SIEM, Log Management, Security, Compliance, Server Monitoring and Uptime Monitoring Software
Table of Contents

Windows Agent Installation

In this Topic

Tutorials

How to Install the Corner Bowl Server Manager Agent on Windows

How to Install the Corner Bowl Server Manager Agent on Windows

Background

Server Manager includes a Windows Agent to remotely manage Windows hosts. Our agent-based solution solves several security and performance issues with existing built-in technologies and security implementations. To understand the benefits, we must first understand the technologies used to remotely manage Windows hosts without an agent.

Agentless Management

Windows

Windows Event Logs are downloaded using remote WMI while Text Logs use either Windows Shares, SFTP/SSH or FTP/S to download logs. Most monitors, such as CPU, Memory and Disk Space use remote WMI to query information. Other monitors, such as Windows Certificates and Performance Counters, rely on other seemingly undocumented Microsoft APIs.

Security and Performance Concerns
  • Attack Surface Reduction Rules do not permit remote WMI event subscriptions.
  • In most hardened environments, monitoring and compliance services are not permitted to run as domain or local administrators.
  • In most hardened environments, remote WMI and other Microsoft APIs are not permitted.
  • Cloud-based servers cannot typically be managed by remote WMI.
  • Windows blocks discovery and remote management of remote Windows Certificate Stores.
  • WMI is needlessly slow when transmitting Event Log entries and often throws what seems are random errors on a random basis.
  • WMI requires multiple ports, one of which is randomly assigned. The randomly assigned port can be configured to use a fixed port, however, the fixed port must be configured on each client host.
  • In rare cases, WMI corrupts itself requiring the WMI service to be restarted or repaired.
  • Hosts that periodically connect to the local network (e.g. Law Enforcement laptops), can be difficult to manage on a polling schedule. The polling schedule must be fast enough to catch each managed laptop when they just so happen to be logged into the local network often generating unnecessary traffic as well as a high number of errors in the meantime.

Agent-Based Management Benefits

  • Both the Windows Management Service and the Windows Agent Service can be run using the built-in SYSTEM Account eliminating the requirement to run as a Domain Administrator.
  • All data is transmitted over a single TLS 1.2 capable TCP/IP port using a highly efficient binary protocol stack that downloads Windows Event Logs 12 times faster than remote WMI.
  • Linux Audit Logs are efficiently accessed, parsed, and filtered directly on Linux hosts prior to transmitting the latest filtered entries to the Management Server.

The Corner Bowl Server Manager Agent

Many of the Windows Templates include an Agent-Based Template flag. Once an Agent-Based Template is assigned to a remote host, Server Manager uses Windows Shares to upload the Agent installation file to the host then uses WMI to remote install onto the host. If Server Manager is unable to penetrate the firewall to upload and remote install, you have the option to manually install the Agent to the remote host. Once installed, by default, the Agent connects once a minute to get list of templates to execute. The connection frequency can be overridden. Once Templates and Filters are received, the Agent executes the Templates and applies the Filters. Finally, data is transmitted to the management server.

Important
The Agent requires the .Net 7 Runtime. Our installers automatically install the runtime when not already installed, however the installer needs Internet access. If Internet access is not available, please download and install the runtime from Microsoft.

System Requirements

The Windows Agent requires the Microsoft .Net 7 Runtime or higher to be installed.

How to Remotely Install the Windows Agent

  • Add the hostname or IP add to Corner Bowl Server Manager. For more information see: Adding Hosts.
  • Once added, from the Host Properties View, select the Agent Tab, then click the Install Agent button.
  • Server Manager will also automatically install the Agent after an Agent-Based Template has been assigned to the host or the host is assigned to a host group that has an Agent-Based Template already assigned.

How to Manually Install the Windows Agent

  • From each target host, install the .Net Runtime 7.0.x.
  • From the host you have installed Server Manager, copy the following file to each target host:
    C:\Program Files\Corner Bowl\Server Manager\ServerManagerAgentInstaller.exe
  • From each target host, open a command prompt as Administrator then run the executable with the following command line options:
    ParameterDescription
    HOSTThe fully qualified hostname of the host Server Manager is installed.
    PORTThe port to connect with. The default value is 21843
    TLSENABLEDtrue to enable TLS 1.2. Please note the server must be configured to use TLS. For more information see: Server Configuration
    TLSCERTIFICATEThe optional TLS client certificate to use for TLS 1.2.
    -qSilently run the installation.
    -norestartSuppress reboot.
    For Example:
    ServerManagerAgentInstaller.exe -q HOST=1.2.3.4 PORT=21843
Note
Firewalled and Air Gapped Installations: The Agent requires .Net 7 Runtime. The installer's bootstrapper checks, then automatically downloads the required framework from Microsoft. If remote managed hosts are firewalled or air gapped, you can instead download a version of the installer that includes .Net 7 within the installation's bootstrapper from Corner Bowl Software's' website. Once downloaded, use this version of the installer.

How to Re-Configure the Agent

  • Once installed, if you need to change the target hostname or would like to enable TLS 1.2, you must modify the tcpserver.json configuration file located in the ProgramData directory:
C:\ProgramData\Corner Bowl\Server Manager Agent\tcpserver.json

Configuration File Reference

For more information see: Server Configuration

How to Configure Templates to Run on the Agent

  • Select File | New Template. The Select Template Type view displays.
  • Click the Template type to create. The Template Properties view displays.
  • Select the Agent Template Tab
  • Use the Enabled Check Box to flag the template as an Agent-Based Template.
  • Use the Trigger Check Box to trigger actions when assigned hosts do not connect within the configured time span.
  • Use the On Host Not Connecting Drop-Down to assign the actions to fire when assigned hosts do not connect within the configured time span.

Troubleshooting

If the Agent does not appear to be connecting or processing Templates, view the Agent's verbose output log for detailed information. The log file is located in the following directory on each remotely managed host:

C:\ProgramData\Corner Bowl\Server Manager Agent\agent.log
  • Open a text editor as an Administrator, then open the file. To view the most recent entries, scroll to the bottom of the file.
  • Re-open the file after at least 2 minutes. 9 times of out of 10, there is a connection error due to the tcpserver.json file not specifying the correct host or other invalid parameter, a firewall blocking the default port, 21843, on the Corner Bowl Server Manager Service host, or the Agent Server is configured to use DNS or FQDN lookup when instead the local hostname is expected. All of these error scenarios are easily identified when tailing the agent.log file.

Related Topics

Adding Hosts

Agent-Based Management

Server Configuration