission Sets list.

Duplicate permission sets

Use this task to duplicate a permission set. Duplicating a permission set creates an in-memory copy of the selected permission set that can be modified and saved with another name. You must be a global administrator to perform this task.

Task
1 Select Menu | User Management | Permission Sets, then select the permission set that you want to edit in the Permission Sets list. Its details appear to the right.
2 Click Actions | Duplicate, type a new name in the Actions pane, then click OK.
3 Select the new duplicate in the Permission Sets list. Its details appear to the right.
4 Click Edit next to any section for which you want to grant permissions.
5 On the Edit Permission Set window that appears, select the appropriate options, then click Save.
6 Repeat for all sections of the permission set for which you want to grant permissions.

Manage contacts

To make selecting recipients for reports and data easier, Logon Collector provides a Contacts feature where you can define names and email addresses for contacts.
Add or modify a contact

To add or modify a contact:

Task
1 Click Menu | User Management | Contacts.
2 Click New Contact to add, or click Actions | Edit to modify.
3 Type a name for the contact, or change the existing one. The contact must include a name; you can enter a first name only, a last name only, or both.
4 Type an email address.
5 Click Save.

Delete a contact

To delete a contact:

Task
1 Click Menu | User Management | Contacts.
2 Select a contact or contacts by clicking the checkbox next to the contact name.
3 Click Actions | Delete.

9 Reporting

This section gives details about the status of the product, so that you can verify that components are running as expected.

Contents
About the Status page
View who is logged on
View the audit log
Manage audit log queries
Define filter criteria
Define export criteria
View dashboards

About the Status page

Use the Status page to verify that components are running as expected. A round status indicator is located beside each component. Components and statuses are described in the following table. For all components, a green status indicator indicates that the component is operating correctly.

Table 9-1 System components

ID Manager {iam}
  Reports on: overall system status.
  Yellow: one or more of the component statuses are yellow. Check specific components to identify the cause of the component failure.
  Green: Working fine.
  Red: one or more of the following components are red: Login Acquisition Manager, Id Replication Manager, Login State Manager, Id Data Store. Check specific components to identify the cause of the component failure.

Login Acquisition Manager {lam}
  Reports on: current state of queries to domain controllers.
  Yellow: one or more domains are yellow or red.
  Green: Working fine.
  Red: all domains are red.

ID Replication Manager
  Reports on: status of the Identity Replication to the clients.
  Yellow: Not applicable.
  Green: Working fine.
  Red: an exception has occurred. A brief message describing the exception is provided. Check the Logon Collector logs to further identify the cause of failure.

Login State Manager {lsm}
  Reports on: whether the Login State Manager initialized correctly.
  Yellow: Not applicable.
  Green: Working fine.
  Red: initiation failed. Check the Logon Collector logs to identify the cause of failure.

ID Data Store {idds}
  Reports on: statistics on the number of objects stored.
  Yellow: Not applicable.
  Green: Working fine.
  Red: initiation failed. Check the Logon Collector logs to identify the cause of failure.

ID Resolution {pnd}
  Reports on: whether queries for user information from Active Directory have been serviced after a logon is detected.
  Yellow: there are more than 1000 logons in the pending queue waiting for user information to be resolved.
  Green: Working fine.
  Red: No red status.

Logon Flow {logons}
  Reports on: how many logons have been detected within the last minute.
  Yellow: no logons have been detected in the last hour.
  Green: Working fine.
  Red: no logons have been detected in the last twelve hours.

Cluster Manager {cluster}
  Reports on: the health of the cluster and the messages being exchanged between the cluster members.
  Yellow: Not applicable.
  Green: the cluster manager is working fine.
  Red: the communication between the cluster members is down, or one of the cluster members is not available.

View who is logged on

Logon Collector provides a report of the IP addresses that a user is using. To view who is currently logged on and at what IP address:

Task
1 Select Menu | Reporting | Logon Report.
2 [Optional] To search for a particular IP address or user name, type the value into the Quick find field, then click Apply.
3 [Optional] Configure the display of columns:
  a Select Actions | Choose Columns.
  b Align the columns by clicking a left or right arrow to move the column.
  c Remove a column by clicking the X button. Reset your changes by clicking Use Default.

Tasks
• Export report of who is logged on

Export report of who is logged on

You can save reports of who is logged on and email them. To email a report of who is logged on:

Task
1 Select Menu | Reporting | Logon Report.
2 Specify the contents of the report by applying filters as desired.
3 Select Actions | Export Table.

View the audit log

Logon Collector provides an audit log report that lists the changes made to the server configuration. To view the audit log:

Task
1 Select Menu | User Management | Audit Log.
2 [Optional] Define an advanced filter.
3 [Optional] Select a pre-defined filter from the drop-down list.
4 [Optional] Click an audit log entry to see the information for a single row displayed as rows instead of columns.
5 [Optional] Configure the display of columns:
  a Select Actions | Choose Columns.
  b Align the columns by clicking a left or right arrow to move the column.
  c Remove a column by clicking the X button. Reset your changes by clicking Use Default.

Tasks
• Export the audit log

Export the audit log

You can save specific views of the audit log and email them. To email an audit log:

Task
1 Select Menu | User Management | Audit Log.
2 Specify the contents by applying filters as desired.
3 Select Actions | Export Table.

Manage audit log queries

Audit log queries enable you to retrieve specific views of the audit log instead of the simpler view otherwise available. Queries against the audit logs are grouped into private and shared groups.

Create a query group

Task
1 Select Menu | Reporting | Queries.
2 Select Group Actions | New Group.
3 Type a name to identify the group.
4 Specify the group's visibility:
  • Private group — appears in My Groups.
  • Public group — appears in Shared Groups.
  • By permission set — appears in Shared Groups but is accessible only to users who are assigned the selected permission sets.

Delete a query group

Task
1 Click a group name.
2 Select Group Actions | Delete Group.
3 Click OK to confirm the deletion.

Edit a query group

Task
1 Click a group name.
2 Select Group Actions | Edit Group.
3 Change the name of the group and, optionally, the group's visibility.
4 Click Save.

Create audit log queries

To create an audit log query:

Task
1 Select Menu | Reporting | Queries.
2 Click New Query, then click Next to begin the Query Wizard.
3 Define the chart type.
  a Select the type of chart by clicking it.
  b Configure the chart. The available options differ depending on the type of chart you select.
  c Click Next to proceed in the query wizard.
4 Configure the display of columns.
  a Align the columns by clicking a left or right arrow to move the column.
  b Remove a column by clicking the X button.
  c Click Next to proceed in the query wizard.
5 [Optional] Configure filters.
6 Click Run. The query is run and the results are displayed.
7 [Optional] Click Edit Query to adjust the criteria.
8 When you are satisfied with the report, click Save.
9 Finish configuring the query:
  a Type a name to identify the query.
  b [Optional] Type notes to describe the query.
  c Assign the query to a query group. Define a new group or select from the list of existing groups.
10 Click Save. The query appears on the main Queries window. You may need to clear the Quick find text box.

Import audit log queries

You can save your audit log queries outside the Logon Collector as files, and then import them into the Logon Collector.
To import a query from a file:

Task
1 Select Menu | Reporting | Queries.
2 Select Actions | Import Query.
3 Click Browse to navigate to the file that contains your audit log query.
4 Assign the query to a query group. Define a new group or select from the list of existing groups.
5 Click Save. The query appears on the main Queries window. You may need to clear the Quick find text box.

Query actions

To apply actions to queries:

Task
1 Select the checkbox next to the desired query, or click the Queries checkbox at the top to apply an action to all queries.
2 Select an action from the list:
• Delete — Delete the selected queries.
• Duplicate — For single queries only, create a duplicate of the selected query. In the Duplicate window, type a new name for the query, and assign the query copy to a query group.
• Edit — For single queries only, alter the properties that affect the results of the selected query.
• Export Data — Export the results of the selected queries as an email attachment.
• Export Query Definition — For single queries only, export the query definition as an XML file. In the Opening query window, specify whether to open the file with an XML application or save the file. The file is saved to the path defined for your web browser.
• Import Query — Import a query stored as a file.
• Move to Different Group — Move the selected queries to a different group.
• New Query — Create a new query.
• Run — Execute the query and view the results.
• View Query SQL — For single queries only, view the selected query as a SQL statement.

Define filter criteria

Filter criteria are available when you select:
• The Boolean Pie Chart type
• Next after step 3 of the Query Wizard
• Advanced Filter for Audit Log

Available properties are Action, Completion Time, Details, Priority, Start Time, Success, and User Name.
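The following is an added example, not part of the McAfee guide or of Logon Collector's own code. It models how the filter criteria of this section combine: each activated property row carries one or more comparison items, the items within a row are joined with OR by default (switchable to AND), and the audit entries are evaluated against the seven properties the page lists. The audit entries, the comparison operators, and the assumption that separate property rows are ANDed together are constructed for illustration; the function and class names are this example's own.

```python
"""Added example: evaluation model for Logon Collector audit log filter criteria.

Not McAfee code. The audit entries below are constructed sample data, and the
rule that separate property rows are ANDed with each other is an assumption of
this model; the page states only that items within one property are ORed by
default and can be switched to AND.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from typing import Any, Callable

# The filter properties the guide lists for the audit log.
PROPERTIES = {"Action", "Completion Time", "Details", "Priority",
              "Start Time", "Success", "User Name"}

# Constructed audit log entries (not real Logon Collector output).
AUDIT_LOG: list[dict[str, Any]] = [
    {"Action": "Edit Server Task", "User Name": "admin", "Priority": "Medium",
     "Success": True, "Start Time": datetime(2014, 3, 1, 9, 0, 0),
     "Completion Time": datetime(2014, 3, 1, 9, 0, 2),
     "Details": "MLC Refresh Groups schedule changed"},
    {"Action": "Run Server Task", "User Name": "jdoe", "Priority": "Low",
     "Success": True, "Start Time": datetime(2014, 3, 1, 9, 20, 0),
     "Completion Time": datetime(2014, 3, 1, 9, 21, 10),
     "Details": "MLC Refresh Users run"},
    {"Action": "Delete Permission Set", "User Name": "admin", "Priority": "High",
     "Success": False, "Start Time": datetime(2014, 3, 1, 10, 5, 0),
     "Completion Time": datetime(2014, 3, 1, 10, 5, 0),
     "Details": "Permission set Operators deleted"},
    {"Action": "Logon", "User Name": "svc_mlc", "Priority": "High",
     "Success": False, "Start Time": datetime(2014, 3, 1, 10, 30, 0),
     "Completion Time": datetime(2014, 3, 1, 10, 30, 1),
     "Details": "Logon failed"},
]

# Comparison operators offered by this model (constructed, not the UI's list).
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: str(expected).lower() in str(actual).lower(),
    "before": lambda actual, expected: actual < expected,
    "after": lambda actual, expected: actual > expected,
}


@dataclass
class Criterion:
    """One comparison item on a property row."""
    property: str
    op: str
    value: Any

    def __post_init__(self) -> None:
        # Reject properties the audit log does not expose, and unknown operators.
        if self.property not in PROPERTIES:
            raise ValueError(f"unknown audit log property: {self.property!r}")
        if self.op not in OPERATORS:
            raise ValueError(f"unknown operator: {self.op!r}")

    def matches(self, entry: dict[str, Any]) -> bool:
        return OPERATORS[self.op](entry[self.property], self.value)


@dataclass
class PropertyRow:
    """An activated property with its comparison items and the and/or joiner."""
    property: str
    items: list[Criterion]
    joiner: str = "or"  # the UI default for additional items

    def matches(self, entry: dict[str, Any]) -> bool:
        results = [item.matches(entry) for item in self.items]
        return any(results) if self.joiner == "or" else all(results)


@dataclass
class AdvancedFilter:
    """All activated rows; an entry must satisfy every row (model assumption)."""
    rows: list[PropertyRow] = field(default_factory=list)

    def apply(self, entries: list[dict[str, Any]]) -> list[dict[str, Any]]:
        return [e for e in entries if all(row.matches(e) for row in self.rows)]


def details_of(entries: list[dict[str, Any]]) -> list[str]:
    return [e["Details"] for e in entries]


def refresh_task_entries(joiner: str) -> list[str]:
    """Same two items on Details; only the joiner differs. OR returns both refresh
    entries, AND narrows to the one that mentions both words."""
    row = PropertyRow("Details", [Criterion("Details", "contains", "Refresh"),
                                  Criterion("Details", "contains", "Users")], joiner)
    return details_of(AdvancedFilter([row]).apply(AUDIT_LOG))


def failed_admin_actions() -> list[str]:
    """Two rows: User Name equals admin, and Success equals False."""
    flt = AdvancedFilter([
        PropertyRow("User Name", [Criterion("User Name", "equals", "admin")]),
        PropertyRow("Success", [Criterion("Success", "equals", False)]),
    ])
    return details_of(flt.apply(AUDIT_LOG))


if __name__ == "__main__":
    print("OR :", refresh_task_entries("or"))
    print("AND:", refresh_task_entries("and"))
    print("failed admin actions:", failed_admin_actions())
```

The point worth noticing is in `refresh_task_entries`: with the default OR joiner, adding a second comparison item widens the result set, which is rarely what an administrator reviewing configuration changes intends; switching the row to AND is what narrows it.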
To manage criteria for the filter:

Task
1 Click the right arrow in the Available Properties column to activate that property.
2 [Optional] Click the plus sign at the end of the Property row to create an additional comparison item.
3 By default, an additional item is evaluated with an "OR" operator. Click "and" in the and/or box to change this.
4 [Optional] Click the left arrow next to the Property to remove it from consideration.
5 Click OK or Update Filter, depending on how you arrived at the filter criteria.

Define export criteria

When you choose to export data or a table, you must define the format of the exported file.

Task
1 Select an export action:
  • For a query, select Export Data.
  • For a Logged On report or Audit Log, select Export Table.
2 Review the information to be exported.
  • For queries, the names of the queries are listed.
  • For a Logged On report, a unique identifier and the number of data items are displayed.
3 [Optional] Select Zip the output files to compress the report.
4 Select a file format from CSV, XML, HTML, and PDF. For PDF, also specify a page size and page orientation, optionally select to show filter criteria, and optionally specify cover page text.
5 Configure the email. You must already have a configured email server.
  a Specify recipients by typing them, or by selecting them from a dialog box.
  b Type a subject line.
  c Add text for the body of the email message.
6 Click Export.

View dashboards

The Dashboards user interface option is not applicable for Logon Collector 2.1.

10 Integration with other McAfee products

This chapter discusses the integration of McAfee® Logon Collector with other McAfee® products. Every client (product) connecting to Logon Collector must have a different certificate with a unique Common Name.
This ensures that more than two clients can seamlessly connect to Logon Collector.

Contents
Integration with McAfee Firewall Enterprise
Integration with McAfee Firewall Enterprise Control Center
Integration with McAfee® Network Security Manager
Integration with McAfee Data Loss Prevention

Integration with McAfee Firewall Enterprise

You can use Passive Passport in McAfee® Firewall Enterprise to allow matching users to connect without prompting for authentication. If your organization uses Microsoft Active Directory, each user is defined as an Active Directory object. The firewall monitors the authentication status, group membership, and current IP address of each user by communicating with the McAfee® Logon Collector software, which is installed on a Windows server. Users are authenticated by the Active Directory server; they are not prompted for authentication by the firewall.

Integration requirements

The following list gives the details of the integration requirements:
• Logon Collector version — 2.2
• Firewall Enterprise version — 8.x and later

Upgrade path

If you are a Firewall Enterprise user and wish to upgrade to Logon Collector 2.2, perform these high-level steps:
1 Upgrade the Logon Collector 2.0 or 2.1 server to Logon Collector 2.2.
2 Upgrade Firewall Enterprise to the new version that has the Logon Collector 2.2 client.

Passive identity validation

You can use Passive Passport to allow matching users to connect without prompting for authentication. The following high-level tasks must be performed to use Passive Passport:

Task
1 Define users on an Active Directory server.
2 Install Logon Collector on a Windows server. You can skip this step if you have already installed Logon Collector.
3 On the Firewall Enterprise Passport window, enable Passive Passport and configure the connection between the Firewall Enterprise and Logon Collector.
4 In the Rule Properties window for access control rules or SSL rules, allow connections for selected users and groups based on organizational criteria.

Configure Passive Passport

Configure Passive Passport using the Firewall Enterprise Admin Console. Refer to the McAfee Firewall Enterprise Product Guide for details.

Integration with McAfee Firewall Enterprise Control Center

When integrated with McAfee® Firewall Enterprise Control Center, Logon Collector polls Active Directory domain controllers for user characteristics and sends this information to either or both of the appliances to correlate network traffic with user behavior. Further, to minimize the burden placed on a domain controller by Security Event Log queries (using WMI), the Logon Collector or Logon Monitor contacts the domain controller on behalf of the McAfee appliances that require the Security Event Log information.

Integration requirements

The following list gives the details of the integration requirements:
• Logon Collector version — 2.2
• Firewall Enterprise Control Center version — 5.x and later

Upgrade path

If you are a Control Center user and wish to upgrade to Logon Collector 2.2, perform these high-level steps:
1 Upgrade the Logon Collector 2.0 or 2.1 server to Logon Collector 2.2.
2 Upgrade Control Center to the new version that has the Logon Collector 2.2 client.

Refer to the section McAfee Logon Collector in the McAfee Firewall Enterprise Control Center Product Guide to integrate Logon Collector and Control Center.

Integration with McAfee® Network Security Manager

McAfee® Network Security Manager is a browser-based user interface used to view, configure, and manage McAfee® Network Security Sensor appliance deployments.
Together with the Sensor and the Manager, McAfee® Network Security Platform provides comprehensive network intrusion detection and can block, or prevent, attacks in real time, making it truly an intrusion prevention system (IPS). It is built for the accurate detection and prevention of intrusions, denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, and network misuse. The Manager can display a variety of information about the hosts inside and outside a network. The Logon Collector integrates with the Manager to display the user names of the hosts in your IPS and NTBA deployments. The Logon Collector provides an out-of-band method to obtain user names from the Active Directories.

Benefits

This integration helps to provide information about source and destination users.

User groups for Sensor

These are the numbers of user groups supported for different Sensor models.

Sensor model    8.0 Sensors    8.1 Sensors
M-series        up to 2,000    up to 10,000
NS-series       up to 2,000    up to 10,000
Virtual IPS     up to 2,000    Not Applicable

Important terms

This section describes the important terms associated with this integration.

Identity Acquisition Agent (IAA)
Identity Acquisition Agent (IAA) is deployed on the Network Security Platform side and is used as an interface to listen to the message service where the updates are published by the Logon Collector server.

McAfee® Network Security Manager MLC Listener
McAfee® Network Security Manager MLC Listener is the registered listener that regularly receives new updates from the Logon Collector through IAA.
Integration requirements

The following list gives the details of the integration requirements:
• Logon Collector version — 2.2
• McAfee® Network Security Manager version — 7.5.3.11 and later

Upgrade path

If you are a McAfee® Network Security Manager user and wish to upgrade to Logon Collector 2.2, perform these high-level steps:
1 Upgrade the Logon Collector 2.0 or 2.1 server to Logon Collector 2.2.
2 Upgrade McAfee® Network Security Manager to the new version that has the Logon Collector 2.2 client.

How Logon Collector - McAfee® Network Security Manager integration works

Logon Monitors of the Logon Collector can be used to poll nearby domain controllers and forward the collected information to the Logon Collector, shortening the distance that domain controller communication must travel.

Identity Acquisition Agent (IAA) is deployed on the McAfee® Network Security Manager side and is used as an interface to listen to the message service where the updates are published by the Logon Collector server. IAA listens to the Logon Collector Active Message Queue (MQ) service and regularly receives new updates from the Logon Collector server. A listener for receiving the updates is registered with the IAA. The registered listener regularly receives new updates from the Logon Collector through IAA.

All IP-to-user binding data is loaded into a newly created McAfee® Network Security Manager cache the first time. On subsequent updates, the cache is updated with only the differences. Because all the other components of the McAfee® Network Security Manager can query the Manager cache, it is not necessary to communicate with the Logon Collector server each time an update happens.

The McAfee® Network Security Manager and Logon Collector can co-exist on the same server.
However, McAfee does not recommend this co-existence, as it can hamper performance depending on the flow of traffic. You do not need a special passphrase or license key to install the Logon Collector software.

Configuration details for Logon Collector integration

This section gives the configuration details for the integration between McAfee® Network Security Manager and the Logon Collector server.

Configure integration at the admin domain level

You can enable the integration between the McAfee® Network Security Manager and the Logon Collector server at the admin domain level. Refer to the McAfee® Network Security Manager documentation for details.

Establishment of trust between Network Security Manager and Logon Collector server

Logon Collector communicates with the McAfee® Network Security Manager through two-way SSL authentication. This requires the exchange of certificates between the McAfee® Network Security Manager and the Logon Collector server.

Import the Manager certificate into Logon Collector

Export the Manager certificate, save the file to your local directory, and import the file into Logon Collector. Refer to the McAfee® Network Security Manager documentation for exporting the Manager certificate.

Task
1 In the Logon Collector console, select Menu | Configuration | Trusted CAs.
2 Click New Authority to open the New Trusted Authority window.
3 Select Import From File, then click Browse to add the exported file saved in your local directory. You can also use the Copy/Paste Certificate option.
4 Click Save.

Import the Logon Collector certificate

By default, Logon Collector is pre-installed with a self-signed certificate. If you have a different certificate signed by a CA, you can import this certificate and replace the existing Logon Collector certificate.
Task
1 In the Logon Collector console, select Menu | Configuration | Server Settings.
2 In the Settings Categories section, click Identity Replication Certificate.
3 Upload the Logon Collector certificate.
  a Copy the Logon Collector certificate from the Logon Collector console and paste it into a newly created file in your local directory.
  b Under the Import Certificate section, click Upload MLC Certificate in the New MLC Certificate option.
  c Select Upload MLC Certificate, then click Browse to add the Logon Collector certificate from your local directory.

If the existing Logon Collector certificate is changed, the clients connecting to Logon Collector, such as Firewall Enterprise and Network Security Manager, need to import the new Logon Collector certificate.

Display of Logon Collector details in the Threat Analyzer

You can view user information received from the McAfee® Logon Collector server in Threat Analyzer. Refer to the McAfee® Network Security Manager documentation for details.

Display of Logon Collector details in Network Security Manager reports

Manager reports display the user information received from Logon Collector. Refer to the McAfee® Network Security Manager documentation for details.

Integration with McAfee Data Loss Prevention

McAfee® Data Loss Prevention (NDLP or McAfee DLP) is delivered through a low-maintenance appliance and the McAfee® ePolicy Orchestrator (ePO) platform, for streamlined deployment, management, updates, and reports. It provides complete data security, data protection outside the network, and easy deployment and management.

Historically, McAfee DLP Manager has been linked to SAMAccountName as the main user identification element. But if that attribute is applied to users in the same domain who have similar or matching user names, they cannot be positively identified.
McAfee DLP now keys on the unique alphanumeric SID (Security Identifier) that is assigned to each user account by the Windows domain controller. For example, the user name jsmith might belong to John Smith or Jack Smith, so more information would be needed to distinguish between those two users. Those individuals might even be using the same IP address, which would aggravate the problem of discovering the identity of the actual user. But each account on an Active Directory server is made up of attributes that identify the individual who owns the account.

Logon Collector matches the unique SIDs that are assigned to each Active Directory user to IP addresses, and all of the parameters associated with that SID are extracted when Logon Collector moves binding updates from the Active Directory server to McAfee DLP.

Because SAMAccountName was used to index data in earlier releases, that information might be lost during ad hoc searches when the user has upgraded to 9.0, or when the data residing in the capture database pre-dates the upgrade.

Integration requirements

The following list gives the details of the integration requirements:
• Logon Collector version — 2.2
• McAfee DLP version — 9.x and later

Upgrade path

If you are a McAfee DLP user and wish to upgrade to Logon Collector 2.2, perform these high-level steps:
1 Upgrade the Logon Collector 2.0 or 2.1 server to Logon Collector 2.2.
2 Upgrade McAfee DLP to the new version that has the Logon Collector 2.2 client.

Using Active Directory User elements

All Active Directory elements are treated as word queries, and can be directed to specific LDAP servers. When these elements are used in a query, columns supporting the parameter are configured in the search window and on the dashboard. Each of the user elements retrieves the attributes listed.
Parameters available
• User Name — user's name, alias, department, location
• User Groups — user's group
• User City — user's city
• User Country — user's country
• User Organization — user's company or organization

Using McAfee DLP on remote LDAP servers

The ability to monitor user traffic on Active Directory servers has now been extended to remote directory servers, making global user management a reality. The ability of McAfee DLP 9.0 to connect to multiple domain controllers makes this possible. Not only is data on local networks captured, but capture is extended to all traffic on up to two LDAP servers.

When users can be recognized by name, group, department, city, or country, a McAfee DLP administrator can extract a great deal of significant information by using a few seminal facts to gradually gather more details about potential violations.

How Logon Collector is used with McAfee DLP

Suppose you know that your company has lost intellectual property to a firm in country X, and you suspect that the leak came from an insider in your branch in city Y. Because McAfee DLP captures all traffic on your company's network, you can add the Active Directory server that contains that insider's user account to McAfee DLP Manager, then search for the UserName of that individual and monitor their communications. You might then search those communications for the name of the lost component, and then find the email address and geographical location of users outside the company who might have received the information. You might not know what will be in those communications, but you can use what you find to ask the next logical question.

Logon Collector can be configured with McAfee DLP Manager to resolve user identities by retrieving collections of user account information from all Active Directory servers that have been added to the McAfee DLP system.
If your McAfee DLP Manager is configured with Logon Collector and an Active Directory server, endpoint protection can be extended to directory servers managing users all over the world. If you do not know the user's name, you can gradually develop their identity by searching for users in city Y, searching the user groups in your Engineering division, and identifying a sub-group that might contain the user.

How Logon Collector enables user identification

Logon Collector is used to map IP addresses to user identities within Active Directory servers. Without it, users may be hard to identify because they may be logged on to different or multiple workstations. IP addresses change when DHCP servers automatically assign new addresses, and more than one user might be logged on to the same workstation.

When a Logon Collector is configured with a McAfee DLP Manager, it resolves user identities by retrieving collections of user account information from all Active Directory servers that have been added to the McAfee DLP system.

Supporting multiple domain controllers means that large-scale enterprise operations can be served by McAfee applications. For McAfee DLP, that means that after Logon Collector is enabled, McAfee DLP administrators can configure Active Directory-based queries and rules to find out what activities specific users are engaging in on the network.

Setting up Logon Collector

Before you begin
Before Logon Collector can be used with McAfee DLP, an Active Directory server must be added to McAfee DLP Manager. Then secure communications must be established between McAfee DLP and Logon Collector.

To complete the SSL connections:

Task
1 Export a certificate from Logon Collector.
2 Import the Logon Collector certificate into McAfee DLP Manager.
3 Export a certificate from McAfee DLP.
4 Import the McAfee DLP certificate into Logon Collector.
5 Restart Logon Collector.

After these steps are complete, secure communications between McAfee DLP and Logon Collector are enabled, and data on Active Directory servers is available for searching and rule construction.

Authenticating McAfee DLP Manager and Logon Collector

Before you begin
Use this method to connect McAfee DLP to a Logon Collector so that certificates can be exchanged, authenticating each to the other. When the process is complete, an SSL connection is set up between them.

Task
1 Open a web browser and log on to the Logon Collector.
2 In the Logon Collector server, select Menu | Configuration | Server Settings | Identity Replication Certificate.
3 Scroll to the bottom of the page.
4 Select and copy all text in the Base 64 field.
5 Open a web browser and log on to the McAfee DLP Manager.
6 Select System | Directory Services.
7 Select Add a McAfee Logon Collector from the Actions menu.
8 Type the IP address of the Logon Collector.
9 Click the paste radio button and paste the text into the box. Save this Base 64 data to a text file on your desktop so you can reuse it.
10 Click Apply.
11 Click Export to save the McAfee DLP certificate to your desktop.
12 Open a web browser and type in the address of the Logon Collector.
13 Select Menu | Configuration | Trusted CA.
14 Click New Authority.
15 Go to the netdlp_certificate.cer file you saved to your desktop.
16 Click Open.
17 Click Save. This adds the McAfee DLP Manager to Logon Collector.
18 Open a Remote Desktop session on the Logon Collector server.
19 Shut down and restart the Logon Collector server.

The connection is now complete.
11 Scalability

This chapter describes the performance limits supported by the Logon Collector.

Scalability details

The performance limits for the Logon Collector are:

Fields       Numbers
Users        up to 100,000
Groups       up to 30,000
Logon rate   up to 800 logon events per minute
Clients      up to 150

12 Troubleshooting

This chapter gives information that may assist you in solving a problem.

Contents
Verify the domain credentials
Create a non-administrator account to access the security event log on a domain controller
Logon Monitor logs
Logon Collector logs
Error installing Logon Collector 2.0 on Windows Server 2008 R2
Error uninstalling SQL database instance for Logon Collector
Configure Database Settings page to connect to the SQL server
Ports used by Logon Collector
High memory usage of lsass.exe
Recovery procedure for McAfee ePO 10,000 directory objects restriction
Saved group filter configuration

Verify the domain credentials

This section describes how to verify that the credentials you specify for a domain are correct and have sufficient privileges to connect to a domain controller using the Logon Collector. The domain controllers you access must be logging security events.

Test your credentials by using the wbemtest.exe tool to connect to a domain controller and run several queries. If you are unable to specify credentials for an administrator account, you can use a non-administrator account on the domain controller. The administrator account that you intend to use to access the domain controller MUST be in the same domain from which you want to obtain identities.
Successful execution of the queries verifies that the credentials you specified have sufficient privileges for accessing the following on the domain controller:
• security event log
• CPU performance
• WMI connection
• DCOM connection

Connect to a domain controller

Follow the steps below to use the wbemtest.exe tool to connect to a domain controller. These instructions only work if the Logon Collector is run on a remote computer; they will not work if the Logon Collector is run on the local domain controller.

Task
1 Open a command prompt and navigate to \Windows\System32\WBEM.
2 Run wbemtest.exe:
  C:\Windows\System32\WBEM> wbemtest
  The Windows Management Instrumentation Tester window appears.
3 Click Connect to display the Connect window.
4 Specify the following information:

  Option                            Definition
  (unlabeled connection field)      \\<dc_name>\root\cimv2
  User                              The user name to authenticate to the domain controller.
  Password                          The associated password.
  Authority                         Leave this field blank.
  Locale                            Leave this field blank.
  Impersonation level               Select Impersonate.
  How to interpret empty password   Select NULL.
  Authentication level              Select Packet privacy.

5 Click Connect to proceed.
  If the message Access Denied appears, you may have mistyped the credentials, or the user account does not have the necessary privileges. Try retyping the credentials, and verify that the user account is properly set up. If you are not using an administrator account, you can use a non-administrator account on the domain controller.
  The Windows Management Instrumentation Tester window changes to display IWbemServices and Method Invocation Options. Successfully authenticating to the domain controller and viewing this window means the Logon Collector has access to WMI and DCOM connections.
6 Run each of the following queries:
  • CPU performance query — success with this query means the Logon Collector has access to CPU performance on the domain controller.
  • Back log query — success with this query means the Logon Collector has access to the security event log.
  • Forward log notification query — success with this query means the Logon Collector has access to the security event log.
  You must successfully execute the CPU performance query and either one of the log queries to verify that you have the correct credentials and, therefore, sufficient access privileges.

Run a CPU performance query

Follow these instructions to run a CPU performance query.

Task
1 Connect to a domain controller.
2 Click Query.
3 Type the following query:
  SELECT * FROM Win32_PerfRawData_PerfOS_Processor WHERE Name='_Total'
4 Click Apply to view the query results.
5 Click Close when the query functionality is proven successful by displaying the contents shown in the screen shot above.
6 Run the other queries if you have not already done so.

Run a back log query

Follow these instructions to run a back log query.

Task
1 Connect to a domain controller.
2 Click Query.
3 Type the following query, where yyyymmdd is yesterday's date:
  SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND (EventIdentifier = 672 OR EventIdentifier = 673 OR EventIdentifier = 680 OR EventIdentifier = 4768 OR EventIdentifier = 4769 OR EventIdentifier = 4776) AND TimeWritten > 'yyyymmdd'
4 Click Apply to view the query results.
5 Click Close when the query functionality is proven successful by displaying the contents shown in the screen shot above. You do not have to wait for all results to return.
6 Run the other queries if you have not already done so.

Run a forward log notification query

Follow these instructions to run a forward log notification query.

Task
1 Connect to a domain controller.
2 Click Notification Query.
3 Type the following query:
  SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile = 'Security' AND (TargetInstance.EventIdentifier = 672 OR TargetInstance.EventIdentifier = 673 OR TargetInstance.EventIdentifier = 680 OR TargetInstance.EventIdentifier = 4768 OR TargetInstance.EventIdentifier = 4769 OR TargetInstance.EventIdentifier = 4776)
4 Click Apply. Results are shown as they are logged.
5 Click Close. The operation does not complete until you click Close.
6 Run the other queries if you have not already done so.

Create a non-administrator account to access the security event log on a domain controller

Logon Collector supports domains running Windows 2008 R2 and Windows 2012. You cannot install Logon Collector on a Windows 2003 server; however, Logon Collector can monitor Windows 2003 domains.

Perform the steps detailed in the KB article KB75890 to create a non-admin account on Windows 2008 or 2012 to access the domain controller security event logs.

Create an account on Windows Server 2003 and 2008

Create an account on Windows Server 2003

The following tasks must be completed to create a non-administrator account on Windows Server 2003 that is able to access the domain controller security event log:
• Create a new Active Directory group.
• Determine the SID of the newly created Active Directory group.
• Create a domain user account.
• Enable permissions.
• Grant DCOM access.
• Enable WMI access to the required namespace.

Create an account on Windows 2000 server

The following tasks must be completed to create a non-administrator account on Windows 2000 server that is able to access the domain controller security event log:
• Create a new Active Directory group.
• Grant DCOM access.
• Create a domain user account.
• Enable read access to the security event log.
• Enable WMI access to the required namespace.

Additional resources

Resource                            URL
Microsoft knowledge base article    http://support.microsoft.com/kb/323076
Security Descriptor String Format   http://msdn.microsoft.com/en-us/library/aa379570(VS.85).aspx
SID string description              http://msdn2.microsoft.com/en-us/library/aa379602.aspx
ACE Strings description             http://msdn2.microsoft.com/en-us/library/aa374928.aspx
Useful document for SDDL syntax     http://www.washington.edu/computing/support/windows/UWdomains/SDDL.htm
DCOM Remote access                  http://msdn2.microsoft.com/en-us/library/aa393266.aspx
WMI Remote access                   http://msdn2.microsoft.com/en-us/library/aa393613.aspx

Logon Monitor logs

The basic format of the log messages for the Logon Monitor is as follows:
YYYY-MM-DD'T'HH:mm:ss'Z' <LEVEL>: <Msg>

Time is in UTC (hence represented as Z in the basic format). An example of the basic log message format for Logon Monitor is:
2010-11-09T21:23:09Z INFO: DlcServiceMain Service Started.

The following list shows the three types of messages that you can receive:
• Internal messages
• Messages due to Logon Collector communication
• Messages due to Logon Monitor communication

Internal messages

Internal messages have no qualifier. Examples of internal messages are as follows:
• 2010-11-09T21:23:09Z INFO: DlcServiceMain Service Started
• 2010-11-09T21:23:09Z INFO: Socket Listening on 50443

Messages generated due to Logon Collector communication

The messages generated due to Logon Collector communication only occur at debug level 2 or higher.
The format of the messages generated due to Logon Collector communication is as follows:
Format — <Date> <Level>: [CLI:<MLC IP Address>:<Port>] <Message>

Examples:
2010-12-03T16:46:24Z DEBUG: [CLI:127.0.0.1:10248] Connection accepted
2010-12-03T16:46:24Z DEBUG: [CLI:127.0.0.1:10248] Command HELLO
2010-12-03T16:46:24Z DEBUG: [CLI:127.0.0.1:10248] Command CONNECT

The following sample message can be used to understand the different parts of a message:
STATS RP:0 LR:2010-12-03T16:46:12Z LV:0 PB:0 CB:0 LW:4 BW:243
where
• RP stands for the number of records sent
• LR stands for the time the last record was sent
• LV is a number from 0 to 5 that indicates slow communications; any number larger than 3 indicates that the link might be very slow
• PB and CB are combined to calculate the number of bytes that are pending to be written
• LW stands for the number of lines written
• BW stands for the number of bytes written (can be used to calculate bandwidth)

Messages generated due to Logon Monitor communication

The messages generated due to Logon Monitor communication occur at all levels, mostly at the info level. Their format is as follows:
Format — <Date> <Level>: [DC:<DC Name>] <Message>

Examples:
2010-12-03T16:46:24Z INFO: [DC:d2-dc-01.domain2.cai.local] Wmi Connected
2010-12-03T16:46:24Z INFO: [DC:d2-dc-01.domain2.cai.local] DcConnection::run Backlog query disabled by client request

Example of an error message. The following error message will appear in the Logon Collector Status window:
Access Denied (Password Change)
ERROR: [DC:nsbu-01.domain3.cai.local] Wmi [0x80070005 - Access is denied.] ConnectServer

Example of an error code: 0x80070005 — this is a Microsoft error code. For more information, refer to microsoft.com.
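The wbemtest procedure under "Verify the domain credentials" can be scripted so that the same checks run repeatably from the Logon Collector host. The block below is an added example, not part of the McAfee guide or product: it uses Windows PowerShell 5.1's WMI cmdlets with the connection settings the guide specifies (Impersonate, Packet privacy) and the guide's three WQL queries, then applies the guide's pass condition (CPU query plus at least one log query). The domain controller name, the credential and the timeout are parameters you supply; as with wbemtest, it must be run from a computer other than the domain controller, because alternate credentials cannot be used against the local machine.

```powershell
# Added example (not McAfee code): scripts the wbemtest credential checks from
# "Verify the domain credentials" with Get-WmiObject / Register-WmiEvent.
# Run from the Logon Collector host (not on the DC) under Windows PowerShell 5.1.
param(
    [Parameter(Mandatory)] [string]       $DomainController,   # e.g. dc-01.domain1.cai.local
    [Parameter(Mandatory)] [pscredential] $Credential,         # account in the monitored domain
    [int] $NotificationTimeoutSeconds = 60
)

# Logon event IDs the guide's queries watch: 672/673/680 are the Windows 2003
# Kerberos TGT, service-ticket and NTLM logon events; 4768/4769/4776 are the
# Windows 2008+ equivalents.
$eventIds = 672, 673, 680, 4768, 4769, 4776

# Same settings the guide gives for the wbemtest Connect dialog.
$common = @{
    ComputerName   = $DomainController
    Namespace      = 'root\cimv2'
    Credential     = $Credential
    Authentication = 'PacketPrivacy'   # Authentication level: Packet privacy
    Impersonation  = 'Impersonate'     # Impersonation level: Impersonate
    ErrorAction    = 'Stop'
}

function Test-Query {
    param([string] $Name, [string] $Query)
    try {
        $rows = @(Get-WmiObject @common -Query $Query)
        [pscustomobject]@{ Check = $Name; Result = 'OK'; Rows = $rows.Count; Detail = '' }
    } catch {
        # An 0x80070005 (Access denied) here is the same failure wbemtest reports.
        [pscustomobject]@{ Check = $Name; Result = 'FAILED'; Rows = 0; Detail = $_.Exception.Message }
    }
}

$results = @()

# 1. WMI/DCOM connection plus CPU performance counter access.
$results += Test-Query 'CPU performance' `
    "SELECT * FROM Win32_PerfRawData_PerfOS_Processor WHERE Name='_Total'"

# 2. Back log query: security log events since yesterday. The guide's 'yyyymmdd'
#    shorthand is written out here as a full DMTF datetime.
$since    = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddDays(-1).Date)
$idFilter = ($eventIds | ForEach-Object { "EventIdentifier = $_" }) -join ' OR '
$results += Test-Query 'Back log (security event log)' `
    "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND ($idFilter) AND TimeWritten > '$since'"

# 3. Forward log notification query: subscribe and wait for one new logon event.
$tiFilter    = ($eventIds | ForEach-Object { "TargetInstance.EventIdentifier = $_" }) -join ' OR '
$notifyQuery = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
               "AND TargetInstance.Logfile = 'Security' AND ($tiFilter)"
try {
    Register-WmiEvent -ComputerName $DomainController -Namespace 'root\cimv2' -Credential $Credential `
        -Query $notifyQuery -SourceIdentifier 'MlcSecLogProbe' -ErrorAction Stop | Out-Null
    $evt = Wait-Event -SourceIdentifier 'MlcSecLogProbe' -Timeout $NotificationTimeoutSeconds
    if ($evt) {
        $results += [pscustomobject]@{ Check = 'Forward log notification'; Result = 'OK'; Rows = 1; Detail = 'event received' }
        Remove-Event -EventIdentifier $evt.EventIdentifier
    } else {
        # The subscription itself succeeded; simply no logon occurred within the timeout.
        $results += [pscustomobject]@{ Check = 'Forward log notification'; Result = 'OK'; Rows = 0; Detail = 'subscribed; no event within timeout' }
    }
} catch {
    $results += [pscustomobject]@{ Check = 'Forward log notification'; Result = 'FAILED'; Rows = 0; Detail = $_.Exception.Message }
} finally {
    Unregister-Event -SourceIdentifier 'MlcSecLogProbe' -ErrorAction SilentlyContinue
}

$results | Format-Table -AutoSize

# Guide's pass condition: CPU query plus either one of the two log queries.
$cpuOk = @($results | Where-Object { $_.Check -eq 'CPU performance' -and $_.Result -eq 'OK' }).Count -gt 0
$logOk = @($results | Where-Object { $_.Check -ne 'CPU performance' -and $_.Result -eq 'OK' }).Count -gt 0
if ($cpuOk -and $logOk) { 'Credentials verified for Logon Collector use.' }
else { 'Credential check FAILED: see Detail column.'; exit 1 }
```

Run it as `.\Test-MlcCredentials.ps1 -DomainController dc-01.domain1.cai.local -Credential (Get-Credential)`. A FAILED row with an HRESULT in its Detail column can be looked up in the Common Domain Controller errors table that follows.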
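The Logon Monitor message formats above are regular enough to parse, which is how a practitioner would turn a long log into a short list of slow links and domain controller errors. The following PowerShell is an added example, not McAfee code: it parses lines in the three formats described (internal, [CLI:...] and [DC:...]), decodes the STATS fields, flags the LV > 3 condition the guide calls out, and extracts the HRESULT from DC error lines. The sample lines are constructed from the guide's own examples plus one constructed STATS line with a high LV value.

```powershell
# Added example (not McAfee code): parser for Logon Monitor log lines.
# Sample input is constructed from the guide's examples; the second STATS line
# is invented to show a slow-link report.
$sampleLog = @'
2010-11-09T21:23:09Z INFO: DlcServiceMain Service Started
2010-11-09T21:23:09Z INFO: Socket Listening on 50443
2010-12-03T16:46:24Z DEBUG: [CLI:127.0.0.1:10248] Connection accepted
2010-12-03T16:46:24Z DEBUG: [CLI:127.0.0.1:10248] Command HELLO
2010-12-03T16:46:24Z DEBUG: [CLI:127.0.0.1:10248] STATS RP:0 LR:2010-12-03T16:46:12Z LV:0 PB:0 CB:0 LW:4 BW:243
2010-12-03T16:46:30Z DEBUG: [CLI:127.0.0.1:10248] STATS RP:12 LR:2010-12-03T16:46:28Z LV:4 PB:1024 CB:512 LW:16 BW:4096
2010-12-03T16:46:24Z INFO: [DC:d2-dc-01.domain2.cai.local] Wmi Connected
2010-12-03T16:47:01Z ERROR: [DC:nsbu-01.domain3.cai.local] Wmi [0x80070005 - Access is denied.] ConnectServer
'@

# <Date> <Level>: [CLI:ip:port | DC:name] <Message>; the qualifier is optional (internal messages).
$linePattern = '^(?<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?<level>\w+):\s+(?:\[(?<kind>CLI|DC):(?<peer>[^\]]+)\]\s+)?(?<msg>.*)$'

function ConvertFrom-LogonMonitorLine {
    param([string] $Line)
    if (-not ($Line -match $linePattern)) { return $null }
    $ts = $Matches.ts; $level = $Matches.level; $kind = $Matches.kind; $peer = $Matches.peer; $msg = $Matches.msg
    $source = if ($kind) { $kind } else { 'Internal' }
    # Timestamps carry a literal Z: the guide states all times are UTC.
    $time = [datetime]::ParseExact($ts, "yyyy-MM-dd'T'HH:mm:ss'Z'",
                [System.Globalization.CultureInfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::AssumeUniversal)
    $stats = $null
    if ($msg -like 'STATS *') {
        # STATS RP:n LR:<time> LV:n PB:n CB:n LW:n BW:n
        $fields = @{}
        foreach ($pair in (($msg -replace '^STATS\s+', '') -split '\s+')) {
            $k, $v = $pair -split ':', 2      # LR value itself contains colons, so split once
            $fields[$k] = $v
        }
        $stats = [pscustomobject]@{
            Records      = [int]$fields['RP']
            LastRecord   = $fields['LR']
            LinkLevel    = [int]$fields['LV']                     # 0-5; > 3 means the link may be very slow
            PendingBytes = [int]$fields['PB'] + [int]$fields['CB'] # PB and CB combine to bytes pending
            LinesWritten = [int]$fields['LW']
            BytesWritten = [int]$fields['BW']
        }
    }
    $hresult = if ($msg -match '\[(?<hr>0x[0-9A-Fa-f]{8})\s*-') { $Matches.hr } else { $null }
    [pscustomobject]@{ Time = $time; Level = $level; Source = $source; Peer = $peer; Message = $msg; Stats = $stats; HResult = $hresult }
}

$entries = @($sampleLog -split "`r?`n" | ForEach-Object { ConvertFrom-LogonMonitorLine $_ } | Where-Object { $_ })

"Parsed $($entries.Count) lines: " + (($entries | Group-Object Source | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', ')

# Slow links, per the guide's LV threshold.
$entries | Where-Object { $_.Stats -and $_.Stats.LinkLevel -gt 3 } | ForEach-Object {
    "SLOW LINK  {0:u}  client {1}  LV={2} pending={3} bytes" -f $_.Time, $_.Peer, $_.Stats.LinkLevel, $_.Stats.PendingBytes
}

# Domain controller errors with their HRESULT, for lookup in the common-errors table.
$entries | Where-Object { $_.Level -eq 'ERROR' -and $_.Source -eq 'DC' } | ForEach-Object {
    "DC ERROR   {0:u}  {1}  {2}: {3}" -f $_.Time, $_.Peer, $_.HResult, $_.Message
}
```

To run it over a real log, replace the here-string with `Get-Content <path to the Logon Monitor log>`; everything else stays the same. Lines that do not match the format (for example multi-line stack traces) are dropped rather than mis-parsed.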
Common Domain Controller errors

The following table shows the common Domain Controller errors:

Error        Description
0x80070005   Access Denied. This error can be displayed due to password issues.
0x8004106C   Quota Violation: patch mismatch between DC and MLC. To overcome this problem, ensure that all patches are applied.
0x800706BA   The RPC server is unavailable. This error can be displayed due to one of the following reasons:
             • password problem
             • the system is down
             • access control
             • WMI is turned off on the system
             • patch mismatch
0x80010002   Call was canceled by the message filter (same as 0x800706BA).
0x80090327   An unknown error occurred while processing the certificate. To overcome this problem, check the certificate of the remote Logon Monitor.

For more information, refer to http://msdn.microsoft.com/en-us/library/aa394559%28v=vs.85%29.aspx.

Logon Collector logs

The Logon Collector has the following log files available at <MLC_INSTALL_FOLDER>/server/logs for troubleshooting:
• jakarta_service_20100930.log
• orion.log
• orion.log1
• localhost_access_log.2010-10-12.txt
• stderr.log

Of the available logs, orion.log and orion.log1 are the most important. orion.log is a rotating log: it has a size limit and also a limit on the total number of log files. For example, when orion.log reaches its maximum size limit, logging rolls over to orion.log1.

Log format — YYYY-MM-DD HH:mm:ss,mmm <LEVEL> [<Thread>] Message

While troubleshooting, search for the word 'Exception' in the orion log file.

Logon Collector Active Directory communication errors log records

Check for 'GSS initiate failed' or LoginException in the Logon Collector Active Directory communication errors log records. These error messages indicate that the Logon Collector is unable to access Active Directory.
The most common problems are as follows:
• Wrong password:
  • LoginException: Pre-authentication information was invalid (24)
• DNS problem:
  • No valid credentials are provided (mechanism level: server not found in Kerberos database (7))

Troubleshooting DNS problems

To troubleshoot DNS problems:
• Verify that the SRV records exist for the domain to be monitored.
• Run the following command from the Logon Collector server command line and verify the output against the expected output shown below:

C:\>nslookup -query=SRV _kerberos._tcp.domain1.cai.local
Server:  net-apps.cai.local
Address:  172.25.59.11

Non-authoritative answer:
_kerberos._tcp.domain1.cai.local        SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = dc-01.domain1.cai.local
_kerberos._tcp.domain1.cai.local        SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = dc-02.domain1.cai.local
domain1.cai.local       nameserver = dc-02.domain1.cai.local
domain1.cai.local       nameserver = dc-01.domain1.cai.local
dc-01.domain1.cai.local internet address = 172.25.59.80
dc-02.domain1.cai.local internet address = 172.25.59.81

• Verify that both forward DNS and reverse DNS work for the domain to be monitored.
• Run the following commands from the Logon Collector server command line and verify the output against the expected output shown below:

C:\>nslookup dc-01.domain1.cai.local
Server:  net-apps.cai.local
Address:  172.25.59.11

Non-authoritative answer:
Name:    dc-01.domain1.cai.local
Address:  172.25.59.80

C:\>nslookup 172.25.59.80
Server:  net-apps.cai.local
Address:  172.25.59.11

Name:    dc-01.domain1.cai.local
Address:  172.25.59.80

Troubleshooting NSLookup failure

When NSLookup fails, consider the following to troubleshoot:
• Check if it is pointing at the wrong DNS server:
  • Make sure that you are using the production DNS server.
  • Check if the setup is correct.
    Make sure that you point the Logon Collector server DNS entries to the domain controllers.
• Check if there are any entries in C:\Windows\System32\drivers\etc\hosts:
  • Check for entries equivalent to those in UNIX's /etc/hosts.
  • Check this file for entries that "mask" the DNS entries. The recommendation is to have only comments ('#') in this file.
  • In production environments, DNS will not be a problem, as Windows relies on a proper DNS setup.
• Check if you are using reverse DNS. Make sure that you have added entries in DNS for reverse DNS.

Error installing Logon Collector 2.0 on Windows Server 2008 R2

Logon Collector 1.0 / 1.0.1 installation is not supported on Windows Server 2008 R2. If Logon Collector 1.0 / 1.0.1 is installed on Windows Server 2008 R2 in compatibility mode, uninstallation of Logon Collector is not clean. As a result, the subsequent Logon Collector 2.0 installation fails. Follow the steps below after performing a successful uninstallation of Logon Collector 1.0 / 1.0.1.

Task
1 Delete the Logon Collector 1.0 / 1.0.1 installation folder.
2 Delete the following registry key:
  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\ePolicy Orchestrator\MFS Framework (for Windows 32-bit)
  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\ePolicy Orchestrator\MFS Framework (for Windows 64-bit)

Error uninstalling SQL database instance for Logon Collector

After a successful uninstallation of Logon Collector, you might want to uninstall the Microsoft SQL Server instance that was included in the Logon Collector installation. Follow the steps below if you are unable to do so.

Task
1 Open Task Manager, and end the sqlserver.exe process for the Logon Collector database instance.
2 Retry uninstalling the SQL database instance for the Logon Collector.
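The orion.log signatures and the DNS checks in the two sections above ("Logon Collector Active Directory communication errors log records" and "Troubleshooting DNS problems") fit together as one triage script: find the signature, then run the DNS verification only when the signature points at DNS. The block below is an added example, not McAfee code. It assumes the orion.log format stated in the guide, the log directory under the installation folder named later in this chapter, and a placeholder domain name; it uses Resolve-DnsName (Windows PowerShell 4 or later) in place of the guide's nslookup commands and also checks the hosts file for active entries, as the NSLookup failure section advises.

```powershell
# Added example (not McAfee code): triage orion.log* for the Active Directory
# error signatures in the guide, then run the guide's DNS checks (Kerberos SRV
# records, forward and reverse lookups, hosts-file masking) when DNS is implicated.
# Log path and domain are assumptions; adjust to your installation.
param(
    [string] $LogDir = 'C:\Program Files (x86)\McAfee\McAfee Logon Collector\Server\logs',
    [string] $Domain = 'domain1.cai.local',
    [switch] $AlwaysCheckDns
)

# orion.log line format from the guide: YYYY-MM-DD HH:mm:ss,mmm <LEVEL> [<Thread>] Message
$orionPattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?<level>\w+)\s+\[(?<thread>[^\]]+)\]\s+(?<msg>.*)$'

# Signatures the guide lists, most specific first; Cause is the guide's attribution.
$signatures = @(
    @{ Cause = 'Wrong password';       Pattern = 'Pre-authentication information was invalid \(24\)' },
    @{ Cause = 'DNS problem';          Pattern = 'server not found in Kerberos database \(7\)' },
    @{ Cause = 'AD access (GSS/Login)'; Pattern = 'GSS initiate failed|LoginException' },
    @{ Cause = 'Other exception';      Pattern = 'Exception' }
)

function Get-OrionFindings {
    param([string] $Path)
    foreach ($line in Get-Content -Path $Path) {
        if (-not ($line -match $orionPattern)) { continue }   # skip stack-trace continuation lines
        $ts = $Matches.ts; $level = $Matches.level; $msg = $Matches.msg
        foreach ($sig in $signatures) {
            if ($msg -match $sig.Pattern) {
                [pscustomobject]@{ File = (Split-Path $Path -Leaf); Time = $ts; Level = $level; Cause = $sig.Cause; Message = $msg }
                break
            }
        }
    }
}

function Test-MlcDns {
    param([string] $Domain)
    $ok = $true
    # Kerberos SRV records must exist (guide: nslookup -query=SRV _kerberos._tcp.<domain>).
    $srv = @(Resolve-DnsName -Name "_kerberos._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' })
    if ($srv.Count -eq 0) { Write-Warning "No _kerberos._tcp SRV records found for $Domain"; return $false }
    foreach ($rec in $srv) {
        $dc = $rec.NameTarget.TrimEnd('.')
        # Forward lookup of each DC named by an SRV record ...
        $a = @(Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' })
        if ($a.Count -eq 0) { Write-Warning "Forward lookup failed for $dc"; $ok = $false; continue }
        foreach ($addr in $a) {
            # ... and the reverse lookup of each address must point back at that DC.
            $ptr   = @(Resolve-DnsName -Name $addr.IPAddress -Type PTR -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'PTR' })
            $names = @($ptr | ForEach-Object { $_.NameHost.TrimEnd('.') })
            if ($names -notcontains $dc) {
                Write-Warning "Reverse lookup of $($addr.IPAddress) does not return $dc (got: $($names -join ', '))"; $ok = $false
            } else {
                Write-Host "DNS OK: $dc <-> $($addr.IPAddress) (Kerberos port $($rec.Port))"
            }
        }
    }
    # Active hosts-file entries can mask DNS; the guide wants only comments in that file.
    $hosts = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue |
             Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
    if ($hosts) { Write-Warning "hosts file has active entries that may mask DNS: $($hosts -join ' | ')" }
    return $ok
}

$findings = @(Get-ChildItem -Path $LogDir -Filter 'orion.log*' -ErrorAction SilentlyContinue |
              ForEach-Object { Get-OrionFindings -Path $_.FullName })
if ($findings.Count -eq 0) {
    "No Active Directory error signatures found under $LogDir"
} else {
    $findings | Group-Object Cause | Sort-Object Count -Descending | ForEach-Object { "{0,5}  {1}" -f $_.Count, $_.Name }
    $findings | Where-Object { $_.Cause -ne 'Other exception' } | Select-Object -Last 5 | Format-List Time, Cause, Message
}

$dnsSuspected = @($findings | Where-Object { $_.Cause -eq 'DNS problem' }).Count -gt 0
if ($dnsSuspected -or $AlwaysCheckDns) {
    if (Test-MlcDns -Domain $Domain) { "DNS checks passed for $Domain" }
    else { "DNS checks FAILED for $Domain; correct DNS before retrying the domain connection." }
}
```

Use `-AlwaysCheckDns` to run the DNS verification even when the log shows nothing, for example before adding a new domain. The signature order matters: a "Pre-authentication information was invalid" line also contains "LoginException", so the most specific pattern is tested first.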
Configure Database Settings page to connect to the SQL server

The Logon Collector server uses a Microsoft SQL Server database to store the Logon Collector user credentials. These are used to authenticate users when they log on to the Logon Collector admin user interface. If the SQL Server credentials change, the Logon Collector server cannot connect to the SQL server. As a result, users will not be able to log on to the Logon Collector admin user interface.

Follow the steps below to overcome this problem.
1 Log on to the Logon Collector server.
2 Open https://localhost:8443/core/config in your browser.
3 Reset the password in the Database Settings page.

Ports used by Logon Collector

Ensure that the following ports are enabled on the firewall for the Logon Collector to function.

Port    Type of port   Used for
61641   JMS port       Client and High Availability communication
61613   Stomp port     C client communication
389     LDAP port      Communication between the Logon Collector and the domain controller
50443                  Communication between the Logon Collector and the Logon Monitor

The WMI communication happens between the Logon Monitor and the domain controller.

High memory usage of lsass.exe

Lsass.exe caches data to improve LDAP query performance. It is normal for this process to have large memory usage (multiple GBs) on a domain controller when the domain has a large amount of data.

Recovery procedure for McAfee ePO 10,000 directory objects restriction

The recovery procedure is a safety mechanism introduced to avoid affecting the performance of McAfee ePO when the Logon Collector runs as a McAfee ePO extension. It is recommended that you check the number of users and groups a domain has before adding it to a Logon Collector server running as a McAfee ePO extension.
If you reach this limit, the Logon Collector performs the following actions:
• Updates and complete synchronization to clients stop.
• The Logon Collector stops monitoring the domains.
• The Logon Collector does not allow any more directory objects to be added to IDDS.

The following error message will be displayed if you reach the limit:

To overcome this problem:
1 Do not perform any further operations on the Logon Collector server. This is strongly recommended by McAfee.
2 Remove the Logon Collector and associated extensions from McAfee ePO, and reinstall it. This cleans up the datastore and configurations.

Saved group filter configuration

The group filter configuration is stored locally on the system in the C: directory. This includes files that capture group filter status and configuration.

The group filter status details are stored in mlc.config.xml, available at C:\Program Files (x86)\McAfee\McAfee Logon Collector\Server\conf\. This file can be modified only after stopping the Logon Collector server. The file has an entry in the form:
<config name="enableFilter" value="Y" type="common" />
If the filter is enabled, value is Y; if disabled, value is N.

The group filter configuration is stored in a groupfilter file available at C:\Program Files (x86)\McAfee\McAfee Logon Collector\Server\conf\mlc\. This file is not editable. If you try to modify the groupfilter file, the file might become corrupt.
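The port table under "Ports used by Logon Collector" above can be verified with a TCP connectivity test from each side of the connection. The block below is an added example, not McAfee code. Which side listens is inferred from the guide: clients connect to the Logon Collector's JMS and Stomp ports, and the Logon Collector connects out to LDAP on the domain controller and to the Logon Monitor socket (the Logon Monitor log reports "Socket Listening on 50443"). Hostnames are placeholders; it uses Test-NetConnection, available on Windows Server 2012 and later.

```powershell
# Added example (not McAfee code): tests the TCP paths in the guide's port table.
# Run with -Role Client on a host that connects to the Logon Collector, and with
# -Role LogonCollector on the Logon Collector server itself. Hostnames are placeholders.
param(
    [Parameter(Mandatory)] [ValidateSet('Client', 'LogonCollector')] [string] $Role,
    [string]   $LogonCollector    = 'mlc-01.domain1.cai.local',
    [string[]] $DomainControllers = @('dc-01.domain1.cai.local', 'dc-02.domain1.cai.local'),
    [string[]] $LogonMonitors     = @('lm-01.domain1.cai.local')
)

# Paths per role, with the purpose text from the guide's table.
$paths = switch ($Role) {
    'Client' {
        [pscustomobject]@{ Target = $LogonCollector; Port = 61641; Purpose = 'JMS: client and High Availability communication' }
        [pscustomobject]@{ Target = $LogonCollector; Port = 61613; Purpose = 'Stomp: C client communication' }
    }
    'LogonCollector' {
        foreach ($dc in $DomainControllers) { [pscustomobject]@{ Target = $dc; Port = 389;   Purpose = 'LDAP: Logon Collector to domain controller' } }
        foreach ($lm in $LogonMonitors)     { [pscustomobject]@{ Target = $lm; Port = 50443; Purpose = 'Logon Collector to Logon Monitor' } }
    }
}

function Test-MlcPath {
    param([pscustomobject] $Path)
    # Test-NetConnection resolves the name and attempts a TCP handshake; a closed or
    # filtered port shows as TcpTestSucceeded = False even when the name resolves.
    $r = Test-NetConnection -ComputerName $Path.Target -Port $Path.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target   = $Path.Target
        Port     = $Path.Port
        Resolved = [bool]$r.RemoteAddress
        TcpOpen  = [bool]$r.TcpTestSucceeded
        Purpose  = $Path.Purpose
    }
}

$results = @($paths | ForEach-Object { Test-MlcPath $_ })
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.TcpOpen })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} of {1} paths blocked or unreachable: {2}" -f $failed.Count, $results.Count,
        (($failed | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', '))
    exit 1
}
"All $($results.Count) Logon Collector port checks passed for role $Role."
```

A path that shows Resolved = False is a DNS problem rather than a firewall problem; see "Troubleshooting DNS problems" earlier in this chapter. The WMI traffic between the Logon Monitor and the domain controller is DCOM (TCP 135 plus dynamic RPC ports) and is not in the guide's table, so it is not tested here.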
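The guide recommends checking how many users and groups a domain has before adding it to a Logon Collector running as a McAfee ePO extension. The block below is an added example, not McAfee code, showing one way to do that check with a paged LDAP search through System.DirectoryServices (no RSAT module required) and comparing the totals with the limits this guide states: 10,000 directory objects under ePO, and 100,000 users / 30,000 groups for the standalone server (from the Scalability chapter). The domain name is a placeholder; run it as a domain account that can read the directory.

```powershell
# Added example (not McAfee code): count users and groups in a domain and compare
# with the limits stated in this guide. Domain name is a placeholder.
param(
    [string] $Domain = 'domain1.cai.local',
    [switch] $EpoExtension       # Logon Collector runs as a McAfee ePO extension
)

function Get-LdapObjectCount {
    param([string] $Domain, [string] $Filter)
    $dn = 'DC=' + (($Domain -split '\.') -join ',DC=')    # domain1.cai.local -> DC=domain1,DC=cai,DC=local
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$Domain/$dn"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 1000     # paged results; without paging the server caps a search at 1000 entries
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $results = $searcher.FindAll()
    try { return $results.Count } finally { $results.Dispose() }
}

function Get-MlcDomainSizing {
    param([string] $Domain, [bool] $EpoExtension)
    # objectCategory=person excludes computer accounts, which are also objectClass=user.
    $users  = Get-LdapObjectCount -Domain $Domain -Filter '(&(objectCategory=person)(objectClass=user))'
    $groups = Get-LdapObjectCount -Domain $Domain -Filter '(objectCategory=group)'
    $verdict = if ($EpoExtension) {
        if (($users + $groups) -gt 10000) { 'OVER the ePO 10,000 directory object limit: do not add this domain to an ePO-hosted Logon Collector' }
        else { 'Within the ePO 10,000 directory object limit' }
    } elseif ($users -gt 100000 -or $groups -gt 30000) {
        'OVER the standalone limits (100,000 users / 30,000 groups)'
    } else {
        'Within the standalone limits'
    }
    [pscustomobject]@{ Domain = $Domain; Users = $users; Groups = $groups; Objects = $users + $groups; Verdict = $verdict }
}

Get-MlcDomainSizing -Domain $Domain -EpoExtension:$EpoExtension | Format-List
```

Run it as `.\Get-MlcDomainSizing.ps1 -Domain domain1.cai.local -EpoExtension` before adding the domain. If you also use a group filter, the filtered count is what reaches the Logon Collector, so a domain over the raw limit may still be usable once the filter is configured.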