How Enterprise Auditing Works

Version 2

    Verified Product Versions

    Management Center 10.0, Management Center 8.7, Management Center 8.6, Management Center 8.5

    Introduction

    The aim of this article is to:

    • Provide detailed information on how Enterprise Auditing works within the Management Center, to aid troubleshooting and understanding of the product.
    • Explain how configuration and event data flows between the Management Server and endpoints with the Deployment/Client Communications Agent installed.

    NOTE: Enterprise Auditing is separate from the 'Auditing' that can be set within the configuration of EM, AM and PM. Enterprise Auditing does not depend on auditing being set up within your configuration for any of these products.

    Detail

    I've documented this feature against version 10.1 Feature Release 1 of the Management Center. On older versions you may find the events in different locations within the console; for details, please review the product guide for your specific version of the Management Center.

    Part 1 - Configuring auditing through the Management Console

    Auditing is initially set on a per-Deployment Group basis within the Management Console, under "Home > Deployment Groups > 'Group Name' > Settings > Auditing", by checking the specific events you wish to capture.

    At this point, the auditing configuration is written to the database.

    NOTE: Certain events are "High Volume" and generate a large amount of data, which can lead to performance issues within the Console if they are left enabled for a long period of time. You will be warned before enabling these events; if you are already having problems, please see the following article: Unable to Delete a High Number of Alerts or Events via the Management Console.

    Part 2 - Auditing Configuration is sent to endpoints

    Each time the Deployment Agent polls the Management Server, it sends XML data describing its current configuration, and the Server replies with the latest configuration. The Deployment Agent must then update the endpoint accordingly.

    In the case of auditing, a list of events which should be captured and sent to the server is persisted into the following location:

    Registry Key:  HKLM\SOFTWARE\AppSense Technologies\Communications Agent\events
    Value Name:    filter
    Value Type:    REG_SZ
    Value Data:    A list of comma-separated event IDs

    Part 3 - Deployment Agent captures events on the endpoint

    Now that the auditing configuration has been received, the Deployment Agent will begin to capture any event whose ID matches one listed in the 'filter' value.

    Once events have been captured they are placed in the following folder, with the naming convention "<MachineName>-<TimeStamp>.evt":

    C:\Program Files\AppSense\Management Center\Communications Agent\upload

     

    Part 4 - Events are uploaded to the Management Server

    The Deployment Agent uploads the collected events periodically, based on the "Event Data Uploads" poll period configured under "Home > Deployment Groups > 'Group Name' > Settings".

    Event data is uploaded using the Background Intelligent Transfer Service (BITS): the Deployment Agent creates BITS jobs that upload the data to the following location on the server:

    C:\Program Files\AppSense\Management Center\Server\Web Site\Deployment\Events\<Deployment Group GUID>
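    The following PowerShell is an added troubleshooting example for this step; it is not code from the article or from AppSense. On an endpoint it reports the event files still waiting in the upload folder and the state of the Deployment Agent's BITS upload jobs, which is where "events captured but never reach the server" problems usually show up. It assumes the default install path given above and that the remote URL of an event upload job contains the "Deployment/Events" path segment (an assumption, since the article gives the server-side folder rather than the URL). Run it in an elevated session so that Get-BitsTransfer -AllUsers can see jobs owned by the agent's service account.

```powershell
# Added example, not part of the original article: endpoint-side checks for
# Part 4. Default install path taken from the article above.
$UploadDir = 'C:\Program Files\AppSense\Management Center\Communications Agent\upload'

function Get-PendingEventFiles {
    # Event files follow the "<MachineName>-<TimeStamp>.evt" naming convention.
    Get-ChildItem -Path $UploadDir -Filter '*.evt' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "${env:COMPUTERNAME}-*.evt" } |
        Sort-Object LastWriteTime
}

function Get-EventUploadJobs {
    # The agent's BITS jobs belong to its service account, so -AllUsers is
    # needed (requires an elevated session). Assumption: the remote URL of an
    # event upload contains "Deployment/Events".
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
        Where-Object {
            $_.TransferType -eq 'Upload' -and
            ($_.FileList | Where-Object { $_.RemoteName -like '*Deployment/Events*' })
        }
}

$pending = @(Get-PendingEventFiles)
'Event files waiting for upload: {0}' -f $pending.Count
$pending | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

$jobs = @(Get-EventUploadJobs)
'Event upload BITS jobs: {0}' -f $jobs.Count
foreach ($job in $jobs) {
    # A job sitting in Error or TransientError, or never leaving Queued, is the
    # usual reason events reach the upload folder but never the server.
    [pscustomobject]@{
        JobId       = $job.JobId
        State       = $job.JobState
        Transferred = '{0}/{1} bytes' -f $job.BytesTransferred, $job.BytesTotal
        Remote      = ($job.FileList | Select-Object -First 1).RemoteName
        Error       = $job.ErrorDescription
    }
}
```

    A growing count of pending files with no matching upload job points at the agent not creating jobs (check the poll period and the agent service); pending files with jobs stuck in an error state point at BITS or the network path to the server, which is also the condition that raises the 9756 priority event described later in this article.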

     

    Microsoft provides the following utilities for the administration of BITS jobs:

    Part 5 - Events are transferred from the Management Server to the database

    Although the events are now present on the server in the 'Events' folder, they are not yet visible in the Management Console, because the Console reads events from the Management database rather than from the folder.

    It is the job of the Events Dispatcher service to monitor the 'Events' folder and ensure that any uploaded events are transferred to the database.
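    As an added server-side check for this step (example code, not from the article or from AppSense), the following PowerShell counts the uploaded files still waiting in each Deployment Group's sub-folder of the 'Events' folder and reports the dispatcher service. The Events folder path is the one given in Part 4; the service's display name is assumed to contain "Events Dispatcher", which you should adjust if your version names it differently.

```powershell
# Added example, not part of the original article: server-side checks for
# Part 5. The Events folder path is the one given in the article; the
# dispatcher's service display name is assumed to contain "Events Dispatcher".
$EventsRoot = 'C:\Program Files\AppSense\Management Center\Server\Web Site\Deployment\Events'

function Get-EventBacklog {
    # One sub-folder per Deployment Group GUID. Files that remain here well
    # after upload suggest the dispatcher has stalled or cannot write to the
    # database.
    Get-ChildItem -Path $EventsRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $files  = @(Get-ChildItem -Path $_.FullName -File -ErrorAction SilentlyContinue)
        $oldest = $files | Sort-Object LastWriteTime | Select-Object -First 1
        $oldestTime = if ($oldest) { $oldest.LastWriteTime } else { $null }
        [pscustomobject]@{
            DeploymentGroupGuid = $_.Name
            PendingFiles        = $files.Count
            OldestPending       = $oldestTime
        }
    }
}

function Get-EventsDispatcherService {
    # Assumption: the service display name contains "Events Dispatcher".
    Get-Service -DisplayName '*Events Dispatcher*' -ErrorAction SilentlyContinue
}

Get-EventBacklog | Sort-Object PendingFiles -Descending | Format-Table -AutoSize

$svc = Get-EventsDispatcherService
if (-not $svc) {
    Write-Warning 'No service with a display name matching *Events Dispatcher* was found; check the service name for your version.'
} else {
    $svc | Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize
}
```

    A backlog that is confined to a single GUID folder usually means that Deployment Group's events are malformed or that the group was deleted, whereas a backlog across every folder together with a stopped service points at the dispatcher or its database connection.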

     

    Once this process is complete, the events should be visible in the Management Console in three locations:

    1. Per Machine
    2. Per Deployment Group
    3. All Events

    Special Case - High Priority Events

    A number of events are considered 'High Priority', for example:

    9095 - AppSense Application Manager cannot find a valid configuration.

    9756 - The Deployment Agent identified an error with the BITS service.

    Priority events are not configurable, although for reference the full list can be found in the registry of an endpoint, at the following location:

    Registry Key:  HKLM\SOFTWARE\AppSense Technologies\Communications Agent\events
    Value Name:    priority filter

    The main difference between priority events and normal events is that priority events are uploaded immediately via HTTP, regardless of the "Event Data Uploads" poll period you have configured.
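    To tie the 'filter' value from Part 2 and the 'priority filter' value above together, here is an added PowerShell example (not code from the article or from AppSense) that reads both values from an endpoint's registry and reports, for a given event ID, whether it will be captured at all and, if so, whether it goes out on the poll period or immediately. The registry path and value names are those the article gives; the sample IDs at the end are the two priority events named above plus 9999, a constructed ID used only to show the "not captured" case.

```powershell
# Added example, not part of the original article: read the two auditing
# filters the Deployment Agent persists on an endpoint and classify event IDs.
# Registry path and value names are those given in the article.
$EventsKey = 'HKLM:\SOFTWARE\AppSense Technologies\Communications Agent\events'

function Get-AuditFilterIds {
    param([Parameter(Mandatory)][string]$ValueName)
    # Both values are REG_SZ holding a comma-separated list of event IDs.
    $item = Get-ItemProperty -Path $EventsKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @(($item.$ValueName -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Get-EventAuditState {
    param([Parameter(Mandatory)][string]$EventId)
    if (-not (Test-Path $EventsKey)) {
        # No key means the agent is not installed or has not yet polled the server.
        return 'registry key missing: agent not installed or has not yet polled the server'
    }
    $filter   = Get-AuditFilterIds -ValueName 'filter'
    $priority = Get-AuditFilterIds -ValueName 'priority filter'
    if ($priority -contains $EventId) { return 'priority: uploaded immediately over HTTP' }
    if ($filter -contains $EventId)   { return 'audited: uploaded on the Event Data Uploads poll' }
    return 'not captured on this endpoint'
}

# Constructed sample: the two priority IDs named in the article plus one
# arbitrary ID (9999) that is not expected to appear in either list.
foreach ($id in '9095', '9756', '9999') {
    '{0}: {1}' -f $id, (Get-EventAuditState -EventId $id)
}
```

    Comparing the 'filter' value across several endpoints in the same Deployment Group is a quick way to confirm that the configuration from Part 1 actually reached them: an endpoint whose list lags behind the console has not completed a poll since the change.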