McAfee Logon Collector 3.0
Administration Guide
Revision D


COPYRIGHT

© 2017 Intel Corporation

TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

1 Introduction to McAfee Logon Collector 7
  Important terminologies 7
  Domain controllers and logon collection 7
  Deployment 8
  Ports used by Logon Collector 9
  Viewing online help 10

2 Installation 11
  Key considerations for installation 11
  Prerequisites 11
    Planning for installation 11
    System requirements 12
    DNS resolution requirements 13
  Install Logon Collector 13
    Download the software 13
    Install the software on Windows Server 14
    Uninstall the software 17
    Uninstall Microsoft SQL Server 2008 Express Edition 17
  Access the Logon Collector web interface 18
  Install Logon Monitor 18
    Install a Logon Monitor 19
    Uninstall Logon Monitor 19

3 Upgrade 21
  Key considerations for an upgrade 21
  Upgrade the software from 2.2 to 3.0 using the installer 22
  Verify the upgrade 22

4 Identities collection 23
  About identities collection 23
  Manage monitored domains 23
    Add a domain to monitor 24
    View monitored domain details 27
    Add Logon Monitor 27
    Edit username and password 29
    Managing exchange servers 29
    Manage Query Order 30
    Remove a monitored domain 31

5 Server settings 33
  About server settings 33
    Active Directory User login 34
    Email Server 34
    Identity replication certificate 34
    Local Logon Monitor settings 34
    MLC Advanced Settings 36
    MLC Group / IP Ignore List 38
    MLC Group Filter 39
    Configuring the IP address for Logon Collector server client communication 40
    MLC User Login Timeout 41
    Printing and exporting 43
    Server certificate 43
  About Personal Settings 44
  Logon Monitor configuration 44
    Configuration tab 45
    Remote tab 45
    Use MMC to manage Logon Monitor certificates 46
    Use NTLMv2 with Logon Monitors 47

6 High Availability (Clustering) 49
  Overview 49
  Configuration basics 49
    Prerequisites for High Availability 50
    High Availability setup 50
    Configure High Availability in Public Key Infrastructure (PKI) setup 54
    Check the status of cluster formation 55
  Configuration data replication 57
  Logon events replication 57
  Limitations 58
  Disable a cluster 58
  Reconfigure a cluster 59

7 On-demand group and user refresh 61
  MFS Scheduler 2.5 62
  On-demand group refresh 62
    Options of group refresh 62
  On-demand user refresh 68
    Options of user refresh 68
  Server Tasks Log 74

8 User management 75
  Manage users 75
    Add or modify a user 75
    Delete a user 76
  Manage permission sets 76
    Create permission sets 76
    Delete permission sets 77
    Duplicate permission sets 77
  Manage contacts 77
    Add or modify a contact 78
    Delete a contact 78

9 Reporting 79
  About the Status page 79
  View who is logged on 80
    Export report of who is logged on 81
  View the audit log 81
    Export the audit log 82
  Manage audit log queries 82
    Create a query group 82
    Delete a query group 83
    Edit a query group 83
    Create audit log queries 83
    Import audit log queries 84
    Query actions 84
  Define filter criteria 85
  Define export criteria 86
  View dashboards 87

10 Integration with other McAfee products 89
  Integration with McAfee Next Generation Firewall 89
    Integration requirements for McAfee Next Generation Firewall 89
  Integration with McAfee Firewall Enterprise 91
    Integration requirements 91
    Passive identity validation 91
    Configure Passive Passport 92
  Integration with McAfee Firewall Enterprise Control Center 92
    Integration requirements 92
  Integration with McAfee Network Security Manager 92
    Benefits 93
    User groups for Sensor 93
    Important terms 93
    Integration requirements 93
    How Logon Collector - McAfee® Network Security Manager integration works 94
    Configuration details for Logon Collector integration 94
    Display of Logon Collector details in the Threat Analyzer 96
    Display of Logon Collector details in Network Security Manager reports 96
  Integration with McAfee Data Loss Prevention 96
    Integration requirements 97
    Using Active Directory User elements 97
    Using McAfee DLP on remote LDAP servers 97
    How Logon Collector is used with McAfee DLP 97
    How Logon Collector enables user identification 98
    Setting up Logon Collector 98
    Authenticating McAfee DLP Manager and Logon Collector 99

11 Scalability 101
  Scalability details 101

12 Troubleshooting 103
  Verify the domain credentials 103
    Connect to a domain controller 104
    Run a CPU performance query 106
    Run a back log query 107
    Run a forward log notification query 109
  Create a non-administrator account to access the security event log on a domain controller 109
    Create an account on Windows Server 2003 and 2008 110
    Create an account on Windows Server 2003 110
    Create an account on Windows 2000 server 110
    Additional resources 110
  Add different Kerberos encryption types across domains 110
  Logon Monitor logs 111
    Internal messages 111
    Messages generated due to Logon Collector communication 111
    Messages generated due to Logon Monitor communication 112
    Common Domain Controller errors 112
  Logon Collector logs 113
    Logon Collector Active Directory communication errors log records 113
    Troubleshooting DNS problems 114
    Troubleshooting NSLookup failure 114
  Error uninstalling SQL database instance for Logon Collector 115
  Configure Database Settings page to connect to the SQL server 115
  Ports used by Logon Collector 116
  High memory usage of lsass.exe 116
  Saved group filter configuration 116

Index 117


1 Introduction to McAfee Logon Collector

The McAfee® Logon Collector is software that monitors Active Directory domains and collects logon information. Logon Collector polls Microsoft Active Directory domain controllers for user logon events and sends this information to security appliances to correlate network traffic with user behavior. Logon Collector is installed on separate Windows-based servers to communicate with the Active Directory, and supports distributed deployment. Logon Collector deployment does not require any modification to the Active Directory or the Active Directory schema and requires no agents.

Logon Monitors can be used to poll nearby domain controllers and forward collected information to the Logon Collector, shortening the distance domain controller communication must travel.

Contents
• Important terminologies
• Domain controllers and logon collection
• Deployment
• Ports used by Logon Collector
• Viewing online help

Important terminologies
A domain is a logical group of identified resources on a network, whether users, computers, or networked application services. These resources are collected for the domain into a distributed directory, shared in a group of domain controllers. Members of a domain only need to authenticate one time to the closest domain controller. All the other resources in the domain are made accessible based on their privileges in the domain.

An identity is the set of characteristics that uniquely identifies a user. A user's identity includes user name, authentication status, group membership, primary group, and current IP address. The user or system primary group can be fetched and passed on to clients.

Domain controllers and logon collection
Logon Collectors and Logon Monitors interact with domain controllers and enable McAfee products such as Next Generation Firewall and McAfee® Network Security Platform to continuously gather identity information. This information is used to map network transactions to actual identities.

Each time a user logs on to the network or requires access to any domain-controlled resource such as a printer, server, or file share, the domain controller creates an event log entry in a special, protected log file called the Security Event Log. This log file is available to remote systems such as the Logon Collector and the Logon Monitor by way of a Microsoft interface called Windows Management Instrumentation (WMI).


To minimize the burden placed on a domain controller by Security Event Log queries (using WMI), the Logon Collector or Logon Monitor contacts the domain controller on behalf of McAfee appliances that require the Security Event Log information. Each domain controller only has to accommodate a single connection instead of multiple connections for each McAfee appliance.

Because the overhead of using WMI can be expensive, you can deploy Logon Monitors close to the domain controllers on your network. Doing so routes the greatest amount of traffic, WMI communication between the domain controllers and Logon Monitor, along a relatively short distance. The communication overhead between a Logon Monitor and a Logon Collector is low, enabling you to optimize your deployment of logon collecting.

See also: Install Logon Monitor on page 18
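The WMI path described above can be exercised directly from PowerShell, which is useful when validating that a monitoring account can actually read a domain controller's Security Event Log before adding the domain in Logon Collector. The following is an added example, not code from the McAfee guide or from the Logon Monitor itself: it opens a DCOM-based CIM session to one domain controller and reads recent successful-logon events through the Win32_NTLogEvent class. The domain controller name is an assumption; event ID 4624 and the insertion-string positions used to extract the account, logon type and source address come from the Windows 4624 event template rather than from the guide, and should be verified against your own domain controllers.

```powershell
# Added example, not from the McAfee guide: read successful-logon events from a
# domain controller's Security Event Log over WMI (DCOM), the interface the
# Logon Monitor uses. Run it with an account that has read access to that log.
function Get-DcLogonEvents {
    param(
        [Parameter(Mandatory)] [string]$DomainController,   # assumption: e.g. dc01.corp.example
        [Parameter(Mandatory)] [pscredential]$Credential,   # from Get-Credential; never embed a password
        [int]$MaxEvents = 25
    )

    # Classic WMI (and the Logon Monitor) talks DCOM; Get-CimInstance defaults to
    # WS-Man, so ask explicitly for the DCOM protocol.
    $opt = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $DomainController -Credential $Credential -SessionOption $opt

    try {
        # EventCode 4624 = "An account was successfully logged on" (a Windows event
        # ID, not taken from the guide). Filtering on Logfile and EventCode in WQL
        # stops the DC from serialising its whole Security log; that full-log walk
        # is the WMI overhead the guide warns about.
        $filter = "Logfile='Security' AND EventCode=4624"

        Get-CimInstance -CimSession $session -ClassName Win32_NTLogEvent -Filter $filter |
            Select-Object -First $MaxEvents |
            ForEach-Object {
                $s = $_.InsertionStrings
                # Assumed 4624 insertion-string positions (verify on your DC):
                # 5 = target user, 6 = target domain, 8 = logon type, 18 = source IP.
                $user = $null; $logonType = $null; $sourceIp = $null
                if ($s.Count -gt 6)  { $user      = "$($s[6])\$($s[5])" }
                if ($s.Count -gt 8)  { $logonType = $s[8] }
                if ($s.Count -gt 18) { $sourceIp  = $s[18] }
                [pscustomobject]@{
                    Time       = $_.TimeGenerated
                    Controller = $_.ComputerName
                    User       = $user
                    LogonType  = $logonType
                    SourceIP   = $sourceIp
                }
            }
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

# Usage (interactive):
# $cred = Get-Credential -Message 'Account with Security-log read access'
# Get-DcLogonEvents -DomainController 'dc01.corp.example' -Credential $cred | Format-Table
```

If the call fails with an access-denied error, the account lacks rights to the Security log on that controller; the troubleshooting chapter's section on creating a non-administrator account for security event log access describes the intended, least-privilege way to grant them.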

Deployment
The Logon Collector and Logon Monitor can connect to multiple domain controllers across multiple domains and forests. Each Logon Collector can be contacted by multiple clients and can have multiple Logon Monitors. When deploying Logon Collectors and Logon Monitors, consider the following:

• The network overhead of WMI communication can be expensive. WMI communication occurs between the domain controller and the Logon Monitor. McAfee recommends that you use a single Logon Monitor for all your McAfee security devices so that only one WMI session is needed on each domain controller.

• McAfee recommends that you place a Logon Collector or Logon Monitor on the same geographical location as that of the domain controller. Communication between a Logon Monitor and the Logon Collector over a WAN link is often faster than the communication between the domain controller and the Logon Collector over the same WAN link. The faster the Logon Collector receives this information, the faster the client can associate an IP address with the matching identity.

• Connect to domain controllers that add value to the monitoring strategy. The Logon Monitor should connect to the domain controller from which the users to be monitored log on. For example, if you are monitoring in an area of the network such as New York, and you never see users from San Francisco, then you might not need to monitor the users that log on to a domain controller in San Francisco. Conversely, if the users in San Francisco use services in the New York data center you are monitoring, then you will greatly benefit from watching the security event log of the San Francisco domain controller and determining the identity of these users.

• Take advantage of the IT support infrastructure. If your infrastructure is administered by different groups of system administrators that correspond to the already existent Windows architecture, you might want to work with them. The Logon Collectors and Logon Monitors are installed as services on Windows Server 2008 R2 or Windows Server 2012. The administration of these servers might already be part of a larger system administration strategy, and you might want to abide by it.

• Depending on your security requirements, you might want to dedicate a Windows Server 2008 R2 or Windows Server 2012 to run the Logon Collector or a pair of servers in High Availability mode. If the server on which the Logon Collector is installed is compromised, it might cause great loss of functionality to your security architecture.

• It is important to keep the server on which the Logon Collector or Logon Monitor is installed up to date by applying the Microsoft security patches on a timely basis. It is equally important to follow the Microsoft security best practices to harden this server.

• If possible, remote and local access to the Logon Collector or Logon Monitor server should be limited to its administrators only.


• Follow the instructions from the Use NTLMv2 with Logon Collectors section to securely protect the credentials in the server and to use only secure authentication protocols.

• It is possible to configure domain controllers to allow the Logon Monitor to access the Security Event Log without using Administrator logon credentials. This is recommended. Refer to the section on Create a non-administrator account to access the security event log on a domain controller.

Figure 1-1 Logon Collector deployment

See also: Use NTLMv2 with Logon Monitors on page 47
See also: About identities collection on page 23

Ports used by Logon Collector
These ports must be enabled in your network.

Table 1-1 Logon Collector Port table

Port   Type of port                               Used for
8443   Logon Collector HTTPS                      Web Server Secure port
8444   Logon Collector HTTPS                      Web Server authorization port
61641  Logon Collector JMS                        Communication between Logon Collector and point products; communication among Logon Collector cluster members
61613  Logon Collector JMS (STOMP)                Communication between Logon Collector and 2.0+ C client based point products
50443  Local or Remote Logon Monitor TCP          Communication between Logon Collector and Logon Monitor
389    Domain Controller (AD) LDAP/Secure LDAP    LDAP or Secure LDAP query from Logon Collector to Domain Controller

Logon Collector does not function if you have enabled SSL port 636 on the Domain Controllers (Active Directory) and have disabled non-SSL port 389. Logon Collector fails to connect to the Domain Controller (Active Directory) on SSL port 636.

The WMI communication happens between Logon Monitor and domain controller.
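As an added example, not from the guide, the following PowerShell checks that the ports in Table 1-1 are reachable from the host it runs on and flags the case called out above, where LDAP over SSL (636) is open on a domain controller but plain LDAP (389) is closed. The host names are assumptions; the TCP probe uses System.Net.Sockets.TcpClient rather than Test-NetConnection so that it also runs on Windows Server 2008 R2.

```powershell
# Added example, not from the McAfee guide: probe the TCP ports listed in
# Table 1-1 and report which ones are reachable from this host.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # timed out
        $client.EndConnect($async)      # throws if the connection was refused
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

function Test-LogonCollectorPorts {
    param(
        [Parameter(Mandatory)] [string]$LogonCollector,   # assumption: e.g. mlc01.corp.example
        [string[]]$LogonMonitors = @(),                    # remote Logon Monitor hosts
        [string[]]$DomainControllers = @()                 # DCs the collector queries over LDAP
    )

    # Build the list of (host, port) pairs from Table 1-1. 636 is probed only to
    # detect the misconfiguration described in the note under the table.
    $checks = @(
        foreach ($p in 8443, 8444) {
            [pscustomobject]@{ Host = $LogonCollector; Port = $p; Role = 'Logon Collector HTTPS' }
        }
        [pscustomobject]@{ Host = $LogonCollector; Port = 61641; Role = 'Logon Collector JMS' }
        [pscustomobject]@{ Host = $LogonCollector; Port = 61613; Role = 'Logon Collector JMS (STOMP)' }
        foreach ($lm in $LogonMonitors) {
            [pscustomobject]@{ Host = $lm; Port = 50443; Role = 'Logon Monitor' }
        }
        foreach ($dc in $DomainControllers) {
            [pscustomobject]@{ Host = $dc; Port = 389; Role = 'Domain controller LDAP' }
            [pscustomobject]@{ Host = $dc; Port = 636; Role = 'Domain controller LDAPS (informational)' }
        }
    )

    $results = foreach ($c in $checks) {
        [pscustomobject]@{
            Host = $c.Host
            Port = $c.Port
            Role = $c.Role
            Open = Test-TcpPort -ComputerName $c.Host -Port $c.Port
        }
    }

    # The guide's note: Logon Collector cannot connect when a DC has only 636 enabled.
    foreach ($dc in $DomainControllers) {
        $ldap  = $results | Where-Object { $_.Host -eq $dc -and $_.Port -eq 389 }
        $ldaps = $results | Where-Object { $_.Host -eq $dc -and $_.Port -eq 636 }
        if (-not $ldap.Open -and $ldaps.Open) {
            Write-Warning "$dc answers on 636 but not on 389; Logon Collector will fail to connect (see the note under Table 1-1)."
        }
    }
    $results
}

# Usage:
# Test-LogonCollectorPorts -LogonCollector 'mlc01.corp.example' `
#     -LogonMonitors 'lm01.corp.example' -DomainControllers 'dc01.corp.example' | Format-Table
```

A closed port in the output points at a host firewall or network ACL between the probing host and the target; the probe says nothing about whether the service behind the port is the expected one, so confirm the Logon Collector and Logon Monitor services are running before chasing firewall rules.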

Viewing online help
You can view the online help for Logon Collector by clicking the question mark (?) button on the menu bar. The online help includes a table of contents and has full-text search capability.


2 Installation

This section includes the installation process of McAfee® Logon Collector and Logon Monitor.

Contents
• Key considerations for installation
• Prerequisites
• Install Logon Collector
• Access the Logon Collector web interface
• Install Logon Monitor

Key considerations for installation
This section gives the details of the key considerations for installation.

When you install the Logon Collector on Windows Server 2008 R2 or 2012 for the first time, you might see a message that states, "The Windows registry entry NtfsDisable8dot3NameCreation value will be changed to 0".

You will receive this message only if the Windows registry entry value has not been modified.

You can either proceed by making this change in the registry or you can proceed without the change.

If you accept the change in the registry and proceed, you can have spaces in the installation location. If you do not accept the change in the registry, you must ensure that the installation location path does not contain any folder with white spaces in its name. You must also ensure that the folder name does not exceed 8 characters.
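The registry prompt above can be anticipated before the installer runs. The following is an added example, not part of the guide or of the installer: it reads the current NtfsDisable8dot3NameCreation value and checks a candidate installation path against the two rules that apply if you decline the change (no white space in any folder name, and no folder name longer than 8 characters). The registry path used is the standard Windows location of that value, which the guide itself does not state, and the sample installation path is an assumption.

```powershell
# Added example, not from the McAfee guide: report whether 8.3 short-name
# creation is enabled and whether a candidate install path satisfies the
# guide's rules for the case where the registry value is left unchanged.
function Test-LogonCollectorInstallPath {
    param([Parameter(Mandatory)] [string]$InstallPath)   # e.g. 'C:\Program Files\McAfee\Logon Collector'

    # Standard Windows location of the value (assumed here; the guide only names the value).
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $item  = Get-ItemProperty -Path $regPath -Name NtfsDisable8dot3NameCreation -ErrorAction SilentlyContinue
    $value = if ($item) { $item.NtfsDisable8dot3NameCreation } else { $null }

    # 0 is the value the installer offers to set: short (8.3) names are created on
    # all volumes. Any other value, or a missing value, means the prompt will appear.
    $shortNamesOn = ($value -eq 0)

    # Without 8.3 names, every folder in the path must be free of white space and
    # no longer than 8 characters. The drive letter segment ("C:") is skipped.
    $badSegments = @()
    foreach ($seg in ($InstallPath -split '[\\/]' | Where-Object { $_ -ne '' })) {
        if ($seg -match ':$') { continue }
        if ($seg -match '\s' -or $seg.Length -gt 8) { $badSegments += $seg }
    }

    [pscustomobject]@{
        InstallPath            = $InstallPath
        RegistryValue          = $value
        EightDotThreeEnabled   = $shortNamesOn
        OffendingFolders       = $badSegments
        PathOkWithoutRegChange = ($badSegments.Count -eq 0)
        PathOk                 = ($shortNamesOn -or $badSegments.Count -eq 0)
    }
}

# Usage:
# Test-LogonCollectorInstallPath -InstallPath 'C:\Program Files\McAfee\Logon Collector'
#   -> OffendingFolders lists 'Program Files' and 'Logon Collector'; PathOk is true only
#      if the registry value is already 0.
# Test-LogonCollectorInstallPath -InstallPath 'D:\MLC'
#   -> PathOkWithoutRegChange is true, so the installer can proceed either way.
```

Running the check as a non-elevated user is fine: the value is readable without administrator rights, and the function never writes to the registry.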

Prerequisites
Review the installation prerequisites for the Logon Collector and the Logon Monitor before installing the software.

Planning for installation
Before installation, ensure that you complete the following:

• You must be logged on to the server as a local computer administrator.

• Make sure your hardware meets or exceeds the minimum requirements.


• You do not need a special passphrase or license key to install the Logon Collector or Logon Monitor software. You can install as many instances of the Logon Collector or Logon Monitor (each on its own server) as are needed to provide adequate coverage for the domain controllers in your monitored domain.

• For Windows Server 2012, enable .NET framework 3.5 to successfully install Logon Collector 3.0.

Client Server compatibility

• Logon Collector 1.0 client supports Logon Collector 1.x and 2.x servers.

• Logon Collector client supports Logon Collector 2.x servers. The client does not support Logon Collector 1.x servers.

• Logon Collector 2.2 and 3.0 client supports Logon Collector 3.0 servers. 3.0 client does not support Logon Collector 1.x and 2.x servers.

System requirements
The Logon Collector and Logon Monitor run as Microsoft Windows services on a Windows Server, and require a system that meets these minimum requirements:

Component: Minimum requirement

Operating System
  Any one of the following Microsoft operating systems:
  • Windows Server 2008 R2 (64-bit)
  • Windows Server 2012 and 2012 R2 (64-bit)
  Windows Server 2003 is not supported.

Operating System (domain controllers)
  Any one of the following Microsoft servers:
  • Windows Server 2008 R2
  • Windows Server 2012 and 2012 R2

RAM (memory)
  4 GB or higher

Disk space
  20 GB free space

Processor
  Pentium IV 2 GHz or faster

Software framework
  Microsoft .NET framework 3.5
  We highly recommend enabling the .NET framework 3.5 to successfully install Logon Collector 3.0.

Browser
  • Microsoft Internet Explorer 8.x and above
  • Mozilla Firefox 25 and above
  • Google Chrome 40 and above
  Recommended to use the latest browser versions.

Network connectivity
  From Logon Collector servers to the domain controllers of the Microsoft Active Directory domain that the Logon Collector or Logon Monitor is monitoring

Resolution
  Display set to a resolution of 1024x768 or greater

Monitored Domains
  The domain user (entered while adding the domain in Logon Collector) must have access rights to the security event logs on each domain controller

Domain controllers
  The domain controller's functional level should not be higher than the Logon Collector's Windows Server version. Refer to the section Key considerations for installation.
  Domain controllers must have port 389 enabled for LDAP and Secure LDAP queries.

Consider installing the Logon Monitor on a virtual machine, as the Logon Monitor is a less demanding application and does not transmit as much information as the Logon Collector.

The Logon Monitor memory usage depends on the number of users and groups in its database.

DNS resolution requirements
Proper Domain Name System (DNS) resolution is a critical prerequisite for identities collection. The computers on which the Logon Collector or Logon Monitor are installed, and the client configured to collect identities, must be configured to refer to a DNS server that must be able to:

• Resolve any domain from which logons are collected.

• Provide forward resolution for all domain controllers from which logons are collected.

• Provide reverse resolution for all domain controllers from which logons are collected.

• Provide SRV records for one or more domain controllers in the domain from which logons are collected.

When the DNS settings are changed, Logon Collector cancels its old DNS cache after 30 seconds, and then applies the new DNS settings. You should wait at least 30 seconds to resolve the domain.

See also Troubleshooting DNS problems on page 114
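The four requirements above can be checked from the server that will run Logon Collector or Logon Monitor before the domain is added. The following is an added example and not code from the McAfee guide: it resolves the domain, looks up the SRV records that locate its domain controllers, and then confirms forward and reverse resolution for each controller found. The domain name is an assumption, and the `_ldap._tcp.dc._msdcs.<domain>` name is the standard Active Directory locator record, which the guide does not itself name. Resolve-DnsName comes with the DnsClient module on Windows Server 2012 and later.

```powershell
# Added example, not from the McAfee guide: check the DNS prerequisites for one
# monitored domain from the host that will run Logon Collector or Logon Monitor.
function Test-LogonCollectorDns {
    param([Parameter(Mandatory)] [string]$Domain)   # assumption: e.g. corp.example

    # Requirement 1: the domain name itself resolves.
    $domainA = @(Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' })
    $domainOk = ($domainA.Count -gt 0)

    # Requirement 4: SRV records that locate domain controllers. The name below is
    # the standard AD locator record (assumed here; the guide does not name it).
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    $controllers = @($srv | ForEach-Object { $_.NameTarget.TrimEnd('.') } | Sort-Object -Unique)
    $srvOk = ($controllers.Count -gt 0)

    # Requirements 2 and 3: forward and reverse resolution for every DC found.
    $dcChecks = foreach ($dc in $controllers) {
        $ips = @(Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        $reverseOk = $false
        foreach ($ip in $ips) {
            # The PTR answer must name the same controller, not just exist.
            $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'PTR' -and $_.NameHost.TrimEnd('.') -ieq $dc }
            if ($ptr) { $reverseOk = $true; break }
        }
        [pscustomobject]@{
            Controller = $dc
            Addresses  = $ips
            ForwardOk  = ($ips.Count -gt 0)
            ReverseOk  = $reverseOk
        }
    }
    $failedDc = @($dcChecks | Where-Object { -not ($_.ForwardOk -and $_.ReverseOk) })

    [pscustomobject]@{
        Domain         = $Domain
        DomainResolves = $domainOk
        SrvRecordsOk   = $srvOk
        Controllers    = @($dcChecks)
        AllOk          = ($domainOk -and $srvOk -and $failedDc.Count -eq 0)
    }
}

# Usage (allow at least 30 seconds after changing DNS settings, as noted above):
# Test-LogonCollectorDns -Domain 'corp.example' | Format-List
# (Test-LogonCollectorDns -Domain 'corp.example').Controllers | Format-Table
```

A controller with ForwardOk true and ReverseOk false is the common failure: the forward zone is maintained by Active Directory, but the reverse (in-addr.arpa) zone is often missing or stale, and that is the case the "Troubleshooting DNS problems" section addresses.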

Install Logon Collector
A Logon Monitor is installed locally on the same server when you install Logon Collector. This Logon Monitor is referenced in the user interface as localhost.

You can install Logon Monitor separately, if you need a remote Logon Monitor.

If you are already running a McAfee Foundation Services (MFS)-based application (for example, McAfee® ePolicy Orchestrator), the Logon Collector service will be incompatible with it.

See also: Uninstall the software on page 17
See also: Uninstall Logon Monitor on page 19

Download the software
Download the bundled Logon Collector and Logon Monitor software from the McAfee website.


Task1 In a web browser, go to https://secure.mcafee.com/apps/downloads/my-products/login.aspx?

region=us.

2 Provide your grant number, and select the appropriate product category (for example, McAfee®

Firewall Enterprise Appliance).

3 Select the McAfee Logon Collector version, for example McAfee Logon Collector 3.0.

4 Download the zip file for the Logon Collector installation. Extract the files to your local directory.

5 Find the Logon Collector installation program and download it to your local directory.

The Logon Monitor is part of the Logon Collector bundle that you download.

If you want to have a separate remote Logon Monitor installation, select the McAfee Logon Monitor folder and find the installation program.

See also: Install a Logon Monitor on page 19

Install the software on Windows Server

The Logon Collector installation wizard installs the Logon Collector, the local Logon Monitor, and Microsoft SQL Server 2008 Express (64 bit) on any one of the following operating systems:

• Windows Server 2008 R2

• Windows Server 2012

• Windows Server 2012 R2

If you already have an instance of Microsoft SQL Server on your server, you can skip that part of the installation.

At any point of the installation, click Back or Cancel to return to the previous step or cancel the installation, respectively.


Task

1 Navigate to the downloaded Logon Collector folder in your local directory.

2 Double-click Setup.exe.

The Logon Collector installation wizard opens. If your system has less than 4 GB RAM, a memory error message is displayed.

Click Yes to continue the installation with the currently available memory.

You can click No to cancel the installation and run it again once at least 4 GB of RAM is available.

If you are installing the software on Windows 2008 R2, the following Security Warning window is displayed.

Figure 2-1 Security Warning window

Click Run to proceed.

A pop-up window might appear to enable the Windows 8.3 file naming convention. Click Yes to continue with the installation.

Enabling this option generates a short name in the Windows 8.3 file naming convention for lengthy file names.

3 The Logon Collector installation wizard opens.

Click Next to continue.

The McAfee End User Licensing Agreement window opens.

4 Select any one of the following licenses from the drop-down list under the License expire type option:

• 1 Year Subscription - the license expires in a year

• 2 Year Subscription - the license expires in two years

• Perpetual License - the license has no expiry

Read the license agreement, select the I accept the terms in the license agreement option, and then click OK.


5 By default, the destination folder for the installation is set to C:\Program Files\McAfee\McAfee Logon Collector\. Click Change to select a new location.

The uninstallation process can remove the folder containing the installed Logon Collector along with any existing folder in the path. McAfee recommends that you select an empty folder or keep the default installation location to avoid this issue.

Click Next to continue. The Global Administrator Information window is displayed.

6 Enter the Username and Password for the Logon Collector web interface administrator. Re-enter the password for verification.

Click Next. The HTTP Port Information window opens.

7 Leave the Logon Collector ports at their default values unless a default port is already in use.

You will need the Web Server port for opening the Logon Collector web interface.

8 Click Next.

The SQL Express Option window opens.

There can be any one of the following results:

• Result 1 — Options enabled in the SQL Express Option window:

A pop-up opens. Click Yes to continue with the Microsoft SQL 2005 Express installation.

• Result 2 — Options disabled in the SQL Express Option window:

During the installation process, you might find both options disabled in the SQL Express Option window.

Click the Why are the above options disabled? option to view the reasons. Click OK to continue.

Additional scenario

If you are installing Microsoft SQL 2008 Express on Windows Server 2008 (64-bit) for the first time, a warning message is displayed.

Click Yes to open the Program Compatibility window. Click Run Program to continue.

Figure 2-2 Program Compatibility Assistant window


9 The Microsoft SQL 2008 Express installation is in progress window is displayed.

The Database Information window opens.

10 Select the following options in the Database Information window:

• Windows authentication: Select to enter the domain and logon credentials for the server that will house the Logon Collector database. The SQL server TCP port details are set by default.

• SQL authentication: Select only when you have a separate Microsoft SQL Server installation prior to the Logon Collector installation. In this case, enter the Microsoft SQL Server user name and password that was used during the Microsoft SQL Server installation.

11 Click Next.

The Ready to Install the Program window opens.

12 Click Install to proceed.

The Installing McAfee® Logon Collector window is displayed.

13 Click Finish to complete the installation.

Uninstall the software

Follow these steps to uninstall the Logon Collector.

Task

1 On the Windows server, from the Start menu, select Control Panel, and then click Add or Remove Programs.

2 Select Logon Collector, then click Remove and follow the on-screen instructions.

3 If you want to remove the Logon Collector database, leave the checkbox selected and click Next to proceed.

Configuration information such as which domains are being monitored and which Logon Monitors are connected is not saved. If you have numerous users configured for administering the Logon Collector, you might want to preserve the database.

4 When you are prompted for the database password, click Next to proceed.

5 In the Add or Remove Programs window, select Logon Collector, and click Remove.

6 Click Yes when prompted to remove Logon Collector.

7 Close Add or Remove Programs.

See also: Install Logon Collector on page 13; Install Logon Monitor on page 18

Uninstall Microsoft SQL Server 2008 Express Edition

If you installed Microsoft SQL Server 2008 Express Edition as part of installing the Logon Collector, you might want to remove it when you remove the Logon Collector from your computer. If you intend to re-install the Logon Collector, you must leave Microsoft SQL Server 2008 Express Edition on your computer.

Follow these steps to uninstall Microsoft SQL Server 2008 Express Edition.


Task

1 On the Windows server, from the Start menu, select Control Panel, and click Add or Remove Programs.

2 Select Microsoft SQL Server 2008, and click Remove.

3 In the Component Selection window, select MLCSERVER: Database Engine and Workstation Components, and click Next.

4 Click Finish.

5 In the Add or Remove Programs window, select Microsoft SQL Server Native Client, and click Remove.

6 Click Yes when prompted to remove Microsoft SQL Server Native Client.

7 Close Add or Remove Programs.

Access the Logon Collector web interface

Use the Logon Collector web interface to monitor domains and Logon Monitors, generate reports, and perform administrative tasks.

Task

1 Open a browser and enter the URL of the Logon Collector.

For example, if you accepted the default ports, you might enter https://127.0.0.1:8443/.

The value "8443" in the URL might differ depending on the installation.

If you are connecting to the web interface for the first time over an HTTPS connection, an invalid certificate warning will appear. Click Continue to this website (or the equivalent) to continue.

The Log On window appears.

2 Enter the user name and password configured during installation, and click Log On.

The Main Status window of the web interface appears.

Install Logon Monitor

A local Logon Monitor is included in the Logon Collector installation. You do not need a special passphrase or license key to install the Logon Monitor. You may install as many instances of the Logon Monitor (each on its own server) as are needed to provide adequate coverage for the domain controllers in your monitored domain.

You should install a Logon Monitor as close as possible to the domain controllers with which it will communicate. This minimizes the impact of the traffic resulting from the communication.

The Logon Monitor is part of the Logon Collector download bundle.


Prerequisites:

• Earlier versions of the Logon Collector or Logon Monitor must be uninstalled before installing this version of the software.

• You must be logged on to the server as an administrator.

See also: Domain controllers and logon collection on page 7; Uninstall the software on page 17; Uninstall Logon Monitor on page 19

Install a Logon Monitor

Task

1 Using Windows Explorer, locate the Logon Monitor folder.

Download the software from the location described in the Download the software section of this guide.

2 Double-click Setup.exe.

3 For a new installation of the Logon Monitor, click Generate Self Signed Certificate on the Configuration tab of the McAfee Logon Monitor Configuration window.

The certificate is required to communicate with the Logon Collector. If you are re-installing the Logon Monitor, the previous installation's certificate remains in the store, and you can continue to use it.

4 Complete the configuration changes, and click OK.

See also: Logon Monitor configuration on page 44; Download the software on page 13

Uninstall Logon Monitor

Follow the steps below to uninstall a Logon Monitor.

Ensure that the Logon Monitor you want to uninstall is not being used to watch any domain controllers for any Logon Collector.

Task

1 On the Windows server, from the Start menu, select the Control Panel menu, and click Add or Remove Programs.

2 Click McAfee Logon Monitor, then click Remove.

3 When prompted by the InstallShield Wizard for McAfee Logon Monitor, click Next to begin the removal process.

4 On the Program Maintenance window, click Remove, and click Next.

5 Click Remove.

6 Click Finish.

If you plan to re-install the Logon Monitor, note that the previous installation's certificate remains in the store and you can continue to use it.


See also: Install Logon Collector on page 13; Install Logon Monitor on page 18


3 Upgrade

You can upgrade from Logon Collector 2.2 to Logon Collector 3.0.

Contents
Key considerations for an upgrade
Upgrade the software from 2.2 to 3.0 using the installer
Verify the upgrade

Key considerations for an upgrade

Be aware of these issues before upgrading.

• You cannot upgrade from Logon Collector 2.1 to Logon Collector 3.0, because Microsoft SQL Server 2008 Express Edition is supported only from Logon Collector 2.2 onward.

If Logon Collector 2.1 is installed, you must uninstall Logon Collector 2.1 and Microsoft SQL Server 2005 Express Edition before upgrading.

• The entire Logon Collector configuration, along with the following information, is retained on the Logon Collector server when an upgrade is done:

• Configured domains

• Added certificates

• Remote Logon Monitors

After an upgrade, the local Logon Monitor settings and configuration are reset to default values. Make sure to note these values prior to an upgrade.

As with any upgrade, McAfee strongly recommends that you always first try the upgrade in a test environment. Logon Collector 3.0 does not support upgrades from ePO versions of Logon Collector 2.x.


Upgrade the software from 2.2 to 3.0 using the installer

Before you begin

• Note the local Logon Monitor settings and configuration values. After upgrade, these values are reset to default.

• These Microsoft operating systems are supported for an upgrade:

• Windows Server 2008 R2

• Windows Server 2012

• Windows Server 2012 R2

The .NET Framework 4.5 is installed as part of Windows Server 2012 and 2012 R2. This version has compatibility issues with SQL Server 2008 Express. We highly recommend enabling the .NET Framework 3.5 to successfully install Logon Collector 3.0.

Use the installer you downloaded to upgrade Logon Collector.

Task

1 Navigate to the folder on your local directory that contains the downloaded Logon Collector installer. Double-click Setup.exe and start the Logon Collector 3.0 setup.

2 Read and accept the license, and proceed with the installation.

3 Confirm the destination folder. Click Next.

4 Enter the user name and password for the Logon Collector administrator. Verify the password.

This user name and password must be the same as in the previous (Logon Collector 2.2) installation.

5 Confirm the port numbers.

Since you already have an existing database, the Microsoft SQL Server options are disabled.

6 Verify that the Database Server option in the Database Information window retains the same information as that in the Logon Collector 2.2 installation.

Click Next. The Ready to Install the Program window opens.

7 Click Install to begin the upgrade process. The Installing McAfee Logon Collector window opens.

8 Click Finish to complete the upgrade process.

See also: Install the software on Windows Server on page 14

Verify the upgrade

Select Menu | Configuration | About to verify a successful upgrade.


4 Identities collection

This section gives the details of identities collection.

Contents
About identities collection
Manage monitored domains

About identities collection

Identities can be collected in one of the following ways:

• Monitor a domain with a local Logon Monitor: Any Logon Collector installation contains the Logon Monitor. You must add a domain that the Logon Collector collects information from.

• Monitor a domain with a remote Logon Monitor: You can add remote Logon Monitors to the Logon Collectors.

See the Deployment section for a discussion of when to use Logon Monitors to monitor a domain.

See also: Add a domain to monitor on page 24; Add a Logon Collector certificate to a Logon Monitor on page 28; Deployment on page 8

Manage monitored domains

You can manage the domains that are monitored in the Monitored Domains page. In this page you can perform the following tasks:

• Add a new domain

• View the monitored domain details

• Edit username and password

• Manage Exchange Servers/Domain Controllers

• Manage Query Order

• Remove a monitored domain

Identity Data Store (IDDS) is the in-memory database specific to the Logon Collector. The Logon Collector has a size limit: the total number of directory objects (users and groups) must always be less than 200000. Make sure that the domain you are adding to the Logon Collector does not exceed this limit. Also, check the existing number of users and groups in IDDS before adding a new domain. Exceeding the size limit stops the Logon Collector from monitoring all the domains, and the clients lose their connection with the Logon Collector.
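The following PowerShell script is an added example, not McAfee code, for estimating whether a new domain will fit under the IDDS limit described above. It counts users and groups through LDAP queries against each domain (the guide does not expose the IDDS count itself, so the monitored domains are re-counted from the directory); the domain names are placeholders.

```powershell
# Added example (not McAfee code): estimates users + groups across the domains a Logon
# Collector monitors, plus the domain you plan to add, against the 200000 IDDS limit.
Add-Type -AssemblyName System.DirectoryServices

$IddsObjectLimit = 200000   # limit from the guide: users + groups must stay below this

function Get-DomainObjectCounts {
    param([Parameter(Mandatory)][string]$Domain)
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # User accounts (not computers) and groups; paging avoids the server-side result limit.
    $searcher.Filter   = '(|(&(objectCategory=person)(objectClass=user))(objectCategory=group))'
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.Add('objectCategory')
    $users = 0; $groups = 0
    $found = $searcher.FindAll()
    try {
        foreach ($entry in $found) {
            $category = [string]($entry.Properties['objectcategory'][0])
            if ($category -like 'CN=Person,*') { $users++ } else { $groups++ }
        }
    } finally {
        $found.Dispose(); $searcher.Dispose(); $root.Dispose()
    }
    [pscustomobject]@{ Domain = $Domain; Users = $users; Groups = $groups; Total = $users + $groups }
}

function Test-IddsCapacity {
    param([string[]]$MonitoredDomains, [string]$NewDomain, [int]$Limit = $IddsObjectLimit)
    $counts = @(($MonitoredDomains + $NewDomain) | ForEach-Object { Get-DomainObjectCounts -Domain $_ })
    $total  = ($counts | Measure-Object -Property Total -Sum).Sum
    [pscustomobject]@{
        Domains      = $counts
        TotalObjects = $total
        Limit        = $Limit
        WithinLimit  = ($total -lt $Limit)   # the guide requires strictly less than the limit
        Headroom     = $Limit - $total
    }
}

# Placeholder domain names: replace with the domains already monitored and the one to be added.
$newDomain = 'sales.example.com'
$capacity  = Test-IddsCapacity -MonitoredDomains @('corp.example.com') -NewDomain $newDomain
$capacity.Domains | Format-Table -AutoSize
if (-not $capacity.WithinLimit) {
    Write-Warning ("Adding {0} would bring IDDS to {1} objects, which exceeds the {2} limit." -f
        $newDomain, $capacity.TotalObjects, $capacity.Limit)
}
```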

The following sections give you more information on managing the monitored domains.


Tasks

• Add a domain to monitor on page 24

Add a domain to monitor

Before you begin

Enter the credentials for the domains that are monitored directly by the Logon Collector.

• Obtain management access to the client that polls a given domain for identities.

• Install and configure a Logon Collector.

• Acquire the appropriate domain credentials from your Windows domain administrator.

The administrator account you intend to use to access the domain controller must be in the same domain from which you want to obtain identities.

If you want to use an account other than the administrator account, see the section Create a non-administrator account to access the security event log on a domain controller.

Follow these steps to add a monitored domain:

Task

1 Select Menu | Configuration | Monitored Domains.

2 Click New Domain. The Domain Name tab is displayed.

Update the following fields:


Domain Name
Type the name of the domain in the Domain Name field.

Secure LDAP
Secure LDAP is a feature where the LDAP connection is encrypted with TLS (Transport Layer Security) to protect the data exchanged. Before enabling this feature, verify that Secure LDAP is also enabled on the domain controller. Secure LDAP communication between the Logon Collector and the domain controller is enabled on port 389. SSL connection is not enabled on port 636.

1 Select the Secure LDAP checkbox if you want LDAP communication to be secure.

The domain certificate window is displayed with the certificate details. The domain certificate is issued by the Certification Authority (CA) that is set up in the domain controller.

The domain certificate displays the following information:

• Subject - Specifies the computer name of the domain.

• Issuer - Specifies the details of the issuer.

• Issued On - Specifies the date of issue of the certificate.

• Expires On - Specifies the expiry date of the certificate.

• SHA 1 Fingerprint - Specifies the 40-digit hexadecimal SHA-1 hash of the certificate.

• MD 5 Fingerprint - Specifies the 32-digit hexadecimal MD5 hash of the certificate.

2 Click OK to close the window.

The Secure LDAP feature is enabled only when you click OK. It remains disabled when you click Cancel.

User Name
Type the name of the user of the monitored domain. By default only the admin user of the domain can be added. To add non-admin users, permissions must be set in the domain controller.

Password
Type the password for the user name.

3 Click Next. The Domain Controller tab is displayed.

Connections are made to each domain controller belonging to that particular domain. If the connection is not successful with any of the domain controllers, an error message with the details of the failure is displayed.

4 For each listed domain controller, specify a primary and, optionally, a backup logon monitor.


To add a backup logon monitor, click the New Logon Monitor button in the Logon Monitors page.

a Click the drop-down list under Primary and select a Logon Monitor.

b [Optional] Click the drop-down list under Backup and select a Logon Monitor that operates in the event the primary logon monitor is unavailable.

c Click Next. The Query Order tab is displayed.

5 Click the up or down arrow buttons to move and arrange the domain controllers in the list. Only those domain controllers for which the Logon Collectors are chosen are displayed in this page. Specify the order in which LDAP queries are made to the domain controllers for user and group information. In general, the closest domain controllers should be placed at the top of the list to increase response times and reduce network bandwidth.

The Secure LDAP checkbox is displayed as selected if you have already selected this option in the Domain Name tab.

If the Secure LDAP checkbox is selected in the Domain Name tab while adding a domain, one of the Domain Controllers in the Query Order tab will automatically have this option selected.

6 Click Save to save the changes.

If a domain controller is disconnected, the LDAP query fails and the status button goes red. By default, Logon Collector is configured to perform an LDAP query every 12 hours. If the status still shows red after the network connection is re-established, we recommend removing the domain and adding it again.

When there is a change in the domain controller's certificate, remove the domain and add it again from the Monitored Domains page.

In Secure LDAP, TLS encryption is set up using the Start TLS command. The authentication during binding and unbinding of the LDAP connection to the domain controller is done using Kerberos and not TLS. So, when the communication is viewed using a packet analyzer tool, only the data packets are encrypted, not the bind and unbind exchanges.

In the High Availability mode, when the primary Logon Collector server goes down, all configurations, including an enabled Secure LDAP connection, are replicated from the primary Logon Collector server to the secondary Logon Collector server.


The domain controllers that are connected to the primary Logon Collector server switch over to the secondary Logon Collector server when the primary Logon Collector server becomes unreachable. If Secure LDAP communication is enabled in the primary Logon Collector server, the Secure LDAP connection remains enabled after the switch-over.

After the switch-over, configuration changes can only be made in the active secondary Logon Collector server. When the primary Logon Collector comes up again, it receives the replicated configuration from the active secondary Logon Collector server, so the Secure LDAP configuration is replicated to the primary Logon Collector server.

When both the primary and the secondary Logon Collector servers go down, the server that comes up first becomes the active Logon Collector server.

Tasks

• Error Scenarios in LDAP connections on page 27

• Add a Logon Monitor on page 28

See also: About identities collection on page 23

Error Scenarios in LDAP connections

The LDAP connection to the domain controller may fail in certain scenarios. The following are some of the reasons that could cause an error:

• Time mismatch between the Logon Collector and the domain controller.

• The DNS information is incorrect.

• The user name and password do not match.

• In a Secure LDAP scenario, when TLS is not enabled in the domain controller, you may experience connectivity issues to the domain controller.
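The Secure LDAP parameter description says to verify that TLS is enabled on the domain controller before selecting the checkbox, and the last error scenario above is what you see when it is not. The following PowerShell script is an added example, not McAfee code, that performs that verification from the Logon Collector server using the same sequence the guide describes: StartTLS on port 389 followed by a Kerberos bind. It uses the .NET System.DirectoryServices.Protocols classes; the domain controller name is a placeholder, and the script assumes it runs as a domain user with Kerberos credentials.

```powershell
# Added example (not McAfee code): checks that a domain controller accepts StartTLS on
# port 389 and then a Kerberos bind, before you enable Secure LDAP in Logon Collector.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-SecureLdapStartTls {
    param([Parameter(Mandatory)][string]$DomainController, [int]$Port = 389)

    $seen = @{}   # filled by the certificate callback so the fingerprint can be reported
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Kerberos
    # Record the server certificate presented during StartTLS so its SHA-1 fingerprint can be
    # compared with the value shown in the Logon Collector's domain certificate window.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $seen['Subject'] = $certificate.Subject
        $seen['Sha1']    = $certificate.GetCertHashString()
        $seen['Expires'] = $certificate.GetExpirationDateString()
        return $true
    }.GetNewClosure()

    $result = [ordered]@{
        DomainController   = $DomainController
        Port               = $Port
        StartTls           = $false
        KerberosBind       = $false
        CertificateSubject = $null
        Sha1Fingerprint    = $null
        ExpiresOn          = $null
        Error              = $null
    }
    try {
        # StartTLS is an extended operation on the plaintext port (389), not the separate SSL port (636).
        $conn.SessionOptions.StartTransportLayerSecurity($null)
        $result.StartTls           = $true
        $result.CertificateSubject = $seen['Subject']
        $result.Sha1Fingerprint    = $seen['Sha1']
        $result.ExpiresOn          = $seen['Expires']
        # Bind with the current user's Kerberos ticket over the now-encrypted connection.
        $conn.Bind()
        $result.KerberosBind = $true
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
    return [pscustomobject]$result
}

$check = Test-SecureLdapStartTls -DomainController 'dc1.corp.example.com'   # placeholder name
$check | Format-List
if (-not $check.StartTls) {
    Write-Warning 'StartTLS failed: leave Secure LDAP disabled until the domain controller has a valid server certificate.'
}
```

Run it against every domain controller of the domain, because the Domain Controller tab connects to each of them, and repeat it after a domain controller's certificate is renewed, since the guide requires removing and re-adding the domain in that case.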

View monitored domain details

This section describes the details that can be viewed on the monitored domains.

Task

1 Select Menu | Configuration | Monitored Domains. The Monitored Domains page is displayed.

2 In the left panel, select the domain in the Domains list. The following details are displayed in the right panel.

Domain Name
Displays the name of the domain that is monitored.

User Name
Displays the name of the user in the monitored domain.

Domain Controllers
Displays the names of the domain controllers, the configured logon monitor, and the LDAP communication type (Secure or Non Secure).

Exchange Servers
Displays the exchange server IP address and the configured logon monitor.

To search for a monitored domain, you can use the Filter list text field in the left panel and type the name of the monitored domain.

Add Logon Monitor

This section describes how to add a remote Logon Monitor to the Logon Collector.


Contents
Add a Logon Collector certificate to a Logon Monitor
Add a Logon Monitor
Remove a Logon Monitor

Add a Logon Collector certificate to a Logon Monitor

Before you can add a remote Logon Monitor to a monitored domain on a Logon Collector, you must first provide the Logon Collector certificate information to the Logon Monitor.

Task

1 Install the Logon Monitor and have the McAfee Logon Monitor Configuration application running.

2 On the computer on which you installed the Logon Monitor, open a web browser.

You will be trading information between the Logon Monitor and the Logon Collector. Having a web browser open with the Logon Collector web interface makes this task easier to accomplish.

3 Log on to the Logon Collector web interface and click Menu | Configuration | Server Settings.

4 Click Identity Replication Certificate in the list of Setting Categories.

5 In the McAfee Logon Monitor Configuration application, click the Remote tab.

6 If necessary, click New to add a new certificate to the Logon Monitor.

7 Copy the value for Common Name (CN) on the Logon Collector to the Common Name field on the Logon Monitor.

8 In the Logon Collector web interface, scroll down until the Logon Monitor Fingerprint field is visible.

9 Copy the value for Logon Monitor Fingerprint on the Logon Collector to the Certificate Hash field on the Logon Monitor.

10 Click OK.

11 Repeat these steps for any other Logon Collectors that the Logon Monitor will be communicating with.

With the Logon Collector certificate(s) on the Logon Monitor, you can add the Logon Monitor to any of the Logon Collectors to collect logons for a monitored domain.

See also: About identities collection on page 23; Remote tab on page 45

Add a Logon Monitor

Task

1 Select Menu | Configuration | Logon Monitors.

2 Click New Logon Monitor.

3 Type a name for the remote Logon Monitor in the Logon Monitor Name field.

The name is an arbitrary label used within Logon Collector to identify the Logon Monitor.

4 Type the host name or IP address for the remote Logon Monitor.

5 Type the port number, or accept the default value of 50443.


6 Click Next or OK depending on how you are adding the Logon Monitor.

A connection is attempted to the Logon Monitor.

• If the connection is successful, the certificate is displayed. To accept the certificate, click Save or OK depending on how you are adding the Logon Monitor.

• If the connection is unsuccessful, an error message is displayed.

Remove a Logon Monitor

If you want to remove a remote Logon Monitor, you must ensure it is not monitoring any domain controllers.

Follow these steps to remove a Logon Monitor.

Task

1 Select Menu | Configuration | Monitored Domains.

2 Select a domain and then click Manage Exchange Servers / Domain Controllers.

3 For each domain controller, ensure the Logon Monitor you want to delete is not listed as either the Primary or Backup Logon Monitor.

If the Logon Monitor is listed, click the drop-down list and select a different Logon Monitor.

4 Repeat steps 2 and 3 until you are sure the Logon Monitor you want to delete is not being used.

5 Select Menu | Configuration | Logon Monitors.

6 Select the Logon Monitor you want to delete, then click Delete Logon Monitor.

7 Click OK to confirm the deletion.

Edit username and password

Sometimes a user's password has to be reset on the domain controller. When it is reset, you should also update it in the Logon Collector. Follow these steps to edit the user name or password.

Task

1 Select Menu | Configuration | Monitored Domains. The Monitored Domains page is displayed.

2 Click Edit Username/Password. The following fields are displayed.

Domain Name
Displays the name of the domain that is monitored. This field is not editable.

User Name
Displays the name of the user for the monitored domain. Edit the user name if required.

Password
Type the password for the user that was reset in the domain controller.

3 Click Save to save the changes.

Managing exchange servers

Logon Collector can monitor exchange servers. Logon Collector supports logon events for users logging in through the Microsoft Outlook thick client or Outlook Web Access (OWA) from internet browsers running on Windows and Mac systems.

POP3 and IMAP clients are not supported.


Add an exchange server to a monitored domain

You can add an exchange server and monitor logon events from Outlook users. View the Status page for the added exchange servers.

You can add an exchange server only to an existing monitored domain.

Task

1 Select Menu | Configuration | Monitored Domains. The Domains page is displayed.

2 Select a domain and click Manage Exchange Servers / Domain Controllers.

3 In the Exchange Servers area, click Add Exchange Server.

4 In Exchange Server, enter the fully qualified domain name (FQDN) of the exchange server.

We recommend adding the exchange server's IP address to the IP Ignore List. Navigate to Menu | Configuration | Server Settings. Select MLC Group / IP Ignore List and enter the server IP address.

5 Under Logon Monitor, go to the Primary drop-down list and select localhost if you want to use the Logon Collector server's local Logon Monitor, or select a remote Logon Monitor if the Logon Monitor is installed on a different system.

6 [Conditional] If you have more than one Logon Monitor, you can select a backup Logon Monitor from the Backup drop-down list.

You can select a local Logon Monitor as primary and a remote Logon Monitor as backup, or vice versa. Alternatively, you can select different remote Logon Monitors as primary and backup.

Logon Collector server uses the backup Logon Monitor if the primary Logon Monitor goes down.

7 Click Save.

8 Click Status | <domain name> | Controller Logon Collecting. Make sure the Message area's Status displays Collecting logons from <exchange server>.

Remove an exchange server
You can remove and stop monitoring logon events from an exchange server.

Task
1 Select Menu | Configuration | Monitored Domains.

2 Select a domain and click Manage Exchange Servers / Domain Controllers.

3 From the existing Exchange Servers, decide on the exchange server you want to delete and click Delete Exchange Server.

Manage Query Order
You can set the order in which the LDAP queries are made.


Task
1 Select Menu | Configuration | Monitored Domains and click Manage Query Order. The Active Directory Query Order page is displayed.

2 Click the up or down arrow buttons to move and arrange the domain controllers in the list. Only those domain controllers for which Logon Collectors are chosen are displayed on this page. Specify the order in which LDAP queries are made to the domain controllers for user and group information. In general, place the closest domain controllers at the top of the list to reduce response times and network bandwidth.

3 Select or unselect the Secure LDAP check-box, to enable or disable Secure LDAP. Leave it enabled unless you are troubleshooting: with Secure LDAP disabled, the user and group queries to the domain controllers cross the network unencrypted.

4 Click Save to save the changes.

Remove a monitored domain
You can remove a monitored domain from the Logon Collector whenever required.

Task
1 Select Menu | Configuration | Monitored Domains.

2 Click Remove Domain.

3 Click OK to confirm the removal of the monitored domain.


5 Server settings

This section gives the configuration details as well as the different features in the Server Settings window.

Contents
About server settings
About Personal Settings
Logon Monitor configuration

About server settings
Use the Server Settings window to configure a variety of settings. To edit a particular setting:

Task
1 Select Configuration | Server Settings.

2 Select a setting category and click Edit in the lower right corner of the window.

3 Edit the information and click Save.

Tasks
• MLC Advanced Settings on page 36
This section describes the advanced configuration settings of McAfee® Logon Collector server. The Logon Collector configuration file has the parameters to configure the Logon Collector server.

• MLC Group / IP Ignore List on page 38
Logon Collector gives you the option to ignore user IP addresses and user group names based on your monitoring needs.

• MLC Group Filter on page 39
A group filter in Logon Collector enables you to filter user groups and send only relevant information to clients like McAfee Network Security Manager.

See also
Active Directory User login on page 34
Email Server on page 34
Identity replication certificate on page 34
Local Logon Monitor settings on page 34
Printing and exporting on page 43
Server certificate on page 43


Active Directory User login
Select this option to allow Active Directory users to log on to the Logon Collector if they have at least one permission set.

See also
About server settings on page 33
Manage permission sets on page 76

Email Server
Specify the email (SMTP) server to be used for emailing reports.

Option Definition

SMTP server name Name of the SMTP server.

SMTP server port Port number of the SMTP server, usually port 25 (or 587 for authenticated submission).

Authentication The method of authentication, if any, for the SMTP server. Select Authenticate and specify the required credentials if the specified SMTP server requires authentication.

From address The email address to be included in the From field.

See also
About server settings on page 33
Export the audit log on page 82
Define export criteria on page 86

Identity replication certificate
The identity replication certificate identifies the Logon Collector to other entities with which it communicates and establishes a trusted connection. For example:

• The Logon Monitor Fingerprint value is provided to a Logon Monitor.

• The Base 64 value is provided to clients such as the McAfee® Firewall Enterprise Control Center.

You can generate a new self-signed certificate or use a provided certificate and private key by browsing to their locations. You must also provide a passphrase, if there is one, when you use a provided certificate.

Changing the certificate can lead to any one of the following problems:

• Existing clients may not be able to reconnect until they are given the new Fingerprint or Base 64 value.

• The High Availability cluster might break.

See also
About server settings on page 33

Local Logon Monitor settings
Configure the local Logon Monitor settings.


Option Definition

Distinguished Name
Contains the Common Name and other attributes that the local Logon Monitor needs to identify the certificate found in its store (see Store Name below) to be used to authenticate to the Logon Collector server. For example, cn=dlc.centserv.org,o=centserv,c=us could be the Distinguished Name, comprised of the certificate's Common Name (cn), organization name (o) and country of origin (c). To use a self-signed certificate, you only need to use the Common Name (prefixed with cn=) for identification.

Store Name
The Store Name, or Certificate Store name, is where the local Logon Monitor looks to find its certificates. The default setting for the Store Name is McAfeeLogonMonitor\MY. This uses the Store Type CERT_SYSTEM_STORE_SERVICES.

Store Type
Certificate stores are organized by type. The default type (CERT_SYSTEM_STORE_SERVICES) should suffice in most instances.

Server Port
The port for the local Logon Monitor service to listen on. As long as another service is not listening on the specified port, use your choice of port. The default is port 50443. Valid port numbers are 1-65535.

Certificate Checking
Specifies the type of check to perform on any Accepted Remote Certificates.

• Certificate Hash — [Recommended] Verifies that the hash configured for the given common name matches the hash of the certificate the remote peer presents.

• Certificate Store — The certificate must be signed by a certificate authority found in the Certificate Store.

• Certificate Not Required — No certificate check is performed. This option does not provide secure communications to access the Logon Collector: any peer can present any certificate, or none, and still connect.

McAfee recommends Certificate Hash as the most secure method, because it pins one specific certificate rather than trusting every certificate a CA in the store has issued.

Connection Type
Specifies whether the Logon Collector connection is encrypted or not. This setting is intended for troubleshooting only. This setting must be set to the default value (Encrypted (TLS)) or the Logon Collector may not function correctly.

Debug Level
The amount of information written to the log file. The level of detail increases with the debug level. The default value is zero (0), with no extra log detail recorded.

File Location
Where in the system the log file is stored. By default the installation location for Logon Collector is C:\Program Files\McAfee\McAfee Logon Collector\LoginCollector.

File Size
The maximum size, in kilobytes, to which the log file may grow before rotating. The system keeps up to five log files in the selected location. LoginMonitor.log is the most recent file, followed chronologically by LoginMonitor.log.1 to LoginMonitor.log.4.

Authentication Type
The type of authentication for the connection between the local Logon Monitor service and any domain controllers. Kerberos and NTLM authentication are supported, with Kerberos as the default.

CPU Disconnect Threshold
Specifies when the local Logon Monitor introduces rate-limiting if services on a monitored domain controller consume too much CPU too quickly. If the CPU threshold is crossed, the local Logon Monitor stops polling a domain for twenty minutes. After the twenty minute window, which should give the CPU time to handle its load, the local Logon Monitor reconnects. If you find that the local Logon Monitor frequently resorts to rate-limiting, try disabling the Allow Backlog Queries option.

Maximum Backlog Records
Maximum number of records for which a backlog query will run.

Allow Backlog Queries
Specifies whether the local Logon Monitor checks the domain controller security event logs for identity-related events that may have occurred while it was not connected. With this option enabled, the local Logon Monitor can query back into the time it was disconnected rather than simply resuming at the time it reconnects. Note that backlog querying cannot occur when the local Logon Monitor first connects to the domain controller. The query is done for the value of Maximum Backlog Records or until the time of the last connection, whichever comes first. Backlog queries are likely to affect the performance of heavily loaded or legacy computers and are not recommended. If you find that the local Logon Monitor is frequently resorting to rate-limiting, try disabling this feature.

Accepted Remote Certificates
Certificates from remote Logon Collectors accepted by this Logon Collector. Certificates must pass the criteria defined in Certificate Checking.
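The hash comparison performed by Certificate Hash checking is only as good as the value you configure for a given common name. The following PowerShell is an added example, not part of this guide or of the Logon Collector product: it connects to a Logon Monitor or Logon Collector TLS port, captures the certificate the peer presents, and prints its common name and SHA-1 thumbprint so you can compare them with the Fingerprint value shown in the Logon Collector UI over a channel you trust before accepting the remote certificate. The host name is a placeholder; port 50443 is the local Logon Monitor default listed under Server Port, so pass whichever port you actually configured.

```powershell
# Added example, not McAfee code: read the certificate a TLS peer presents so its
# thumbprint can be compared with the Fingerprint value before it is pinned.
function Get-RemoteCertificateFingerprint {
    param(
        [Parameter(Mandatory)] [string]$HostName,
        [int]$Port = 50443      # local Logon Monitor default (Server Port); use the port you configured
    )
    $state = @{ Cert = $null }
    # The callback captures the peer certificate and returns $true so the handshake proceeds.
    # That bypasses validation on purpose: this function reads a certificate to pin it, it does
    # not trust it, and the captured value is what you compare against the UI out of band.
    $callback = { param($sender, $cert, $chain, $errors) $state.Cert = $cert; $true }.GetNewClosure()

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        try { $ssl.AuthenticateAsClient($HostName) }
        catch {
            # A peer that requires a client certificate may abort the handshake after sending
            # its own certificate; the callback has already captured it by then.
            if ($null -eq $state.Cert) { throw }
        }
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($state.Cert)
        [pscustomobject]@{
            CommonName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            Thumbprint = $cert.Thumbprint   # SHA-1 hex, the form Windows certificate stores display
            NotAfter   = $cert.NotAfter
        }
    }
    finally { $client.Close() }
}

# Placeholder host name; compare Thumbprint with the Fingerprint shown in the Logon Collector UI.
Get-RemoteCertificateFingerprint -HostName 'logonmonitor.example.test' -Port 50443 | Format-List
```

Run it from a host other than the one whose certificate you are checking, and compare the printed Thumbprint with the value shown in the UI or in the MMC certificate viewer on the server itself; if the two differ, something between you and the server is presenting a different certificate and nothing should be pinned until that is explained.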

See also
About server settings on page 33
Logon Monitor configuration on page 44

MLC Advanced Settings
This section describes the advanced configuration settings of McAfee® Logon Collector server. The Logon Collector configuration file has the parameters to configure the Logon Collector server.

You can use the MLC Advanced Settings option or edit the mlc-config.xml file to configure these settings.

• Domain Controller Backoff Time — Logon Collector stops sending WMI queries to a domain controller if the CPU usage of the domain controller is beyond the configured CPU threshold. The Logon Collector waits for 20 minutes by default before sending WMI queries to that domain controller again.

Setting too small a value for controllerbackofftime is not recommended, as it might increase the load on the domain controller. McAfee recommends a minimum value of 10 minutes.


• Logon Collector V1 Compatibility — Logon Collector 1.0 and Logon Collector 1.0.1 do not propagate user or group name changes in the Active Directory to the clients. Logon Collector 3.0 does propagate user and group name changes to the clients. This causes McAfee Firewall ACLD to core (crash), because it depends on the 1.x behavior.

With v1 compatibility mode enabled, Logon Collector 3.0 behaves exactly as Logon Collector 1.0 with respect to this functionality, so Firewall ACLD does not core as soon as an upgrade to Logon Collector 3.0 happens.

By default, Logon Collector 3.0 runs in compatibility mode.

• Remove White Space from Unique Name — Logon Collector 1.x generated the uniqueName for user and group objects with an algorithm that removed white space. As a result, two objects whose names differ only in white space received the same uniqueName, so the generated name was not unique.

Example:

Group 1
cn: ProductServices
un: [email protected]

Group 2
cn: Product Services
un: [email protected]

The same "un" is generated for Group 1 and Group 2 even though their "cn"s are different.
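Before enabling Remove White Space from Unique Name for a domain, it is worth knowing how many names would collide the way Group 1 and Group 2 do above. This PowerShell function is an added example, not from the guide: it reproduces the 1.x collapse (strip all white space, compare case-insensitively) over a list of group names and reports every collision. The names in $groups are constructed for illustration; the comment shows where a real list from Get-ADGroup (ActiveDirectory module) can be substituted.

```powershell
# Added example, not part of the McAfee guide: list group names that would collapse onto
# one uniqueName once white space is removed (the 1.x behaviour described above).
function Find-UniqueNameCollisions {
    param([string[]]$GroupNames)
    # Strip every white-space character and compare case-insensitively,
    # since Active Directory names are not case sensitive.
    $GroupNames |
        Group-Object -Property { ($_ -replace '\s', '').ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                CollapsedName = $_.Name
                CollidingCNs  = ($_.Group -join ' | ')
            }
        }
}

# Constructed sample; on a domain-joined host with the ActiveDirectory module,
# replace it with: $groups = (Get-ADGroup -Filter *).Name
$groups = @('ProductServices', 'Product Services', 'Domain Admins', 'DomainAdmins', 'Finance')
Find-UniqueNameCollisions -GroupNames $groups | Format-Table -AutoSize
```

With the sample list the function reports two collisions (productservices and domainadmins). Any collision on a real domain means that, with the option enabled, a client that filters or matches on uniqueName cannot tell the two groups apart, which matters when one of them carries privileges.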

Configure Logon Collector using MLC Advanced Settings
Select Server Settings | MLC Advanced Settings to configure advanced settings for the Logon Collector. Alternatively, you can configure these settings using the xml file.

Task
1 Select Menu | Configuration | Server Settings.

2 Select MLC Advanced Settings and click Edit. The Edit MLC Advanced Settings page is displayed.

3 [Logon Collector setting] In the Domain Controller Backoff Time field, enter the time in minutes.

4 [For clients] Select or deselect the MLC V1 Compatibility checkbox. By default, this checkbox is selected.

5 [For clients] Select or deselect the Remove White Space from Unique Name checkbox. By default, this checkbox is deselected.

While it is deselected, Logon Collector keeps user and user group names as-is, white space included, when generating unique names.

6 Click Save.

7 Restart the Logon Collector service.


Configure Logon Collector advanced settings using the xml file
Follow these steps to configure the advanced settings of the Logon Collector server directly in the xml file.

1 Stop the Logon Collector service.

2 Go to <MLC_INSTALL_FOLDER>/server/conf/mlc-config.xml.

3 Edit the xml file.

• Domain Controller Backoff Time

Change the value of the parameter (in minutes):

<config name="controllerbackofftime" value="20" type="common" />

• Logon Collector V1 Compatibility

Change the value of the parameter (true or false):

<config name="enable-v1-compatibility" value="true" type="common"/>

• Remove White Space from Unique Name

Change the value of the parameter (true or false):

<config name="removeWhiteSpaceFromUniqueName" value="false" />

4 Restart the Logon Collector service.

If the Logon Collector service takes a long time to stop, open Task Manager, select the Processes tab, locate the Tomcat process, and click End Process.
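The same edit, scripted. This PowerShell is an added example, not a McAfee tool: it stops the service, backs up mlc-config.xml, changes the three parameters above in place and restarts the service, refusing to continue if a parameter is missing rather than guessing where to add it. The service name McAfeeLogonCollector and the install folder are assumptions (the guide only shows a default File Location); confirm the service name with Get-Service before running it.

```powershell
# Added example, not McAfee tooling: apply the three MLC Advanced Settings by editing
# mlc-config.xml with the service stopped, keeping a timestamped backup of the file.
param(
    [string]$ServiceName   = 'McAfeeLogonCollector',                         # assumption: check with Get-Service
    [string]$InstallFolder = 'C:\Program Files\McAfee\McAfee Logon Collector', # assumption: your <MLC_INSTALL_FOLDER>
    [ValidateRange(10, 1440)] [int]$BackoffMinutes = 20,                      # 10 is the documented minimum
    [bool]$V1Compatibility = $true,
    [bool]$RemoveWhiteSpaceFromUniqueName = $false
)
$ErrorActionPreference = 'Stop'
$configPath = Join-Path $InstallFolder 'server\conf\mlc-config.xml'

function Set-MlcConfigValue {
    param([xml]$Doc, [string]$Name, [string]$Value)
    # Each setting is a <config name="..." value="..."/> element. Update the existing element
    # instead of appending a second one, so the server cannot read a stale duplicate.
    $node = $Doc.SelectSingleNode("//config[@name='$Name']")
    if (-not $node) { throw "Parameter '$Name' not found in $configPath; not guessing where it belongs." }
    $node.SetAttribute('value', $Value)
}

# 1. Stop the service so it cannot rewrite the file underneath the edit.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# 2. Back up before touching the file.
Copy-Item -Path $configPath -Destination ('{0}.{1:yyyyMMdd-HHmmss}.bak' -f $configPath, (Get-Date))

# 3. Edit the three documented parameters.
[xml]$cfg = Get-Content -Path $configPath -Raw
Set-MlcConfigValue -Doc $cfg -Name 'controllerbackofftime'          -Value $BackoffMinutes
Set-MlcConfigValue -Doc $cfg -Name 'enable-v1-compatibility'        -Value $V1Compatibility.ToString().ToLower()
Set-MlcConfigValue -Doc $cfg -Name 'removeWhiteSpaceFromUniqueName' -Value $RemoveWhiteSpaceFromUniqueName.ToString().ToLower()
$cfg.Save($configPath)

# 4. Restart and confirm the service came back.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
Write-Host "Updated $configPath; $ServiceName is running."
```

Save it as a .ps1 and run it elevated, for example with -BackoffMinutes 15 -V1Compatibility $false. The ValidateRange attribute enforces the 10 minute minimum the guide recommends, so a typo such as 1 minute is rejected before the service is touched.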

MLC Group / IP Ignore List
Logon Collector gives you the option to ignore user IP addresses and user group names based on your monitoring needs.

In many organizations, there are Exchange Servers. When users log on to OWA, the domain controller gets the IP Address of the Exchange Server. The system administrator can add the exchange server IP Address to the IP Ignore List.

Similarly, many systems are configured to perform some automated tasks. These systems continuously log on to the domain controller using bot user credentials. The system administrator can create a user group and add these bot users to the group. This user group can be added to the Group Ignore List.

• Group Ignore List — If a user is a member of a group and this user group name (or one of its parent groups) is added to the Group Ignore List, all logon events from that user are ignored.

• IP Ignore List — If a user logs on from an IP Address and that IP Address is added to the IP Ignore List, all logon events from that IP Address are ignored.
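To make the two rules concrete, this PowerShell is an added example, not from the guide: it applies a Group Ignore List and an IP Ignore List to a constructed batch of logon events, walking group nesting so that ignoring a parent group also ignores members of its child groups, as the first bullet states. All users, groups and addresses are invented, and the membership data is an inline hashtable rather than a live directory query.

```powershell
# Added example, not McAfee code: ignore-list semantics over constructed logon events.

# Constructed nesting: child group -> parent group(s). Membership is transitive upward.
$parentGroups = @{
    'Build Bots'       = @('Service Accounts')
    'Service Accounts' = @('All Automation')
    'All Automation'   = @()
    'Sales'            = @()
}
# Constructed direct memberships: user -> group(s)
$userGroups = @{
    'svc-build' = @('Build Bots')
    'alice'     = @('Sales')
    'bob'       = @('Sales')
}
$groupIgnoreList = @('All Automation')   # ignoring the top-level parent also catches svc-build
$ipIgnoreList    = @('10.0.0.25')        # e.g. the Exchange server address seen for OWA logons

function Get-GroupClosure {
    param([string]$Group, [hashtable]$Parents, [System.Collections.Generic.HashSet[string]]$Seen)
    # Walk parent links with a visited set so a cyclic or self-referencing group cannot loop forever.
    if (-not $Seen.Add($Group)) { return }
    foreach ($p in ($Parents[$Group] | Where-Object { $_ })) { Get-GroupClosure $p $Parents $Seen }
}

function Test-IgnoredLogon {
    param([string]$User, [string]$IpAddress)
    if ($ipIgnoreList -contains $IpAddress) { return 'ignored: IP' }
    $seen = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($g in $userGroups[$User]) { Get-GroupClosure $g $parentGroups $seen }
    foreach ($ignored in $groupIgnoreList) {
        if ($seen.Contains($ignored)) { return "ignored: group '$ignored'" }
    }
    return 'collected'
}

# Constructed logon events
$events = @(
    @{ User = 'svc-build'; Ip = '10.0.5.7'  }   # Build Bots -> Service Accounts -> All Automation
    @{ User = 'alice';     Ip = '10.0.0.25' }   # OWA logon attributed to the Exchange server address
    @{ User = 'bob';       Ip = '10.0.9.3'  }   # ordinary interactive logon
)
foreach ($e in $events) {
    '{0,-10} {1,-12} {2}' -f $e.User, $e.Ip, (Test-IgnoredLogon $e.User $e.Ip)
}
```

The first event is dropped through the group rule even though svc-build is two levels below the ignored group, the second through the IP rule, and only bob's logon is collected. Note what the IP rule implies for the Exchange case: alice's OWA logon is discarded entirely, not re-attributed, so a user who only ever reaches the domain through OWA will never appear in the identity data sent to clients.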

Ignore user IP addresses and user group names
You can select Server Settings | MLC Group / IP Ignore List to ignore user IP addresses and user group names.

Task
1 Select Menu | Configuration | Server Settings.

2 Select MLC Group / IP Ignore List and click Edit. The Edit MLC Group / IP Ignore List page is displayed.

3 In Group Ignore List, enter the user group names as comma-separated values.


4 In IP Ignore List, enter the user IP addresses as comma-separated values.

5 Click Save.

MLC Group Filter
A group filter in Logon Collector enables you to filter user groups and send only relevant information to clients like McAfee Network Security Manager.

The group filter feature optimizes the data sent to clients from Logon Collector. In addition, the filtered user groups minimize the volume of transactions in the network and enable clients to use fewer resources when caching the data from Logon Collector.

The MLC Group Filter option is available under Menu | Configuration | Server Settings | Setting Categories.

Considerations for High Availability mode

Make sure to take care of these points when Logon Collector is in High Availability mode:

• The group filter settings can be configured on primary server only.

• Group filter configuration is replicated from primary to secondary server.

• When the secondary server is in standby mode, it is not possible to make group filter changes.

• If the primary goes down, you can make group filter changes from the secondary server.

Contents
Configure a group filter
Send filtered groups to clients

Configure a group filter
You can create a group filter and send only relevant details to clients.

Before you begin
If the client is connected, disconnect the client from the Logon Collector server prior to configuring the group filter.

If the client is in the connected state before you configure a group filter, the client has already received all the user groups instead of the filtered user groups.

Task
For option definitions, press F1 or click Help in the interface.

1 Go to Menu | Configuration | Server Settings | Setting Categories and click MLC Group Filter.

2 Click Edit. The Edit MLC Group Filter page is displayed.

3 Select the Enable Filter checkbox.

4 From Quick Find, select ALL DOMAINS or select a specific domain. The Available Groups and details for adomain are displayed.

You can also enter a search keyword and click Apply.


5 Press the Ctrl key and select the user groups from the list. Click Add. The Added Groups are displayed.

You can click Add all to select all user groups. If you then click Save, the group filter is disabled. This isbecause all user groups are selected and no filter as such is created.

If you wish to remove any user groups, click Remove to refine your filter.

6 Click Save. The group filter is configured and the MLC Group Filter page is displayed.

You can now connect the client to Logon Collector so that it can receive only filtered user groups anddetails. Users who are members of the selected user groups are sent to the client, and also the logonevents are sent only for users of the selected user groups.

Send filtered groups to clients
Logon Collector can configure a group filter, save the filter settings, connect to the client, and send filtered user groups and details.

These are the high-level steps to send filtered user groups to clients.

Task
1 Add a monitored domain — Populates Logon Collector's database with all the user groups

2 Configure a group filter — Select from the available user groups and save the group filter settings

3 Connect to the client — Client receives the filtered user groups and information

Users who are members of the selected user groups are sent to the client. The logon events are sentonly for users of the selected user groups.

Configuring the IP address for Logon Collector server client communication
When multiple IP addresses are present in the Logon Collector server, it listens on all the IP addresses.

During High Availability failover, when the primary server is inactive or is not reachable, the secondaryserver changes from standby to active state. The latter continues to establish communication with theprimary server. Once the primary server is active, the secondary server changes its state to standby(or passive) and the primary server regains its active state.

When the primary server is unavailable, the Logon Collector clients have to retry all the IP addressesof the primary server before switching over to the secondary server. This delays the failover processfor the client.

To overcome this problem, the Logon Collector allows you to selectively choose the IP addresses forcommunication. Logon Collector HTTPS port will continue to listen to all the IP addresses. The clientscommunication and High Availability communication will happen through the selected IP address.When the primary server is not available, the Logon Collector clients have to retry only the configuredprimary IP address before switching to the secondary server.

Configure MLC Communication IP Address
To configure MLC Communication IP Address:

Task
1 Select Menu | Configuration | Server Settings.

2 Click MLC Communication IP Address.


3 Click Edit at the bottom right corner to select an IP address from the drop-down list.

Figure 5-1 Edit MLC Communication IP Address

4 Click Save.

MLC User Login Timeout
The Logon Collector provides an option to modify how long a logon event is retained in the Logon Collector server. By default, a logon event is stored in the Logon Collector server for 6 hours. Choose the value with care: a longer timeout keeps a user-to-IP-address mapping alive after the user has logged off, so clients that enforce identity-based policy can attribute another person's traffic from that address to the stale user; a shorter timeout drops mappings for users who are still logged on but have generated no new logon event.

Configure MLC User Login Timeout
To configure MLC User Login Timeout:


Task
1 Select Menu | Configuration | Server Settings.

2 Click MLC User Login Timeout.

Figure 5-2 MLC User Login Timeout

3 Click Edit at the bottom right corner to modify the time. The logon event will be stored in the LogonCollector server according to the configured time.

Figure 5-3 Edit MLC User Login Timeout

4 Click Save.


Printing and exporting
Configure the settings for exported documents.

Figure 5-4 Printing and Exporting option

See also About server settings on page 33

Server certificate
In this section, you configure the certificate that the Logon Monitor uses to authenticate itself to the Logon Collector.

Ensure that you have a certificate for the Logon Monitor, whether it is a newly generated (by the Logon Monitor) self-signed certificate or one generated by a Certificate Authority. The Logon Monitor will not function without a certificate. However, for a local Logon Monitor, you do not need a self-signed certificate.

• Distinguished Name — The Distinguished Name contains the Common Name and other attributesthat the Logon Monitor needs to identify the certificate found in its store (see Store Name below)that should be used to authenticate to the server.

For example, string cn=dlc.centserv.org,o=centserv,c=us could be the Distinguished Name,comprised of the certificate’s Common Name (cn), organization name (o) and country of origin (c).To use a self-signed certificate, you only need to use the Common Name (prefixed with cn=) foridentification.

• Store Name — The Store Name, or Certificate Store name, is where the Logon Monitor looks tofind its certificates. The default setting for the Store Name is McAfeeLogonMonitor\MY. This uses theStore Type CERT_SYSTEM_STORE_SERVICES. If the Logon Monitor is running in standalone mode, usethe Store Name MY. This uses the Store Type CERT_SYSTEM_STORE_CURRENT_USER.


• Generate Self-Signed Certificate — Only available when the Distinguished Name field is notblank, the Generate Self-Signed Certificate button generates a self-signed certificate and places itin the certificate store identified by Store Name.

For a separate installation of Logon Monitor, you must generate a certificate so that you can connectthe Logon Monitor to a Logon Collector.

• View Certificate — Only available when the Distinguished Name field is not blank, the ViewCertificate button displays a Windows-standard certificate viewer displaying the certificate matchingthe Distinguished Name, if one is found in the store.

See also About server settings on page 33

About Personal Settings
Use the Personal Settings window in Menu | Configuration | Personal Settings to edit the password for whoever is currently logged on and the period in minutes for non-Dashboard tables to refresh if they are set to auto-refresh.

Logon Monitor configuration
The Logon Monitor runs as a Windows service and starts automatically after every power cycle. This section describes configuring the Logon Monitor software.

You configure the Logon Monitor with an application named Logon Monitor Configuration on the Windows computer on which you installed the Logon Monitor software. If you are not configuring the Logon Monitor as part of the installation, go to the Start menu and select Logon Monitor Configuration (for example, by default in Start | Programs | McAfee Logon Monitor | Logon Monitor Configuration) to display the McAfee Logon Monitor Configuration window.

You do not have to restart the Logon Monitor service when you make configuration changes. Changes take effect after you click OK. Logon Monitor configuration information is stored in the Windows Registry.

See also
Install a Logon Monitor on page 19
Local Logon Monitor settings on page 34


Configuration tab
The Configuration tab contains the settings for the Logon Monitor.

Figure 5-5 Configuration tab

Remote tab
The Remote tab contains the certificate common name and certificate hash of any Logon Collector to which this Logon Monitor connects.


The Logon Monitor accepts any number of certificates in the Remote tab.

Figure 5-6 Remote tab

See also Add a Logon Collector certificate to a Logon Monitor on page 28

Use MMC to manage Logon Monitor certificates
Logon Monitor uses the Microsoft Certificate store to manage the certificates it generates. After you install the Logon Monitor, the easiest way to view the certificates is to use the Microsoft Management Console (MMC) to view the Certificate store for the Logon Monitor service.

To use MMC:

Task
1 Start MMC (Start | Run | MMC).

2 Navigate to File | Add/Remove Snap-in to display the Add/Remove Snap-in window.

3 Click Add to display the Add Standalone Snap-in window.

4 Select Certificates and then click Add to display the Certificates snap-in window.

5 Select Service account on the Certificates snap-in window, and then click Next.


6 Select Local Computer, and then click Next.

7 Select the Logon Monitor service (the service whose store is named in Store Name, McAfeeLogonMonitor\MY by default) from the list of services and then click Finish.

8 Click Close on the Add Standalone Snap-in window.

9 Click OK on the Add/Remove Snap-in window to close it.

MMC displays the certificate information for the Logon Monitor.

10 Right-click a certificate or a store to import certificate lists in the display.

Import or remove a server or client CA certificate for Logon Monitor
See the Microsoft documentation on the Certificate snap-in for MMC for information on importing a certificate as a Certificate Authority (CA) for Logon Monitor.

This is only useful when the Logon Monitor's Certificate Checking is set to Certificate Store, the mode in which a remote certificate is accepted because a CA in the store signed it. With Certificate Hash checking, the CA is not consulted.

Use NTLMv2 with Logon Monitors
McAfee recommends that you use Kerberos as the authentication type. If you want to use NTLM, you should use NTLMv2 as described in this section. The older LM and NTLMv1 challenge-response methods produce responses that an attacker who captures them on the network can brute-force offline to recover the actual password.

Read this section to learn how to use the NTLMv2 authentication method for a more secure connection between a Logon Monitor and a domain controller.

McAfee recommends that you use the NTLMv2 authentication method on Windows 2008 and Windows 2012 servers when you are running a Logon Monitor. This enables the Logon Monitor to use NTLMv2 to authenticate to the domain controllers. This can only be accomplished by modifying the Registry; no changes are required on the domain controllers.

This procedure requires modifying the Windows Server Registry. Improper editing of the Registry could leave your system completely unusable or in an unstable state. Make a backup of your Registry before proceeding. For more information, see Microsoft support article 322756 (http://support.microsoft.com/kb/322756/). If the Windows Server offers other services and there are clients that do not support NTLMv2 (for example, Windows 95 or Windows 98), this change prevents these old clients from using the server.

To force the use of NTLMv2:

Task
1 Log on to the Windows Server where the Logon Monitor runs.

2 Start the Registry editor (Start | Run | regedit).

3 Navigate to the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

4 Right-click the value LmCompatibilityLevel. If the value does not exist, create it as a DWORD value with that name.

See: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/76052.mspx

5 Click Modify.

6 Type the number 5 (send NTLMv2 responses only, refuse LM and NTLMv1, and negotiate NTLMv2 session security if the server supports it) and click OK.


7 Restart the Windows Server.

8 Ensure the IAM status on the Logon Collector is UP after 10 minutes.
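The registry steps above, as PowerShell. This is an added example, not from the guide: it exports the Lsa key as a restorable backup, sets LmCompatibilityLevel to 5 and reads the value back, failing loudly if the backup or the verification does not succeed. Run it in an elevated PowerShell on the server that hosts the Logon Monitor; it does not restart the server for you.

```powershell
# Added example, not McAfee code: force NTLMv2 on the Logon Monitor host with a backup and a read-back.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'LmCompatibilityLevel'
$wanted    = 5   # send NTLMv2 responses only; refuse LM and NTLMv1

# Back up the key before editing it (reg.exe export writes a .reg file you can re-import).
$backup = Join-Path $env:TEMP ('Lsa-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; not changing $valueName." }
Write-Host "Backup written to $backup"

# An absent value means the operating system default applies, which is why the check below
# treats $null like any other value that is not 5.
$current = (Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { Write-Host "$valueName is not set (OS default applies)." }
else                    { Write-Host "Current $valueName = $current" }

# Anything below 3 still lets this host send LM or NTLMv1 responses; 5 also refuses them
# from clients when this host is the one authenticating others.
if ($current -ne $wanted) {
    Set-ItemProperty -Path $lsaKey -Name $valueName -Value $wanted -Type DWord
}

$after = (Get-ItemProperty -Path $lsaKey -Name $valueName).$valueName
if ($after -ne $wanted) { throw "Verification failed: $valueName is $after, expected $wanted" }
Write-Host "$valueName = $after. Restart the server, then confirm the IAM status on the Logon Collector is UP."
```

If the Logon Monitor's IAM status does not come back UP after the restart, the quickest rollback is to double-click the exported .reg file (or run reg.exe import on it) and restart again.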


6 High Availability (Clustering)

This chapter discusses the High Availability (HA) feature.

The terms High Availability and cluster are used interchangeably throughout the chapter.

Contents

Overview

Configuration basics

Configuration data replication

Logon events replication

Limitations

Disable a cluster

Reconfigure a cluster

Overview

The high availability feature enables the McAfee® Logon Collector to exist in the form of a primary server and a secondary server. In this scenario, when the primary server is inactive or is not reachable, the secondary server changes from standby to active mode. The secondary server keeps polling the primary server to check whether it is available again. Once the primary server is active, the secondary server changes back to the standby state. The clients that were connected to the primary server switch over to the secondary server when the primary server becomes unreachable. When the primary server becomes active again, the clients switch back to the primary server.

Logon Collector can exist in the following modes:

• Standalone

• Cluster

Logon Collector can exist in the following states:

• Active

• Standby

Configuration basics

This section gives the details about the configuration basics of the High Availability feature.


Prerequisites for High Availability

Listed below are the prerequisites for the High Availability feature:

• Two Logon Collector servers (primary and secondary server) must be available.

• The domain controller(s) to be monitored must always be reachable from both the Logon Collector servers.

• Both the primary and secondary servers must be able to communicate with each other.

• Both the primary and secondary servers must either use self-signed certificates or certificates signed by a common CA.

High Availability setup

To configure a cluster:

Task

1 Install Logon Collector on two different servers (Windows Server 2008 or Windows Server 2012).

2 On the server that you intend to select as primary, select Menu | Configuration | Cluster Configuration.

Figure 6-1 Cluster Configuration option

The Cluster Configuration window opens.


3 Click Edit. The Edit Cluster Configuration window opens.

Figure 6-2 Cluster Configuration window

4 Select the Enable clustering box, and select Primary. Click Save.

Figure 6-3 Edit Cluster Configuration window for primary server configuration

5 On the server that you intend to select as secondary, select Menu | Configuration | Cluster Configuration to open the Cluster Configuration window.


6 In the Edit Cluster Configuration window, select the Enable Clustering box and select Secondary. Enter the following details:

• Primary Server (<IP Address>:<Https port>)

• Admin username for primary server

• Admin password for primary server

Figure 6-4 Edit Cluster Configuration window for secondary server configuration

Click Next. The Enable Cluster Task window opens.


7 Click Yes to display the HTTPS port certificate of the primary server.

The cluster will be formed only if you accept the certificate.

This message gives the information about the configuration settings after a cluster formation is complete.

Figure 6-5 Enable Cluster Task window

Click No if you do not want to overwrite the configuration settings.

8 In the Primary MLC Certificate window, click Accept Certificate and Enable Clustering.

This initiates the certificate exchange between the primary and secondary servers, and enables the trust establishment.

Figure 6-6 Primary MLC Certificate window

The Cluster Configuration window opens.


9 The Cluster Configuration window shows the following details:

• MLC Cluster Configuration Enabled — The status of cluster configuration

• Status — The status of the server

• Primary Server IP address — The IP address of the primary server

• Https port number of primary server — The HTTPS port number used by the peer server during cluster creation

• JMS port number of primary server — The Java Messaging Services (JMS) port number used by the peer server and clients for transferring data

Figure 6-7 Cluster Configuration window after cluster formation

See also Reconfigure a cluster on page 59

Configure High Availability in Public Key Infrastructure (PKI) setup

You can also configure the High Availability feature in a Public Key Infrastructure (PKI) setup. The steps to configure the cluster in this scenario remain the same as described earlier.

Pre-requisites for High Availability in Public Key Infrastructure (PKI) setup

The following steps are the pre-requisites for high availability in Public Key Infrastructure (PKI) setup:

1 Select Menu | Configuration | Trusted CAs and add the CA root certificate on both the High Availability peers.

2 Select Menu | Configuration | Server Settings | Identity Replication Certificate to replace the Identity Replication certificate with the CA-signed certificate for the respective servers.

The CA root certificate and the CA-signed certificate should be added for the clients.

Error scenarios

An error message will be displayed for any one of the following scenarios:


• The certificate used by the primary server is self-signed, while the certificate used by the secondary server is signed by a CA.

• The certificate used by the secondary server is self-signed, while the certificate used by the primary server is signed by a CA.

• The certificates used by the primary and secondary servers are signed by two different CAs. In this case, the cluster configuration is successful, but the status will be displayed in red.

The following figure shows the error message.

Figure 6-8 Error message
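The prerequisite list and the certificate error scenarios above describe conditions an administrator can check before clicking Save. The following script is an added example, not code from the McAfee guide or from the Logon Collector product. Run on one HA peer, it checks that the monitored domain controllers and the peer server are reachable, confirms that both peers present the same kind of HTTPS certificate (both self-signed, or both from the same issuer), and flags DHCP-assigned addresses, which this chapter later advises against. The host names and ports are placeholders, and the script assumes both peers listen on the same HTTPS port; adjust these to your environment.

```powershell
# Added example (not from the McAfee guide): pre-flight checks for a Logon Collector
# HA pair. Run it on each peer before enabling clustering. All names and ports below
# are placeholders (assumptions); replace them with your own servers.

$PeerServer        = 'mlc-peer.example.local'             # the other Logon Collector server
$HttpsPort         = 8443                                 # assumption: both peers use this HTTPS port
$DomainControllers = @('dc1.example.local', 'dc2.example.local')
$LdapPort          = 389

function Get-RemoteTlsCertificate {
    # Opens a TLS connection and returns the presented certificate for inspection only.
    # Validation is deliberately skipped: we are comparing certificates, not trusting them.
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    } finally { $tcp.Close() }
}

function Test-SelfSigned {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A self-signed certificate names itself as its issuer.
    return $Cert.Subject -eq $Cert.Issuer
}

$failures = @()

# 1. Every monitored domain controller must be reachable from this peer
#    (the guide requires this from both peers, so run the script on each).
foreach ($dc in $DomainControllers) {
    if (-not (Test-NetConnection -ComputerName $dc -Port $LdapPort -InformationLevel Quiet)) {
        $failures += "Domain controller $dc is not reachable on TCP/$LdapPort"
    }
}

# 2. The peers must be able to reach each other on the HTTPS port used for cluster creation.
if (-not (Test-NetConnection -ComputerName $PeerServer -Port $HttpsPort -InformationLevel Quiet)) {
    $failures += "Peer $PeerServer is not reachable on TCP/$HttpsPort"
} else {
    # 3. Both peers must use the same kind of certificate: both self-signed, or both from
    #    the same CA. A mixed pair is rejected; two different CAs cluster but show red.
    $localCert = Get-RemoteTlsCertificate -HostName 'localhost' -Port $HttpsPort
    $peerCert  = Get-RemoteTlsCertificate -HostName $PeerServer -Port $HttpsPort
    $localSelf = Test-SelfSigned $localCert
    $peerSelf  = Test-SelfSigned $peerCert
    if ($localSelf -ne $peerSelf) {
        $failures += "Certificate mismatch: one peer is self-signed and the other is CA-signed (cluster formation fails)"
    } elseif (-not $localSelf -and $localCert.Issuer -ne $peerCert.Issuer) {
        $failures += "Certificates issued by different CAs ('$($localCert.Issuer)' vs '$($peerCert.Issuer)'); cluster forms but status shows red"
    }
}

# 4. Peers should have static addresses: a DHCP lease change breaks peer and client connections.
$dhcpIfaces = Get-NetIPInterface -AddressFamily IPv4 -Dhcp Enabled -ErrorAction SilentlyContinue |
    Where-Object { $_.ConnectionState -eq 'Connected' }
if ($dhcpIfaces) {
    $failures += "DHCP is enabled on: $($dhcpIfaces.InterfaceAlias -join ', '); use a static address"
}

if ($failures.Count -eq 0) {
    Write-Host "All HA pre-flight checks passed."
} else {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The issuer comparison matches the issuer distinguished names only; two CAs with identical names would pass it, so treat it as a first check and confirm against the CA certificate added under Trusted CAs when in doubt.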

Check the status of cluster formation

This section discusses how to check the status of cluster formation.


1 Select Menu | Reporting | Status to verify the cluster formation status.

2 In the Status window, click Cluster Manager to view the message from the cluster member.

Figure 6-9 Status message of cluster formation in the primary server

Figure 6-10 Status message of cluster formation in the secondary server

Important:

The overall {IAM} status is RED since the {LAM} component status is RED.

Figure 6-11 Status window


Configuration data replication

• When a cluster is created, the primary server overrides the existing configuration of the secondary server.

• The secondary server exists in any one of the following states:

• Active — When the secondary server is disconnected from the primary server, it is known as the active secondary server.

• Standby — When the secondary server is connected with the primary server, it is known as the standby secondary server.

The standby secondary server does not allow you to make configuration changes; an error message will be displayed if you do so. Configuration changes can only be made on the active secondary server.

• Replication from the primary to the secondary server:

Once the cluster is configured, the configurations are replicated from the primary to the secondary server.

• Replication from the active secondary server to the primary server:

When the primary server goes down and comes up after a period of time, it receives the configuration details from the active secondary server.

• When the secondary server runs in standby mode, the {LAM} status is RED in the Status window. This is normal behavior because the Logon Collector stops {LAM} when it runs in standby mode.

Logon Collector should not be deployed on a DHCP machine: The peer Logon Collector servers must communicate with each other during a cluster formation, which may not be possible if the Logon Collector is deployed on a DHCP machine. McAfee products connected to the Logon Collector server on a given IP address will also be disconnected when the IP address changes because of the DHCP configuration. McAfee therefore recommends that you avoid deploying the Logon Collector on a DHCP system.

Logon events replication

Replication from the primary to the secondary server

The logon events on the active Logon Collector server are replicated to the standby Logon Collector server.

Replication from the active secondary server to the primary server

When the primary server goes down and comes up again after a period of time, it receives the replication data (logon events, users, groups) from the active secondary server.

When both primary and secondary servers are down, you must bring up the server that has the latest configuration first, followed by the other server. If you fail to do so, the data replicated across the servers might not be the latest.


Limitations

The following list shows the limitations of the High Availability feature:

• The split network scenario is not supported. It is important to ensure that the communications between primary and secondary are never interrupted. For example, if the network connectivity between the primary and the secondary server is down, the secondary server assumes that the primary server is not responding, waits for 5 seconds, and becomes active. When the communication is re-established, the primary server always overrides the configuration of the secondary server.

• The high availability feature works in the PKI setup, but the primary and secondary certificates must be signed by the same signer. Certificate Revocation List (CRL) is not supported.

• Other McAfee products using the Logon Collector 1.0 client library do not benefit from this feature, but they continue to work in this scenario.

Disable a cluster

To disable a cluster:

Task

1 On the secondary server, select Menu | Configuration | Cluster Configuration.

2 Deselect Enable clustering, and click Save.

The Disable Cluster Task window opens. Click Yes to continue.

Figure 6-12 Disable Cluster Task window for secondary server


3 Go to the Cluster Configuration window of the primary server.

4 Deselect the Enable clustering checkbox and click Save.

The Disable Cluster Task window opens. Click Yes to continue.

Figure 6-13 Disable Cluster Task window for primary server

When the cluster is disabled, the secondary server removes all configurations including logon monitors and domains, and functions as a standalone server.

The primary server will retain the configurations and will continue to monitor the configured domains as a standalone server.

See also Reconfigure a cluster on page 59

Reconfigure a cluster

The cluster can be reconfigured if the role of the servers needs to be reversed (for example, if you want the secondary server to behave as the primary server and vice versa).

Follow the steps below to reconfigure a cluster:

1 Disable the cluster.

2 Enable the cluster with new primary and secondary server configurations.


7 On-demand group and user refresh

This chapter gives the details of on-demand group and user refresh.

You can refresh the new user information at any time. This enables the Logon Collector server to synchronize its user/group data with the domain controller.

If the administrator adds a user to an Active Directory group in order to grant access to a resource, the administrator may use on-demand group refresh to update the Logon Collector and allow user access to the resource, without having to wait until the group refresh happens in the background.

McAfee recommends that you avoid running the group and user refresh tasks at the same time. Run the group refresh task approximately 20 minutes before the user refresh task to allow the group refresh task to be completed.

Other options displayed in the Server Tasks user interface that are not explained in this chapter are not related to the Logon Collector.

Contents

MFS Scheduler 2.5

On-demand group refresh

On-demand user refresh

Server Tasks Log


MFS Scheduler 2.5

You can perform the on-demand group and user refresh tasks if the MFS Scheduler 2.5 is enabled. MFS Scheduler 2.5 is enabled by default. Go to Menu | Software | Extensions to view the MFS Scheduler 2.5 in the list of the installed extensions.

Figure 7-1 MFS Scheduler 2.5

Both the user refresh and group refresh are implemented using MFS Scheduler. The interval for the scheduler tasks is stored in the SQL server and not in mlc-config.xml. Any change in the interval of these tasks will not be replicated from the primary to the secondary server.

On-demand group refresh

Select Menu | Automation | Server Tasks to configure the MLC Refresh Groups server task.

Figure 7-2 MLC Refresh Groups option

Options of group refresh

This section gives the details of the various options of group refresh.


Option 1: Run

Before you begin

Use this option to manually refresh the group information in the Logon Collector database (IDDS) by retrieving the latest group information from the domain controller datastore.

To manually refresh the group information:

Task

1 Select Menu | Automation | Server Tasks. Click the Run option of MLC Refresh Groups.

2 Under MLC Refresh Groups, click Run.

The Server Task Log page opens. This page gives the results of the group refresh action. By default, the records are sorted by time, with the latest record on top.

Figure 7-3 Results of group refresh action

3 Click MLC Refresh Group record to view the details.

Figure 7-4 Server Task Log Information page

Option 2: Edit

Use this option to change the scheduler settings for a task.

Select Menu | Automation | Server Tasks. Select MLC Refresh Groups and click Edit.


Tab 1: Description

Task

1 In the Server Task Builder page, the following details are displayed under the Description tab. Update the following fields:

• Name — MLC Refresh Groups

• Notes — Refresh all groups for all directories

• Schedule status — The schedule of the task

• Enabled — to enable an automatic refresh

• Disabled — to disable an automatic refresh

McAfee does not recommend using the Disabled action.

Figure 7-5 Server Task Builder page

2 Click Next. The Actions tab opens.

3 Click Save.

Tab 2: Actions

This tab shows the actions performed by Logon Collector.


Task

1 Under the Actions field, the MLC Group Sync option is selected by default.

Figure 7-6 Actions tab

2 Click Next. The Schedule tab opens.

3 Click Save.

Tab 3: Schedule

The Schedule tab enables you to change the scheduler settings for the task.

Task

1 In the Schedule tab, enter the following details. Update the following fields:

• Schedule Type — Select any one of the following schedule types from the drop-down list:

• Hourly

• Daily

• Weekly

• Monthly

• Yearly

• Advanced

McAfee recommends that you select the Daily option for Schedule Type.

• Start Date — Select the date from when you want to start the task.


• End Date — Select the date by when you want to stop the task.

McAfee recommends that you select the No End Date option so that no end date is configured for the task.

• Schedule — Click to add a new scheduled time. Click to remove an existing scheduled time.

• At — Select the At option from the drop-down list to run the task at a specific time.

• Between — Select the Between option from the drop-down list to run multiple tasks in a specific range of time.

Figure 7-7 Schedule tab

McAfee recommends that you set the schedule time such that the MLC Group Refresh task starts at least 20 minutes before the MLC User Refresh task.

2 Click Save.

Tab 4: Summary

Go to the Summary tab to view the following details:

• Name — The name of the task

• Notes — Any notes related to the task

• Task Owner — The owner of the task

• Schedule Status — The status of the scheduled task


• Schedule — The details about start date, end date, time frame, and next run time of the scheduled task

• Actions — The actions of the scheduled task, such as MLC Group Sync

Figure 7-8 Summary window

Click Save.

Option 3: View

Use this option to view the settings for the refresh groups.

Select Menu | Automation | Server Tasks. Select MLC Refresh Groups and click View.

The Server Tasks Details page opens. This page displays details of the group refresh action.

Figure 7-9 Server Task Details page


On-demand user refresh

Select Menu | Automation | Server Tasks to configure the MLC Refresh Users server task.

Figure 7-10 MLC Refresh Users option

Options of user refresh

This section gives the details of the various options of user refresh.

Option 1: Run

Before you begin

Use this option to manually refresh the user information in the Logon Collector database (IDDS) by retrieving the latest user information from the domain controller datastore.

To manually refresh the user information:

Task

1 Select Menu | Automation | Server Tasks. Click the Run option of MLC Refresh Users.

The Server Task Log page opens. This page gives the results of the user refresh action. By default, the records are sorted by time, with the latest record on top.

Figure 7-11 Results of user refresh action


2 Click the MLC Refresh Users record to view the details.

Figure 7-12 Server Task Log Information page

Option 2: Edit

Use this option to change the scheduler settings for a task.

Select Menu | Automation | Server Tasks. Select MLC Refresh Users and click Edit.

Tab 1: Description

Task

1 In the Server Task Builder page, the following details are displayed under the Description tab:

• Name — MLC Refresh Users

• Notes — Refresh all users for all directories


• Schedule status — The schedule of the task

• Enabled — to enable an automatic refresh

• Disabled — to disable an automatic refresh

McAfee recommends that you avoid using the Disabled action.

Figure 7-13 Server Task Builder page

2 Click Next to go to the Actions tab.

3 Click Save.

Tab 2: Actions

This tab shows the actions performed by Logon Collector.


Task

1 Under the Actions field, the MLC User Sync option is selected by default.

Figure 7-14 Actions tab

2 Click Next. The Schedule tab opens.

3 Click Save.

Tab 3: Schedule

The Schedule tab enables you to change the scheduler settings for the task.

Task

1 In the Schedule tab, enter the following details:

• Schedule Type — Select any one of the following schedule types from the drop-down list:

• Hourly

• Daily

• Weekly

• Monthly

• Yearly

• Advanced

McAfee recommends that you select the Daily option for Schedule Type.

• Start Date — Select the date from when you want to start the task.

• End Date — Select the date by when you want to stop the task.

McAfee recommends that you select the No End Date option so that no end date is configured for the task.


• Schedule — Click to add a new scheduled time. Click to remove an existing scheduled time.

• At — Select the At option from the drop-down list to run the task at a specific time.

• Between — Select the Between option from the drop-down list to run multiple tasks in a specific range of time.

Figure 7-15 Schedule tab

McAfee recommends that you set the schedule time such that the MLC Group Refresh task starts at least 20 minutes before the MLC User Refresh task.

2 Click Save.

Tab 4: Summary

Go to the Summary page to view the following details:

• Name — The name of the task

• Notes — Any notes related to the task

• Task Owner — The owner of the task

• Schedule Status — The status of the scheduled task


• Schedule — The details about start date, end date, time frame, and next run time of the scheduled task

• Actions — The actions of the scheduled task such as MLC User Sync

Figure 7-16 Summary

Click Save.

Option 3: View

Use this option to view the settings for the refresh users.

Select Menu | Automation | Server Tasks. Select MLC Refresh Users and click View.

The Server Tasks Details page opens. This page displays the details of the user refresh action.

Figure 7-17 Server Task Details page


Server Tasks Log

Select Menu | Automation | Server Task Log to view the group refresh and user refresh results of earlier executions.

Figure 7-18 Server Task Log page


8 User management

This section gives the details of user management for administrative access to the Logon Collector itself. To add users to the Active Directory, use the normal Active Directory configuration mechanisms in Windows.

Contents

Manage users

Manage permission sets

Manage contacts

Manage users

You can add users to Logon Collector and specify what access they have to the system.

Add or modify a user

To add or modify a user:

Task

1 Select Menu | User Management | Users.

2 Click New User to add, or click Actions | Edit to modify.

3 Define the user.

a Type a name for the user, or change the existing one.

b Specify whether the user is able to log on or not.

You cannot disable the logon status of the last remaining global administrator.

c Select an authentication type.

If you are modifying a user, first click Change Authentication or Credentials.

• For Logon Collector authentication, type a password and confirm it.

• For Windows authentication, type the user name and domain.

d [Optional] Provide other details for the user: full name, email address, phone number, and notes.


e Assign a permission set.

• Select Global administrator to provide complete access to the Logon Collector.

• Select a specific permission set or sets by clicking them.

4 Click Save.

See also Manage permission sets on page 76

Delete a user

To delete a user:

Task

1 Select Menu | User Management | Users.

2 Select a user or users by selecting the checkbox next to the user name.

3 Select Actions | Delete.

Manage permission sets

A permission set is a group of permissions, divided into sections, that can be granted to any user by assigning it to a user's account. One or more permission sets can be assigned to any user that is not a global administrator. Global administrators have all permissions to all features.

Permission sets grant permissions only — no permission set ever removes a permission.

See also Active Directory User login on page 34

See also Add or modify a user on page 75

See also Create a query group on page 82

Create permission sets

Use this task to create a permission set.

Task

1 Select Menu | User Management | Permission Sets, then click New Permission Set.

2 Type a name for the permission set and select the users to which the set is assigned.

3 Click Save.

4 Select the new permission set from the Permission Sets list.

Its details appear to the right.

5 Click Edit next to any section from which you want to grant permissions.

6 On the Edit Permission Set window that appears, select the appropriate options, then click Save.

7 Repeat for all desired sections of the permission set.


Delete permission sets

Use this task to delete a permission set. If the permission set has users assigned to it, those users will lose the permissions granted to them.

You must be a global administrator to perform this task.

Task

1 Select Menu | User Management | Permission Sets, then select the permission set that you want to delete in the Permission Sets list.

Its details appear to the right.

2 Click Actions | Delete.

The Action pane informs you whether any users are assigned to the permission set and gives youthe opportunity to cancel the action.

3 Click OK in the Action pane.

The permission set no longer appears in the Permission Sets list.

Duplicate permission sets

Use this task to duplicate a permission set. Duplicating a permission set creates an in-memory copy of the selected permission set that can be modified and saved with another name.

You must be a global administrator to perform this task.

Task

1 Select Menu | User Management | Permission Sets, then select the permission set that you want to edit in the Permission Sets list.

Its details appear to the right.

2 Click Actions | Duplicate, type a New name in the Actions pane, then click OK.

3 Select the new duplicate in the Permission Sets list.

Its details appear to the right.

4 Click Edit next to any section for which you want to grant permissions.

5 On the Edit Permission Set window that appears, select the appropriate options, then click Save.

6 Repeat for all sections of the permission set for which you want to grant permissions.

Manage contacts

To make selecting recipients for reports and data easier, Logon Collector provides a Contacts feature where you can define names and email addresses for contacts.

See also Define export criteria on page 86


Add or modify a contact

To add or modify a contact:

Task

1 Click Menu | User Management | Contacts.

2 Click New Contact to add, or click Actions | Edit to modify.

3 Type a name for the user, or change the existing one.

The contact must include a name, and you can select either a first name only, a last name only, or both.

4 Type an email address.

5 Click Save.

Delete a contact

To delete a contact:

Task

1 Click Menu | User Management | Contacts.

2 Select a user or users by clicking the checkbox next to the contact name.

3 Click Actions | Delete.


9 Reporting

This section describes the status information the product provides so that you can verify that components are running as expected.

Contents

About the Status page
View who is logged on
View the audit log
Manage audit log queries
Define filter criteria
Define export criteria
View dashboards

About the Status page

Use the Status page to verify that components are running as expected. A round Status indicator is located beside each component. Components and statuses are described in the following table. For all systems, a green status indicator indicates that the system is operating correctly.

Table 9-1 System components

ID Manager {iam}
  Reports on: overall system status.
  Yellow status indicates: one or more of the component statuses are yellow.
  Green status indicates: Working fine.
  Red status indicates: One or more of the following components are red:
    • Login Acquisition Manager
    • Id Replication Manager
    • Login State Manager
    • Id Data Store
  Check specific components to identify the cause of the component failure.

Login Acquisition Manager {lam}
  Reports on: current state of queries to domain controllers.
  Yellow status indicates: one or more domains are yellow or red.
  Green status indicates: Working fine.
  Red status indicates: All domains are red.

ID Replication Manager
  Reports on: status of the Identity Replication to the clients.
  Yellow status indicates: Not applicable.
  Green status indicates: Working fine.
  Red status indicates: An exception has occurred. A brief message describing the exception is provided. Check the Logon Collector logs to further identify the cause of failure.

Login State Manager {lsm}
  Reports on: whether the Login State Manager initialized correctly.
  Yellow status indicates: Not applicable.
  Green status indicates: Working fine.
  Red status indicates: Initiation failed. Check the Logon Collector logs to identify the cause of failure.

ID Data Store {idds}
  Reports on: statistics on the number of objects stored.
  Yellow status indicates: Not applicable.
  Green status indicates: Working fine.
  Red status indicates: Initiation failed. Check the Logon Collector logs to identify the cause of failure.

ID Resolution {pnd}
  Reports on: whether queries for user information from Active Directory have been serviced after a logon is detected.
  Yellow status indicates: there are more than 1000 logons in the pending queue waiting for user information to be resolved.
  Green status indicates: Working fine.
  Red status indicates: No red status.

Logon Flow {logons}
  Reports on: how many logons have been detected within the last minute.
  Yellow status indicates: no logons have been detected in the last hour.
  Green status indicates: Working fine.
  Red status indicates: No logons have been detected in the last twelve hours.

Cluster Manager {cluster}
  Reports on: the health of the cluster and the messages being exchanged between the cluster members.
  Yellow status indicates: Not applicable.
  Green status indicates: the cluster manager is working fine.
  Red status indicates: The communication between the cluster members is down or one of the cluster members is not available.

See also View dashboards on page 87

View who is logged on

Logon Collector provides a report of the IP addresses that a user is using.

To view who is currently logged on and to what IP address:

Task

1 Select Menu | Reporting | Logon Report.

2 [Optional] To search on a particular IP address or user name, type the value into the Quick find field, then click Apply.


3 [Optional] Configure the display of columns:

a Select Actions | Choose Columns.

b Align the columns by clicking a left or right arrow to move the column.

c Remove a column by clicking the X button.

Reset your changes by clicking Use Default.

Tasks

• Export report of who is logged on on page 81

Export report of who is logged on

Before you begin

You can save reports of who is logged on and email them.

To email a report of who is logged on:

Task

1 Select Menu | Reporting | Logon Report.

2 Specify the contents of the report by applying filters as desired.

3 Select Actions | Export Table.

View the audit log

Before you begin

Logon Collector provides an audit log report that lists the changes made to the server configuration.

To view the audit log:

Task

1 Select Menu | User Management | Audit Log.

2 [Optional] Define an advanced filter.

3 [Optional] Select a pre-defined filter from the drop-down list.

4 [Optional] Click an audit log entry to see the information for a single row displayed as rows instead of columns.

5 [Optional] Configure the display of columns:

a Select Actions | Choose Columns.

b Align the columns by clicking a left or right arrow to move the column.

c Remove a column by clicking the X button.

Reset your changes by clicking Use Default.


Tasks

• Export the audit log on page 82

See also Define filter criteria on page 85

Export the audit log

You can save specific views of the audit log and email them.

To email an audit log:

Task

1 Select Menu | User Management | Audit Log.

2 Specify the contents by applying filters as desired.

3 Select Actions | Export Table.

See also: Email Server on page 34; Define filter criteria on page 85; Define export criteria on page 86

Manage audit log queries

Audit log queries enable you to retrieve specific views of the audit log instead of the simpler view available by default. Queries against the audit logs are grouped into private and shared groups.

Create a query group

Task

1 Select Menu | Reporting | Queries.

2 Select Group Actions | New Group.

3 Type a name to identify the group.

4 Specify the group’s visibility.

• Private group — appears in My Groups.

• Public group — appears in Shared Groups.

• By permission set — appears in Shared groups but accessible only to those that are assigned the selected permission sets.

See also Manage permission sets on page 76


Delete a query group

Task

1 Click a group name.

2 Select Group Actions | Delete Group.

3 Click OK to confirm the deletion.

Edit a query group

Task

1 Click a group name.

2 Select Group Actions | Edit Group.

3 Change the name of the group, and optionally the group’s visibility.

4 Click Save.

Create audit log queries

To create an audit log query:

Task

1 Select Menu | Reporting | Queries.

2 Click New Query, then click Next to begin the Query Wizard.

3 Define the chart type.

a Select the type of chart by clicking it.

b Configure the chart.

The available options differ depending on the type of chart you select.

c Click Next to proceed in the query wizard.

4 Configure the display of columns.

a Align the columns by clicking a left or right arrow to move the column.

b Remove a column by clicking the X button.

c Click Next to proceed in the query wizard.

5 [Optional] Configure filters.

6 Click Run.

The query is run and the results are displayed.

7 [Optional] Click Edit Query to adjust criteria.

8 When you are satisfied with the report, click Save.


9 Finish configuring the query:

a Type a name to identify the query.

b [Optional] Type notes to describe the query.

c Assign the query to a query group.

Define a new group or select from the list of existing groups.

10 Click Save.

The query appears on the main Queries window. You may need to clear the Quick find text box.

Import audit log queries

Before you begin

You can save your audit log queries outside the Logon Collector as files, and then import them into the Logon Collector.

To import a query as a file:

Task

1 Select Menu | Reporting | Queries.

2 Select Actions | Import Query.

3 Click Browse to navigate to the file that contains your audit log query.

4 Assign the query to a query group.

Define a new group or select from the list of existing groups.

5 Click Save.

The query appears on the main Queries window. You may need to clear the Quick find text box.

Query actions

Before you begin

To apply Actions to queries:

Task

1 Select the checkbox next to the desired query, or click the Queries checkbox at the top to apply an action to all queries.

2 Select an action from the list.

Select this action: To do this

Delete: Delete the selected queries.

Duplicate: For single queries only, create a duplicate of the selected query. In the Duplicate window, type a new name for the query, and assign the query copy to a query group.

Edit: For single queries only, enables you to alter the properties that affect the results for the selected query.

Export Data: Export the results of the selected queries as an email attachment.

Export Query Definition: For single queries only, export the query definition as an XML file. In the Opening query window, specify whether to open the file with an XML application, or save the file. The file is saved according to the path defined for your web browser.

Import Query: Import a query stored as a file.

Move to Different Group: Move the selected queries to a different group.

New Query: Create a new query.

Run: Execute the query and view the results.

View Query SQL: For single queries only, view the selected query as a SQL statement.

Tasks

• Import audit log queries on page 84

• Create audit log queries on page 83

See also Define export criteria on page 86

Define filter criteria

Filter criteria are available when you select:

• The Boolean Pie Chart type

• Next after step 3 of the Query Wizard

• Advanced Filter for Audit Log

Available properties are Action, Completion Time, Details, Priority, Start Time, Success, and User Name.


To manage criteria for the filter:

Task

1 Click the right arrow in the Available Properties column to activate that property.

2 [Optional] Click the plus sign at the end of the Property row to create an additional comparison item.

3 By default, an additional item is evaluated with an “OR” operator. Click and in the and/or box to change this.

4 [Optional] Click the left arrow next to the Property to remove it from consideration.

5 Click OK, or Update Filter depending on how you arrived at the filter criteria.

See also: View the audit log on page 81; Export the audit log on page 82

Define export criteria

When you choose to export data or a table, you must define the format of the exported file.

Task

1 Select an export action:

• For a query, select Export Data.

• For a Logged On report, or Audit Log, select Export Table.

2 Review the information to be exported.

• For queries, the names of the queries are listed.

• For a Logged On report, a unique identifier and the number of data items are displayed.

3 [Optional] Select Zip the output files to compress the report.

4 Select a file format from CSV, XML, HTML, and PDF.

For PDF, also specify a page size, page orientation, optionally select to show filter criteria, and optionally specify cover page text.

5 Configure the email.

You must already have a configured email server.

a Specify recipients by typing them, or by selecting them from a dialog box.

b Type a subject line.

c Add text for the body of the email message.

6 Click Export.

See also: Export the audit log on page 82; Query actions on page 84; Email Server on page 34; Manage contacts on page 77

View dashboards

The Dashboards user interface option is not applicable for Logon Collector 2.1.

See also About the Status page on page 79


10 Integration with other McAfee products

This chapter discusses the integration of McAfee® Logon Collector with other McAfee® products.

Every client (product) connecting to Logon Collector must have a different certificate with a unique Common Name. This ensures that more than two clients can seamlessly connect to Logon Collector.

Contents

Integration with McAfee Next Generation Firewall
Integration with McAfee Firewall Enterprise
Integration with McAfee Firewall Enterprise Control Center
Integration with McAfee Network Security Manager
Integration with McAfee Data Loss Prevention

Integration with McAfee Next Generation Firewall

McAfee Next Generation Firewall (NGFW) with McAfee Logon Collector improves user identification for access control by user. Integration with NGFW provides the following benefits:

• Support Active Directory (AD) domains

• High Availability using a primary and secondary Logon Collector server

• Monitoring of logon events from Microsoft Exchange Servers in addition to monitoring events from the domain controller (DC).

Integration requirements for McAfee Next Generation Firewall

The following list gives the details of the integration requirements:

• Logon Collector version — 3.0

• Next Generation firewall version — 5.8 and later.

Upgrade path

If you are a Next Generation Firewall user and wish to upgrade to Logon Collector 3.0, perform these high-level steps:

1 Upgrade Logon Collector 2.2 to Logon Collector 3.0.

2 Upgrade Next Generation firewall to the new version that has the Logon Collector 3.0 support.

The following sections provide the steps to configure the integration with Next Generation Firewall.

Export SMC certificate

You should export the SMC certificate for communicating with MLC.

Task

1 In SMC, navigate to Configuration | Administration | Expand Other Elements | Internal Certificate Authorities.

2 Right click on StoneGate CA and select Properties.

3 In the Certificate tab click Export.

4 Copy the exported certificate to a local folder.

Import SMC certificate to MLC

Perform the following steps to import the SMC certificate to MLC.

Task

1 In MLC, navigate to Menu | Trusted CA | New Authority | Import Certificate.

2 Click Browse and select the certificate that you copied earlier from SMC.

Export Certificate from MLC

You should export the certificate from MLC and copy it to the SMC server.

In the MLC, perform the following steps:

Task

1 Navigate to Menu | Server Settings | Identity Replication Certificate.

2 From the Base 64 field, copy and paste the certificate to a notepad file.

After pasting into the notepad file, make sure you type -----BEGIN CERTIFICATE----- on the line before the beginning of the certificate and -----END CERTIFICATE----- on the line after the end of the certificate.

If you do not add these lines, a fingerprint error occurs when you upload the certificate in SMC.

3 Copy and paste the certificate to a local location.
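The wrapping that step 2 requires, as an added example in Python that is not part of the guide or the product: it takes the bare Base 64 text copied from the Identity Replication Certificate field, validates it, adds the BEGIN/END CERTIFICATE lines at 64 columns, and computes a fingerprint of the decoded bytes. The sample certificate bytes are constructed (not a real certificate), and whether SMC displays a comparable fingerprint is an assumption to check against your SMC version.

```python
import base64
import hashlib
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in for the DER bytes of the Identity Replication
# Certificate. It is NOT a real certificate; it only exercises the wrapping,
# validation and fingerprint logic offline.
SAMPLE_DER = b"constructed-sample-certificate-bytes" * 4
SAMPLE_BASE64 = base64.b64encode(SAMPLE_DER).decode("ascii")


def wrap_base64_as_pem(raw: str) -> str:
    """Turn the bare Base 64 text copied from the MLC console into a PEM block.

    Surrounding whitespace and any armor lines already present are stripped,
    the body is validated as base64 (so a bad paste fails here instead of as a
    fingerprint error on the SMC side), then rewrapped at 64 columns between
    the BEGIN/END lines the guide says SMC requires.
    """
    lines = [line.strip() for line in raw.strip().splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)  # rejects non-base64 characters
    if not der:
        raise ValueError("empty certificate body")
    wrapped = "\n".join(textwrap.wrap(body, 64))
    return f"{BEGIN}\n{wrapped}\n{END}\n"


def is_pem_armored(text: str) -> bool:
    """True when the first and last non-blank lines are the required armor."""
    lines = [line.strip() for line in text.strip().splitlines()]
    return len(lines) >= 3 and lines[0] == BEGIN and lines[-1] == END


def pem_body_bytes(pem: str) -> bytes:
    """Decode the DER bytes between the armor lines; refuses unarmored input."""
    if not is_pem_armored(pem):
        raise ValueError("certificate is missing the BEGIN/END CERTIFICATE lines")
    body = "".join(line.strip() for line in pem.strip().splitlines()[1:-1])
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str, algorithm: str = "sha256") -> str:
    """Colon-separated hex digest of the DER bytes, the usual fingerprint form."""
    digest = hashlib.new(algorithm, pem_body_bytes(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    pem = wrap_base64_as_pem(SAMPLE_BASE64)
    print(pem)
    print("SHA-256 fingerprint:", fingerprint(pem))
```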

Configure Next Generation Firewall to MLC

You should configure the Next Generation Firewall to the MLC.

Task

1 Navigate to Configuration | Security Engine | Other Elements | Engine Properties.

2 Right click on User Agents and navigate to New | Logon Collector.

3 In the Name field, type the name for the Logon Collector.

4 Type the IP address of Logon Collector in the IP Address field and click OK.

5 In the Certificate tab, click Import and select the certificate copied from the MLC server.

6 Select the Next Generation Firewall that should be configured to the MLC.

7 Right click on the Next Generation Firewall and navigate to Edit Firewall | Add-Ons | User Agent.


8 In the User Agent drop-down list, select the MLC that you configured in steps 3 and 4.

9 Click Save and upload.

Verify MLC connection

After configuring the Next Generation Firewall to MLC, perform the following steps to verify the MLC connection.

Task

1 In the System Status page, select the Firewall node.

2 Click the Appliance Status tab.

3 The MLC connection status shows green when the MLC connection is up.

You can also verify the logged in users from MLC, by navigating to Monitoring | Users | FW.

Integration with McAfee Firewall Enterprise

You can use Passive Passport in McAfee® Firewall Enterprise to allow matching users to connect without prompting for authentication.

If your organization uses Microsoft Active Directory, each user is defined as an Active Directory object. The firewall monitors the authentication status, group membership, and current IP address of each user by communicating with the McAfee® Logon Collector software, which is installed on a Windows server. Users are authenticated by the Active Directory server. They are not prompted for authentication by the firewall.

Integration requirements

The following list gives the details of the integration requirements:

• Logon Collector version — 3.0

• Firewall Enterprise version — 8.x and later

Upgrade path

If you are a Firewall Enterprise user and wish to upgrade to Logon Collector 3.0, perform these high-level steps:

1 Upgrade Logon Collector 2.2 server to Logon Collector 3.0 server.

2 Upgrade Firewall Enterprise to the new version that has the Logon Collector 3.0 client.

Passive identity validation

You can use Passive Passport to allow matching users to connect without prompting for authentication.

The following high-level tasks must be performed to use Passive Passport:

Task

1 Define users on an Active Directory server.

2 Install Logon Collector on a Windows server. You can choose to skip this step if you have already installed Logon Collector.


3 On the Firewall Enterprise Passport window, enable Passive Passport and configure the connection between the Firewall Enterprise and Logon Collector.

4 In the Rule Properties window for access control rules or SSL rules, allow connections for selected users and groups based on organizational criteria.

See also Install Logon Collector on page 13

Configure Passive Passport

Configure the Passive Passport using the Firewall Enterprise Admin Console. Refer to the McAfee Firewall Enterprise Product Guide for details.

Integration with McAfee Firewall Enterprise Control Center

When integrated with McAfee® Firewall Enterprise Control Center, Logon Collector polls Active Directory domain controllers for user characteristics, and sends this information to either or both of the appliances to correlate network traffic with user behavior. Further, to minimize the burden placed on a domain controller by Security Event Log queries (using WMI), the Logon Collector or Logon Monitor contacts the domain controller on behalf of McAfee appliances that require the Security Event Log information.

Integration requirements

The following list gives the details of the integration requirements:

• Logon Collector version — 3.0

• Firewall Enterprise Control Center version — 5.x and later

Upgrade path

If you are a Control Center user and wish to upgrade to Logon Collector 3.0, perform these high-level steps:

1 Upgrade Logon Collector 2.2 server to Logon Collector 3.0 server.

2 Upgrade Control Center to the new version that has the Logon Collector 3.0 client.

Refer to the section, McAfee Logon Collector in the McAfee Firewall Enterprise Control Center Product Guide to integrate Logon Collector and Control Center.

Integration with McAfee Network Security Manager

McAfee Network Security Manager is a browser-based user interface used to view, configure, and manage McAfee® Network Security Sensor appliance deployments.

Together with the Sensor and the Manager, McAfee Network Security Platform provides comprehensive network intrusion detection and can block, or prevent, attacks in real time, making it truly an intrusion prevention system (IPS). It is built for the accurate detection and prevention of intrusions, denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, and network misuse.

The Manager can display a variety of information about the hosts inside and outside a network.


The Logon Collector integrates with the Manager to display user names of the hosts in your IPS and NTBA deployments. The Logon Collector provides an out-of-band method to obtain user names from the Active Directories.

Benefits

This integration helps to provide information about source and destination users.

User groups for Sensor

These are the number of user groups supported for different Sensor models.

Sensor model: Supported user groups (8.0 Sensors / 8.1 and above Sensors)

M-series: 8.0 Sensors up to 2,000; 8.1 and above Sensors up to 10,000

NS-series: 8.0 Sensors up to 2,000 (Version 8.0 is not applicable to NS7x00 Sensors.); 8.1 and above Sensors up to 10,000

Virtual IPS: 8.0 Sensors up to 2,000; 8.1 and above Sensors Not Applicable

Important terms

This section describes the important terms associated with this integration.

Identity Acquisition Agent (IAA)

Identity Acquisition Agent (IAA) is deployed on the Network Security Platform side and is used as an interface to listen to the message service where the updates are published by the Logon Collector server.

McAfee® Network Security Manager MLC Listener

McAfee® Network Security Manager MLC Listener is the registered listener that regularly receives new updates from the Logon Collector through IAA.

Integration requirements

The following list gives the details of the integration requirements:

• Logon Collector version — 3.0

• McAfee® Network Security Manager version — 7.5.3.11 and later

Upgrade path

If you are a McAfee® Network Security Manager user and wish to upgrade to Logon Collector 3.0, perform these high-level steps:

1 Upgrade Logon Collector 2.2 server to Logon Collector 3.0 server.

2 Upgrade McAfee® Network Security Manager to the new version that has the Logon Collector 3.0 client.


How Logon Collector - McAfee® Network Security Manager integration works

Logon Monitors of the Logon Collector can be used to poll nearby domain controllers and forward collected information on to the Logon Collector, shortening the distance domain controller communication must travel.

Identity Acquisition Agent (IAA) is deployed on the McAfee® Network Security Manager side and is used as an interface to listen to the message service where the updates are published by the Logon Collector server. IAA listens to the Logon Collector Active Message Queue (MQ) service and regularly receives new updates from the Logon Collector server.

A listener for receiving the updates is registered with the IAA. The registered listener regularly receives new updates from the Logon Collector through IAA.

All IP to user bindings data are loaded into a newly created McAfee® Network Security Manager cache for the first time. The cache is subsequently updated with the differences on subsequent updates. As all the other components of the McAfee® Network Security Manager can query the McAfee® Network Security Manager cache, it is not required to communicate with the Logon Collector server each time an update happens.

The McAfee® Network Security Manager and Logon Collector can co-exist in the same server. However, McAfee does not recommend this co-existence as it can hamper the performance depending on the flow of traffic.

You do not need a special passphrase or license key to install the Logon Collector software.

Configuration details for Logon Collector integration

This section gives the configuration details for the integration between McAfee® Network Security Manager and Logon Collector server.

Configure integration at the admin domain level

You can enable the integration between the McAfee® Network Security Manager and the Logon Collector server at the admin domain level.

Task

1 Navigate to Manage | Integration | Logon Collector.

The Enable page is displayed.

2 To enable the MLC integration, select the Enable MLC Integration checkbox.


3 Enter the Server Name or IP Address and Server Port details.

Figure 10-1 Enable Logon Collector

4 To complete the integration, you have to synchronize the certificates between the MLC console and the Manager. Click the Export to file link to export the Manager certificate to MLC.

5 To import the MLC certificate, select Upload MLC Certificate, then import the certificate from its location by clicking Choose File.

6 Click Save.

To test the connection, click Test Connection.

Establishment of trust between Network Security Manager and Logon Collector server

Logon Collector communicates with the McAfee® Network Security Manager through a two-way SSL authentication. This requires the exchange of certificates between the McAfee® Network Security Manager and the Logon Collector server.

Import the Manager certificate into Logon Collector

Export the Manager certificate, save the file to your local directory, and import the file to Logon Collector. Refer to the McAfee® Network Security Manager documentation for exporting the Manager certificate.

Task

1 In the Logon Collector console, select Menu | Configuration | Trusted CAs.

2 Click New Authority to open the New Trusted Authority window.

3 Select Import From File, then click Browse to add the exported file saved in your local directory.

You can also use the Copy/Paste Certificate option.

4 Click Save.

Import the Logon Collector certificate

By default, Logon Collector is pre-installed with a self-signed certificate. If you have a different certificate signed by a CA, you can import this certificate and replace the existing Logon Collector certificate.


Task

1 In the Logon Collector console, select Menu | Configuration | Server Settings.

2 In the Settings Categories section, click Identity Replication Certificate.

3 Upload the Logon Collector certificate.

a Copy the Logon Collector certificate from the Logon Collector console and paste it in a newly created file in your local directory.

b Under Import Certificate section, click Upload MLC Certificate in the New MLC Certificate option.

c Select Upload MLC Certificate, then click Browse to add the Logon Collector certificate from your local directory.

If the existing Logon Collector certificate is changed, the clients connecting to Logon Collector, such as Firewall Enterprise and Network Security Manager, need to import the new Logon Collector certificate.

Display of Logon Collector details in the Threat AnalyzerYou can view user information received from the McAfee® Logon Collector server in Threat Analyzer.Refer to the McAfee® Network Security Manager documentation for details.

Display of Logon Collector details in Network Security ManagerreportsManager reports display the user information received for Logon Collector. Refer to the McAfee®

Network Security Manager documentation for details.

Integration with McAfee Data Loss PreventionMcAfee® Data Loss Prevention (NDLP or McAfee DLP) is delivered through the low-maintenanceappliance for streamlined deployment, management, updates, and reports. It provides complete datasecurity, data protection outside network, and easy deployment and management.

Historically, McAfee DLP Manager has been linked to SAMAccountName as the main user identification element. But if that attribute is applied to users in the same domain who have similar or matching user names, they cannot be positively identified. McAfee DLP now keys on the unique alphanumeric SID (Security Identifier) that is assigned to each user account by the Windows domain controller.

For example, the user name jsmith might belong to John Smith or Jack Smith, so more information would be needed to distinguish between those two users. Those individuals might even be using the same IP address, which would aggravate the problem of discovering the identity of the actual user.

But each account on an Active Directory server is made up of attributes that identify the individual who owns the account. Logon Collector matches the unique SIDs that are assigned to each Active Directory user to IP addresses, and all of the parameters associated with that SID are extracted when Logon Collector moves binding updates from the Active Directory server to McAfee DLP.

Because SAMAccountName was used to index data in earlier releases, that information might be lost during ad hoc searches when the user has upgraded to 9.0, or when the data residing in the capture database pre-dates the upgrade.


Integration requirements

The following list gives the details of the integration requirements:

• Logon Collector version — 3.0

• McAfee DLP version — 9.x and later

Upgrade path

If you are a McAfee DLP user and wish to upgrade to Logon Collector 3.0, perform these high-level steps:

1 Upgrade Logon Collector 2.2 server to Logon Collector 3.0 server.

2 Upgrade McAfee DLP to the new version that has the Logon Collector 3.0 client.

Using Active Directory User elements

All Active Directory elements are treated as word queries, and can be directed to specific LDAP servers.

When these elements are used in a query, columns supporting the parameter are configured in the search window and on the dashboard.

Each of the user elements retrieves the attributes listed.

Parameters available

• User Name — user's name, alias, department, location

• User Groups — user's group

• User City — user's city

• User Country — user's country

• User Organization — user's company or organization

Using McAfee DLP on remote LDAP servers

The ability to monitor user traffic on Active Directory servers has now been extended to directory servers, making global user management a reality.

The ability of McAfee DLP 9.0 to connect to multiple domain controllers makes this possible. Not only is data on local networks captured, but it is extended to all traffic on up to two LDAP servers.

When users can be recognized by name, group, department, city or country, a McAfee DLP administrator can extract a great deal of significant information by using a few seminal facts to gradually gather more details about potential violations.

How Logon Collector is used with McAfee DLP

Suppose you know that your company has lost intellectual property to a firm in X country, and you suspect that the leak came from an insider in your branch of Y city. Because McAfee DLP captures all traffic on your company's network, you can add an Active Directory server that contains the user account of that insider to McAfee DLP Manager, then search for the UserName of that individual and monitor his communications.


You might then search his communications for the name of the lost component, and then find the email address and geographical location of users outside the company who might have received the information.

You might not know what will be in those communications, but you can use what you find to ask the next logical question.

Logon Collector can be configured with McAfee DLP Manager to resolve user identities by retrieving collections of user account information from all Active Directory servers that have been added to the McAfee DLP system.

If your McAfee DLP Manager is configured with Logon Collector and an Active Directory server, endpoint protection can be extended to directory servers managing users all over the world.

If you do not know the user's name, you can gradually develop his identity by searching for users in Y city, searching the user groups in your Engineering division, and identifying a sub-group that might contain the user.

How Logon Collector enables user identification

Logon Collector is used to map IP addresses to user identities within Active Directory servers. Without it, users may be hard to identify because they may be logged on to different or multiple workstations. IP addresses change when DHCP servers automatically assign new addresses, and more than one user might be logged on to the same workstation.

When a Logon Collector is configured with a McAfee DLP Manager, it resolves user identities by retrieving collections of user account information from all Active Directory servers that have been added to the McAfee DLP system. Supporting multiple domain controllers means that large-scale enterprise operations can be served by McAfee applications.

For McAfee DLP, that means that after Logon Collector is enabled, McAfee DLP administrators can configure Active Directory-based queries and rules to find out what activities specific users are engaging in on the network.

Setting up Logon Collector

Before you begin

Before Logon Collector can be used with McAfee DLP, an Active Directory server must be added to McAfee DLP Manager. Then secure communications must be established between McAfee DLP and Logon Collector.

To complete the SSL connections:

Task

1 Export a certificate from Logon Collector.

2 Import the Logon Collector certificate into McAfee DLP Manager.

3 Export a certificate from McAfee DLP.

4 Import the McAfee DLP certificate into Logon Collector.

5 Restart Logon Collector.

After these steps are complete, secure communications between McAfee DLP and Logon Collector are enabled, and data on Active Directory servers is available for searching and rule construction.


Authenticating McAfee DLP Manager and Logon Collector

Before you begin

Use this method to connect McAfee DLP to a Logon Collector so that certificates can be exchanged, authenticating each to the other.

When the process is complete, an SSL connection will be set up between them.

Task

1 Open a web browser and log on to the Logon Collector.

2 In the Logon Collector server, select Menu | Configuration | Server Settings | Identity Replication Certificate.

3 Scroll to the bottom of the page.

4 Select and copy all text in the Base 64 field.

5 Open a web browser and log on to the McAfee DLP Manager.

6 Select System | Directory Services.

7 Select Add a McAfee Logon Collector from the Actions menu.

8 Type the IP address of the Logon Collector.

9 Click the paste radio button and paste the text into the box.

Save this Base 64 data to a text file on your desktop so you can re-use it.

10 Click Apply.

11 Click Export to save the McAfee DLP certificate to your desktop.

12 Open a web browser and type in the address of the Logon Collector.

13 Select Menu | Configuration | Trusted CA.

14 Click New Authority.

15 Go to the netdlp_certificate.cer file you saved to your desktop.

16 Click Open.

17 Click Save.

This adds the McAfee DLP Manager to Logon Collector.

18 Open a Remote Desktop session on the Logon Collector server.

19 Shut down and restart the Logon Collector server.

The connection is now complete.


11 Scalability

This chapter describes the details of the performance limits supported by the Logon Collector.

Scalability details

Listed below are the performance limits for the Logon Collector:

Fields       Numbers
Users        up to 200,000
Groups       up to 35,000
             The total number of objects (users and groups) should not exceed 200,000.
Logon rate   up to 1200 logon events per minute
Clients      up to 150


12 Troubleshooting

This chapter gives information that may help you solve a problem.

Contents

• Verify the domain credentials

• Create a non-administrator account to access the security event log on a domain controller

• Add different Kerberos encryption types across domains

• Logon Monitor logs

• Logon Collector logs

• Error uninstalling SQL database instance for Logon Collector

• Configure Database Settings page to connect to the SQL server

• Ports used by Logon Collector

• High memory usage of lsass.exe

• Saved group filter configuration

Verify the domain credentials

This section describes how to verify that the credentials you specify for a domain are correct and have sufficient privileges to connect to a domain controller using the Logon Collector. The domain controllers you access must be logging security events.

Test your credentials by using the wbemtest.exe tool to connect to a domain controller and run several queries.

If you are unable to specify credentials for an administrator account, you can use a non-administrator account on the domain controller.

The administrator account that you intend to use to access the domain controller MUST be in the same domain from which you want to obtain identities.

Successful execution of the queries verifies that the credentials you specified have sufficient privileges for accessing the following on the domain controller:

• security event log

• CPU performance

• WMI connection

• DCOM connection


Connect to a domain controller

Follow the steps below to use the wbemtest.exe tool to connect to a domain controller. These instructions only work if the Logon Collector is run on a remote computer; they will not work if the Logon Collector is run on the local domain controller.

Task

1 Open a command prompt and navigate to \Windows\System32\WBEM.

2 Run wbemtest.exe:

C:\Windows\System32\WBEM> wbemtest

The Windows Management Instrumentation Tester window appears.

Figure 12-1 Windows Management Instrumentation Tester window


3 Click Connect to display the Connect window.

Figure 12-2 Connect window

4 Specify the following information:

Option                            Definition
(unlabeled connection field)      \\<dc_name>\root\cimv2
User                              The user name to authenticate to the domain controller.
Password                          The associated password.
Authority                         Leave this field blank.
Locale                            Leave this field blank.
Impersonation level               Select Impersonate.
How to interpret empty password   Select NULL.
Authentication level              Select Packet privacy.


5 Click Connect to proceed.

If the message Access Denied appears, you may have mis-typed the credentials, or the user account does not have the necessary privileges. Try re-typing the credentials, and verify the user account is properly set up. If you are not using an administrator account, you can use a non-administrator account on the domain controller.

The Windows Management Instrumentation Tester window changes to display IWbemServices and Method Invocation Options.

Figure 12-3 Windows Management Instrumentation Tester window

Successfully authenticating to the domain controller and viewing the above window means the Logon Collector has access to WMI and DCOM connections.

6 Run each of the following queries:

• CPU performance query

Success with this query means the Logon Collector has access to CPU performance on the domain controller.

• back log query

Success with this query means the Logon Collector has access to the security event log.

• forward log notification query

Success with this query means the Logon Collector has access to the security event log.

You must successfully execute the CPU performance query and at least one of the two log queries to verify that you have the correct credentials and, therefore, sufficient access privileges.

Run a CPU performance query

Follow these instructions to run a CPU performance query.


Task

1 Connect to a domain controller.

2 Click Query.

3 Type the following query:

SELECT * FROM Win32_PerfRawData_PerfOS_Processor WHERE Name='_Total'

Figure 12-4 CPU performance query

4 Click Apply to view the query results.

Figure 12-5 Query Result window

5 Click Close when the query functionality is proven successful by displaying the contents of the screen shot above.

6 Run the other queries if you have not already done so.

Run a back log query

Follow these instructions to run a back log query.


Task

1 Connect to a domain controller.

2 Click Query.

3 Type the following query:

SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND (EventIdentifier = 672 OR EventIdentifier = 673 OR EventIdentifier = 680 OR EventIdentifier = 4768 OR EventIdentifier = 4769 OR EventIdentifier = 4776) AND TimeWritten > 'yyyymmdd'

where yyyymmdd is yesterday’s date.

Figure 12-6 Back log query

4 Click Apply to view the query results.

Figure 12-7 Back log query results

5 Click Close when the query functionality is proven successful by displaying the contents of the screen shot above.

You do not have to wait for all results to return.

6 Run the other queries if you have not already done so.


Run a forward log notification query

Follow these instructions to run a forward log notification query.

Task

1 Connect to a domain controller.

2 Click Notification Query.

3 Type the following query:

SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile = 'Security' AND (TargetInstance.EventIdentifier = 672 OR TargetInstance.EventIdentifier = 673 OR TargetInstance.EventIdentifier = 680 OR TargetInstance.EventIdentifier = 4768 OR TargetInstance.EventIdentifier = 4769 OR TargetInstance.EventIdentifier = 4776)

4 Click Apply.

Figure 12-8 Forward log notification query results

Results are shown as they are logged.

5 Click Close.

The operation does not complete until you click Close.

6 Run the other queries if you have not already done so.
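The three wbemtest checks above can be scripted so that a service account can be re-verified after every password rotation or permission change. The following PowerShell script is an added example, not part of this guide or the Logon Collector product; it uses the same namespace, impersonation and authentication settings as the Connect window, and $DcName is a placeholder for your domain controller.

```powershell
# Added example, not from the McAfee guide: runs the same three WQL checks the
# wbemtest procedure performs, with the connection settings the guide specifies
# (namespace root\cimv2, Impersonate, Packet privacy). $DcName is a placeholder
# for the domain controller's name; run it from the Logon Collector host.
param(
    [Parameter(Mandatory = $true)][string]$DcName,
    [pscredential]$Credential = (Get-Credential -Message 'Domain account used by Logon Collector')
)

$wmiArgs = @{
    ComputerName   = $DcName
    Namespace      = 'root\cimv2'
    Credential     = $Credential
    Impersonation  = 'Impersonate'
    Authentication = 'PacketPrivacy'
    ErrorAction    = 'Stop'
}

# Event IDs taken from the guide's back log and forward log notification queries.
$logonEventIds = 672, 673, 680, 4768, 4769, 4776
$results = [ordered]@{}

# 1. CPU performance query: success proves WMI and DCOM access plus performance data.
try {
    $cpu = Get-WmiObject @wmiArgs -Query "SELECT * FROM Win32_PerfRawData_PerfOS_Processor WHERE Name='_Total'"
    $results['CPU performance'] = ($null -ne $cpu)
} catch {
    $results['CPU performance'] = $false
    Write-Warning "CPU performance query failed: $($_.Exception.Message)"
}

# 2. Back log query: success proves read access to the Security event log.
try {
    $idFilter  = ($logonEventIds | ForEach-Object { "EventIdentifier = $_" }) -join ' OR '
    $yesterday = (Get-Date).AddDays(-1).ToString('yyyyMMdd')   # the guide's 'yyyymmdd'
    $backlog   = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND ($idFilter) AND TimeWritten > '$yesterday'"
    # One record is enough; as the guide notes, there is no need to wait for all results.
    $first = Get-WmiObject @wmiArgs -Query $backlog | Select-Object -First 1
    $results['Back log'] = ($null -ne $first)
} catch {
    $results['Back log'] = $false
    Write-Warning "Back log query failed: $($_.Exception.Message)"
}

# 3. Forward log notification query: a successful subscription proves event-log access;
#    whether an event arrives within the wait window only depends on someone logging on.
$sourceId = 'MlcForwardLogCheck'
try {
    $idFilter = ($logonEventIds | ForEach-Object { "TargetInstance.EventIdentifier = $_" }) -join ' OR '
    $forward  = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
                "AND TargetInstance.Logfile = 'Security' AND ($idFilter)"
    Register-WmiEvent -ComputerName $DcName -Credential $Credential -Namespace 'root\cimv2' `
                      -Query $forward -SourceIdentifier $sourceId -ErrorAction Stop | Out-Null
    $results['Forward log notification'] = $true
    $evt = Wait-Event -SourceIdentifier $sourceId -Timeout 30
    if ($evt) { "Received logon event $($evt.SourceEventArgs.NewEvent.TargetInstance.EventIdentifier) from $DcName" }
    else      { 'No logon event arrived within 30 seconds (the subscription itself succeeded).' }
} catch {
    $results['Forward log notification'] = $false
    Write-Warning "Forward log notification query failed: $($_.Exception.Message)"
} finally {
    Unregister-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue
    Get-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue | Remove-Event
}

foreach ($entry in $results.GetEnumerator()) {
    '{0,-26} {1}' -f $entry.Key, $(if ($entry.Value) { 'OK' } else { 'FAILED' })
}
# The guide's pass condition: the CPU query plus at least one of the two log queries.
if ($results['CPU performance'] -and ($results['Back log'] -or $results['Forward log notification'])) {
    'Credentials have sufficient privileges for Logon Collector.'
} else {
    'Credentials are wrong or the account lacks the required privileges; see the warnings above.'
}
```

An Access Denied failure on all three queries points at the credentials or the account's privileges, exactly as in the wbemtest procedure; a failure on the log queries alone points at the security event log permissions granted to a non-administrator account.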

Create a non-administrator account to access the security event log on a domain controller

Logon Collector supports domains running Windows 2008 R2 and Windows 2012. You cannot install Logon Collector on a Windows 2003 server; however, Logon Collector can monitor Windows 2003 domains.

Perform the steps detailed in the KB article KB75890 to create a non-admin account on Windows 2008 or 2012 to access the domain controller security event logs.


Create an account on Windows Server 2003 and 2008

Create an account on Windows Server 2003

The following tasks must be completed to create a non-administrator account on Windows Server 2003 that is able to access the domain controller security event log:

• Create a new Active Directory group.

• Determine the SID of the newly created Active Directory group.

• Create domain user account.

• Enable permissions.

• Grant DCOM access.

• Enable WMI access to the required namespace.

Create an account on Windows 2000 server

The following tasks must be completed to create a non-administrator account on Windows 2000 server that is able to access the domain controller security event log:

• Create a new Active Directory group.

• Create domain user account.

• Enable WMI access to the required namespace.

• Grant DCOM access.

• Enable read access to the security event log.

Additional resources

Resource                             URL
Microsoft knowledge base article     http://support.microsoft.com/kb/323076
Security Descriptor String Format    http://msdn.microsoft.com/en-us/library/aa379570(VS.85).aspx
SID string description               http://msdn2.microsoft.com/en-us/library/aa379602.aspx
ACE Strings description              http://msdn2.microsoft.com/en-us/library/aa374928.aspx
Useful document for SDDL syntax      http://www.washington.edu/computing/support/windows/UWdomains/SDDL.htm
DCOM Remote access                   http://msdn2.microsoft.com/en-us/library/aa393266.aspx
WMI Remote access                    http://msdn2.microsoft.com/en-us/library/aa393613.aspx

Add different Kerberos encryption types across domains

The following tasks must be performed to add different Kerberos encryption types across various domains.

1 Install the Logon Collector software version 3.0.6.

2 Click Start, go to Administrative Tools | Services and stop the services for Logon Collector.

3 Browse to C:\ | Program Files (x86) | McAfee | McAfee Logon Collector | Server | conf.


4 Add the required encryption types, separated by white space, at the end of the file (catalina.properties), preceded by com.securify.ldap.kerberos.enctype=. For example, if domain 1 uses the Kerberos encryption type rc4-hmac and domain 2 uses aes256-cts-hmac-sha1-96, add the two encryption types, separated by white space, at the end of the catalina.properties file as follows:

com.securify.ldap.kerberos.enctype=rc4-hmac aes256-cts-hmac-sha1-96

5 Save the file.

6 Start the services for Logon Collector.

Logon Monitor logs

The basic format of the log messages for the Logon Monitor is as follows:

YYYY-MM-DD'T'HH:mm:ss'Z' <LEVEL>: <Msg>

Time is in UTC (hence represented as Z in the basic format).

An example of a Logon Monitor log message in this basic format is:

2010-11-09T21:23:09Z INFO: DlcServiceMain Service Started.

The following list shows the three types of messages that you can receive:

• Internal messages

• Messages due to Logon Collector communication

• Messages due to Logon Monitor communication

Internal messages

The internal messages have no qualifier.

Examples of internal messages are as follows:

• 2010-11-09T21:23:09Z INFO: DlcServiceMain Service Started

• 2010-11-09T21:23:09Z INFO: Socket Listening on 50443

Messages generated due to Logon Collector communication

The messages generated due to Logon Collector communication only occur at level 2 debug or higher.

The format of the messages generated due to Logon Collector communication is as follows:

Format — <Date> <Level>: [CLI:<MLC IP Address>:<Port>] <Message>

Examples:

2010-12-03T16:46:24Z DEBUG: [CLI:127.0.0.1:10248] Connection accepted

2010-12-03T16:46:24Z DEBUG: [CLI:127.0.0.1:10248] Command HELLO

2010-12-03T16:46:24Z DEBUG: [CLI:127.0.0.1:10248] Command CONNECT


The following sample message can be used to understand the different parts of a message:

STATS RP:0 LR:2010-12-03T16:46:12Z LV:0 PB:0 CB:0 LW:4 BW:243

where

• RP is the number of records sent

• LR is the time the last record was sent

• LV is a number from 0 to 5 that indicates how slow the communication is; any number larger than 3 indicates that the link might be very slow

• PB and CB are combined to calculate the number of bytes that are pending to be written

• LW is the number of lines written

• BW is the number of bytes written (can be used to calculate bandwidth)

Messages generated due to Logon Monitor communication

The messages generated due to Logon Monitor communication occur at all levels.

The messages generated due to Logon Monitor communication mostly occur at the info level.

The format of the messages generated due to Logon Monitor communication is as follows:

Format — <Date> <Level>: [DC:<DC Name>] <Message>

Examples:

2010-12-03T16:46:24Z INFO: [DC:d2-dc-01.domain2.cai.local] Wmi Connected

2010-12-03T16:46:24Z INFO: [DC:d2-dc-01.domain2.cai.local] DcConnection::run Backlog query disabled by client request

Example of an error message:

The following error message will appear in the Logon Collector Status window:

Access Denied (Password Change) ERROR: [DC:nsbu-01.domain3.cai.local] Wmi [0x80070005 - Access is denied.] ConnectServer

Example of an error code:

0x80070005 — this is a Microsoft error code. For more information, refer to microsoft.com.

Common Domain Controller errors

The following table shows the common Domain Controller errors:

Error        Description
0x80070005   Access Denied. This error can be displayed due to password issues.
0x8004106C   Quota Violation: patch mismatch between DC and MLC. To overcome this problem, ensure that all patches are applied.


0x800706BA   The RPC server is unavailable. This error can be displayed due to one of the following reasons:
             • password problem
             • access control
             • patch mismatch
             • the system is down
             • WMI is turned off on the system
0x80010002   Call was canceled by the message filter (same as 0x800706BA).
0x80090327   An unknown error occurred while processing the certificate. To overcome this problem, check the certificate of the remote Logon Monitor.

For more information refer to http://msdn.microsoft.com/en-us/library/aa394559%28v=vs.85%29.aspx.
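Because the three message formats above share one timestamp and level prefix, a short parser can turn a Logon Monitor log into a per-peer summary that flags slow links (LV above 3) and explains the error codes in the table. The following script is an added example, not part of this guide or the product; its sample lines are constructed from the examples in this section, and it reads a real log when given -LogPath.

```powershell
# Added example, not from the McAfee guide: parses Logon Monitor log lines in the
# three formats described above (internal, [CLI:...] and [DC:...]), decodes STATS
# messages and explains the DC error codes listed in the table. The sample lines
# are constructed from the guide's own examples; pass -LogPath to read a real log.
param([string]$LogPath)

# Codes and descriptions from the "Common Domain Controller errors" table.
$knownErrors = @{
    '0x80070005' = 'Access denied; often a password problem'
    '0x8004106C' = 'Quota violation: patch mismatch between DC and MLC; apply all patches'
    '0x800706BA' = 'RPC server unavailable: password, access control, patch mismatch, host down or WMI off'
    '0x80010002' = 'Call cancelled by the message filter; same causes as 0x800706BA'
    '0x80090327' = 'Certificate error; check the remote Logon Monitor certificate'
}

$sampleLines = @(   # constructed from the examples in this section
    '2010-11-09T21:23:09Z INFO: DlcServiceMain Service Started',
    '2010-11-09T21:23:09Z INFO: Socket Listening on 50443',
    '2010-12-03T16:46:24Z DEBUG: [CLI:127.0.0.1:10248] Connection accepted',
    '2010-12-03T16:46:24Z DEBUG: [CLI:127.0.0.1:10248] STATS RP:0 LR:2010-12-03T16:46:12Z LV:4 PB:120 CB:35 LW:4 BW:243',
    '2010-12-03T16:46:24Z INFO: [DC:d2-dc-01.domain2.cai.local] Wmi Connected',
    '2010-12-03T16:46:25Z ERROR: [DC:nsbu-01.domain3.cai.local] Wmi [0x80070005 - Access is denied.] ConnectServer'
)
$lines = if ($LogPath) { Get-Content -Path $LogPath } else { $sampleLines }

# <UTC timestamp> <LEVEL>: [<CLI|DC>:<peer>] <message>; the bracket qualifier is absent on internal messages.
$linePattern = '^(?<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?<level>[A-Z]+):\s+(?:\[(?<kind>CLI|DC):(?<peer>[^\]]+)\]\s+)?(?<msg>.*)$'

foreach ($line in $lines) {
    if (-not ($line -match $linePattern)) { Write-Warning "Unparsed line: $line"; continue }
    $ts = $Matches['ts']; $level = $Matches['level']; $msg = $Matches['msg']
    $kind = if ($Matches['kind']) { $Matches['kind'] } else { 'INTERNAL' }
    $peer = if ($Matches['peer']) { $Matches['peer'] } else { '-' }

    # STATS fields: RP records sent, LR last record time, LV 0-5 link slowness (>3 is very slow),
    # PB+CB bytes pending, LW lines written, BW bytes written.
    if ($msg -like 'STATS *') {
        $stats = @{}
        foreach ($pair in ($msg -split '\s+' | Select-Object -Skip 1)) {
            $key, $value = $pair -split ':', 2
            $stats[$key] = $value
        }
        $pending = [int]$stats['PB'] + [int]$stats['CB']
        $link = if ([int]$stats['LV'] -gt 3) { 'LINK VERY SLOW' } else { 'link ok' }
        '{0} CLI {1}: {2} records sent (last {3}), {4} bytes pending, {5} bytes written, LV={6} [{7}]' -f `
            $ts, $peer, $stats['RP'], $stats['LR'], $pending, $stats['BW'], $stats['LV'], $link
        continue
    }

    # Error codes appear inside brackets, e.g. "Wmi [0x80070005 - Access is denied.] ConnectServer".
    if ($msg -match '\[(?<code>0x[0-9A-Fa-f]{8})\b') {
        $code = $Matches['code']
        $explain = if ($knownErrors.ContainsKey($code)) { $knownErrors[$code] } else { 'not in the guide; look up on microsoft.com' }
        '{0} {1} {2} {3}: error {4} ({5})' -f $ts, $level, $kind, $peer, $code, $explain
        continue
    }

    '{0} {1} {2} {3}: {4}' -f $ts, $level, $kind, $peer, $msg
}
```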

Logon Collector logs

The Logon Collector has the following log files available at <MLC_INSTALL_FOLDER>/server/logs for troubleshooting:

• jakarta_service_20100930.log

• localhost_access_log.2010-10-12.txt

• orion.log

• orion.log1

• stderr.log

Of the available logs, orion.log and orion.log1 are the most important.

orion.log is a rotating log. It has a size limit and also a limit on the total number of log files. For example, if you are using orion.log and you reach the maximum size limit, you can move to orion.log1.

Log format — YYYY-MM-DD HH:mm:ss,mmm <LEVEL> [<Thread>] Message

While troubleshooting, search for the word 'Exception' in the orion log file.

Logon Collector Active Directory communication errors log records

Check for 'GSS initiate failed' or LoginException in the Logon Collector Active Directory communication errors log records. These error messages indicate that the Logon Collector is unable to access Active Directory.

The most common problems are as follows:

• Wrong password:

• LoginException: Pre-authentication information was invalid (24)

• DNS problem:

• No valid credentials are provided (mechanism level: server not found in Kerberos database (7))


Troubleshooting DNS problems

To troubleshoot DNS problems:

• Verify that the SRV records exist for the domain to be monitored.

• Run the following command from the Logon Collector server command line and verify the output against the expected output shown below:

C:\>nslookup -query=SRV _kerberos._tcp.domain1.cai.local
Server:  net-apps.cai.local
Address:  172.25.59.11

Non-authoritative answer:
_kerberos._tcp.domain1.cai.local        SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = dc-01.domain1.cai.local
_kerberos._tcp.domain1.cai.local        SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = dc-02.domain1.cai.local
domain1.cai.local       nameserver = dc-02.domain1.cai.local
domain1.cai.local       nameserver = dc-01.domain1.cai.local
dc-01.domain1.cai.local internet address = 172.25.59.80
dc-02.domain1.cai.local internet address = 172.25.59.81

• Verify that both forward DNS and reverse DNS work for the domain to be monitored.

• Run the following commands from the Logon Collector server command line and verify the output against the expected output shown below:

C:\>nslookup dc-01.domain1.cai.local
Server:  net-apps.cai.local
Address:  172.25.59.11

Non-authoritative answer:
Name:    dc-01.domain1.cai.local
Address:  172.25.59.80

C:\>nslookup 172.25.59.80
Server:  net-apps.cai.local
Address:  172.25.59.11

Name:    dc-01.domain1.cai.local
Address:  172.25.59.80

Troubleshooting NSLookup failure

When NSLookup fails, consider the following to troubleshoot:

• Check if it is pointing at the wrong DNS server:

• Make sure that you are using the production DNS server.

• Check if the setup is correct. Make sure that you point the Logon Collector server DNS entries to the domain controllers.

• Check if there are any entries in C:\Windows\System32\drivers\etc\hosts:

• Check for the entries equivalent to UNIX’s /etc/hosts.

• Check this file for entries that "mask" the DNS entries. The recommendation is to have only comments ('#') in this file.


• If you are using production environments, the DNS will not be a problem as Windows relies on proper DNS setup.

• Check if you are using reverse DNS. Make sure that you have added entries in DNS for reverse DNS.
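The SRV, forward and reverse lookups above and the hosts-file check can be run together from the Logon Collector server. The following PowerShell script is an added example, not part of this guide or the product; it uses Resolve-DnsName in place of nslookup, and $Domain is a placeholder for the monitored domain (domain1.cai.local in the output above).

```powershell
# Added example, not from the McAfee guide: automates the SRV, forward and reverse
# lookups the guide performs with nslookup, checks that forward and reverse names
# agree for every domain controller, and lists non-comment hosts-file entries that
# could mask DNS. $Domain is a placeholder for the monitored domain.
param([Parameter(Mandatory = $true)][string]$Domain)

$srvName = "_kerberos._tcp.$Domain"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' }
} catch {
    Write-Warning "SRV lookup for $srvName failed: $($_.Exception.Message)"
    Write-Warning 'Check that the Logon Collector host uses the production DNS server that holds the domain records.'
    $srv = @()
}

foreach ($record in $srv) {
    $dc = $record.NameTarget.TrimEnd('.')
    $row = [ordered]@{ DomainController = $dc; KerberosPort = $record.Port; Address = $null; ReverseName = $null; Consistent = $false }
    try {
        # Forward lookup (nslookup <dc>): the A record for the domain controller.
        $a = Resolve-DnsName -Name $dc -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        $row.Address = $a.IPAddress
        # Reverse lookup (nslookup <ip>): the PTR must point back at the same host name.
        $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction Stop | Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
        $row.ReverseName = $ptr.NameHost.TrimEnd('.')
        $row.Consistent = ($row.ReverseName -ieq $dc)
    } catch {
        Write-Warning "Forward/reverse lookup failed for ${dc}: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

# The guide recommends that the hosts file contain only comments; anything else can mask DNS.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$masking = Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
           Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') }
if ($masking) {
    Write-Warning "Active entries in $hostsPath may mask DNS:"
    $masking | ForEach-Object { "    $_" }
}
```

A domain controller with Consistent set to False is one where the reverse zone is missing or stale, which is the reverse DNS case listed above.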

Error uninstalling SQL database instance for Logon Collector

After a successful uninstallation of Logon Collector, you might want to uninstall the Microsoft SQL Server instance that was included in the Logon Collector installation. Follow the steps below if you are unable to do so.

Task

1 Open Task Manager, and end the sqlserver.exe process for the Logon Collector database instance.

2 Retry uninstalling the SQL database instance for the Logon Collector.

Configure Database Settings page to connect to the SQL server

The Logon Collector server uses a Microsoft SQL Server database to store the Logon Collector user credentials. These are used to authenticate users when they log on to the Logon Collector admin user interface.

If the SQL server credential changes, the Logon Collector server cannot connect to the SQL server. As a result, users will not be able to log on to the Logon Collector admin user interface.

Follow the steps below to overcome this problem.

1 Log on to the Logon Collector server.

2 Open https://localhost:8443/core/config in your browser.

3 Reset the password in the Database Settings page.

Figure 12-9 Database Settings page


Ports used by Logon Collector

Ensure that the following ports are open on the firewall for the Logon Collector to function.

Port    Type of port   Used for
61641   JMS port       Client and High Availability communication
61613   Stomp port     C client communication
389     LDAP port      Communication between the Logon Collector and the domain controller
50443                  Communication between the Logon Collector and the Logon Monitor

The WMI communication happens between Logon Monitor and domain controller.

High memory usage of lsass.exe

Lsass.exe caches data to improve the LDAP query performance. It is normal for this process to have huge memory (multiple GBs) usage on a domain controller when the domain has a large amount of data.

Saved group filter configuration

The group filter configuration is stored locally on the system in the C: directory. This includes files that capture group filter status and configuration.

The group filter status details are stored in mlc.config.xml available at C:\Program Files (x86)\McAfee\McAfee Logon Collector\Server\conf\. This file can be modified only after stopping the Logon Collector server.

The file has an entry in the form:

<config name="enableFilter" value="Y" type="common" />

If the filter is enabled, value is Y and if disabled, value is N.

The group filter configuration is stored in a groupfilter file available at C:\Program Files (x86)\McAfee\McAfee Logon Collector\Server\conf\mlc\. This file is non-editable.

If you try to modify the groupfilter file, the file might get corrupt.


Index

C
configure
    group filter 39

F
filtering
    group filter
overview
    group filter 39

S
sensor
    user groups 93

U
users, groups limits 101
