Defendpoint 4.0 Enterprise Reporting Setup Guide

Strictly private & confidential

Enterprise Reporting

April 2015

Setup Guide Version 4.0



Copyright Notice

The information contained in this document (“the Material”) is believed to be accurate at the time of printing, but no representation or warranty is given (express or implied) as to its accuracy, completeness or correctness. Avecto Ltd, its associated companies and the publisher accept no liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of or reliance placed on this Material for any purpose.

Copyright in the whole and every part of this document belongs to Avecto Ltd (“the Owner”) and may not be used, sold, transferred, copied or reproduced in whole or in part in any manner or form or in or on any media to any person other than in accordance with the terms of the Owner’s Agreement or otherwise without the prior written consent of the Owner.

2 Defendpoint 4.0 ER Setup Guide


Table of Contents

Introduction and Overview
    Configuration Options
        1.1.1. Option 1 – Single Box Solution
        1.1.2. Option 2 – Enterprise Scaled Out Deployment
    SQL Server Database
    Event Collector
    Reporting Server
    Client Configuration
    Database Sizing and Resource Consumption
        1.6.1. Data Retention Considerations
        1.6.2. Database Sizing
        1.6.3. SSRS Sizing
Pre-installation Tasks
    Accounts
        2.1.1. Creating the ReportWriter Account
Defendpoint Event Management Installation
    Prerequisites
    Installation
Defendpoint Enterprise Reporting Installation
    Prerequisites
    Installation
Security Configuration
    SQL Server Reporting Services
Viewing Dashboards and Reports
Upgrading Enterprise Reporting
    Assumptions
    Upgrade
        7.2.1. Upgrade the Event Parser
        7.2.2. Upgrade the Reporting Pack
        7.2.3. Post Upgrade Checks
Database Maintenance
    Rebuilding Indexes
    Database Backups
    Creating a Maintenance Plan
    Purging Defendpoint Data
        8.4.1. Connecting to Enterprise Reporting
    Automatic Purging
    Manual Purging
    Shrinking the Database
Appendix 1. Event Management and Behavior
    A 1.1.1. Event Parser SQL Connection
    A 1.1.2. Data Transmission
    A 1.1.3. Monitoring and Recovery
    A 1.1.4. Reprocessing Data
Appendix 2. Installing Enterprise Reporting for Defendpoint ePO Edition
    A 2.1. Defendpoint Reporting
        A 2.1.1. Accounts
        A 2.1.2. Creating the ReportWriter Account
    A 2.2. Defendpoint Event Management Installation
        A 2.2.1. Prerequisites
        A 2.2.2. Installation
    A 2.3. Defendpoint Enterprise Reporting Installation
        A 2.3.1. Prerequisites
        A 2.3.2. Installation
    A 2.4. Configuring Avecto Reporting and McAfee Queries & Reports for Enterprise Reporting Data
        A 2.4.1. Configuring access to Reporting Server Charts
        A 2.4.2. Configuring access to Reporting Server for ePO Queries
        A 2.4.3. Server Tasks – Avecto Event Staging
        A 2.4.4. Server Tasks – Avecto Pre-caching Reports (optional)
        A 2.4.5. Server Tasks – Avecto Event Purge
        A 2.4.6. Performance Limitations


Introduction and Overview

This document explains how to install and configure Avecto Defendpoint Enterprise Reporting, which enables organizations to monitor and report on activity from Windows desktops and servers.

Defendpoint Enterprise Reporting (ER) uses Windows Event Forwarding to centralize audit data on one or more Windows Event Collector hosts. Please refer to the Windows Event Centralization solution guide for more information:

http://www.avecto.com/documents/solution-guides/EventCentralization.pdf

Once audit data are collected, one or more instances of the Avecto Event Management component load the data into the Avecto Defendpoint database on a Microsoft SQL Server instance. All audit event data are stored in a single logical SQL Server instance.

ER reports provide visibility to the audit data. ER reports are implemented as custom reports in Microsoft SQL Server Reporting Services 2008 R2 or later.

Microsoft SQL Server Reporting Services is typically hosted independently from the audit events SQL Server database instance, except for small implementations and evaluation scenarios where it may share the audit database server host.

Enterprise Reporting is also available in the Avecto Defendpoint ePO Edition. With the Defendpoint ePO Edition, event centralization and report presentation are built on the ePO framework agent and ePO server, with audit data stored in Microsoft SQL Server as described in this guide. Please refer to the Defendpoint ePO Administration Guide for instructions specific to the ePO Edition.


Configuration Options

There are two options for deploying the solution:

Option 1 - use a single box solution, which is suitable for evaluating the product, or for SME installations.

Option 2 - use a scaled out deployment, which is recommended for larger production environments.

1.1.1. Option 1 – Single Box Solution

In this deployment scenario, a single server is used to provide all functions. This server should ideally be running Windows Server 2008 or later (Server 2008 R2 recommended), but for evaluation purposes it could be a client version of Windows, such as Windows 8.

SQL Server 2008 R2 Express with Advanced Services (or later) should be installed on this server, which can be downloaded from here:

http://www.microsoft.com/en-us/server-cloud/products/sql-server-editions/sql-server-express.aspx

Select the Reporting Services feature on the Feature Selection page of the SQL Server installer, and install Reporting Services in Native Mode. Note that Express with Advanced Services is the only Express edition that includes Reporting Services.

Figure: Single Box Solution. One server hosts the Microsoft SQL Server Express database instance, Defendpoint Event Management (reading the Forwarded Event Log) and Microsoft SQL Server Reporting Services (SSRS). Defendpoint Clients forward their Event Log to this server, and users open the dashboard and reports in a web browser.


1.1.2. Option 2 – Enterprise Scaled Out Deployment

In this deployment scenario the Event Collector(s), Database and Reporting Server are each installed on their own dedicated server(s).

SQL Server Database

The database is used as a repository for all the data collected from the clients. The minimum version of SQL Server required is SQL Server 2008 R2. Clustered databases are also supported.

Although Defendpoint supports both Windows Integrated Authentication and SQL Server Authentication, it is recommended that Windows Integrated Authentication is used: no SQL password then needs to be stored on the Event Collector or in the SSRS data source, and the service accounts can be managed, audited and disabled centrally in Active Directory.

Note: TCP/IP connections must be enabled on the SQL Server to allow the Event Collector service to submit events.

The database is created during the installation of the Defendpoint Event Management component. By default, the database is named AvectoPrivilegeGuard, and the installation provides the option to specify a custom database name.

Note: Microsoft SQL Server Compact Edition (CE) is not supported.

Figure: Enterprise Scaled Out Deployment. Defendpoint Clients forward their Event Log to one or more Event Collectors running Defendpoint Event Management, which load the Forwarded Event Log into the Microsoft SQL Server database instance on a dedicated database server. A separate Reporting Server runs Microsoft SQL Server Reporting Services (SSRS), and users open the dashboard and reports in a web browser.


Event Collector

The Defendpoint Event Parser is a service responsible for detecting new Defendpoint events and submitting them to the database. Typically, the Event Parser is installed on a dedicated Windows Event Collector server, and by default it scans the ForwardedEvents log for new events. If required, the Event Parser service may be configured to scan the Application event log instead by editing the following registry value:

HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Event Parser\
Value name: EventLog (REG_SZ)

It is recommended that the Event Collector host is built on Windows Server 2008 R2 or later and is dedicated solely to this role. If you are using Windows Server 2008 as the Event Collector, it is necessary to upgrade to Windows Remote Management (WinRM) 2.0; this allows Windows 7 clients to be monitored without any additional configuration (Windows Server 2008 R2 already includes WinRM 2.0). You may configure multiple Event Collector servers which feed into a single database.

Note: Clients never connect to the database. On the collection side, the Event Parser service(s) are the only components that establish direct connections to the events database, which keeps the number of concurrent connections to a minimum.

Reporting Server

SQL Server Reporting Services (SSRS) 2008 R2 or later is required. The server should ideally be dedicated solely to this role. Although the events database and SSRS can be hosted on the same SQL Server instance, it is recommended that the SSRS instance is separate from the database instance, so that report rendering does not impact the performance of the database.

The SSRS reports are installed and pre-configured during the installation of the Defendpoint Reporting Pack component. By default, the SSRS report server database is named ReportServer; the SQL Server installer (or Reporting Services Configuration Manager) provides the option to specify a custom name.

Client Configuration

Windows Event Forwarding is the technology used to gather events from the clients running Defendpoint. Please refer to the separate solution guide, which details the installation and configuration of Windows Event Forwarding, which should be configured for all of the computers running the Defendpoint Client that need to forward events.

http://www.avecto.com/documents/solution-guides/EventCentralization.pdf

The minimum operating system level required on each client is Windows XP SP3. Events can be forwarded to any of the supported Windows Server operating system versions (Windows Server 2003 through Windows Server 2012).


Each client must have Windows Remote Management (WinRM) 1.1 or greater installed. The following table details the version installed by default on each operating system:

Operating System          WinRM Version (installed by default)
Windows XP SP3            Not installed
Windows Vista             1.1
Windows 7                 2.0
Windows 8                 3.0
Windows Server 2003       Not installed
Windows Server 2008       1.1
Windows Server 2008 R2    2.0
Windows Server 2012       3.0

As the table shows, only Windows XP and Windows Server 2003 clients require a version of WinRM to be deployed. It is recommended that WinRM 1.1 (also known as WS-Management) is deployed on these clients, which can be downloaded from here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=845289ca-16cc-4c73-8934-dd46b5ed1d33&displaylang=en

Database Sizing and Resource Consumption

1.6.1. Data Retention Considerations

The Audit Event database and Microsoft SQL Server Reporting Services database used to support Avecto Defendpoint Enterprise Reporting may be hosted and scaled independently.

It is important to identify the length of time that Defendpoint audit event data must be retained in the Defendpoint database, as it drives resource utilization projections and the initial allocation.

Defendpoint Enterprise Reporting is designed to report on recent activity, not to serve as a long-term archival data store.

Avecto provides a database purge utility that may be used to purge data manually, or automatically on a configured schedule, to ensure that database growth is capped.

Unlimited database growth inevitably reduces query execution performance and increases the resource cost of queries.

Important: Prior to purging large sets of data, please ensure your SQL Transaction logs are able to grow to accommodate. It may be necessary to delete data in stages when setting this up for the first time.


In order to facilitate your decision regarding retention time in the Defendpoint database, please refer to the following sections in the standard documentation:

Description of the views of data exposed in Defendpoint Enterprise Reporting: the Reporting Dashboard Guide.

Description of the events audited by Defendpoint: Administration Guide, Chapter 25 – Auditing and Reporting – Events.

Description of the Workstyle parameters, which you may consider as the fields collected in the audit events and eventually stored in the Defendpoint Audit Events database: Defendpoint Administration Guide, Appendix D – Workstyle Parameters.

1.6.2. Database Sizing

The Audit Event database has to be sized to accommodate substantial data volume, matching the number of clients generating audit data and the desired retention period.

Database storage requirements may be estimated roughly using the following calculation:

Number of hosts × Number of events per host per day × 5 KB per event × Number of retention days

For example, an organization of 10,000 hosts, with each host generating an average of 15 events per day and requiring 30-day retention, would need a database capacity of:

10,000 × 15 × 5 KB × 30 = 22,500,000 KB, or approximately 21.5 GB

A typical event volume would be 10-20 events per host per day and varies based on Defendpoint auditing configuration, user job function (role/workstyle) and user activity patterns.

Note: Please refer to the Defendpoint Database sizing calculator to further explore database sizing and growth expectations.

Database resource utilization (CPU, Memory) is highly variable depending on the hardware platform.

Example Use Case Volumes

Based on an organization of 10,000 hosts requiring 42-day (six-week) retention, with 4.6 KB per event (based on real-world data):

Discovery: between 40 and 60 events per machine per day; average total 67.06 GB

Production: between 2 and 10 events per machine per day; average total 5.66 GB

Note: If the number of events per machine per day is raised to 15, the average total increases to 16.99 GB.


Important: These figures are based on v3.8 data and do not take into account the increased volume of events associated with the additional module in Defendpoint v4.0 – Sandboxing.

Key considerations:

Volume of inbound audit event records

As seen above, the number of events per day (and so per hour) may be estimated with simple calculations.

The audit event records are bulk inserted in batches of 100 by the Event Management component, without integrity checks or per-row transactions, and then post-processed by a scheduled job that normalizes the audit event records into the Audit Event database schema.

Queries triggered from Microsoft SQL Server Reporting Services reports

As the database grows in size, the resource impact of the reporting platform queries becomes important.

The volume of data maintained in the audit event database will affect the duration and resource cost of these queries.

To maintain good performance, it is recommended that the ER Purge Utility is used to limit the timespan of audit event data retained in the database.

Finer-grained audit data management and clean-up is possible using the ER Database Administration Dashboard. The Database Administration Dashboard allows the purging of audits related to specific applications and suppression of incoming audit items related to those applications. For more information please refer to the Database Administration description in the Reporting Dashboard Guide.

Important: Prior to purging large sets of data, please ensure your SQL Transaction logs are able to grow to accommodate. It may be necessary to delete data in stages when setting this up for the first time.
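The transaction-log check that this note (and the same note under Data Retention Considerations) calls for, as an added T-SQL example that is not part of the Avecto guide. Run it in the Defendpoint database (the installer's default name, AvectoPrivilegeGuard, is assumed here) before the first large purge, whether the purge is done by the purge utility or from the Database Administration Dashboard. A DELETE is fully logged under every recovery model, so the log must have room for the largest stage of the purge; the last query needs SQL Server 2008 R2 SP1 or later for sys.dm_os_volume_stats.

```sql
-- Added pre-purge transaction-log check, not part of the Avecto guide.
USE AvectoPrivilegeGuard;   -- default database name; change if a custom name was given at install time
GO
-- 1. Recovery model, why the log currently cannot be truncated (if anything), and the last log backup
SELECT d.name,
       d.recovery_model_desc,
       d.log_reuse_wait_desc,                 -- NOTHING = log space can be reused; LOG_BACKUP = a log backup is overdue
       (SELECT MAX(b.backup_finish_date)
          FROM msdb.dbo.backupset b
         WHERE b.database_name = d.name AND b.type = 'L') AS last_log_backup
FROM sys.databases d
WHERE d.name = DB_NAME();

-- 2. Log file size, autogrowth increment and ceiling (sizes are stored as 8 KB pages)
SELECT name,
       physical_name,
       CAST(size AS bigint) * 8 / 1024 AS size_mb,
       CASE WHEN is_percent_growth = 1 THEN CAST(growth AS varchar(10)) + ' %'
            ELSE CAST(CAST(growth AS bigint) * 8 / 1024 AS varchar(20)) + ' MB' END AS autogrowth,
       CASE WHEN max_size = -1 THEN 'unlimited (bounded by the disk)'
            WHEN max_size = 0  THEN 'no growth allowed'
            ELSE CAST(CAST(max_size AS bigint) * 8 / 1024 AS varchar(20)) + ' MB' END AS max_size
FROM sys.database_files
WHERE type_desc = 'LOG';

-- 3. How full each log is right now (one row per database; find AvectoPrivilegeGuard in the output)
DBCC SQLPERF(LOGSPACE);

-- 4. Free space on the volume holding the log file, so "can grow" is not just a setting
--    (sys.dm_os_volume_stats requires SQL Server 2008 R2 SP1 or later)
SELECT DISTINCT vs.volume_mount_point,
       vs.available_bytes / 1024 / 1024 / 1024 AS free_gb
FROM sys.master_files mf
CROSS APPLY sys.dm_os_volume_stats(mf.database_id, mf.file_id) vs
WHERE mf.database_id = DB_ID() AND mf.type_desc = 'LOG';
```

Under SIMPLE recovery each committed stage releases its log space, so purging in smaller date ranges keeps the peak small. Under FULL recovery, take a log backup between stages; a log_reuse_wait_desc of LOG_BACKUP means the log cannot be reused until you do. Check the volume free space as well as the autogrowth setting, since an "unlimited" max_size is only unlimited as far as the disk.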

1.6.3. SSRS Sizing

The Microsoft SQL Server Reporting Services database remains relatively small, so capacity planning for it is rarely a concern.

A dedicated server should be sized according to Microsoft SQL Server Minimum Specifications and assessed periodically.


Pre-installation Tasks

Accounts

Before commencing with the installation of Enterprise Reporting components, it is recommended that the following accounts are created. The installation steps in subsequent sections of this guide will refer to these accounts.

Accounts Required for Installation

ERInstaller
    Details: Use this account to install the EventManagement and ReportingPack components.
    Account type: Windows account
    Permissions / rights: Windows permission - Local Administrator

DatabaseCreator
    Details: Used by the EventManagement installer to create the Defendpoint database.
    Account type: Windows account or SQL Authentication account
    Permissions / rights: SQL Server permission - sysadmin
    Note: The database must be installed by a user whose default schema is dbo. For more information, refer to http://technet.microsoft.com/en-us/library/ms190387(v=sql.105).aspx

ReportWriter
    Details: Used by the Reporting Pack installer to configure the SSRS data source and deploy the Defendpoint reports.
    Account type: Windows account
    Permissions / rights: SSRS site-level role - System Administrator
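The following T-SQL is an added example, not part of the Avecto guide, for verifying the DatabaseCreator account before running the Event Management installer. Connect with it from the intended Event Collector host, so that the connection crosses the network, using SQL Server Management Studio or sqlcmd; the instance and the account are whatever you have chosen, and the database name AvectoPrivilegeGuard is the installer's default. It checks the sysadmin role and dbo default schema required above, the two server permissions (ALTER ANY LOGIN and CREATE ANY DATABASE) that the installer needs when Windows Authentication is used for the SQL connection and whose absence is reported as error 15247, and that the instance accepts TCP/IP connections as the Event Parser service will need.

```sql
-- Added pre-installation check, not part of the Avecto guide.
-- Run from the Event Collector host, connected as the DatabaseCreator account
-- (or as the installing user when the SQL connection will use Windows Authentication).
SELECT
    SUSER_SNAME()                                        AS login_name,
    IS_SRVROLEMEMBER('sysadmin')                         AS is_sysadmin,          -- 1 expected
    HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN')     AS has_alter_any_login,  -- 1 expected (implied by sysadmin)
    HAS_PERMS_BY_NAME(NULL, NULL, 'CREATE ANY DATABASE') AS has_create_any_db,    -- 1 expected (implied by sysadmin)
    SCHEMA_NAME()                                        AS default_schema,       -- 'dbo' expected
    SERVERPROPERTY('ProductVersion')                     AS product_version,      -- 10.50.x or higher = SQL Server 2008 R2 or later
    SERVERPROPERTY('Edition')                            AS edition;              -- Express with Advanced Services, Standard, Enterprise ... not Compact

-- How this session reached the instance. From a remote host, 'TCP' proves the TCP/IP
-- protocol is enabled; 'Shared memory' means you connected locally and have not
-- tested the path the Event Parser service will actually use.
SELECT net_transport,            -- 'TCP' expected when run remotely
       local_tcp_port,           -- the port the Event Collector must be allowed to reach
       auth_scheme               -- NTLM or KERBEROS for Windows Authentication, SQL for a SQL login
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- Does the default database already exist? The installer reuses an existing database
-- rather than creating a fresh one, so an unexpected row here deserves a look first.
SELECT name, recovery_model_desc, state_desc
FROM sys.databases
WHERE name = N'AvectoPrivilegeGuard';
```

If has_alter_any_login or has_create_any_db comes back 0 for a non-sysadmin account, grant those two server permissions (or add the account to sysadmin for the duration of the install) before running the installer rather than after it fails.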


Accounts Required for Runtime

EventParser
    Details: Used by the Event Parser (Event Collection) service to connect to the Avecto database and write event data.
    Account type: Windows account
    Permissions / rights: SQL Server permission - database write access; Windows group member - Event Log Readers; Windows permission - network access (for a remote SQL Server instance)

ReportReader
    Details: Used by the Reporting Pack reports to allow read access to the Defendpoint database.
    Account type: Windows account or SQL Authentication account
    Permissions / rights: Requires Log On Locally rights on the server hosting SSRS. (SELECT and EXECUTE permissions are assigned during the installation process.)

DataAdmin
    Details: Used by the Reporting Pack reports to allow write access to the Defendpoint database to purge undesired data. This account, and the product feature, is optional; please see section 4.2 Installation for more information.
    Account type: Windows account or SQL Authentication account
    Permissions / rights: Requires Log On Locally rights on the server hosting SSRS. (SELECT and EXECUTE permissions are assigned during the installation process.)
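After installation, the grants the installer actually made can be compared with the runtime accounts table above. The following T-SQL is an added example, not part of the Avecto guide; run it in the Defendpoint database (the default name AvectoPrivilegeGuard is assumed) as a sysadmin. The three account names are placeholders for whatever you created, and the database user names are assumed to match the login names. EventParser should appear with write access only, ReportReader and DataAdmin with SELECT and EXECUTE, and none of the three should hold db_owner, CONTROL or a server role.

```sql
-- Added post-installation least-privilege check, not part of the Avecto guide.
USE AvectoPrivilegeGuard;   -- default database name; change if a custom name was given at install time
GO
DECLARE @runtime TABLE (name sysname);
INSERT INTO @runtime (name) VALUES
    (N'CORP\svc-EventParser'),    -- placeholder names: substitute your own
    (N'CORP\svc-ReportReader'),
    (N'CORP\svc-DataAdmin');

-- 1. Server level: a runtime account should not be sysadmin, whatever it holds in the database
SELECT sp.name AS login_name, sp.type_desc,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin      -- 0 expected
FROM sys.server_principals sp
WHERE sp.name IN (SELECT name FROM @runtime);

-- 2. Fixed and custom database role membership (db_owner here is over-broad)
SELECT u.name AS principal, r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals u ON u.principal_id = rm.member_principal_id
WHERE u.name IN (SELECT name FROM @runtime)
ORDER BY u.name, r.name;

-- 3. Every explicit GRANT or DENY, with the securable resolved to a readable name
SELECT u.name AS principal, p.state_desc, p.permission_name, p.class_desc,
       CASE p.class
           WHEN 0 THEN DB_NAME()                                                        -- whole database
           WHEN 1 THEN OBJECT_SCHEMA_NAME(p.major_id) + N'.' + OBJECT_NAME(p.major_id)  -- table, view, procedure
           WHEN 3 THEN SCHEMA_NAME(p.major_id)                                          -- schema
           ELSE CAST(p.major_id AS nvarchar(20))
       END AS securable
FROM sys.database_permissions p
JOIN sys.database_principals u ON u.principal_id = p.grantee_principal_id
WHERE u.name IN (SELECT name FROM @runtime)
ORDER BY u.name, p.class, securable, p.permission_name;

-- 4. Permissions that should never be granted to a runtime account
SELECT u.name AS principal, p.permission_name, p.class_desc
FROM sys.database_permissions p
JOIN sys.database_principals u ON u.principal_id = p.grantee_principal_id
WHERE u.name IN (SELECT name FROM @runtime)
  AND p.state IN ('G', 'W')                                      -- GRANT, or GRANT WITH GRANT OPTION
  AND p.permission_name IN (N'CONTROL', N'ALTER', N'TAKE OWNERSHIP', N'IMPERSONATE', N'ALTER ANY USER');
```

Query 4 should return no rows. Anything beyond the table above, such as db_owner membership left over from an earlier manual setup, is worth removing once the Event Parser service and the SSRS data source have been confirmed working.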


2.1.1. Creating the ReportWriter Account

To assign the System Administrator site-level role in Reporting Services:

1. Browse to the SQL Server Reporting Services Report Manager URL (this can be found in the Reporting Services Configuration Manager, under Report Manager URL).

2. Click Site Settings and then select Security.

3. Click New Role Assignment, and enter the DOMAIN\Username of the account that will be used as ReportWriter. Select the System Administrator role.

4. Click OK to create the new role assignment.


Defendpoint Event Management Installation

The Defendpoint Event Management software should be installed on the Event Collectors (or on the single server if using Deployment Option 1). As part of the install, you will specify the database connection details, and the installer will create the Defendpoint database (if it doesn't already exist) and configure the connection to the database.

Important: The Avecto ER Event Management installer creates a database and database permissions through embedded SQL scripts. If your database administration team does not allow creation of databases, or database permissions by installers, please contact Avecto support for assistance with an alternative approach.

Prerequisites

Before installing the Event Management component you will require the following user accounts:

ERInstaller

DatabaseCreator

EventParser

DataAdmin (optional)

ReportReader (optional)

Note: If you are using a single server, as in Deployment Option 1, then you may be able to run the Defendpoint Event Parser service as the SYSTEM account, assuming the SYSTEM account can write to the database; in this case you will not require a separate Windows user account for the service. Be aware that on SQL Server 2008 R2 and earlier the NT AUTHORITY\SYSTEM login is a member of the sysadmin role by default, so this grants the service far more than write access; outside an evaluation a dedicated EventParser account is still preferable.

Note: The SQL Server configuration must have TCP/IP communications enabled to allow the Event Parser Service to submit events to the database.

Installation

To install Defendpoint Event Management Software, run the appropriate installation package with an account that has ERInstaller privileges:

For 32-bit systems run DefendpointEventManagement_x86.exe

For 64-bit systems run DefendpointEventManagement_x64.exe


1. Run the appropriate installation package.

2. Click Next to continue. The License Agreement dialog will appear.

3. After reading the license agreement, select I accept the terms in the license agreement and click Next to continue. The Customer Information dialog will appear.


4. Enter your name and the name of your organization and click Next to continue. The Destination Folder dialog will appear.

5. If you wish to change the default installation directory, click the Change button and select a different installation directory.

6. Click Next to continue. The Database Server dialog will appear.


7. Specify the details of the database server, and enter the DatabaseCreator account.

Note: The credentials specified here are used to create and configure the Defendpoint database, and are not used after the installation is finished.

Note: If Windows Authentication is specified for the SQL connection, the account of the installing user MUST have the ALTER ANY LOGIN and CREATE ANY DATABASE permissions on the SQL Server instance, in order for the Reporting Services instance user to be created. If you receive error 15247 ("User does not have permission to perform this action"), verify that these permissions have been granted.

8. Click Next to continue. The Event Parser Service dialog will appear.

9. Specify the EventParser account for the Event Parser Service. Click the Browse button to select the account if desired.

Note: This account will be given write access to the database, and will be added to the Event Log Readers group on the Event Collector server. It will also be granted the Log on as a service right on the Event Collector server.

10. Click Next to continue. The Reporting Services dialog will appear.

11. Optionally enter the ReportReader account which the Reporting Services Instance will use.

12. Optionally enter the DataAdmin account to allow data purging using administration rights.

Note: This account will be added to the Defendpoint database, and configured to allow Reporting Services access to the database. The account can be either based on an existing Windows user or a SQL Server Authentication user can be created.

13. Click Next to continue. The Ready to Install the Program dialog will appear.

14. Click Install to complete the installation.
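The note under step 7 requires the installing user to hold Alter Any Login and Create Any Database when Windows Authentication is used. The following T-SQL is an added example, not part of the Avecto guide: run it as the account that will perform the installation, connected to the target SQL Server instance, to confirm both server-level permissions before starting the installer, and to grant only those two if they are missing. The login name DOMAIN\InstallingUser is a placeholder.

```sql
-- Added example (not part of the Avecto guide). Run as the account that
-- will perform the installation, connected to the target SQL Server instance.
-- Lists which of the two required server-level permissions the current
-- login effectively holds (directly, via a server role, or via sysadmin).
SELECT permission_name
FROM sys.fn_my_permissions(NULL, 'SERVER')
WHERE permission_name IN ('ALTER ANY LOGIN', 'CREATE ANY DATABASE');

-- 1 = held, 0 = missing. Both must be 1, otherwise the installer cannot
-- create the Reporting Services instance login (the guide's error 15247).
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN')     AS can_alter_any_login,
       HAS_PERMS_BY_NAME(NULL, NULL, 'CREATE ANY DATABASE') AS can_create_any_database;

-- If either is 0, grant exactly these two permissions to the installing
-- login rather than adding it to sysadmin. DOMAIN\InstallingUser is a
-- placeholder for the Windows account that will run the installer.
GRANT ALTER ANY LOGIN     TO [DOMAIN\InstallingUser];
GRANT CREATE ANY DATABASE TO [DOMAIN\InstallingUser];
```

The first two queries are read-only and can be run by the installing user; the GRANT statements need a sysadmin or a login that already holds those permissions WITH GRANT OPTION. Revoking the two grants once the installation has finished keeps the account at the least privilege it needs day to day.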

Defendpoint Enterprise Reporting Installation

Enterprise Reporting should be installed on the SQL Server Reporting Services Instance (or the single server if using a ‘single box’ solution).

Prerequisites

Before installing the ReportingPack component you will require the following user accounts:

ERInstaller

ReportReader

ReportWriter

Installation

To install Defendpoint Reporting Pack:

1. Run the DefendpointReportingPack.exe installation package as a user with the ReportWriter permissions:

2. Click Next to continue. The License Agreement dialog will appear.

3. After reading the license agreement, select I accept the terms in the license agreement and click Next to continue. The Customer Information dialog will appear.

4. Enter your name and the name of your organization and click Next to continue. The Database Server dialog will appear.

5. Specify the details of the report server URL (the reports will fail to upload if you enter an incorrect URL). You must also specify the database to be used by the SQL Server Reporting Services instance.

6. If you are unsure of the correct Report Server URL to use, you can find it in the Reporting Services Configuration Manager under Web Service URL:

7. Click Next to continue. The Reporting Services Authentication dialog will appear.

8. Enter the ReportReader account as the account used to connect to the data source.

Note: This is used by the Reporting Services to connect to the database instance when generating dashboards and reports. The account should be the same account that was specified as part of the Defendpoint Event Management Installer.

Note: If Credentials stored locally in the report server is not selected, then any users authorized to access Enterprise Reporting must have their account credentials added to the SsrsRole database role.

9. Click Next to continue. The Reporting Services Admin Authentication dialog will appear. This feature is optional and may not be desirable in environments that need to keep tight control over purging of audit data.

10. The purpose of this report is to allow the purging (and subsequent exclusion) of applications that are populating the database with unwanted data. For more information see the Enterprise Reporting Dashboard Guide.

11. Use the DataAdmin account for this purpose.

12. Click Next to continue. The Ready to Install the Program dialog will appear.

13. Click Install to complete the installation.
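The note under step 8 says that when Credentials stored locally in the report server is not selected, every user permitted to use Enterprise Reporting must be added to the SsrsRole database role. The following T-SQL is an added example, not part of the Avecto guide, showing how to do that for a Windows group with nothing more than SsrsRole membership. DOMAIN\ER Report Viewers is a placeholder group name; AvectoPrivilegeGuard is the database name used elsewhere in this guide.

```sql
-- Added example (not part of the Avecto guide). Run on the SQL Server
-- instance hosting the Defendpoint ER database. Gives a Windows group the
-- database access Reporting Services needs when report credentials are NOT
-- stored locally in the report server, by placing it in the SsrsRole role.
-- DOMAIN\ER Report Viewers is a placeholder group; AvectoPrivilegeGuard is
-- the database name used in this guide.
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'DOMAIN\ER Report Viewers')
    CREATE LOGIN [DOMAIN\ER Report Viewers] FROM WINDOWS;

USE AvectoPrivilegeGuard;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'DOMAIN\ER Report Viewers')
    CREATE USER [DOMAIN\ER Report Viewers] FOR LOGIN [DOMAIN\ER Report Viewers];

-- sp_addrolemember works on SQL Server 2008 R2 (ALTER ROLE ... ADD MEMBER is
-- the 2012+ equivalent). SsrsRole membership is the only grant made: no
-- db_datareader and certainly no db_owner for report viewers.
EXEC sp_addrolemember @rolename = N'SsrsRole',
                      @membername = N'DOMAIN\ER Report Viewers';

-- Verify: who is currently in SsrsRole.
SELECT m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'SsrsRole';
```

Granting the role to a group rather than to individual logins keeps the SQL side static; access is then controlled by group membership in Active Directory, which is also where it is easiest to audit.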

Security Configuration

SQL Server Reporting Services

If you chose Credentials supplied by the user running the report or Windows Integrated Security for Reporting Services Authentication, then each user or group of users who are permitted to view reports should be granted Browse permissions in SQL Server Reporting Services (SSRS).

1. Browse to the SSRS Report Manager, using the ReportWriter account (you can locate the correct URL from within the Reporting Services Configuration Manager, under Report Manager URL):

Note: You may need to run Internet Explorer with Administrator rights to initially configure the security.

2. Click Folder Settings to view the security of the top level, and then click New Role Assignment to grant access to a user or group.

3. Specify the group or user, tick the Browser role, and click OK.

4. If the Data Administration reports were installed, security on the subfolder should restrict access to the SSRS System administrator and users authorized to purge data.

Viewing Dashboards and Reports

Once all components have been installed, and the security has been configured, the dashboards and reports can be viewed. The starting point for the reports is erpActivities, which you will find in the Avecto Defendpoint (Privilege Guard) reports folder.

If you are unsure of the correct URL to use, you can find it in the Reporting Services Configuration Manager under Web Service URL:

Note: By default, the web service URL is http://<reportingserver>/ReportServer

Once you have navigated to the correct URL, click on the Avecto Privilege Guard web directory, and then click on the erpActivities report:

Note: Once you have navigated to the erpActivities report, save the address to your browser’s Favourites list.

There are several dashboards in Enterprise Reporting:

Actions - Summarizes audited items categorized by the type of action taken. This allows focusing on the topic of interest – elevation, blocking etc.

Target Types - Summarizes specific application types that have launched and have been audited. This dashboard includes a sub-report All, where all raw application type data can be viewed in a tabular report.

Workstyles - Summarizes all Defendpoint workstyle usage, including coverage statistics. It identifies the top ten workstyles responsible for various application outcomes e.g. elevate, blocked, passive audited or allocated a custom token. This dashboard includes a sub report All, where all raw workstyle data can be viewed in a tabular report.

Users - Summarizes how users have interacted with messages, challenge / response dialogs and the shell integration within the specified time range.

Deployments - Summarizes Defendpoint Client deployments. The report shows which versions of Defendpoint are currently installed across the organisation. It includes asset information about endpoints such as operating system and default language to assist with workstyle targeting.

Discovery - Summarizes all unique applications that have been discovered. It differentiates between those that required admin rights and those that did not.

Requests – Summarizes information about the requests that have been raised over the specific time frame. A blocked message with a reason entered or a cancelled challenge / response message is considered to be a request.

Events - Summarizes information about the different types of events that have been raised over the specified time frame. It also shows how long it is since the different hosts raised an event.

Database Administration – Exposes applications creating excess data that floods the database and impacts performance. It allows purging and suppression of application audits when applications are observed to create undesired audits.

Note: The Database Administration dashboard is not available from the Enterprise Reporting interface.

If they have been selected during the Reporting Pack installation (see section 4.1 Step 10) they are available from the root directory: http://<reportingserver>/ReportServer/

1. Navigate to the root directory in the internet browser address bar and click on Avecto Privilege Guard.

2. Click on Admin and then click on ErpEventsAdmin.

3. The Database Administration dashboard will be displayed.

For more information on the purging and suppression options available from the Database Administration dashboard please refer to the Enterprise Reporting Dashboard Guide.

There are also several summary reports for key items which are common throughout the various Dashboards in Enterprise Reporting. Summary Reports are available anywhere that the Information logo (i) is displayed, by clicking on the logo:

Application Summary Report - Detailed statistical overview of a particular unique application.

Event Summary Report - Detailed Event Log style summary of a specific event instance.

User Summary Report - Detailed statistical overview of a particular user account.

Host Summary Report - Detailed statistical overview of a particular host computer.

Workstyle Summary Report - Detailed statistical overview of a particular Defendpoint workstyle.

Many charts and tables in the dashboards can be clicked to drill down into more detailed information. For more information on the dashboards and reports in Enterprise Reporting, refer to the Enterprise Reporting Reference Guide by clicking the HELP link.

Upgrading Enterprise Reporting

Assumptions

This guide assumes that there is already a working installation of the Defendpoint Enterprise Reporting (ER) installed on a supported operating system(s).

Upgrade

This upgrade path can be applied to both standalone ER configurations and to configurations spread over multiple machines.

Note: When installing ER, the Reporting Pack and Event Management installers should be the same version, e.g. “4.0.122.0”. A different version of the Defendpoint Console and Client may be used in conjunction with ER; however, the Defendpoint Client generates the data that populates ER, so any new feature added to the Reporting Pack is populated only if the Defendpoint Client is on a version that supports generating that data.

7.2.1. Upgrade the Event Parser

1. Stop the Event Parser Service on the Event Collector machine

2. If the Defendpoint Client is also running on the Event Collector machine, stop the Avecto Defendpoint Service for the duration of the installation; otherwise it will be necessary to remove the Avecto Defendpoint Event Management program and restart the machine before proceeding with the upgrade.

3. Run the new DefendpointEventManagement installer. The installer will remember the previously entered settings. However, it is also possible to change the settings at this point if required.

4. Once the installer has finished a Successfully Completed message will be displayed:

5. Verify that the program has upgraded by reviewing the Programs and Features list:

6. The Avecto Defendpoint Event Parser service will have been upgraded and will have started automatically.

Note: If running the Defendpoint Client on the Event Collector, the Avecto Defendpoint service should be restarted.

7.2.2. Upgrade the Reporting Pack

1. On the Reporting Server machine, run the DefendpointReportingPack installer.

2. The installer will remember previously entered details. Continue through the dialog if the details are correct. Otherwise make the necessary amendments.

3. On the Reporting Services Authentication dialog, ensure that the authentication method selected is correct. If you are using Credentials supplied by the user running the report it will be necessary to re-enter the credentials as they are not stored locally on the machine.

4. Repeat this step on the Reporting Services Admin Authentication dialog.

5. Complete the installation. The installer will confirm that the installation completed successfully.

6. Verify the update by checking the version number which is listed in two places:

Programs and Features

Under the Report stamp listed on the ER report

7.2.3. Post Upgrade Checks

If the Event Parser and the Reporting Pack have been upgraded without error, any new events generated should be appearing in the upgraded report. If the events aren’t appearing in the report verify the following:

1. Check that the Event Parser Service is running on the Event Collector.

2. Verify that the account being used for the Event Parser Service is valid, i.e. a local account should only be used if running ER on a single machine.

3. Verify that events are being generated on the client and are being forwarded to the Event Collector (will appear in the Event Viewer’s Forwarded Event Log).

4. Verify that events are appearing in the SQL Server’s database. Check the Staging table if the events aren’t appearing in the Events table.
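Check 4 can be done with a query rather than by browsing tables. The following T-SQL is an added example, not part of the Avecto guide: it reads row counts for the Events, Staging and Processes tables from partition metadata, which is cheap even on a large database. It assumes the tables live in the dbo schema of a database named AvectoPrivilegeGuard, the name used elsewhere in this guide.

```sql
-- Added example (not part of the Avecto guide). Post-upgrade check 4 as a
-- query: approximate row counts for the tables the guide names, taken from
-- partition metadata rather than COUNT(*), so it is cheap on a large
-- database. Run it, allow some client activity, then run it again:
-- Events and Processes should grow. Rows present in Staging while Events
-- stays flat show the data is reaching the database, which narrows the
-- problem to the database side rather than to event forwarding.
USE AvectoPrivilegeGuard;
SELECT t.name      AS table_name,
       SUM(p.rows) AS approx_rows
FROM sys.tables AS t
JOIN sys.partitions AS p
  ON p.object_id = t.object_id
 AND p.index_id IN (0, 1)        -- heap (0) or clustered index (1) only
WHERE t.schema_id = SCHEMA_ID(N'dbo')
  AND t.name IN (N'Events', N'Staging', N'Processes')
GROUP BY t.name
ORDER BY t.name;
```

Because the counts come from metadata they may lag slightly behind the latest inserts; that does not matter for a before-and-after comparison, which is all this check needs.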

Database Maintenance

Microsoft SQL Server Management Studio offers database administrators (DBA) a set of tools for ensuring that databases are optimized, regularly backed up, and free of inconsistencies. Tasks can be created as Maintenance Plans, and the SQL Server Management Studio includes a wizard for the creation of core Maintenance Plans.

Note: It is highly recommended that database maintenance tasks are performed only by qualified DBAs.

Below is a subset of the Maintenance Plan tasks that Avecto recommends are configured for the Defendpoint Enterprise Reporting database.

Note: Other Maintenance Plan tasks are offered by Microsoft SQL Server, and your DBA may suggest other plans that best suit your organization.

Rebuilding Indexes

Microsoft SQL Server maintains indexes whenever events and data are added to or purged from the Defendpoint database. Over time, these indexes may become fragmented. Heavily fragmented indexes can cause degradations in database performance and result in increased report generation times. Rebuilding the indexes will improve database performance and restore report generation times to their optimum.

Therefore, it is recommended that a Maintenance Plan is applied to SQL Server to ensure that indexes are regularly rebuilt.

If you are unsure of whether your Defendpoint Enterprise Reporting database indexes are causing a degradation in performance, then you can observe their percentage fragmentation in SQL Server Management Studio. The Processes table of the ER database is typically a high volume table, and most likely will become fragmented first.

To check the index fragmentation of the ER database in SQL Server Management Studio:

1. Navigate to Databases > Avecto Defendpoint (Privilege Guard) > Tables > dbo.Processes > Indexes.

2. Right-click on IDC Processes and select Properties.

3. In the Index Properties dialog, select Fragmentation.

4. The Total Fragmentation is displayed as a percentage.

Note: If you wish to perform a manual rebuild of a table's indexes, you can right-click the Indexes node of any table and select Rebuild All.
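The same fragmentation check, and a rebuild that only touches indexes that need it, can be done in T-SQL. The following is an added example, not part of the Avecto guide; it assumes the database is named AvectoPrivilegeGuard (as in the Maintenance Plan steps of this guide) and targets dbo.Processes, the high-volume table the text says fragments first. The 5 % and 30 % thresholds are Microsoft's general guidance for reorganize versus rebuild, not values from this guide.

```sql
-- Added example (not part of the Avecto guide). Reports fragmentation for
-- every index on dbo.Processes, then reorganizes or rebuilds based on the
-- result. Assumes the database name AvectoPrivilegeGuard.
USE AvectoPrivilegeGuard;

SELECT i.name AS index_name,
       s.index_type_desc,
       s.avg_fragmentation_in_percent,
       s.page_count
FROM sys.dm_db_index_physical_stats(DB_ID(), OBJECT_ID(N'dbo.Processes'),
                                    NULL, NULL, 'LIMITED') AS s
JOIN sys.indexes AS i ON i.object_id = s.object_id AND i.index_id = s.index_id
WHERE s.index_id > 0                         -- skip heaps
ORDER BY s.avg_fragmentation_in_percent DESC;

-- Build the maintenance statements: reorganize between 5 % and 30 %
-- fragmentation, rebuild above 30 % (Microsoft's usual guidance), and
-- ignore small indexes (< 1000 pages) where the figure is not meaningful.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += CASE
        WHEN s.avg_fragmentation_in_percent > 30
            THEN N'ALTER INDEX ' + QUOTENAME(i.name) + N' ON dbo.Processes REBUILD;' + CHAR(10)
        WHEN s.avg_fragmentation_in_percent > 5
            THEN N'ALTER INDEX ' + QUOTENAME(i.name) + N' ON dbo.Processes REORGANIZE;' + CHAR(10)
        ELSE N''
       END
FROM sys.dm_db_index_physical_stats(DB_ID(), OBJECT_ID(N'dbo.Processes'),
                                    NULL, NULL, 'LIMITED') AS s
JOIN sys.indexes AS i ON i.object_id = s.object_id AND i.index_id = s.index_id
WHERE s.index_id > 0 AND s.page_count > 1000;

PRINT @sql;                -- review what will run ...
EXEC sp_executesql @sql;   -- ... then run it (no-op if nothing qualifies)
```

A REBUILD takes a heavier lock than REORGANIZE, so schedule it outside report-generation hours; the Event Parser's retry behaviour means a briefly blocked insert is not lost.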

Database Backups

Backing up the ER database on a regular basis is important for preserving Defendpoint activity in the event of a hardware or system failure on the SQL server that may cause a corruption. Backed up databases can be quickly restored with minimum disruption to the business.

There are several options for backing up different components of a database. Avecto recommends performing a backup of the entire database.

Therefore, it is recommended that a Maintenance Plan is applied to SQL Server to ensure that the ER database is fully backed up on a regular basis.

Creating a Maintenance Plan

Maintenance Plans allow you to create a workflow of maintenance tasks in SQL Server to ensure that your databases are fully optimized and backed up. Plans can be created manually, or by using the built-in wizard, and can be performed manually or automatically on a schedule.

Note: Maintenance Plans are executed as SQL Server Agent jobs, and so the SQL Server Agent must be running.

To create a Maintenance Plan in SQL Server Management Studio:

1. Navigate to Management > Maintenance Plans.

2. Right-click Maintenance Plans and choose Maintenance Plan Wizard.

3. Proceed through the wizard to the Select Maintenance Tasks page and check the following recommended tasks (as a minimum):

Rebuild Index

Backup Database (Full)

4. Proceed through the wizard (setting any options as appropriate) to the Define Rebuild Index Task page.

5. Select the AvectoPrivilegeGuard Database and click OK.

6. Proceed through the wizard (setting any options as appropriate) to the Define Back Up Database (Full) Task page.

7. Select the AvectoPrivilegeGuard Database and click OK.

8. Set the backup schedule, backup location, and any other options as appropriate.

9. Proceed through the wizard (setting any options as appropriate). Click Finish to complete the wizard and create the new Maintenance Plan.

The new plan will now be listed under the Maintenance Plans node and can be edited at any time. The Maintenance Plan can be run manually by right-clicking and choosing Execute.
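The Backup Database (Full) task the wizard creates can also be written as a T-SQL job step, which makes it easy to add two things the wizard does not enable by default: page checksums during the backup and a verification pass afterwards. The following is an added example, not part of the Avecto guide; the backup folder D:\SQLBackups is a placeholder and AvectoPrivilegeGuard is the database name used in the steps above.

```sql
-- Added example (not part of the Avecto guide). The recommended full
-- backup as T-SQL, suitable for a SQL Server Agent job step or a manual
-- run. D:\SQLBackups is a placeholder path; AvectoPrivilegeGuard is the
-- database name used in this guide.
USE master;

-- Full backup with page checksums, so corruption is caught at backup time
-- rather than discovered during a restore. INIT overwrites a same-day file.
DECLARE @file nvarchar(260) =
    N'D:\SQLBackups\AvectoPrivilegeGuard_'
    + CONVERT(nvarchar(8), GETDATE(), 112) + N'.bak';   -- yyyymmdd

BACKUP DATABASE AvectoPrivilegeGuard
    TO DISK = @file
    WITH INIT, CHECKSUM, STATS = 10,
         NAME = N'AvectoPrivilegeGuard full backup';

-- A backup that has never been verified is only a hope. This validates
-- the media and the checksums without restoring anything.
RESTORE VERIFYONLY FROM DISK = @file WITH CHECKSUM;

-- Confirm the backup was recorded, and see how recent the previous ones
-- are; a gap here means the Agent job has not been running.
SELECT TOP (5) backup_finish_date,
               backup_size / 1048576.0 AS size_mb,
               is_copy_only
FROM msdb.dbo.backupset
WHERE database_name = N'AvectoPrivilegeGuard'
  AND type = 'D'                                   -- D = full database backup
ORDER BY backup_finish_date DESC;
```

Keep the backup files on storage that the SQL Server service account can write to but that report viewers and the EventParser account cannot read: a full backup contains every audit record, so it deserves the same access control as the database itself.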

Purging Defendpoint Data

Enterprise Reporting includes an optional ER Purge Tool, which allows old data to be purged from the Defendpoint database. The ER Purge Tool can be downloaded from the Avecto website. Once you have installed the ER Purge Tool, it can be run from the Windows Start Menu.

Note: Prior to purging large sets of data, please ensure your SQL Transaction logs are able to grow to accommodate. It may be necessary to delete data in stages when setting this up for the first time.

8.4.1. Connecting to Enterprise Reporting

When launched, you will first be asked to connect to the database you wish to purge. Enter the name or IP Address of the SQL server instance and the name of the Defendpoint Database.

The tool supports either pass through Windows authentication, or you may specify an SQL account and password by checking the Use SQL Authentication box.

Note: You must connect to the SQL Server with db_owner privileges for both the Defendpoint database and also the msdb database, in order to use the ER Purge Tool.

For convenience, successful connection settings (not including the password) are recalled the next time the tool is run.

Once connected, the tool will begin to collect summary statistics for the database. These statistics are collected in the background, and depending on the size of the database, may take several seconds to appear.

The statistics collected are:

Number of processes

Number of events

Number of user sessions

Number of host sessions

Note: The total number of events and processes may not be the same. This is expected, as some actions, such as Privilege Monitoring, may generate multiple events for the same process.

When a purge is performed, any data relating to processes, events, user sessions and host sessions older than the specified number of months will be deleted.

The ER Purge Tool offers two modes of configuration, Automatic Purging and Manual Purging.

Automatic Purging

The ER Purge Tool allows you to configure an automatic purge job via the SQL Server Agent. If there is an existing job configured on the SQL Server instance, then the current job settings will be automatically populated, otherwise automatic purging will default to Do not automatically purge data.

To configure an automatic purge:

1. Expand the drop down box and choose Automatically Purge Data.

2. Specify the number of months (1 to 12); data older than this will be purged.

3. Specify the frequency of how often the automatic purge should be performed (each day, each week or each month).

4. Click Update Settings to create or update the automatic purge.

Note: In order to configure an automatic purge, the SQL Server Agent must be running.

Once configured, the SQL Server Agent will automatically purge data according to the age and frequency set.

Daily – The purge will occur at 00:00:00 each day.

Weekly – The purge will occur at 00:00:00 each Monday.

Monthly – The purge will occur at 00:00:00 each first day of the month.

For advanced SQL administrators, the purge schedule may be further configured by editing the SQL Server Agent job via the SQL Server Management Studio.

Note: If editing the SQL Agent job from within the SQL Server Management Studio, you may receive the following error:

"Creating an instance of the COM component with CLSID {AA40D1D6-CAEF-4A56-B9BB-D0D3DC976BA2} from the IClassFactory failed due to the following error: c001f011. (Microsoft.SqlServer.ManagedDTS)"

This is a known Microsoft issue. Please refer to http://support.microsoft.com/kb/2315727 for steps to resolve this issue.
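The purge job's schedule and last outcome can be inspected directly in msdb without opening the job in the designer, which also sidesteps the error above. The following T-SQL is an added example, not part of the Avecto guide or the ER Purge Tool. The guide does not give the name the tool assigns to the job, so the query finds jobs by the database their steps run against; AvectoPrivilegeGuard is the database name used elsewhere in this guide. Reading msdb this way needs the db_owner rights on msdb that the tool itself requires.

```sql
-- Added example (not part of the Avecto guide). Lists SQL Server Agent jobs
-- whose steps target the Defendpoint database, with schedule and last
-- outcome. The purge job's name is not documented in the guide, so jobs
-- are matched on the step's database instead. Assumes AvectoPrivilegeGuard.
USE msdb;
SELECT j.name        AS job_name,
       j.enabled,
       st.step_name,
       sch.name      AS schedule_name,
       CASE sch.freq_type
            WHEN 4  THEN 'Daily'
            WHEN 8  THEN 'Weekly'
            WHEN 16 THEN 'Monthly'
            ELSE 'Other (' + CAST(sch.freq_type AS varchar(10)) + ')'
       END           AS frequency,
       -- active_start_time is an int HHMMSS; 0 means 00:00:00, as the
       -- tool's Daily/Weekly/Monthly settings all use.
       RIGHT('000000' + CAST(sch.active_start_time AS varchar(6)), 6) AS start_hhmmss,
       CASE js.last_run_outcome
            WHEN 0 THEN 'Failed'
            WHEN 1 THEN 'Succeeded'
            WHEN 3 THEN 'Cancelled'
            ELSE 'Never run / unknown'
       END           AS last_outcome,
       js.last_run_date,
       js.last_run_time
FROM dbo.sysjobs AS j
JOIN dbo.sysjobsteps AS st ON st.job_id = j.job_id
LEFT JOIN dbo.sysjobschedules AS jsch ON jsch.job_id = j.job_id
LEFT JOIN dbo.sysschedules AS sch ON sch.schedule_id = jsch.schedule_id
LEFT JOIN dbo.sysjobservers AS js ON js.job_id = j.job_id
WHERE st.database_name = N'AvectoPrivilegeGuard'
   OR st.command LIKE N'%AvectoPrivilegeGuard%'
ORDER BY j.name, st.step_id;

-- To move the purge to 02:00 instead of midnight, update the schedule the
-- query above reported (schedule name is a placeholder here):
-- EXEC dbo.sp_update_schedule @name = N'<schedule name from above>',
--                             @active_start_time = 020000;
```

A last_outcome of Failed on the purge job is worth an alert: audit data keeps accumulating silently, and the first symptom is usually slow reports or a full transaction log.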

Manual Purging

If at any time you wish to perform a manual purge of Defendpoint data, you can use Manual Purging. To configure a manual purge:

1. Specify the number of months (1 to 12); data older than this will be purged.

2. Specify a timeout in seconds for how long the purge task should be allowed to run before it is terminated, or accept the default timeout of 300 seconds.

3. Click One-time Purge to activate the manual purge.

4. At the confirmation prompt, click Yes to confirm.

Once the purge operation has completed, you will receive a confirmation.

Note: The ER Purge Tool must remain running for the duration of the manual purge.

Shrinking the Database

If a large amount of data is being purged from the Defendpoint database, it is recommended that the database is shrunk once the purge has completed. Shrinking the database reduces the disk space consumed by the database and log files by removing empty data and log pages.

A database shrink can be configured as a Maintenance Plan within SQL Server Management Studio, and can be configured to run on a regular schedule.
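Before shrinking it is worth checking how much space a shrink could actually reclaim, since shrinking a file with little free space is pure I/O cost. The following T-SQL is an added example, not part of the Avecto guide; it assumes the database is named AvectoPrivilegeGuard, as elsewhere in this guide.

```sql
-- Added example (not part of the Avecto guide). Shows allocated, used and
-- free space per database file, then shrinks the database. Sizes in
-- sys.database_files are 8 KB pages, hence / 128.0 to get MB.
USE AvectoPrivilegeGuard;

SELECT name,
       type_desc,                                              -- ROWS or LOG
       size / 128.0                                      AS size_mb,
       FILEPROPERTY(name, 'SpaceUsed') / 128.0           AS used_mb,
       (size - FILEPROPERTY(name, 'SpaceUsed')) / 128.0  AS free_mb
FROM sys.database_files;

-- Shrink the whole database, leaving 10 % free space so the next batch of
-- events does not immediately trigger file growth. Run only after the purge
-- has finished and outside report-generation hours: shrinking moves pages
-- and fragments indexes, so an index rebuild should follow it.
DBCC SHRINKDATABASE (AvectoPrivilegeGuard, 10);
```

If free_mb on the data file is small, skip the shrink entirely; the purge has freed pages that the Event Parser's next inserts will simply reuse.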

Appendix 1. Event Management and Behavior

A 1.1.1. Event Parser SQL Connection

The connection between the Event Parser and the Database is established using the Microsoft SQL Native Client (OLE DB) provider: http://technet.microsoft.com/en-us/library/ms131687.aspx

The connection is secured using Windows Authentication.

The Avecto Event Parser executes as a Windows service using user credentials that have access to insert data into the AvectoPrivilegeGuard Audit event database. See the Accounts table below for more information.

The connection is established when the first event is processed, and kept open thereafter. If the connection is broken while executing commands, the parser will keep trying to recreate the connection. Data will not be lost due to an occasional loss of connection.

A 1.1.2. Data Transmission

The Event Parser service processes audit events in the shortest time possible, using a batching approach.

Note: The number of events processed in each batch is not configurable in the current release.

The Event Parser “subscribes” to the Event Log, and is notified of new events.

When the Event Parser is notified that new data is available, it processes all the events available in batches of 100.

Audit data is inserted into the AvectoPrivilegeGuard Audit event database using bulk SQL insert to optimize performance.

The AvectoPrivilegeGuard SQL database is designed to eliminate duplicate audit data, so there is no need to roll back partial failures – transactional inserts are not used.

If a data insert fails, the Event Parser will continue to retry; it will not skip over events.

For example, if the Event Parser Service’s account password expires, the Event Parser will fail to establish or reconnect to the database and “get stuck” retrying the same insert until the condition is rectified. This is by design, to ensure no data is lost.

If the failure persists for an extended period, the Windows Event Log may begin to “roll over” causing the oldest audit events to be removed. Be sure to maximize the event log size, and monitor growth rate to ensure audit data is retained as long as necessary.

A 1.1.3. Monitoring and Recovery

To diagnose failures in the Event Parser service look in the Windows Application event log on the Windows Event Collector host.

The Event Parser service will raise events if errors occur, such as failure to connect to the database. These events typically contain information required to diagnose the problem. If this is insufficient, debug logging can be enabled. The debugging logs are designed for advanced diagnostics by Avecto staff.

Please open a support case for this as it is not something customers would be expected to handle on their own.

A 1.1.4. Reprocessing Data

If, for any reason, data needs to be reprocessed (for example, if the database is deleted and recreated), the Event Parser can be made to reparse the entire event log. This is always safe to do, as the database is fully resilient to duplicate data being added; it will discard duplicate data.

Be aware that reprocessing all the events will cause a great deal of database activity in a short period of time. It is best to plan this during periods of low activity in your environment.

To do this:

1. Stop the Avecto Defendpoint Event Parser service.

2. Delete the registry key: HKEY_USERS\<Event Parser User SID>\Software\Avecto\Privilege Guard Event Parser\

3. Start the Avecto Defendpoint Event Parser service.

Appendix 2. Installing Enterprise Reporting for Defendpoint ePO Edition

This section explains how to install and configure Avecto Defendpoint Enterprise Reporting, which enables organizations to monitor and report on activity from Windows desktops and servers.

Defendpoint is implemented as a server extension to McAfee ePolicy Orchestrator, enabling agent deployment, policy management through the ePO Policy Catalog, and granular auditing and reporting of Defendpoint activity using ePO integrated dashboards and query editor as well as Avecto’s own reporting module.

Reporting event centralization can be via the ePO server and/or via Windows Event Forwarding. These events can be displayed using the reports module built into the Defendpoint Extension or via custom queries using the standard ePO reporting facilities.

Also provided are Threat Event linked audit events which are stored in the ePO database and displayed via the built in dashboards and queries.

The Defendpoint ePO Edition Enterprise Reporting module uses the Defendpoint Enterprise Reporting database to store Defendpoint audit data for reporting.

A 2.1. Defendpoint Reporting

Defendpoint offers three reporting options when using the McAfee ePO edition. The options may be used together or individually to gain the required functionality. The three options are listed below with their key considerations and advantages:

Avecto Enterprise Reporting in McAfee ePO Extension

ePO Queries and Reports Feature

Avecto Enterprise Reporting in MSFT SQL Reporting Services

Please discuss requirements with Avecto Technical Support to determine the best configuration for your requirements, and appropriate architecture.

There are two main considerations with regard to Enterprise Reporting – where is the data stored and where are reports presented.

If you have any queries during the installation process please contact an Avecto consultant.


Reporting options:

1. Avecto Enterprise Reporting in McAfee ePO Extension:

- Data is stored in a dedicated MSFT SQL Server database that can be hosted separately from McAfee ePO Server’s database
- Highly detailed dashboards and drill-through reports in ePO
- Direct addition of applications from reports into policy groups
- Access to audit data from Defendpoint policy editor
- Can be used in addition to Avecto Enterprise Reporting in MSFT SQL Reporting Services for streamlined additions to policy from reports

2. ePO Queries and Reports Feature:

- Data is stored in the McAfee ePO Server database or Defendpoint MSFT SQL Server database
- Highly configurable dashboards, charts and tabular reports that can incorporate data from other ePO Server products in ePO
- Supports custom reporting
- Access to audit data from Defendpoint policy editor

3. Avecto Enterprise Reporting in MSFT SQL Reporting Services:

- Data is stored in a dedicated MSFT SQL Server database that can be hosted separately from McAfee ePO Server’s database
- Highly detailed dashboards and drill-through reports in MSFT SQL Server Reporting Services web application
- Supports custom reporting
- Access to audit data from Defendpoint policy editor
- Can be used in addition to Avecto Enterprise Reporting in McAfee ePO Extension to get rich, custom reports and other SSRS features

If you are using option 1 above, the following steps are necessary to set up the Avecto Defendpoint Enterprise Reporting Database:


A 2.1.1. Accounts

Before commencing with the installation of the Enterprise Reporting components, it is recommended that the following accounts are created. The installation steps in the Enterprise Reporting Setup Guide refer to these accounts.

Accounts Required for Installation

Name: ERInstaller
Details: Use this account to install the EventManagement and ReportingPack components
Account type: Windows account
Permissions / Rights: Windows permission - Local Administrator
ePO reporting options (section 1.1) requiring this account: 1, 3; optional for 2

Name: DatabaseCreator
Details: Used by the EventManagement installer to create the Defendpoint database
Account type: Windows account or SQL Authentication account
Permissions / Rights: SQL Server permission - sysadmin
ePO reporting options (section 1.1) requiring this account: 1, 3; optional for 2

Note: The database must be installed by a user whose default schema is DBO. For more information, refer to http://technet.microsoft.com/en-us/library/ms190387(v=sql.105).aspx

Name: ReportWriter
Details: Used by the Reporting Pack installer to configure the SSRS data source and deploy the Defendpoint reports
Account type: Windows account
Permissions / Rights: SSRS site level role - System Administrator
ePO reporting options (section 1.1) requiring this account: 3

Note: Where the Windows or SQL Server icons are displayed, valid actions will be required on the system indicated.


Accounts Required for Runtime

Name: EventParser
Details: Used by the Event Collection service to connect to the Avecto database and write event data
Account type: Windows account
Permissions / Rights:
- SQL Server permission - Database write access
- Windows group member - Event Log Readers
- Windows permission - Network access (for remote SQL Server instance)
ePO reporting options (section 1.1) requiring this account: 1, 3; optional for 2

Name: ReportReader
Details: Used by the Reporting Pack reports to allow read access to the Defendpoint database
Account type: Windows account or SQL Authentication account
Permissions / Rights: Requires Log On Locally rights on the server hosting SSRS. (SELECT and EXECUTE permissions are assigned during the installation process)
ePO reporting options (section 1.1) requiring this account: 3

Name: DataAdmin
Details: Used by the Reporting Pack reports to allow write access to the Defendpoint database to purge undesired data. This account, and the product feature, is optional; please see Installation for more information.
Account type: Windows account or SQL Authentication account
Permissions / Rights: Requires Log On Locally rights on the server hosting SSRS. (SELECT and EXECUTE permissions are assigned during the installation process)
ePO reporting options (section 1.1) requiring this account: 1, 3; optional for 2


Note: Where the Windows or SQL Server icons are displayed, valid actions will be required on the system indicated.

Important: Prior to purging large sets of data, please ensure your SQL Transaction logs are able to grow to accommodate. It may be necessary to delete data in stages when setting this up for the first time.

A 2.1.2. Creating the ReportWriter Account

To add a System Administrator role to the Reporting Services site:

1. Browse to the SQL Server Reporting Services Report Manager URL (this can be located in the Reporting Services Configuration Manager, under Report Manager URL).

2. Click on Site Settings and then select Security.

3. Click New Role Assignment, and enter the DOMAIN\Username of an authorized account. Assign the username the System Administrator role.

4. Click OK to create the new role.


A 2.2. Defendpoint Event Management Installation

The Defendpoint Event Management Software should be installed on the Event Collectors (or the single server if using a ‘single box solution’). As part of the install, you will specify the database connection details, and the installer will create the Defendpoint database (if it doesn’t already exist) and configure the connection to the database.

Important: The Avecto ER Event Management installer creates a database and database permissions through embedded SQL scripts. If your database administration team does not allow creation of databases, or database permissions by installers, please contact Avecto support for assistance with an alternative approach.

A 2.2.1. Prerequisites

Before installing the Event Management component you will require the following user accounts:

ERInstaller

DatabaseCreator

EventParser

DataAdmin (optional)

ReportReader (optional)

Note: If you are using a single server then you may be able to run the Defendpoint Event Collector service as the SYSTEM account, assuming the SYSTEM account can write to the database. In this case you will not require a Windows user account for the Defendpoint Event Parser Service.

Note: The SQL Server configuration must have TCP/IP communications enabled to allow the Event Parser Service to submit events to the database.

A 2.2.2. Installation

To install Defendpoint Event Management Software, run the appropriate installation package with an account that has ERInstaller privileges:

For 32-bit systems run DefendpointEventManagement_x86.exe

For 64-bit systems run DefendpointEventManagement_x64.exe


1. Run the appropriate installation package.

2. Click Next to continue. The License Agreement dialog will appear.

3. After reading the license agreement, select I accept the terms in the license agreement and click Next to continue. The Customer Information dialog will appear.


4. Enter your name and the name of your organization and click Next to continue. The Destination Folder dialog will appear.

5. If you wish to change the default installation directory, click the Change button and select a different installation directory.

6. Click Next to continue. The Database Server dialog will appear.


7. Specify the details of the database server, and enter the DatabaseCreator account.

Note: The credentials specified here are used to create and configure the Defendpoint database, and are not used after the installation is finished.

Note: If Windows Authentication is specified for the SQL Connection, then the account of the installing user MUST have Alter Any Login and Create Any Database permissions on the SQL Server instance, in order for the Reporting Services Instance User to be created. If you receive an error 15247, verify these permissions have been granted.

8. Click Next to continue. The Event Parser Service dialog will appear.

9. Specify the EventParser account for the Event Parser Service. Click the Browse button to select the account if desired.

Note: This account will be given write access to the database, and will be added to the Event Log Readers group on the Event Collector server. It will also be granted the Log on as a service right on the Event Collector server.


10. Click Next to continue. The Reporting Services dialog will appear.

11. Optionally enter the ReportReader account which the Reporting Services Instance will use.

12. Optionally enter the DataAdmin account to allow data purging using administration rights. This step is only applicable where SSRS is being utilised.

Note: This account will be added to the Defendpoint database, and configured to allow Reporting Services access to the database. The account can be either based on an existing Windows user or a SQL Server Authentication user can be created.

13. Click Next to continue. The Ready to Install the Program dialog will appear.

14. Click Install to complete the installation.


15. On the host where the EventManagement installer was run, the Defendpoint Event Parser Service should be stopped and disabled as it is not required for Enterprise Reporting through McAfee ePO. McAfee ePO has its own mechanism to load audit data into the McAfee ePO or Avecto database respectively.

a) Run services.msc as an administrator.

b) Locate the Avecto Defendpoint Event Parser Service.

c) Stop the service.

d) Disable the service.

If you are using reporting option 3 (Avecto Enterprise Reporting in MSFT SQL Reporting Services) you will be required to set up Avecto Defendpoint Enterprise Reporting as described in the Enterprise Reporting Setup Guide.
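Step 15 as a script, added here as an example and not taken from the Avecto guide. It assumes the service's display name begins with "Avecto Defendpoint Event Parser" (the guide does not give the short service name) and that it is run from an elevated PowerShell session on the Event Collector host; it stops and disables the service, then reads the state back to verify both changes.

```powershell
# Added example (not Avecto's code): scripted equivalent of step 15 a)-d).
# Assumption: the display name starts with 'Avecto Defendpoint Event Parser'.
function Disable-EventParserService {
    param([string] $DisplayNamePattern = 'Avecto Defendpoint Event Parser*')

    # b) Locate the service by display name (the short name is not documented here)
    $svc = Get-Service -DisplayName $DisplayNamePattern -ErrorAction SilentlyContinue
    if (-not $svc) {
        throw "No service matching '$DisplayNamePattern' found on this host."
    }
    if (@($svc).Count -gt 1) {
        throw "Pattern matched more than one service: $(($svc | ForEach-Object Name) -join ', ')"
    }

    # c) Stop the service; skipped if it is already stopped so the script is safe to re-run
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }

    # d) Disable it so it does not start again after a reboot
    Set-Service -Name $svc.Name -StartupType Disabled

    # Verify from the Service Control Manager rather than trusting the cmdlets' silent return
    $state = Get-CimInstance -ClassName Win32_Service -Filter "Name = '$($svc.Name)'"
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $state.State        # expected: Stopped
        StartMode = $state.StartMode    # expected: Disabled
        Ok        = ($state.State -eq 'Stopped' -and $state.StartMode -eq 'Disabled')
    }
}

Disable-EventParserService
```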

If you are using option 1 or 3 the Avecto Defendpoint Enterprise Reporting MSFT SQL Database must be configured as a registered server in McAfee ePO.

For Database Sizing and Resource Consumption information please refer to the Database Sizing and Resource Consumption chapter of this guide.
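A pre-flight check for the DatabaseCreator account used in step 7, added here as an example and not taken from the Avecto guide. It verifies what the accounts table and the step 7 note require before the installer is run: sysadmin membership (or at least Alter Any Login and Create Any Database, whose absence produces error 15247) and a default schema of dbo. It assumes Invoke-Sqlcmd is available (SqlServer or the older SQLPS module) and is run as the DatabaseCreator Windows account, or with -SqlUser/-SqlPassword for a SQL Authentication account; the instance name in the usage line is a placeholder.

```powershell
# Added example (not Avecto's code): check the DatabaseCreator account before running
# DefendpointEventManagement_x86/x64.exe. Assumes Invoke-Sqlcmd (SqlServer/SQLPS module).
function Test-DatabaseCreatorRights {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,   # placeholder, e.g. 'SQL01\REPORTING'
        [string] $SqlUser,                                  # SQL Authentication only
        [string] $SqlPassword
    )

    # The Defendpoint database does not exist yet, so every check is made against master.
    # SCHEMA_NAME() with no argument returns the caller's default schema in the current database.
    $query = @"
SELECT
    SUSER_SNAME()                                        AS LoginName,
    IS_SRVROLEMEMBER('sysadmin')                         AS IsSysadmin,
    HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN')     AS CanAlterAnyLogin,
    HAS_PERMS_BY_NAME(NULL, NULL, 'CREATE ANY DATABASE') AS CanCreateAnyDatabase,
    SCHEMA_NAME()                                        AS DefaultSchema;
"@

    $conn = @{ ServerInstance = $ServerInstance; Database = 'master'; Query = $query }
    if ($SqlUser) { $conn.Username = $SqlUser; $conn.Password = $SqlPassword }
    $row = Invoke-Sqlcmd @conn

    $problems = @()
    # sysadmin (the guide's stated requirement) already implies both server permissions;
    # without it the installer still needs these two to create the Reporting Services
    # Instance user, otherwise it fails with error 15247.
    if ($row.IsSysadmin -ne 1) {
        if ($row.CanAlterAnyLogin -ne 1)     { $problems += 'missing ALTER ANY LOGIN' }
        if ($row.CanCreateAnyDatabase -ne 1) { $problems += 'missing CREATE ANY DATABASE' }
    }
    if ($row.DefaultSchema -ne 'dbo') {
        $problems += "default schema is '$($row.DefaultSchema)', not dbo"
    }

    [pscustomobject]@{
        Login      = $row.LoginName
        IsSysadmin = ($row.IsSysadmin -eq 1)
        Ready      = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage (placeholder instance name):
Test-DatabaseCreatorRights -ServerInstance 'SQL01\REPORTING'
```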

A 2.3. Defendpoint Enterprise Reporting Installation

Enterprise Reporting should be installed on the SQL Server Reporting Services Instance (or the single server if using a ‘single box’ solution).

A 2.3.1. Prerequisites

Before installing the ReportingPack component you will require the following user accounts:

ERInstaller

ReportReader

ReportWriter

A 2.3.2. Installation

To install Defendpoint Reporting Pack:

1. Run the DefendpointReportingPack.exe installation package as a user with the ReportWriter permissions:


2. Click Next to continue. The License Agreement dialog will appear.

3. After reading the license agreement, select I accept the terms in the license agreement and click Next to continue. The Customer Information dialog will appear.


4. Enter your name and the name of your organization and click Next to continue. The Database Server dialog will appear.

5. Specify the details of the report server URL (the reports will fail to upload if you enter an incorrect URL). You must also specify the database to be used by the SQL Server Reporting Services instance.

6. If you are unsure of the correct Report Server URL to use, you can find it in the Reporting Services Configuration Manager under Web Service URL:


7. Click Next to continue. The Reporting Services Authentication dialog will appear.

8. Enter the ReportReader account as the account used to connect to the data source.

Note: This is used by the Reporting Services to connect to the database instance when generating dashboards and reports. The account should be the same account that was specified as part of the Defendpoint Event Management Installer.

Note: If Credentials stored locally in the report server is not selected, then any users authorized to access Enterprise Reporting must have their account credentials added to the SsrsRole database role.

9. Click Next to continue. The Reporting Services Admin Authentication dialog will appear. This feature is optional and may not be desirable in environments that need to keep tight control over purging of audit data.


10. The purpose of this report is to allow the purging (and subsequent exclusion) of applications that populate the database with unwanted data. For more information see the Enterprise Reporting Dashboard Guide.

11. Use the DataAdmin account for this purpose.

12. Click Next to continue. The Ready to Install the Program dialog will appear.

13. Click Install to complete the installation.


A 2.4. Configuring Avecto Reporting and McAfee Queries & Reports for Enterprise Reporting Data

A 2.4.1. Configuring access to Reporting Server Charts

To configure Avecto Reporting and McAfee Queries & Reports for Enterprise Reporting Data:

1. Log in to ePolicy Orchestrator and navigate to Menu > Registered Servers and select New Server.

2. On the next page select Avecto Reporting from the Server type drop-down list and enter an appropriate name e.g. ER. Click Next.

3. Complete the configuration page and click Test Connection. On successful connection click Save.

Note: Avecto recommends you use a user account that is read-only and possesses SQL privileges identical to those of the Event Parser account and Report Reader account.
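A way to confirm that the account registered in ePO really is read-only on the Enterprise Reporting database, added here as an example and not taken from the Avecto guide. It lists the account's effective database-scope permissions and fixed-role memberships and reports anything beyond the SELECT and EXECUTE rights the guide assigns to ReportReader. It assumes Invoke-Sqlcmd (SqlServer or SQLPS module) and is run as the Windows account under test, or with -SqlUser/-SqlPassword for a SQL Authentication account; the database and instance names are placeholders.

```powershell
# Added example (not Avecto's code): least-privilege check for the ePO registered-server account.
# Assumes Invoke-Sqlcmd; $ServerInstance and $Database are placeholders for your environment.
function Test-ReadOnlyReportingAccount {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,
        [Parameter(Mandatory)] [string] $Database,   # the Defendpoint ER database (placeholder)
        [string] $SqlUser,
        [string] $SqlPassword
    )

    $conn = @{ ServerInstance = $ServerInstance; Database = $Database }
    if ($SqlUser) { $conn.Username = $SqlUser; $conn.Password = $SqlPassword }

    # Effective permissions of the calling principal at database scope, including those
    # inherited through database roles and Windows group membership.
    $perms = (Invoke-Sqlcmd @conn -Query "SELECT permission_name FROM sys.fn_my_permissions(NULL, 'DATABASE');").permission_name

    # Fixed roles that grant write or ownership rights regardless of explicit GRANT statements.
    $roles = Invoke-Sqlcmd @conn -Query @"
SELECT IS_SRVROLEMEMBER('sysadmin') AS Sysadmin,
       IS_MEMBER('db_owner')        AS DbOwner,
       IS_MEMBER('db_datawriter')   AS DataWriter,
       IS_MEMBER('db_ddladmin')     AS DdlAdmin;
"@

    # Anything beyond SELECT/EXECUTE (what the guide assigns to ReportReader) is a finding.
    $writeLike = 'INSERT', 'UPDATE', 'DELETE', 'ALTER', 'CONTROL', 'TAKE OWNERSHIP',
                 'CREATE TABLE', 'CREATE PROCEDURE', 'ALTER ANY SCHEMA', 'ALTER ANY USER'
    $findings = @($perms | Where-Object { $writeLike -contains $_ } | ForEach-Object { "permission $_" })
    foreach ($r in 'Sysadmin', 'DbOwner', 'DataWriter', 'DdlAdmin') {
        if ($roles.$r -eq 1) { $findings += "member of $r" }
    }

    [pscustomobject]@{
        Database   = $Database
        CanSelect  = ($perms -contains 'SELECT')
        CanExecute = ($perms -contains 'EXECUTE')
        ReadOnly   = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage with placeholder names:
Test-ReadOnlyReportingAccount -ServerInstance 'SQL01\REPORTING' -Database 'DefendpointER'
```

An account mapped as dbo (for example via sysadmin) will show CONTROL and every role flag set, which is exactly the configuration the note above advises against for the registered server.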


A 2.4.2. Configuring access to Reporting Server for ePO Queries

1. Select Menu > Registered Servers and select New Server.

2. On the next page select Database Server from the Server type drop-down list and enter an appropriate name e.g. Avecto Reporting Queries. Click Next.

3. Complete the configuration page and click Test Connection. On successful connection click Save.


A 2.4.3. Server Tasks – Avecto Event Staging

Configure Event Staging to push the data to the Enterprise Reporting database:

1. Select Menu > Server Tasks and from the Actions menu select New Task.

2. On the Description page enter an appropriate name e.g. Avecto Event Staging and click Next.

3. On the Actions page, from the Actions drop-down menu, scroll up and select Avecto Defendpoint Reporting Event Staging.


4. Adjust the Time in minute to check for staging events to 55. Deselect Verbose logging and click Next.

5. On the Schedule page adjust the Schedule type to Hourly and click Next.

6. Select Save from the Summary page.

7. From Menu > Server Tasks select and check the Avecto Event Staging box.


8. Select Actions > Enable Tasks.

Note: It is possible to create and run multiple Event Staging tasks as per above if required.

A 2.4.4. Server Tasks – Avecto Pre-caching Reports (optional)

This optional step allows top level Reporting Charts to be generated during non-business hours so that they are immediately available subsequently.

1. Select Menu > Server Tasks and from the Actions menu select New Task.

2. On the Description page enter an appropriate name e.g. Avecto Pre-caching Reports and click Next.

3. On the Actions page, from the Actions drop-down menu, scroll up and select Avecto Defendpoint Reporting Pre-Caching.


4. Depending on your data size and requirements select the appropriate Interval Queries options and click Next.

5. On the Schedule page adjust the options to suit your requirements and click Next.

Note: Avecto recommends you run this task through the night so that reports are available at the earliest convenience. Report caches are reset at 24:00 (local time zone), so the pre-caching server task should be scheduled to run after this time.

6. Select Save from the Summary page.

A 2.4.5. Server Tasks – Avecto Event Purge

The standard ePO tasks allow for the purging of Threat Events. As Avecto ePO Events are coupled to these, when a Threat Event is deleted the coupled Avecto event is also deleted. However, in some cases it is desirable to purge the Avecto portion of the event more aggressively to save space. This task enables this by deleting those events older than a specified age whilst keeping the main Threat Event.

Note: these events are the ones held in the ePO database, so Reporting Server events are in no way affected by this task.

1. Select Menu > Server Tasks and from the Actions menu select New Task.

2. On the Description page enter an appropriate name e.g. Avecto Event Purge and click Next.

3. On the Actions page, from the Actions drop-down menu, scroll up and select Avecto Event Purge.


4. Depending on your data size and requirements enter the number of days after which events should be purged and click Next.

5. On the Schedule page adjust the options to suit your requirements and click Next.

6. Select Save from the Summary page.


A 2.4.6. Performance Limitations

The default configuration of the ePO server only allows 2 concurrent tasks, which between them share a single processor core. For larger systems this is not adequate for performance. ePO can be reconfigured to make better use of the processor cores for scheduled tasks as described below.

More information can be found in the McAfee Knowledge Base article KB83698: https://kc.mcafee.com/corporate/index?page=content&id=KB83698&snspd-0115

1. Select Menu > Server Settings and click on Scheduler Tasks.

2. Click Edit.

3. From Total maximum tasks select Absolute maximum calculation.

This ensures you are not restricted to using only one core for calculations.

Note: The server must be restarted for these changes to take effect.
