Windows Agent Installation

Tutorials

How to Install the Corner Bowl Server Manager Agent on Windows

Background

Server Manager includes a Windows Agent to remotely manage Windows hosts. Our agent-based solution solves several security and performance issues with existing built-in technologies and security implementations. To understand the benefits, we must first understand the technologies used to remotely manage Windows hosts without an agent.

Agentless Management

Windows

Windows Event Logs are downloaded using remote WMI while Text Logs use either Windows Shares, SFTP/SSH or FTP/S to download logs. Most monitors, such as CPU, Memory and Disk Space use remote WMI to query information. Other monitors, such as Windows Certificates and Performance Counters, rely on other seemingly undocumented Microsoft APIs.

Security and Performance Concerns
  • Attack Surface Reduction Rules do not permit remote WMI event subscriptions.
  • In many hardened environments, monitoring and compliance services are not permitted to run as domain or local administrators.
  • In many hardened environments, remote WMI and other Microsoft APIs are not permitted.
  • Cloud-based servers cannot typically be managed by remote WMI.
  • Windows blocks discovery and remote management of remote Windows Certificate Stores.
  • WMI is needlessly slow when transmitting Event Log entries and often throws seemingly random errors.
  • WMI requires multiple ports, one of which is randomly assigned. The randomly assigned port can be changed to a fixed port; however, the fixed port must be configured on each client host.
  • In rare cases, WMI corrupts itself, requiring the WMI service to be restarted or repaired.
  • Hosts that only periodically connect to the local network (e.g. law enforcement laptops) can be difficult to manage on a polling schedule. The schedule must poll often enough to catch each managed laptop while it happens to be logged into the local network, which often generates unnecessary traffic as well as a high number of errors in the meantime.

Agent-Based Management Benefits

  • Both the Windows Management Service and the Windows Agent Service can be run using the built-in SYSTEM account, eliminating the requirement to run as a Domain Administrator.
  • All data is transmitted over a single TLS 1.2/3 capable TCP/IP port using a highly efficient binary protocol stack that downloads Windows Event Logs 12 times faster than remote WMI.
  • Windows Event Logs are efficiently accessed, parsed, and filtered directly on each managed host prior to transmitting the latest filtered entries to the Management Server.

System Requirements

The Windows Agent requires the Microsoft .NET 8 Runtime. However, the air-gapped installer embeds the .NET 8 Runtime within the installation bootstrapper, so there is no need to pre-install it.

How to Remotely Install the Windows Agent

To remotely install the agent, the Corner Bowl Server Manager Service must first be running as a Domain Administrator. The installer is uploaded to the remote host using Windows Shares, then remotely executed using Remote WMI. If either of these technologies is not available, you must manually install the agent.

  • Add the hostname or IP address to Corner Bowl Server Manager. For more information see: Adding Hosts.
  • Once added, from the Host Properties View, select the Agent Tab, then click the Install Agent button.
    Or
    assign an Agent-Based Template to either the host's parent host group or directly to the host. Once assigned, by default, the Agent Server automatically installs the agent on the target host. For more information see: Agent-Based Management

How to Manually Install the Windows Agent

  • From the Management Server, copy the agent installer, ServerManagerAgentDotNetInstaller.exe, to the target host. The file is located in the following path:
C:\Program Files\Corner Bowl\Server Manager\Agent Installers\Windows\ServerManagerAgentDotNetInstaller.exe
Notice
The ServerManagerAgentDotNetInstaller.exe installer has been optimized for firewalled and air-gapped installations and includes an embedded version of the .NET 8 Runtime installer. When using this installer, there is no need to manually install the Microsoft .NET 8 Runtime.
  • From the target host, open a command prompt as Administrator then run the executable with the following command-line options:
Parameter        Description
HOST             The fully qualified hostname of the host on which Server Manager is installed.
PORT             The port to connect with. The default value is 21843.
TLSENABLED       true to enable TLS 1.2/3. Please note the server must be configured to use TLS. For more information see: Server Configuration
TLSCERTIFICATE   The optional TLS client certificate to use for TLS 1.2/3.
-q               Silently run the installation.
-norestart       Suppress reboot.

For Example:

ServerManagerAgentDotNetInstaller.exe -q HOST=1.2.3.4 PORT=21843

How to Update the Windows Agent

Once installed, the agent uses the Corner Bowl TCP/IP connection to the server to download both major and minor updates, then automatically installs the downloaded version.

Important
Endpoint protection solutions, such as McAfee/Trellix ENS, may require you to temporarily disable their services in order to properly install or uninstall the Agent and/or dependent components such as the .NET Runtime.

How to Configure the Agent

Once installed, if you need to change the destination hostname or would like to enable TLS 1.2/3, you must modify the agent's configuration file.

The agent's configuration file is located in the following path:

C:\ProgramData\Corner Bowl\Server Manager Agent\tcpserver.json

Configuration File Reference

{
    "Host": "SERVERNAME", 
    "Port": 21843, 
    "IdleTimeout": 300, 
    "ReceiveTimeout": 120, 
    "SendTimeout": 120, 
    "TempDirectory": "d:\\temp",
    "TlsConfiguration": {
      "Enabled": true, 
      "Certificate": null, 
      "RequireRemoteCertificate": false, 
      "AllowSelfSignedCertificate": true, 
      "CheckCertificateRevocation": false, 
      "AllowCertificateChainErrors": true 
    }
}

For more information see: Agent Configuration
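
The TLS values shown in the reference file relax certificate validation, so a deployed tcpserver.json is worth reviewing before relying on the channel. The following PowerShell is an added example, not Corner Bowl code: the function name Test-AgentTlsConfig is hypothetical, and the "strict" value for each setting is an assumption inferred from the key names on this page (the exact semantics are defined in Agent Configuration).

```powershell
# Added example (not vendor code). "Strict" values are assumptions inferred
# from the key names in the configuration reference above.
function Test-AgentTlsConfig {
    param([Parameter(Mandatory)][string]$Json)   # raw text of tcpserver.json
    $tls = ($Json | ConvertFrom-Json).TlsConfiguration
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($null -eq $tls -or -not $tls.Enabled) {
        $findings.Add('TlsConfiguration.Enabled is not true: the connection is not protected by TLS')
        return $findings
    }
    # Setting name -> value that keeps certificate validation strict (assumed)
    $strict = [ordered]@{
        RequireRemoteCertificate    = $true
        AllowSelfSignedCertificate  = $false
        CheckCertificateRevocation  = $true
        AllowCertificateChainErrors = $false
    }
    foreach ($name in $strict.Keys) {
        $actual = $tls.$name
        if ($actual -ne $strict[$name]) {
            $findings.Add("TlsConfiguration.$name = $actual (strict value: $($strict[$name]))")
        }
    }
    return $findings
}

# Constructed sample mirroring the TLS block of the reference file
$sample = @'
{
  "Host": "SERVERNAME",
  "Port": 21843,
  "TlsConfiguration": {
    "Enabled": true,
    "Certificate": null,
    "RequireRemoteCertificate": false,
    "AllowSelfSignedCertificate": true,
    "CheckCertificateRevocation": false,
    "AllowCertificateChainErrors": true
  }
}
'@
Test-AgentTlsConfig -Json $sample

# Against an installed agent:
# Test-AgentTlsConfig -Json (Get-Content -Raw 'C:\ProgramData\Corner Bowl\Server Manager Agent\tcpserver.json')
```

An empty result means every setting matched the assumed strict value; a missing key is reported with a blank value.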

How to Configure Templates to Run on the Agent

  • Select File | New Template. The Select Template Type view displays.
  • Click the Template type to create. The Template Properties view displays.
  • Select the Agent Template Tab
  • Use the Enabled Check Box to flag the template as an Agent-Based Template.
  • Use the Trigger Check Box to trigger actions when assigned hosts do not connect within the configured time span.
  • Use the On Host Not Connecting Drop-Down to assign the actions to fire when assigned hosts do not connect within the configured time span.

Troubleshooting

If the Agent does not appear to be connecting or processing templates as expected, you can view the agent's verbose output log for detailed information. The agent's log file is located in the following path:

C:\ProgramData\Corner Bowl\Server Manager Agent\agent.log

To View the Agent's Verbose Output and Errors

  • Open a text editor as an Administrator, then open the file. To view the most recent entries, scroll to the bottom of the file.
  • If your agent is unable to connect or remain connected, re-open the file after at least 2 minutes. Typically one of the following error scenarios will be present:
    • There is a connection error due to the tcpserver.json file not specifying the correct host, or other invalid parameter.
    • A firewall is blocking the default port, 21843, outbound or inbound on the Corner Bowl Server Manager Server host.
    • The host has been added using the localhost name, and the Agent Server is configured to use DNS or FQDN lookup and is not configured to add new hosts. The server correctly responds by disconnecting the client.
    All of these error scenarios are easily identified when tailing the agent.log file.

Related Topics

Adding Hosts

Agent-Based Management

Installation

Server Configuration