Administration Guide
Contents
Important terminologies
Deployment
Installation
Prerequisites
System requirements
Upgrade
Server settings
Email Server
Configuring the IP address for Trellix Logon Collector server client communication
Configure TLC Communication IP Address
Server certificate
Configuration tab
Remote tab
Overview
Configuration basics
Error scenarios
Limitations
Disable a cluster
Reconfigure a cluster
Option 1: Run
Option 2: Edit
Tab 1: Description
Tab 2: Actions
Tab 3: Schedule
Tab 4: Summary
Option 3: View
Option 1: Run
Option 2: Edit
Tab 1: Description
Tab 2: Actions
Tab 3: Schedule
Tab 4: Summary
Option 3: View
User management
Manage users
Delete a user
Manage contacts
Delete a contact
Reporting
Query actions
View dashboards
Benefits
Important terms
Integration requirements
How Logon Collector - Trellix Intrusion Prevention System Manager integration works
Establishment of trust between Trellix IPS Manager and Logon Collector server
Integration requirements
Using Active Directory User elements
Scalability
Scalability details
Troubleshooting
Create a non-administrator account to access the security event log on a domain controller
Logon Monitors can be used to poll nearby domain controllers and forward collected information to the Logon Collector,
shortening the distance domain controller communication must travel.
Important terminologies
A domain is a logical group of identified resources on a network, whether users, computers, or networked application services.
These resources are collected for the domain into a distributed directory, shared in a group of domain controllers. Members of
a domain only need to authenticate one time to the closest domain controller. All the other resources in the domain are made
accessible based on their privileges in the domain.
An identity is the set of characteristics that uniquely identifies a user. A user’s identity includes user name, authentication status,
group membership, primary group, and current IP address. The user or system primary group can be fetched and passed on to
clients.
Each time a user logs on to the network or requires access to any domain-controlled resource such as a printer, server, or file
share, the domain controller creates an event log entry in a special, protected log file called the Security Event Log. This log file is
available to remote systems such as the Logon Collector and the Logon Monitor by way of a Microsoft interface called Windows
Management Instrumentation (WMI).
To minimize the burden placed on a domain controller by Security Event Log queries (using WMI), the Logon Collector or Logon
Monitor contacts the domain controller on behalf of Trellix appliances that require the Security Event Log information. Each
domain controller only has to accommodate a single connection instead of multiple connections for each Trellix appliance.
Because the overhead of using WMI can be expensive, you can deploy Logon Monitors close to the domain controllers on
your network. Doing so keeps the heaviest traffic, the WMI communication between the domain controllers and the Logon
Monitor, on a relatively short path. The communication overhead between a Logon Monitor and a Logon Collector is low,
which lets you optimize your logon-collection deployment.
Deployment
The Trellix Logon Collector and Logon Monitor can connect to multiple domain controllers across multiple domains and forests.
Each Logon Collector can be contacted by multiple clients and can have multiple Logon Monitors. When deploying Logon
Collectors and Logon Monitors, consider the following:
• The network overhead of WMI communication can be expensive. WMI communication occurs between the domain
controller and the Logon Monitor. Trellix recommends that you use a single Logon Monitor for all your Trellix security
devices so that only one WMI session is needed on each domain controller.
• Trellix recommends that you place the Trellix Logon Collector or Logon Monitor in the same geographical location
as the domain controller. Communication between a Logon Monitor and the Logon Collector over a WAN link is often
faster than communication between the domain controller and the Logon Collector over the same WAN link. The
faster the Logon Collector receives this information, the faster the client can associate an IP address with the
matching identity.
• Connect to domain controllers that add value to the monitoring strategy. The Logon Monitor should connect to the
domain controller from which the users to be monitored log on. For example, if you are monitoring in an area of the
network such as New York, and you never see users from San Francisco, then you might not need to monitor the users
that log on to a domain controller in San Francisco. Conversely, if the users in San Francisco use services in the New York
data center you are monitoring, then you will greatly benefit from watching the security event log of the San Francisco
domain controller and determining the identity of these users.
• Take advantage of the IT support infrastructure. If your infrastructure is administered by different groups of system
administrators that correspond to the already existent Windows architecture, you might want to work with them. The
Logon Collectors and Logon Monitors are installed as services on Windows Server 2012, Windows Server 2012 R2,
Windows Server 2016, or Windows Server 2019. The administration of these servers might already be part of a larger
system administration strategy, and you might want to abide by it.
• Depending on your security requirements, you might want to dedicate a separate server to run the Trellix Logon
Collector or a pair of servers in High Availability mode. If the server on which the Trellix LC is installed is compromised, it
might cause great loss of functionality to your security architecture.
• It is important to keep the server on which the Trellix Logon Collector or Logon Monitor is installed up to date by
applying the Microsoft security patches on a timely basis. It is equally important to follow the Microsoft security best
practices to harden this server.
• If possible, remote and local access to the Logon Collector or Logon Monitor server should be limited to its
administrators only.
• Follow the instructions in the section Use NTLMv2 with Logon Collectors to protect the credentials stored on the
server and to use only secure authentication protocols.
• It is possible to configure domain controllers to allow the Logon Monitor to access the Security Event Log without using
Administrator logon credentials. This is recommended. Refer to the section Create a non-administrator account to access
the security event log on a domain controller for more details.
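The Logon Monitor reads the Security Event Log over WMI, and the guide recommends doing so with a non-administrator account. The following PowerShell check, added here as an example and not part of the Trellix guide, runs on the host where the Logon Monitor will be installed and confirms that the intended account can actually read a domain controller's Security log over that same WMI path before you configure the domain. The domain controller name and the account are assumptions; substitute your own.

```powershell
# Added example, not part of the Trellix guide: from the intended Logon Monitor host,
# confirm that an account can read a domain controller's Security Event Log over WMI.
# The domain controller name and the credential are assumptions; use your own values.

function Test-SecurityLogWmiAccess {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $SampleSize = 5
    )
    try {
        # Win32_NTLogEvent is the WMI class that exposes event logs; reading only a few
        # records keeps the check cheap for the domain controller.
        $events = Get-WmiObject -Class Win32_NTLogEvent `
            -ComputerName $DomainController -Credential $Credential `
            -Filter "Logfile='Security'" -ErrorAction Stop |
            Select-Object -First $SampleSize
    }
    catch {
        # Typical causes: DCOM/WMI blocked by a firewall, or the account lacks read
        # access to the Security log (for example, it is not in the built-in
        # Event Log Readers group).
        return [pscustomobject]@{
            DomainController   = $DomainController
            CanReadSecurityLog = $false
            EventsRead         = 0
            NewestEvent        = $null
            Error              = $_.Exception.Message
        }
    }
    # WMI reports timestamps in DMTF format; convert them and keep the newest one so
    # you can see that the log being read is current.
    $newest = @($events) |
        ForEach-Object { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated) } |
        Sort-Object -Descending | Select-Object -First 1
    [pscustomobject]@{
        DomainController   = $DomainController
        CanReadSecurityLog = (@($events).Count -gt 0)
        EventsRead         = @($events).Count
        NewestEvent        = $newest
        Error              = $null
    }
}

# Usage: prompts for the password of the account the Logon Monitor will use.
$cred = Get-Credential -Message 'Account the Logon Monitor will use'
Test-SecurityLogWmiAccess -DomainController 'dc01.corp.example.com' -Credential $cred
```

Run it once per domain controller the Logon Monitor will watch; a result with CanReadSecurityLog set to $false and an access-denied message in Error points at permissions on the domain controller rather than at the Logon Monitor configuration.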
Restriction:
Trellix Logon Collector does not function if you have enabled SSL port 636 on the Domain Controllers (Active Directory) and
have disabled non-SSL port 389. Trellix Logon Collector fails to connect to Domain Controller (Active Directory) on SSL port
636.
Note
The WMI communication happens between Logon Monitor and domain controller.
Installation
This section describes the installation process for Trellix Logon Collector and Logon Monitor.
When you install the Trellix Logon Collector for the first time, you might see a message that states, “The Windows registry entry
NtfsDisable8dot3NameCreation value will be changed to 0”.
Note
You will receive this message only if the Windows registry entry value has not been modified.
You can either proceed by making this change in the registry or you can proceed without the change.
Note
If you accept the change in the registry and proceed, you can have spaces in the installation location. If you do not accept the
change in the registry, you must ensure that the installation location path does not contain any folder with white spaces in its
name. You must also ensure that the folder name does not exceed 8 characters.
Prerequisites
Review the installation prerequisites for the Trellix Logon Collector and the Logon Monitor before installing the software.
• Logon Collector 2.2 and 3.0 clients support Logon Collector 3.0 servers. The 3.0 client does not support Logon
Collector 1.x and 2.x servers.
System requirements
Trellix Logon Collector and Logon Monitor run as Microsoft Windows services on a Windows Server, and require a system that
meets these minimum requirements:
Operating System (domain controllers): any one of the following Microsoft servers:
Browser:
• Microsoft Internet Explorer 8.x and above
• Mozilla Firefox 25 and above
• Google Chrome 40 and above
Microsoft SQL Server: versions later than Microsoft SQL Server 2008, or SQL Server 2008 Express edition
Tip
Consider installing the Logon Monitor on a virtual machine as the Logon Monitor is a less demanding application, and does
not transmit as much information as the Logon Collector.
Note
The Logon Monitor memory usage depends on the number of users and groups in its database.
Proper Domain Name System (DNS) resolution is a critical prerequisite for identities collection. The computers on which Trellix
Logon Collector or Logon Monitor are installed, and the client configured to collect identities must be configured to refer to a
DNS server that must be able to:
Note
When the DNS settings are changed, Logon Collector discards its old DNS cache after 30 seconds and then applies the new
DNS settings. Wait at least 30 seconds before resolving the domain.
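DNS resolution and the non-SSL LDAP port 389 (see the restriction in the Deployment section) are both hard prerequisites that are easy to check before installation. The following PowerShell function is an added example, not part of the Trellix guide: it finds the domain controllers of a domain through their DNS SRV records, confirms each resolves, and tests TCP 389 and 636, reporting which controllers the Logon Collector can reach. The domain name is a sample value.

```powershell
# Added example, not part of the Trellix guide: verify from the Logon Collector or
# Logon Monitor host that DNS resolves the domain's controllers and that each one
# is reachable on non-SSL LDAP port 389 (636 is reported for information only).
# The domain name is a sample value.

function Test-LogonCollectorDnsAndLdap {
    param([Parameter(Mandatory)] [string] $DomainName)

    # Domain controllers register SRV records under _ldap._tcp.dc._msdcs.<domain>;
    # if this lookup fails, the DNS server configured on this host is not suitable.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
    $dcNames = $srv | Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique

    foreach ($dc in $dcNames) {
        $a     = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue
        $ldap  = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
        $ldaps = Test-NetConnection -ComputerName $dc -Port 636 -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            ResolvesInDns    = ($null -ne $a)
            Ldap389Open      = $ldap.TcpTestSucceeded
            Ldaps636Open     = $ldaps.TcpTestSucceeded
            # Per the restriction in the Deployment section, the Logon Collector needs
            # port 389; a controller that only answers on 636 will not be usable.
            LcCanConnect     = (($null -ne $a) -and $ldap.TcpTestSucceeded)
        }
    }
}

Test-LogonCollectorDnsAndLdap -DomainName 'corp.example.com' | Format-Table -AutoSize
```

A controller that shows Ldaps636Open as $true but Ldap389Open as $false is exactly the configuration the restriction describes; fix the listener on the domain controller, or leave that controller out of the monitored set, before adding the domain.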
Note
You can install Logon Monitor separately, if you need a remote Logon Monitor.
Note
If you are already running Trellix ePolicy Orchestrator - On-prem, the Logon Collector service will be incompatible with it.
Download the bundled Trellix Logon Collector and Logon Monitor software from the Trellix website.
Task
1. Go to the Trellix Download Server (https://www.trellix.com/en-us/downloads/my-products.html).
2. Log on using your Grant Number and registered Email Address.
The Find Products page opens.
3. In the Category filter, select Utilities & Connectors.
4. Select the Trellix Logon Collector version required (for example, Trellix Logon Collector 3.0.11). The Available Downloads
page opens.
5. Download the zip file for the Logon Collector installation. Extract the files to your local directory.
6. Find the Logon Collector installation program and download it to your local directory.
The Logon Monitor is part of the Trellix Logon Collector bundle that you download.
Note
If you want to have a separate remote Logon Monitor installation, select the Trellix Logon Monitor folder and find the
installation program.
The Trellix Logon Collector installation wizard will install the Logon Collector and the local Logon Monitor on any one of the
following Operating Systems:
Note
The Logon Collector 3.0.10 installer or above does not contain the Microsoft SQL Server software. You should install the
Microsoft SQL Server software separately before installing the Logon Collector.
Note
You need to download and install JRE version 1.8.0_331 or later before installing Trellix Logon Collector 3.0.11.
At any point of the installation, click Back or Cancel to return to the previous step or cancel the installation, respectively.
Task
1. Navigate to the downloaded Logon Collector folder in your local directory.
2. Double-click Setup.exe.
The installation wizard for Trellix Logon Collector opens. If your system has less than 4 GB RAM, a memory error message
is displayed.
Click Yes to continue the installation with the current available memory.
Note
You can click No to cancel the installation and run it again later, after the server has at least 4 GB RAM.
A pop-up window might appear to enable the Windows 8.3 file naming convention. Click Yes to continue with the
installation.
Enabling this option generates a short name in the Windows 8.3 file naming convention for lengthy file names.
Note
Trellix recommends that you select an empty folder or follow the default installation location format.
Note
You need the Web Server Secure port to open the Logon Collector web interface.
7. Click Next.
The Database Information window opens.
8. Enter the Database Server details and select any of the following options in the Database Information window:
• Windows authentication: Select to enter the domain and logon credentials for the server that will house the Logon
Collector database. Provide the SQL server TCP port details.
• SQL authentication: Select only when you have a separate Microsoft SQL Server installation prior to the Logon
Collector installation. In this case, enter the Microsoft SQL Server user name and password that was used during
Microsoft SQL Server installation.
9. Click Next.
The Ready to Install the Program window opens.
10. Click Install to proceed.
The Specify JRE Location window opens.
Task
1. On the Windows server, from the Start menu, select Control Panel, and then click Uninstall a program under the
Programs category.
2. In the Programs and Features window, select Trellix Logon Collector, then click Uninstall, and follow the on-screen
instructions.
3. If you want to remove the Trellix Logon Collector database, leave the Remove the Trellix Logon Collector database
during uninstall checkbox selected and click Next to proceed.
Configuration information such as which domains are being monitored and which Logon Monitors are connected is not
saved. If you have numerous users configured for administering Trellix Logon Collector, you might want to preserve the
database.
4. The Database Information window opens. Enter the Database Server details and credentials as per the authentication
option chosen during the installation of the software and click Next to proceed.
5. In the Remove the Program window, click Remove to proceed with the uninstallation.
6. The Files in use window opens. Choose Automatically close and attempt to restart applications option and click OK.
Note
If you opt for Do not close applications (A reboot will be required.) option, you need to reboot the server machine later
for the changes to take effect.
Task
1. Open a browser and enter the URL of the Trellix Logon Collector.
For example, if you accepted the default ports, you might enter https://127.0.0.1:8443/.
Note
The value "8443" in the URL might differ depending on the installation.
Note
If you are connecting to the web interface for the first time over an HTTPS connection, an invalid certificate warning will
appear. Click Continue to this website (or the equivalent) to continue.
You should install a Logon Monitor as close as possible to the domain controllers with which it will communicate. This minimizes
the impact of the traffic resulting from the communication.
The Logon Monitor is part of the Trellix Logon Collector download bundle.
Prerequisites:
• Earlier versions of the Logon Collector or Logon Monitor must be uninstalled before installing this version of the
software.
• You must be logged on to the server as an administrator.
Note
Download the software from the location described in the section Download the software.
2. Double-click Setup.exe.
3. The installation wizard for Trellix Logon Monitor opens. Click Next to continue.
4. The License Agreement window opens. Read the license agreement, select the I accept the terms in the license
agreement option, and then click Next.
5. By default, the destination folder for the installation is set to C:\Program Files(x86)\Trellix\Trellix Logon Monitor\. You
may click Change to select a new location. Click Next to proceed.
6. On the Ready to install the Program window, click Install.
7. For a new installation of the Logon Monitor, click Generate Self Signed Certificate on the Configuration tab of the Trellix
Logon Monitor Configuration window.
The certificate is required to communicate with Trellix Logon Collector. If you are re-installing the Logon Monitor, the
previous installation’s certificate remains in the store, and you can continue to use it.
Caution
Ensure that the Logon Monitor you want to uninstall is not being used to watch any domain controllers for any Logon
Collector.
Task
1. Using Windows explorer, locate the Trellix Logon Monitor folder, and double-click setup.exe.
2. The InstallShield Wizard for the Trellix Logon Monitor opens. Click Next to proceed.
3. On the Program Maintenance window, select Remove and click Next.
4. On the Remove the Program window, click Remove to begin the removal process.
5. The Files in use window opens. Choose Automatically close and attempt to restart applications option and click OK.
Note
If you opt for Do not close applications (A reboot will be required.) option, you need to reboot the server machine later
for the changes to take effect.
Upgrade
This section describes key considerations and the step-by-step procedure for upgrading Trellix Logon Collector from older
versions to a newer or the latest version.
• You cannot upgrade from Logon Collector 2.1 to Logon Collector 3.0 because Microsoft SQL Server 2008 Express Edition
is supported only from Logon Collector 2.2 onward.
Note
If Logon Collector 2.1 is installed, you must uninstall Logon Collector 2.1 and Microsoft SQL Server 2005 Express
Edition before upgrading.
• You cannot upgrade from Logon Collector 3.0.2 to Logon Collector 3.0.9.
Note
If Logon Collector 3.0.2 is installed, you must uninstall Logon Collector 3.0.2 before upgrading to Logon Collector
3.0.9.
• Logon Collector 3.0.10 is not compatible with Microsoft SQL Server 2008 Express edition, and the installer does not
contain Microsoft SQL Server. You have to install and configure a later version of Microsoft SQL Server separately.
• The entire Logon Collector configuration along with the following information is retained on the Logon Collector server
when an upgrade is done:
Configured domains
Added certificates
Remote Logon Monitors
After an upgrade, the local Logon Monitor settings and configuration are reset to default values. Make sure to note these values
prior to an upgrade.
Note
As with any upgrade, Trellix strongly recommends that you always first try the upgrade in a test environment. Logon
Collector 3.0 does not support upgrades from ePO versions of Logon Collector 2.x.
Note
.NET framework 4.5 is installed as part of Windows Server 2012 and Windows Server 2012 R2. This version has
compatibility issues with SQL Server 2008 Express. We highly recommend enabling the .NET framework 3.5 to
successfully install Logon Collector 3.0.
Task
1. Navigate to the folder on your local directory that contains the downloaded Logon Collector installer. Double-click
Setup.exe and start the Logon Collector 3.0 setup.
2. Read and accept the license, and proceed with the installation.
3. Confirm the destination folder. Click Next.
4. Enter the user name and password for the Logon Collector administrator. Verify the password.
This must be the same as in the previous (Logon Collector 2.2) installation.
5. Confirm the port numbers.
Since you already have an existing database, the Microsoft SQL Server options are disabled.
6. Verify that the Database Server option in the Database Information window retains the same information as that in the
Logon Collector 2.2 installation.
Click Next. The Ready to Install the Program window opens.
7. Click Install to proceed.
The Specify JRE Location window opens.
Note
Logon Collector 3.0.10 is not compatible with Microsoft SQL Server 2008 Express and its previous versions.
You should use a Microsoft SQL Server version later than the 2008 Express edition. If you are upgrading from
earlier versions of Logon Collector to the 3.0.10 version, consider the following:
Use the installer you downloaded to upgrade the Logon Collector software.
Task
1. Navigate to the C:\Program Files(x86)\McAfee\McAfee Logon Collector\Server\conf folder on your local system that
contains the Logon Collector 3.0.2 installation files and back up the following folder and files.
• mlc (folder)
• broker.ks (file)
• broker.ts (file)
• cluster.ts (file)
• mlc-config (file)
2. Uninstall Logon Collector 3.0.2. For more information on uninstallation, see Uninstall the software.
3. Install the Logon Collector 3.0.10. For more information on installation, see Install the software on Windows Server.
4. Stop the Tomcat service from the Windows Task Manager.
5. Navigate to the C:\Program Files(x86)\McAfee\McAfee Logon Collector\Server\conf folder on your local system that
contains the Logon Collector 3.0.10 installation files. Replace the folder and files from the backup taken in Step 1.
6. Click Start, go to Administrative Tools → Services and restart the Logon Collector service.
7. Log in to the Logon Collector web interface and check that the pre-configured domain details are shown correctly
on the Menu → Reporting → Status page.
Note
Trellix Logon Collector version 3.0.11 is not compatible with Microsoft SQL Server 2008 Express and its
previous versions. You should use a Microsoft SQL Server version later than the 2008 Express edition. If you are
upgrading from earlier versions of Logon Collector to the 3.0.11 version, consider the following:
Use the installer you downloaded to upgrade the Logon Collector software.
Task
1. Navigate to the C:\Program Files(x86)\McAfee\McAfee Logon Collector\Server\conf folder on your local system that
contains the Logon Collector 3.0.10 installation files and back up the following folder and files.
• mlc (folder)
• broker.ts (file)
• cluster.ts (file)
• mlc-config (file)
2. Uninstall Logon Collector 3.0.10. For more information on uninstallation, see Uninstall the software.
3. Install the Logon Collector 3.0.11. For more information on installation, see Install the software on Windows Server.
4. Stop the Tomcat service from the Windows Task Manager.
5. Navigate to the C:\Program Files(x86)\Trellix\Trellix Logon Collector\Server\conf folder on your local system that
contains the Trellix Logon Collector 3.0.11 installation files. Replace the folder and files from the backup taken in
Step 1.
6. Click Start, go to Administrative Tools → Services and restart the Logon Collector service.
7. Log in to the Logon Collector web interface and check that the pre-configured domain details are shown correctly
on the Menu → Reporting → Status page.
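Both upgrade procedures above (3.0.2 to 3.0.10 and 3.0.10 to 3.0.11) hinge on copying the same set of conf items out before the uninstall and back in after the new installation. The following PowerShell functions are an added example and not part of the Trellix guide: they script the backup of step 1 and the restore of steps 4 to 6, and record SHA-256 hashes at backup time so the restore can prove that the keystores and configuration came back unchanged. The conf paths are the ones given in the procedures; the Tomcat and Logon Collector service names are placeholders that you must replace with the names shown in services.msc.

```powershell
# Added example, not part of the Trellix guide: back up (step 1) and restore (steps 4
# to 6) the configuration items listed in the upgrade procedures. Conf paths come
# from the procedures; the service names are placeholders you must replace.

$ItemsToPreserve = @('mlc', 'broker.ks', 'broker.ts', 'cluster.ts', 'mlc-config')
$HashFile = 'backup-hashes.csv'

function Backup-LogonCollectorConfig {
    param(
        [Parameter(Mandatory)] [string] $BackupDir,
        [string] $ConfDir = 'C:\Program Files(x86)\McAfee\McAfee Logon Collector\Server\conf'
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($item in $ItemsToPreserve) {
        $src = Join-Path $ConfDir $item
        if (Test-Path $src) {
            Copy-Item -Path $src -Destination $BackupDir -Recurse -Force
        } else {
            # broker.ks is listed for the 3.0.2 layout only; a missing item is reported, not fatal.
            Write-Warning "$src not found, skipped"
        }
    }
    # Record SHA-256 hashes so the restore can verify the files came back unchanged.
    Get-ChildItem -Path $BackupDir -Recurse -File |
        Where-Object { $_.Name -ne $HashFile } |
        Get-FileHash -Algorithm SHA256 |
        Export-Csv -Path (Join-Path $BackupDir $HashFile) -NoTypeInformation
}

function Restore-LogonCollectorConfig {
    param(
        [Parameter(Mandatory)] [string] $BackupDir,
        # Default is the 3.0.11 (Trellix) path; pass the McAfee path when restoring into 3.0.10.
        [string] $ConfDir = 'C:\Program Files(x86)\Trellix\Trellix Logon Collector\Server\conf',
        [string] $TomcatServiceName = 'PLACEHOLDER-TOMCAT-SERVICE',       # placeholder
        [string] $LogonCollectorServiceName = 'PLACEHOLDER-LC-SERVICE'    # placeholder
    )
    $backupRoot = (Resolve-Path $BackupDir).Path
    # Step 4: stop Tomcat before replacing files under the new installation's conf folder.
    Stop-Service -Name $TomcatServiceName -ErrorAction Stop
    # Step 5: put the preserved folder and files back.
    foreach ($item in $ItemsToPreserve) {
        $src = Join-Path $backupRoot $item
        if (Test-Path $src) { Copy-Item -Path $src -Destination $ConfDir -Recurse -Force }
    }
    # Verify every restored file against the hash recorded at backup time.
    Import-Csv -Path (Join-Path $backupRoot $HashFile) | ForEach-Object {
        $relative = $_.Path.Substring($backupRoot.TrimEnd('\').Length).TrimStart('\')
        $restored = Join-Path $ConfDir $relative
        $actual = (Get-FileHash -Path $restored -Algorithm SHA256).Hash
        if ($actual -ne $_.Hash) { throw "Hash mismatch after restore: $restored" }
    }
    # Step 6: restart the Logon Collector service.
    Restart-Service -Name $LogonCollectorServiceName -ErrorAction Stop
}

# Usage: run the first before uninstalling, the second after the new installation.
# Backup-LogonCollectorConfig  -BackupDir 'C:\LC-backup'
# Restore-LogonCollectorConfig -BackupDir 'C:\LC-backup'
```

The backup directory holds the broker and cluster keystores, so keep it on the server with the same access restrictions as the conf folder itself and delete it once the Status page confirms the monitored domains are back.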
Important
If you have existing integration with other Trellix products like Trellix Intrusion Prevention System Manager, the
integration between Trellix Logon Collector and IPS Manager will not work after the upgrade. You need to re-import
the Logon Collector certificate in such cases. Refer to the section Integration with Trellix Intrusion Prevention System
Manager for more details.
Identities collection
This section gives the details of identities collection.
• Monitor a domain with a local Logon Monitor: Any Logon Collector installation contains the Logon Monitor. You must
add a domain that the Logon Collector collects information from.
• Monitor a domain with a remote Logon Monitor: You can add remote Logon Monitors to the Logon Collectors.
See the Deployment section for a discussion of when to use Logon Monitors to monitor a domain.
Identity Data Store (IDDS) is the in-memory database specific to Trellix Logon Collector. The Trellix LC has a size limit: the
total number of directory objects (users and groups) must always be less than 200000. Make sure that the domain you are
adding to the Trellix LC does not push the total past this limit, and check the existing number of users and groups in IDDS
before adding a new domain. Exceeding the size limit stops Trellix Logon Collector from monitoring all domains, and the
clients lose their connection to it.
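Because exceeding the IDDS limit stops monitoring for every domain, the object count of a new domain is worth measuring before you add it. The following PowerShell functions are an added example, not part of the Trellix guide: they count users and groups in a domain with a paged LDAP search (the same object classes the Logon Collector loads) and compare the projected total with the 200000 limit. The number of objects already in IDDS is an assumed input that you read from the Logon Collector for the domains already added; the domain name is a sample value.

```powershell
# Added example, not part of the Trellix guide: count the users and groups a domain
# would add to IDDS and compare the projected total with the 200000 limit.
# ExistingIddsObjects is an assumed input (objects already loaded for other domains);
# the domain name is a sample value.

function Get-DomainObjectCount {
    param([Parameter(Mandatory)] [string] $DomainName)

    $root = [ADSI]"LDAP://$DomainName"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.PageSize = 1000          # paged search, so counts above the server's page limit are complete
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')   # keep each result small

    $filters = [ordered]@{
        Users  = '(&(objectCategory=person)(objectClass=user))'
        Groups = '(objectCategory=group)'
    }
    $counts = @{}
    foreach ($name in $filters.Keys) {
        $searcher.Filter = $filters[$name]
        $results = $searcher.FindAll()
        $counts[$name] = $results.Count
        $results.Dispose()
    }
    [pscustomobject]@{
        Domain = $DomainName
        Users  = $counts.Users
        Groups = $counts.Groups
        Total  = $counts.Users + $counts.Groups
    }
}

function Test-IddsCapacity {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [int] $ExistingIddsObjects = 0,   # users + groups already in IDDS (assumed input)
        [int] $Limit = 200000
    )
    $c = Get-DomainObjectCount -DomainName $DomainName
    $projected = $ExistingIddsObjects + $c.Total
    [pscustomobject]@{
        Domain         = $DomainName
        DomainObjects  = $c.Total
        ProjectedTotal = $projected
        WithinLimit    = ($projected -lt $Limit)   # the guide requires the total to stay below the limit
    }
}

Test-IddsCapacity -DomainName 'corp.example.com' -ExistingIddsObjects 150000
```

Run it under an account that can read the directory from the Logon Collector host; if WithinLimit comes back $false, the domain must not be added until other domains are removed or the object count is reduced.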
The following sections give you more information on managing the monitored domains.
Enter the credentials for the domains that are monitored directly by Trellix Logon Collector.
• Obtain management access to the client that polls a given domain for identities.
• Install and configure Trellix Logon Collector.
• Acquire the appropriate domain credentials from your Windows domain administrator.
The administrator account you intend to use to access the domain controller must be in the same domain from which
you want to obtain identities.
Note
If you want to use an account other than the administrator account, see the section Create a non-administrator account to
access the security event log on a domain controller.
Task
1. Select Menu → Configuration → Monitored Domains.
2. Click New Domain. The Domain Name tab is displayed.
Parameter Description
Note:
Connections are made to each domain controller belonging to that particular domain. If the connection is not successful
with any of the domain controllers, an error message with the details of the failure is displayed.
4. For each listed domain controller, specify a primary and, optionally, a backup logon monitor.
To add a backup logon monitor, click the New Logon Monitor button in the Logon Monitors page.
a. Click the drop-down list under Primary and select a Logon Monitor.
b. [Optional] Click the drop-down list under Backup and select a Logon Monitor that operates in the event the
primary logon monitor is unavailable.
c. Click Next. The Query Order tab is displayed.
5. Click the up or down arrow buttons to move and arrange the domain controllers in the list. Only those domain
controllers for which the Logon Collector is chosen are displayed in this page. Specify the order in which LDAP queries
are made to the domain controllers for user and group information. In general, the closest domain controllers should
be placed at the top of the list to improve response times and reduce network bandwidth.
The Secure LDAP checkbox is displayed as selected, if you have already selected this option in the Domain Name tab.
Note
If the Secure LDAP checkbox is selected in the Domain Name tab while adding a domain, one of the Domain Controllers
in the Query Order tab will automatically have this option selected.
Note
If a domain controller is disconnected, the LDAP query fails and the status button goes red. By default, Trellix Logon
Collector is configured to perform LDAP query every 12 hours. If the status shows red even after the network connection is
re-established, Trellix recommends removing the domain and adding it again.
When there is a change in domain controller's certificate, remove the domain and add it again from the Monitored Domains
page.
In Secure LDAP, TLS encryption is negotiated using the StartTLS command. The authentication during binding and unbinding of
the LDAP connection to the domain controller is done using Kerberos, not TLS. So, when the communication is viewed using a
packet analyzer tool, it can be observed that only the data packets are encrypted, not the bind and unbind exchanges.
In the High Availability mode, when the primary Logon Collector server goes down, all configurations including the Secure LDAP
connection that is enabled are replicated from the primary Logon Collector server to the secondary Logon Collector server.
The domain controllers that are connected to the primary Logon Collector server switch over to the secondary Logon Collector
server when the primary Logon Collector server becomes unreachable. If the Secure LDAP communication is enabled in the
primary Logon Collector server, the connection remains enabled even after the switch-over.
After the switch-over, configuration changes can only be made on the active secondary Logon Collector server. When the
primary Logon Collector comes up again after a time, it receives the replicated configuration from the active secondary Logon
Collector server, including the Secure LDAP configuration.
When both the primary and the secondary Logon Collector servers go down, the server that comes up first becomes the active
Logon Collector server.
LDAP connection to the domain controller may get an error in certain scenarios. The following are some of the reasons that
could cause an error.
This section describes the details that can be viewed on the monitored domains.
Task
1. Select Menu → Configuration → Monitored Domains. The Monitored Domains page is displayed.
2. In the left panel, select the domain in the Domains list. The following details are displayed in the right panel.
Field Description
Note
To search for a monitored domain, you can use the Filter list text field in the left panel and type the name of the
monitored domain.
This section describes how to add remote Logon Monitor to Trellix Logon Collector.
Before you can add any remote Logon Monitor to a monitored domain on Trellix Logon Collector, you must first provide the
Logon Collector certificate information to the Logon Monitor.
Task
1. Install the Logon Monitor and have the Trellix Logon Monitor Configuration application running.
2. Open a web browser on the computer on which you installed the Logon Monitor.
You will be exchanging information between the Logon Monitor and Trellix Logon Collector. Having a web browser open with
the Trellix Logon Collector web interface makes this task easier to accomplish.
3. Log on to the Trellix Logon Collector web interface and select Menu → Configuration → Server Settings.
4. Click Identity Replication Certificate in the list of Setting Categories.
5. In the Trellix Logon Monitor Configuration application, click the Remote tab.
6. If necessary, click New to add a new certificate to the Logon Monitor.
7. Copy the value for Common Name (CN) on the Logon Collector to the Common Name field on the Logon Monitor.
8. In the Trellix Logon Collector web interface, scroll down until Logon Monitor Fingerprint field is visible.
9. Copy the value for Logon Monitor Fingerprint on the Logon Collector to the Certificate Hash field on the Logon Monitor.
10. Click OK.
11. Repeat these steps for any other Logon Collectors that the Logon Monitor will be communicating with.
With the Logon Collector certificate(s) on the Logon Monitor, you can add the Logon Monitor to any of the Logon
Collectors to collect logons for a monitored domain.
4. Type the host name or IP address for the remote Logon Monitor.
5. Type the port number, or accept the default value of 50443.
6. Click Next or OK depending on how you are adding the Logon Monitor.
A connection is attempted to the Logon Monitor.
• If the connection is successful, the certificate is displayed. To accept the certificate, click Save or OK depending on
how you are adding the Logon Monitor.
• If the connection is unsuccessful, an error message is displayed.
If you want to remove a remote Logon Monitor, you must ensure it is not monitoring any domain controllers.
Task
1. Select Menu → Configuration → Monitored Domains.
2. Select a domain and then click Manage Exchange Servers / Domain Controllers.
3. For each domain controller, ensure the Logon Monitor you want to delete is not listed as either the Primary or Backup
Logon Monitor.
If the Logon Monitor is listed, click the drop-down list and select a different Logon Monitor.
4. Repeat steps 2 and 3 until you are sure the Logon Monitor you want to delete is not being used.
5. Select Menu → Configuration → Logon Monitors.
6. Select the Logon Monitor you want to delete, then click Delete Logon Monitor.
7. Click OK to confirm the deletion.
Sometimes, the password needs to be reset for some users in the domain controller. When it is reset, you should edit it in the
Trellix Logon Collector web interface. The following are the steps to edit the username or password.
Task
1. Select Menu → Configuration → Monitored Domains. The Monitored Domains page is displayed.
2. Click Edit Username/Password. The following fields are displayed.
Field Description
User Name Displays the name of the user for the monitored domain. Edit the username if required.
Password Type the password for the user that is reset in the domain controller.
Trellix Logon Collector can monitor exchange servers. It supports logon events for users logging in through the Microsoft Outlook
thick client or Outlook Web Access (OWA) from web browsers running on Windows and Mac systems.
Note
You can add an exchange server and monitor logon events from Outlook users. View the Status page for the added exchange
servers.
Task
1. Select Menu → Configuration → Monitored Domains. The Domains page is displayed.
2. Select a domain and click Manage Exchange Servers / Domain Controllers.
3. In the Exchange Servers area, click Add Exchange Server.
4. In Exchange Server, enter the fully qualified domain name (FQDN) of the exchange server.
Note
Trellix recommends adding an exchange server's IP address to the IP Ignore List. Navigate to Menu → Configuration →
Server Settings. Select TLC Group / IP Ignore List and enter the server IP address.
5. Under Logon Monitor, go to the Primary drop-down list and select localhost if you want to use the TLC server's local Logon
Monitor. Otherwise, select a remote Logon Monitor if the Logon Monitor is installed on a different system.
6. [Conditional] If you have more than one Logon Monitor, you can select a backup Logon Monitor from the Backup
drop-down list.
Note
You can select a local Logon Monitor as primary and a remote Logon Monitor as backup or vice versa. Alternatively, you
can select different remote Logon Monitors as primary and backup.
Note
TLC server uses the backup Logon Monitor if the primary Logon Monitor goes down.
7. Click Save.
8. Click Status → <domain name> → Controller Logon Collecting. Make sure the Message area's Status displays Collecting
logons from <exchange server>.
You can remove and stop monitoring logon events from an exchange server.
Task
1. Select Menu → Configuration → Monitored Domains.
2. Select a domain and click Manage Exchange Servers / Domain Controllers.
3. From the existing Exchange Servers, decide on the exchange server you want to delete and click Delete Exchange
Server.
You can set the order in which the LDAP queries are made.
Task
1. Select Menu → Configuration → Monitored Domains and click Manage Query Order. The Active Directory Query Order
page is displayed.
2. Click the up or down arrow buttons to move and arrange the domain controllers in the list. Only those domain
controllers for which Trellix Logon Collector is chosen will be displayed in this page. Specify the order in which LDAP
queries are made to the domain controllers for user and group information. In general, the closest domain controllers
should be placed at the top of the list in order to increase response time and reduce network bandwidth.
3. Select or unselect the Secure LDAP checkbox to enable or disable Secure LDAP communication.
4. Click Save to save the changes.
You can remove a monitored domain from Trellix Logon Collector whenever required.
Task
1. Select Menu → Configuration → Monitored Domains.
2. Click Remove Domain.
3. Click OK to confirm the removal of the monitored domain.
Server settings
This section gives the configuration details as well as the different features in the Server Settings window.
Task
1. Select Configuration → Server Settings.
2. Select a setting category and click Edit in the lower right corner of the window.
3. Edit the information and click Save.
Select this option to allow Active Directory users to log on to Trellix Logon Collector if they have at least one permission set.
Email Server
Option Definition
SMTP server port Port number of the SMTP server, usually port 125.
The identity replication certificate identifies Trellix Logon Collector to other entities with which it communicates and establishes
a trusted connection. For example:
Changing the certificate can lead to any one of the following problems:
Option Definition
Server Port The port for the local Logon Monitor service to listen
on. As long as another service is not listening on the
CPU Disconnect Threshold Specifies when the local Logon Monitor introduces rate-limiting if services on a monitored domain
controller consume too much CPU too quickly. If the CPU threshold is crossed, the local Logon Monitor stops polling a domain
for twenty minutes. After the twenty minute window, which should give the CPU time to handle its load, the local Logon Monitor
reconnects. If you find that the local Logon Monitor frequently resorts to rate-limiting, try disabling the Allow Backlog Queries
option.
Allow Backlog Queries Specifies whether the local Logon Monitor checks the domain controller security event logs for
identity-related events that may have occurred while it was not connected. With this option enabled, the local Logon Monitor
can query back into the time it was disconnected rather than simply resuming at the time it reconnects. Note that backlog
querying cannot occur when the local Logon Monitor first connects to the domain controller. The query is done for the value of
Maximum Backlog Records or until the time of the last connection, whichever comes first.
Backlog queries are likely to affect the performance of heavily loaded or legacy computers and are not recommended. If you
find that the local Logon
This section describes the advanced configuration settings of Trellix Logon Collector (TLC) server. The Logon Collector
configuration file has the parameters to configure the TLC server.
You can use the TLC Advanced Settings option to configure these settings.
• Domain Controller Backoff Time — Trellix Logon Collector stops sending the WMI queries to the domain controller if
the CPU usage of the latter is beyond the configured CPU threshold. It waits for 20 minutes by default before sending the
WMI queries to that domain controller.
Caution
Setting too small a value for controllerbackofftime is not recommended, as it might increase the load on the domain
controller. Trellix recommends a minimum value of 10 minutes.
• TLC V1 Compatibility — Logon Collector versions 1.0 and 1.0.1 do not propagate user or group name changes in
Active Directory to the clients. However, Logon Collector version 3.0 propagates user and group name changes to the
clients. By default, Logon Collector version 3.0 runs in compatibility mode.
• Remove White Space from Unique Name — Logon Collector 1.x used an algorithm for generating uniqueName for user and
group objects that removed white space from the name. As a result, the algorithm responsible for generating unique names
did not produce a uniqueName that was actually unique. Example:
Group 1 cn: ProductServices un: ProductServices@DistributionLists.scur.com
Group 2 cn: Product Services un: ProductServices@DistributionLists.scur.com
Note
The same "un" is generated for Group 1 and Group 2 even though their "cn"s are different.
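The collision above is easy to reproduce. The following is an added example, not Trellix code, that models the 1.x behaviour of stripping white space before building the uniqueName and then checks a set of group names for duplicates; the "@DistributionLists.scur.com" suffix is copied from the example above, and how the product derives that suffix is an assumption here.

```python
# Added example (not Trellix code): model the legacy Logon Collector 1.x
# uniqueName generation that stripped white space from the cn, and show how
# it collides for "ProductServices" and "Product Services".
# The suffix is taken from the guide's example; how the product derives it
# is an assumption in this model.
from collections import defaultdict
import re


def unique_name(cn: str, suffix: str, remove_white_space: bool) -> str:
    """Build a uniqueName from a common name and a container suffix.

    remove_white_space=True reproduces the 1.x behaviour described in the
    guide (all white space dropped); False keeps the cn as-is.
    """
    local = re.sub(r"\s+", "", cn) if remove_white_space else cn
    return f"{local}@{suffix}"


def find_collisions(groups, suffix, remove_white_space):
    """Return {uniqueName: [cn, ...]} for every uniqueName shared by 2+ groups."""
    by_un = defaultdict(list)
    for cn in groups:
        by_un[unique_name(cn, suffix, remove_white_space)].append(cn)
    return {un: cns for un, cns in by_un.items() if len(cns) > 1}


# Constructed sample: the two groups from the guide plus one unrelated group.
SAMPLE_GROUPS = ["ProductServices", "Product Services", "Engineering"]
SAMPLE_SUFFIX = "DistributionLists.scur.com"

if __name__ == "__main__":
    for mode in (True, False):
        print("remove white space =", mode, "->",
              find_collisions(SAMPLE_GROUPS, SAMPLE_SUFFIX, mode))
```

Running the check against the group names exported from a domain before enabling Remove White Space from Unique Name shows which groups (and the users in them) would become indistinguishable to clients.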
Navigate to Server Settings → TLC Advanced Settings to configure advanced settings for Trellix Logon Collector. Alternatively,
you can configure these settings using the xml file.
Task
1. Select Menu → Configuration → Server Settings.
2. Select TLC Advanced Settings and click Edit. The Edit TLC Advanced Settings page is displayed.
3. [For Logon Collector setting] In the Domain Controller Backoff Time field, enter the time in minutes.
4. [For clients] Select or deselect the TLC V1 Compatibility checkbox. By default, this checkbox is selected.
5. [For clients] Select or deselect the Remove White Space from Unique Name checkbox. By default, this checkbox is
deselected.
Note
In Trellix Logon Collector, these user and user group names remain as-is.
6. Click Save.
7. Restart the TLC service.
Trellix Logon Collector gives you the option to ignore user IP addresses and user group names based on your monitoring needs.
In many organizations, there are Exchange Servers. When users log on to OWA, the domain controller gets the IP Address of the
Exchange Server. The system administrator can add the exchange server IP Address to the IP Ignore List.
Similarly, many systems are configured to perform some automated tasks. These systems continuously log on to domain
controller using bot user credentials. The system administrator can create a user group and add these bot users to the group.
This user group can be added to the Group Ignore List.
• Group Ignore List — If a user is a member of a group and that group's name (or the name of one of its parent groups) is
added to the Group Ignore List, all logon events from that user are ignored.
• IP Ignore List — If a user logs on from an IP Address and that IP Address is added to IP Ignore List, all logon events from
that IP Address are ignored.
You can select Server Settings → TLC Group / IP Ignore List to ignore user IP addresses and user group names.
Task
1. Select Menu → Configuration → Server Settings.
2. Select TLC Group / IP Ignore List and click Edit. The Edit TLC Group / IP Ignore List page is displayed.
3. In Group Ignore List, enter the user group names as comma-separated values.
4. In IP Ignore List, enter the user IP addresses as comma-separated values.
5. Click Save.
A group filter in Trellix Logon Collector enables you to filter user groups and send only relevant information to clients like Trellix
Intrusion Prevention System Manager.
The group filter feature optimizes the data sent to clients from Trellix Logon Collector. In addition, the filtered user groups
minimize the volume of transactions in the network and enable clients to use fewer resources when caching the data from Trellix
LC.
The TLC Group Filter option is available under Menu → Configuration → Server Settings → Setting Categories.
You can create a group filter and send only relevant details to clients.
Note
If the client is in connected state before configuring a group filter, the client has already received all the user groups instead
of the filtered user groups.
Task
1. Go to Menu → Configuration → Server Settings → Setting Categories and click TLC Group Filter.
2. Click Edit. The Edit TLC Group Filter page is displayed.
3. Select the Enable Filter checkbox.
4. From Quick Find, select ALL DOMAINS or, select a specific domain. The Available Groups and details for a domain are
displayed.
5. Press the Ctrl key and select the user groups from the list. Click Add. The Added Groups are displayed.
Note
You can click Add all to select all user groups. If you then click Save, the group filter is disabled. This is because all user
groups are selected and no filter as such is created.
Note
If you wish to remove any user groups, click Remove to refine your filter.
6. Click Save. The group filter is configured and the TLC Group Filter page is displayed.
Results
You can now connect the client to Trellix Logon Collector so that it can receive only filtered user groups and details. Users who
are members of the selected user groups are sent to the client, and also the logon events are sent only for users of the selected
user groups.
Trellix Logon Collector can configure a group filter, save the filter settings, connect to the client, and send filtered user groups
and details.
These are the high-level steps to send filtered user groups to clients.
Task
1. Add a monitored domain — Populates Trellix Logon Collector’s database with all the user groups
2. Configure a group filter — Select from the available user groups and save the group filter settings
3. Connect to the client — Client receives the filtered user groups and information
Results
Users who are members of the selected user groups are sent to the client. The logon events are sent only for users of the
selected user groups.
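The Group / IP Ignore List rules described earlier and the group filter rules described in this section can be modelled together. The following is an added example, not Trellix code, that applies both to a constructed stream of logon events: the ignore list drops events from ignored IP addresses and from users whose group (or any parent group) is ignored, and the group filter then keeps only users who belong to a selected group and only their events. The group nesting, user list, IP addresses and the assumption that the group filter tests direct membership only are all constructed for the example.

```python
# Added example (not Trellix code): apply the TLC Group / IP Ignore List
# semantics and the TLC Group Filter semantics to constructed logon events.
# Group nesting, users, IP addresses and events are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class LogonEvent:
    user: str
    ip: str


# Parent groups of each group: "Bots" is nested under "ServiceAccounts".
GROUP_PARENTS: Dict[str, Set[str]] = {
    "Bots": {"ServiceAccounts"},
    "ServiceAccounts": set(),
    "Finance": set(),
    "Engineering": set(),
}
# Direct group membership of each user (constructed).
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"Finance"},
    "bob": {"Engineering"},
    "svc-backup": {"Bots"},
}


def effective_groups(user: str) -> Set[str]:
    """Direct groups of the user plus all their ancestors (transitive closure)."""
    seen: Set[str] = set()
    stack = list(USER_GROUPS.get(user, set()))
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(GROUP_PARENTS.get(g, set()))
    return seen


def is_ignored(event: LogonEvent, group_ignore: Set[str], ip_ignore: Set[str]) -> bool:
    """Ignore-list rule from the guide: drop the event if the user belongs to an
    ignored group (directly or via a parent group) or logs on from an ignored IP."""
    if event.ip in ip_ignore:
        return True
    return bool(effective_groups(event.user) & group_ignore)


def apply_group_filter(events: List[LogonEvent], selected: Set[str]):
    """Group-filter rule: only users who are direct members of a selected group
    (assumption: direct membership) and only their logon events go to the client.
    An empty selection means no filter is configured and everything is sent."""
    if not selected:
        return set(USER_GROUPS), list(events)
    users = {u for u, gs in USER_GROUPS.items() if gs & selected}
    return users, [e for e in events if e.user in users]


def pipeline(events, group_ignore, ip_ignore, selected):
    """Ignore lists first, then the group filter; returns (users, events) for the client."""
    kept = [e for e in events if not is_ignored(e, group_ignore, ip_ignore)]
    return apply_group_filter(kept, selected)


# Constructed sample events: one logon seen from an Exchange/OWA server
# address (10.0.0.50) and one from a bot account nested under ServiceAccounts.
SAMPLE_EVENTS = [
    LogonEvent("alice", "10.0.0.5"),
    LogonEvent("alice", "10.0.0.50"),
    LogonEvent("bob", "10.0.0.7"),
    LogonEvent("svc-backup", "10.0.0.9"),
]

if __name__ == "__main__":
    users, evts = pipeline(SAMPLE_EVENTS, {"ServiceAccounts"}, {"10.0.0.50"}, {"Finance"})
    print(sorted(users), [(e.user, e.ip) for e in evts])
```

With ServiceAccounts ignored, 10.0.0.50 ignored and only Finance selected, the client receives just alice and her logon from 10.0.0.5; the OWA-attributed logon and the bot logon never reach the filter stage.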
Configuring the IP address for Trellix Logon Collector server client communication
When multiple IP addresses are present in the Trellix Logon Collector server, it listens on all the IP addresses.
During High Availability fail-over, when the primary server is inactive or is not reachable, the secondary server changes from
standby to active state. The secondary server keeps trying to reach the primary server. Once the primary server is
active, the secondary server changes its state to standby (or passive) and the primary server regains its active state.
When the primary server is unavailable, the Logon Collector clients have to retry all the IP addresses of the primary server
before switching over to the secondary server. This delays the fail-over process for the client.
To overcome this problem, Trellix Logon Collector allows you to selectively choose the IP address for communication. The
Logon Collector HTTPS port continues to listen on all the IP addresses. Client communication and High Availability
communication happen through the selected IP address. When the primary server is not available, the Logon Collector
clients have to retry only the configured primary IP address before switching to the secondary server.
Task
1. Select Menu → Configuration → Server Settings.
2. Under Setting Categories, click TLC Communication IP Address.
3. Click Edit at the bottom right corner to select an IP address from the drop-down list.
4. Click Save.
Trellix Logon Collector provides an option to modify the duration of the logon event in the TLC server. By default, the logon
event is stored in the TLC server for 6 hours.
Task
1. Select Menu → Configuration → Server Settings.
2. Under Setting Categories, click TLC User Login Timeout.
3. Click Edit at the bottom right corner to modify the time. The logon event will be stored in the TLC server according to
the configured time.
4. Click Save.
Server certificate
In this section, you configure the certificate that the Logon Monitor uses to authenticate itself to Trellix Logon Collector.
Note
Ensure that you have a certificate for the Logon Monitor, whether it is a newly generated (by the Logon Monitor) self-signed
certificate or one generated by a Certificate Authority. The Logon Monitor will not function without a certificate. However, for
a local Logon Monitor, you do not need a self-signed certificate.
• Distinguished Name — The Distinguished Name contains the Common Name and other attributes that the Logon
Monitor needs to identify the certificate found in its store (see Store Name below) that should be used to authenticate to
the server. For example, string cn=dlc.centserv.org,o=centserv,c=us could be the Distinguished Name, comprised of the
certificate’s Common Name (cn), organization name (o) and country of origin (c). To use a self-signed certificate, you only
need to use the Common Name (prefixed with cn=) for identification.
• Store Name — The Store Name, or Certificate Store name, is where the Logon Monitor looks to find its certificates. The
default setting for the Store Name is TrellixLogonMonitor\MY. This uses the Store Type CERT_SYSTEM_STORE_SERVICES.
If the Logon Monitor is running in standalone mode, use the Store Name MY. This uses the Store Type
CERT_SYSTEM_STORE_CURRENT_USER.
• Generate Self-Signed Certificate — Only available when the Distinguished Name field is not blank, the Generate Self-
Signed Certificate button generates a self-signed certificate and places it in the certificate store identified by Store Name.
Note
For a separate installation of Logon Monitor, you must generate a certificate so that you can connect the Logon
Monitor to the Logon Collector.
• View Certificate — Only available when the Distinguished Name field is not blank, the View Certificate button displays
a Windows-standard certificate viewer displaying the certificate matching the Distinguished Name, if one is found in the
store.
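The Distinguished Name matching described above (a full cn/o/c string, or cn alone for a self-signed certificate) can be checked with a small parser. The following is an added example, not Trellix code or the Logon Monitor's implementation: it parses a DN string such as cn=dlc.centserv.org,o=centserv,c=us and selects the first certificate whose subject matches every attribute the DN supplies. The certificate store is a constructed list of dictionaries standing in for the Windows certificate store, and the thumbprint values are placeholders.

```python
# Added example (not Trellix code): parse a Distinguished Name string and
# pick the matching certificate from a store. The store below is a
# constructed stand-in for the Windows certificate store; thumbprints are
# placeholder values.
from typing import Dict, List, Optional


def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'cn=...,o=...,c=...' into a dict keyed by lower-cased attribute type.
    Values are kept as written; comparison is done case-insensitively later.
    Raises ValueError on a malformed component or a missing cn."""
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        k, v = part.split("=", 1)
        attrs[k.strip().lower()] = v.strip()
    if "cn" not in attrs:
        raise ValueError("Distinguished Name must contain a Common Name (cn=)")
    return attrs


def matches(cert_subject: Dict[str, str], wanted: Dict[str, str]) -> bool:
    """Every attribute given in the configured DN must match the certificate's
    subject. A cn-only DN therefore matches on cn alone, which is what the
    guide says suffices for a self-signed certificate."""
    return all(cert_subject.get(k, "").lower() == v.lower() for k, v in wanted.items())


def select_certificate(store: List[Dict[str, str]], dn: str) -> Optional[Dict[str, str]]:
    """Return the first certificate in the store whose subject matches the DN,
    or None if nothing matches (the Logon Monitor cannot authenticate then)."""
    wanted = parse_dn(dn)
    for cert in store:
        if matches(parse_dn(cert["subject"]), wanted):
            return cert
    return None


# Constructed store: one self-signed certificate and one CA-issued certificate.
SAMPLE_STORE = [
    {"subject": "cn=dlc.centserv.org", "issuer": "cn=dlc.centserv.org",
     "thumbprint": "PLACEHOLDER-SELFSIGNED"},
    {"subject": "CN=dlc.centserv.org, O=centserv, C=us", "issuer": "cn=Example CA",
     "thumbprint": "PLACEHOLDER-CA-ISSUED"},
]

if __name__ == "__main__":
    print(select_certificate(SAMPLE_STORE, "cn=dlc.centserv.org,o=centserv,c=us"))
    print(select_certificate(SAMPLE_STORE, "cn=dlc.centserv.org"))
```

Note that a cn-only DN matches the self-signed certificate first here because it appears first in the store; when both a self-signed and a CA-issued certificate share a Common Name, supply the full DN so the intended certificate is selected unambiguously.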
You configure the Logon Monitor with an application named Logon Monitor Configuration on the Windows computer on which
you installed the Logon Monitor software. If you are not configuring the Logon Monitor as part of the installation, go to the Start
menu and select Trellix Logon Monitor Configuration (for example, by default in Start → Programs → Trellix Logon Monitor →
Logon Monitor Configuration) to display the Trellix Logon Monitor Configuration window.
Note
You do not have to restart the Logon Monitor service when you make configuration changes. Changes take effect after you
click OK. Logon Monitor configuration information is stored in the Windows Registry.
Configuration tab
The Configuration tab contains the settings for the Logon Monitor.
Configuration tab
Remote tab
The Remote tab contains the certificate common name and certificate hash of any Logon Collector to which this Logon Monitor
connects.
The Logon Monitor accepts any number of certificates in the Remote tab.
Remote tab
Logon Monitor uses the Microsoft Certificate store to manage the certificates it generates. After you install the Logon Monitor,
the easiest way to view the certificates is to use the Microsoft Management Console (MMC) to view the Certificate store for the
Logon Monitor service.
To use MMC:
Task
1. Start MMC (Start → Run → MMC).
2. Navigate to File → Add/Remove Snap-in to display the Add/Remove Snap-in window.
3. Click Add to display the Add Standalone Snap-in window.
4. Select Certificates and then click Add to display the Certificates snap-in window.
5. Select Service account on the Certificates snap-in window, and then click Next.
6. Select Local Computer, and then click Next.
7. Select Trellix Logon Collector from the list of services and then click Finish.
8. Click Close on the Add Standalone Snap-in window.
9. Click OK on the Add/Remove Snap-in window to close the same.
MMC displays the certificate information for the Logon Monitor.
10. Right-click a certificate or a store to import certificate lists in the display.
See the Microsoft documentation on the Certificate snap-in for MMC for information on importing a certificate as a Certificate
Authority (CA) for Logon Monitor.
Note
This is only useful when the Logon Monitor is using Certificate Checking.
Trellix recommends that you use Kerberos as the authentication type. If you want to use NTLM, you should use NTLMv2 as
described in this section. The default authentication method in Windows environments, LM hash, generates a weak response
that can be used by an attacker to perform an off-line, brute-force attack in order to guess the actual password.
Read this section to learn how to use the NTLMv2 authentication method for a more secure connection between a Logon
Monitor and a domain controller.
Trellix recommends that you use the NTLMv2 authentication method on Windows 2012 and Windows 2012 R2 servers when you
are running a Logon Monitor. This enables the Logon Monitor to use NTLMv2 to authenticate to the domain controllers. This can
only be accomplished by modifying the Registry; no changes are required on the domain controllers.
Caution
This procedure requires modifying the Windows Server Registry. Improper editing of the Registry could leave your system
completely unusable or in an unstable state. Make a backup of your Registry before proceeding. For more information, see
Microsoft support article 322756 (http://support.microsoft.com/kb/322756/). If the Windows Server offers other services and
there are clients that do not support NTLMv2 (for example, Windows 95 or Windows 98), this change prevents these old clients
from using the server.
Task
1. Log on to the Windows Server where the Logon Monitor runs.
2. Start the Registry editor (Start → Run → regedit).
3. Navigate to the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
4. Right-click the value LmCompatibilityLevel.
5. Click Modify.
6. Type the number 5 (only use NTLMv2 authentication and negotiate NTLMv2 session security if the server supports it)
and click OK.
7. Restart the Windows Server.
8. Ensure the IAM status on the Logon Collector is UP after 10 minutes.
Note
The terms High Availability and cluster are used interchangeably throughout the chapter.
Overview
The high availability feature enables Trellix Logon Collector to exist in the form of primary server and secondary server. In this
scenario, when the primary server is inactive or is not reachable, the secondary server changes from standby to active mode. The
latter keeps polling the primary server to check if it is available again. Once the primary server is active, the secondary server
changes to the standby state. The clients that were connected to the primary server, switch over to the secondary server when
the primary server becomes unreachable. When the primary server becomes active again, the clients switch back to the primary
server.
• Standalone
• Cluster
Trellix Logon Collector can exist in the following states:
• Active
• Standby
Configuration basics
This section gives the details about the configuration basics of the High Availability feature.
Listed below are the prerequisites for the High Availability feature:
To configure a cluster:
Task
1. Install Trellix Logon Collector on different servers (Windows Server 2012, Windows Server 2012 R2, Windows Server
2016, or Windows Server 2019).
2. On the server that you intend to select as primary, select Menu → Configuration → Cluster Configuration.
4. Select the Enable clustering box, and select Primary. Click Save.
5. On the server that you intend to select as secondary, select Menu → Configuration → Cluster Configuration to open the
Cluster Configuration window.
6. In the Edit Cluster Configuration window, select the Enable Clustering box and select Secondary. Enter the following
details:
7. Click Yes to display the HTTPS port certificate of the primary server.
Note
This message gives the information about the configuration settings after a cluster formation is complete.
8. In the Primary TLC Certificate window, click Accept Certificate and Enable Clustering.
This initiates the certificate exchange between the primary and secondary servers, and enables the trust establishment.
The Cluster Configuration window opens.
9. The Cluster Configuration window shows the following details:
You can also configure the High Availability feature in a Public Key Infrastructure (PKI) setup. The steps to configure the cluster
in this scenario remain the same as described earlier.
The following steps are the pre-requisites for high availability in Public Key Infrastructure (PKI) setup:
1. Select Menu → Configuration → Trusted CAs and add the CA root certificate on both the High Availability peers.
2. Select Menu → Configuration → Server Settings → Identity Replication Certificate to replace the Identity Replication
certificate with the CA-signed certificate for the respective servers.
Note
The CA root certificate and the CA-signed certificate should be added for the clients.
Error scenarios
An error message will be displayed for any one of the following scenarios:
• The certificate used by the primary server is self-signed, while the certificate used by the secondary server is signed by
CA.
• The certificate used by the secondary server is self-signed, while the certificate used by the primary server is signed by
CA.
• The certificates used by the primary and secondary servers are signed by two different CAs. In this case, the cluster
configuration is successful, but the status will be displayed in red.
Error message
Important:
The overall {IAM} status is GREEN since the {LAM} component status is GREEN.
Status window
The passive secondary server does not allow you to make configuration changes; an error message will be displayed if
you do so. The configuration changes can only be done on the active secondary server.
• Replication from the primary to the secondary server: Once the cluster is configured, the configurations are replicated
from the primary to the secondary server.
• Replication from the active secondary server to the primary server: When the primary server goes down and comes
up after a period of time, it receives the configuration details from the active secondary server.
• When the secondary server runs in standby mode, the {LAM} status is RED in the Status window. This is normal
behavior because the Logon Collector stops {LAM} when it runs in standby mode.
Note
Trellix Logon Collector should not be deployed on a DHCP machine: The peer TLC servers should communicate with each
other during a cluster formation. But, this may not be possible if the Trellix Logon Collector is deployed on a DHCP machine.
Trellix products connected to the TLC server on a given IP address will also be disconnected when there is a change in the IP
address due to DHCP configuration. Trellix, therefore, recommends that you avoid the deployment of the Logon Collector on
a DHCP system.
The logon events on the active TLC server are replicated to the standby TLC server.
When the primary server goes down and comes up again after a period of time, it receives the replication data (logon events,
users, groups) from the active secondary server.
Attention
When both primary and secondary servers are down, you must bring up first the server that has the latest configuration
followed by the other server. If you fail to do so, the data replicated across the servers might not be the latest.
Limitations
The following list shows the limitations of the High Availability feature:
• The split network scenario is not supported. It is important to ensure that the communications between primary and
secondary are never interrupted. For example, if the network connectivity between the primary and the secondary
server is down, the secondary server assumes that the primary server is not responding, waits for 5 seconds, and
becomes active. When the communication is re-established, the primary server always overrides the configuration of the
secondary server.
• The high availability feature works in the PKI setup, but the primary and secondary certificates must be signed by the
same signer. Certificate Revocation List (CRL) is not supported.
• Other Trellix products using the Logon Collector 1.0 client library do not benefit from this feature, but they continue to
work in this scenario.
Disable a cluster
To disable a cluster:
Task
1. On the secondary server, select Menu → Configuration → Cluster Configuration.
2. Deselect Enable clustering, and click Save.
The Disable Cluster Task window opens. Click Yes to continue.
Note
When the cluster is disabled, the secondary server removes all configurations including logon monitors and domains,
and functions as a standalone server.
The primary server will retain the configurations and will continue to monitor the configured domains as a standalone
server.
Reconfigure a cluster
The cluster can be reconfigured if the role of the servers needs to be reversed (for example, if you want the secondary server to
behave as the primary server and vice versa).
You can refresh the new user information anytime. This enables the Trellix Logon Collector (TLC) server to synchronize its
user/group data with the domain controller.
If the administrator adds a user to an Active Directory group in order to grant access to a resource, the administrator may use
on-demand group refresh to update the Logon Collector and allow user access to the resource, without having to wait until the
group refresh happens in background.
Tip
Trellix recommends you to avoid running the group and user refresh tasks at the same time. Run the group refresh task
approximately 20 minutes before the user refresh task to allow the group refresh task to be completed.
Note
Other options displayed in the Server Tasks user interface that are not explained in this chapter are not related to the Logon
Collector.
This section gives the details of the various options of group refresh.
Option 1: Run
Use this option to manually refresh the group information in the Logon Collector database (IDDS) by retrieving the latest group
information from the domain controller datastore.
Task
1. Go to Menu → Automation → Server Tasks.
2. Click the Run option of TLC Refresh Groups.
The Server Task Log page opens. This page gives the results of group refresh action. By default, the records are sorted by
time, with the latest record on top.
Option 2: Edit
Select Menu → Automation → Server Tasks. Select TLC Refresh Groups and click Edit.
Note
Each of the tabs discussed below has a Save and a Cancel button. Clicking Save saves the changes made and closes the Server
Task Builder window. Clicking Cancel ends the operation without saving the changes. If you want to continue modifying the
scheduler settings for the server task, do not click Save until you have completed configuring the fields available on each tab
in the Server Task Builder window.
Tab 1: Description
Task
1. In the Server Task Builder window, the following fields are displayed under the Description tab:
Parameter Description
2. Edit the fields as per your requirement. Click Next to go to the Actions tab.
Tab 2: Actions
Task
1. Under the Actions field, the TLC Group Sync option is selected by default.
Actions tab
2. Click Next to open the Schedule tab; click Back to go back to the previous tab.
Tab 3: Schedule
The Schedule tab enables you to change the scheduler settings for the task.
Task
1. On the Schedule tab, enter the following details:
• Schedule Type — Select any one of the following schedule types from the drop-down list:
Hourly
Daily
Weekly
Monthly
Yearly
Advanced
• Start Date — Select the date from when you want to start the task.
• End Date — Select the date by when you want to stop the task.
• Schedule — Click to add a new scheduled time. Click to remove an existing scheduled time.
Schedule tab
Tip
Trellix recommends that you set the schedule time such that the TLC Group Refresh task starts at least 20 minutes
before the TLC User Refresh task.
2. Click Next to open the Summary tab, click Back to go back to the previous tab.
Tab 4: Summary
• Schedule — The details about the start date, end date, time frame, and next run time of the scheduled task.
Summary tab
Option 3: View
Use this option to view the settings for the refresh groups.
Select Menu → Automation → Server Tasks. Select TLC Refresh Groups and click View.
The Server Tasks Details page opens. It displays details of the group refresh action.
This section gives the details of the various options of user refresh.
Option 1: Run
Before you begin
Use this option to manually refresh the user information in the Logon Collector database (IDDS) by retrieving the latest user
information from the domain controller datastore.
Task
1. Go to Menu → Automation → Server Tasks. Click the Run option of TLC Refresh Users.
The Server Task Log page opens. This page gives the results of user refresh action. By default, the records are sorted on
time, with the latest record on top.
Option 2: Edit
Navigate to Menu → Automation → Server Tasks. Select TLC Refresh Users and click Edit.
Note
Each of the tabs discussed below has a Save and a Cancel button. Clicking Save saves the changes made and closes the Server
Task Builder window. Clicking Cancel ends the operation without saving the changes. If you want to continue modifying the
scheduler settings for the server task, do not click Save until you have completed configuring the fields available on each tab
in the Server Task Builder window.
Tab 1: Description
Task
1. In the Server Task Builder window, the following fields are displayed under the Description tab:
2. Edit the fields as per your requirement. Click Next to go to the Actions tab.
Tab 2: Actions
Task
1. Under Actions field, TLC User Sync option is selected by default.
Actions tab
2. Click Next to open the Schedule tab; click Back to go back to the previous tab.
Tab 3: Schedule
The Schedule tab enables you to change the scheduler settings for the task.
Task
1. On the Schedule tab, enter the following details:
• Schedule Type — Select any one of the following schedule types from the drop-down list:
Hourly
Daily
Weekly
Monthly
Yearly
Advanced
Note
Trellix recommends that you select the Daily option for Schedule Type.
• Start Date — Select the date from when you want to start the task.
• End Date — Select the date by when you want to stop the task.
Note
Trellix recommends that you select the No End Date option so that no end date is configured for the task.
• Schedule — Click to add the new scheduled time. Click to remove existing scheduled time.
At — Select the At option from the drop-down list to run the task at a specific time.
Between — Select the Between option from the drop-down list to run multiple tasks in a specific range of
time.
Schedule tab
Tip
Trellix recommends that you set the schedule time such that the TLC Group Refresh task starts at least 20 minutes
before the TLC User Refresh task.
2. Click Next to open the Summary tab, click Back to go back to the previous tab.
Tab 4: Summary
Summary tab
Option 3: View
Use this option to view the settings for the refresh users.
Go to Menu → Automation → Server Tasks. Select TLC Refresh Users and click View.
The Server Tasks Details window opens. It displays the details of the user refresh action.
Click Edit to make changes in the scheduler settings of the server task, or click Close to exit the Server Task Details window.
User management
This section gives the details of user management for administrative access to the Trellix Logon Collector itself. To add users to
the Active Directory, use the normal Active Directory configuration mechanisms in Windows.
Manage users
You can add users to Trellix Logon Collector and specify what access they have to the system.
Task
1. Navigate to Menu → User Management → Users.
2. Click New User to add, or select Actions → Edit to modify.
3. Define the user.
a. Type a name for the user, or change the existing one.
b. Specify whether the user is able to log on or not.
You cannot disable the logon status of the last remaining global administrator.
c. Select an authentication type.
If you are modifying a user, first click Change Authentication or Credentials.
• For Trellix Logon Collector authentication, type a password and confirm it.
• For Windows authentication, type the user name and domain.
• For Certificate Based Authentication, provide the Personal certificate subject DN in the given field and upload
the required certificate file.
d. [Optional] Provide other details for the user: Full name, Email address, Phone number, and Notes.
e. Assign a permission set.
Delete a user
To delete a user:
Task
1. Navigate to Menu → User Management → Users.
2. Select a user or users by selecting the checkbox next to the user name.
3. Select Actions → Delete.
Permission sets grant permissions only — no permission set ever removes a permission.
Task
1. Go to Menu → User Management → Permission Sets, then click New Permission Set.
2. Type a name for the permission set and select the users to which the set is assigned.
3. Click Save.
4. Select the new permission set from the Permission Sets list.
Its details appear to the right.
5. Click Edit next to any section from which you want to grant permissions.
6. On the Edit Permission Set window that appears, select the appropriate options, then click Save.
7. Repeat for all desired sections of the permission set.
Use this task to delete a permission set. If the permission set has users assigned to it, those users will lose the permissions
granted to them.
Task
1. Go to Menu → User Management → Permission Sets, then select the permission set that you want to delete in the
Permission Sets list.
Its details appear to the right.
2. Click Actions → Delete.
The Action: Delete pane opens asking whether you want to delete the permission set.
3. Click OK to confirm the deletion of the permission set, or Cancel to abort.
Use this task to duplicate a permission set. Duplicating a permission set creates an in-memory copy of the selected permission
that can be modified and saved with another name.
Task
1. Navigate to Menu → User Management → Permission Sets, then select the permission set that you want to edit in the
Permission Sets list.
Its details appear to the right.
2. Click Actions → Duplicate, type a New name in the Action: Duplicate pane, then click OK.
3. Select the new duplicate in the Permission Sets list.
Its details appear to the right.
4. Click Edit next to any section for which you want to grant permissions.
5. On the Edit Permission Set window that appears, select the appropriate options, then click Save.
6. Repeat for all sections of the permission set for which you want to grant permissions.
Manage contacts
To make selecting recipients for reports and data easier, Trellix Logon Collector provides a Contacts feature where you can
define names and email address for contacts.
Task
1. Go to Menu → User Management → Contacts.
2. Click New Contact to add, or, select an existing contact and click Actions → Edit to modify.
3. Type a name for the user, or change the existing one.
The contact must include a name, and you can select either a first name or last name only, or both.
4. Type an email address, or change an existing one.
5. Click Save.
Delete a contact
To delete a contact:
Task
1. Go to Menu → User Management → Contacts.
2. Select a user or users by clicking the checkbox(es) next to the contact name(s).
3. Click Actions → Delete.
Reporting
This section gives the details about the status of the product to verify that components are running as expected.
System components
• Login Acquisition Manager
• Id Replication Manager
• Login State Manager
• Id Data Store
Yellow or red status: Check specific components to identify the cause of the component failure.
For each component, the Status window indicates the following, with the meaning of the yellow, green, and red status:
Login Acquisition Manager {lam}
Indicates: the current state of queries to domain controllers.
Yellow: one or more domains are yellow or red.
Green: Working fine.
Red: All domains are red.
Login State Manager {lsm}
Indicates: whether the Login State Manager initialized correctly.
Yellow: Not applicable.
Green: Working fine.
Red: Initiation failed. Check the Logon Collector logs to identify the cause of failure.
ID Resolution {pnd}
Indicates: whether queries for user information from Active Directory have been serviced after a logon is detected.
Yellow: there are more than 1000 logons in the pending queue waiting for user information to be resolved.
Green: Working fine.
Red: No red status.
Logon Flow {logons}
Indicates: how many logons have been detected within the last minute.
Yellow: no logons have been detected in the last hour.
Green: Working fine.
Red: No logons have been detected in the last twelve hours.
Cluster Manager {cluster}
Indicates: the health of the cluster and the messages being exchanged between the cluster members.
Yellow: Not applicable.
Green: the cluster manager is working fine.
Red: The communication between the cluster members is down or one of the cluster members is not available.
Task
1. Go to Menu → Reporting → Logon Report.
2. [Optional] To search on a particular IP address or user name, type the value into the Quick find field, then click Apply.
3. [Optional] Configure the display of columns:
a. Select Actions → Choose Columns.
b. Align the columns by clicking a left or right arrow to move the column.
c. Remove a column by clicking the X button.
Reset your changes by clicking Use Default.
Task
1. Select Menu → Reporting → Logon Report.
2. Specify the contents of the report by applying filters as desired.
3. Select Actions → Export Table.
Task
1. Go to Menu → User Management → Audit Log.
2. [Optional] Define an advanced filter.
3. [Optional] Select a pre-defined filter from the drop-down list.
4. [Optional] Click an audit log entry to see the information for a single row displayed as rows instead of columns.
5. [Optional] Configure the display of columns:
a. Select Actions → Choose Columns.
b. Align the columns by clicking a left or right arrow to move the column.
c. Remove a column by clicking the X button.
Reset your changes by clicking Use Default.
You can save specific views of the audit log and email them.
Task
1. Select Menu → User Management → Audit Log.
2. Specify the contents by applying filters as desired.
3. Select Actions → Export Table.
Task
1. Select Menu → Reporting → Queries & Reports.
2. Click New Query, then click Next to begin the Query Wizard.
3. Define the chart type.
a. Select the type of chart by clicking it.
b. Configure the chart.
The available options differ depending on the type of chart you select.
c. Click Next to proceed in the query wizard.
4. Configure the display of columns.
a. Align the columns by clicking a left or right arrow to move the column.
b. Remove a column by clicking the X button.
c. Click Next to proceed in the query wizard.
5. [Optional] Configure filters.
6. Click Run.
The query is run and the results are displayed.
7. [Optional] Click Edit Query to adjust criteria.
8. When you are satisfied with the report, click Save.
9. Finish configuring the query:
a. Type a name to identify the query.
b. [Optional] Type notes to describe the query.
c. Assign the query to a query group.
Define a new group or select from the list of existing groups.
10. Click Save.
The query appears on the main Queries window. You may need to clear the Quick find text box.
Task
1. Navigate to Menu → Reporting → Queries & Reports.
2. Click Import Queries.
The Import Queries page is displayed.
3. Browse and choose the file that contains your audit log query.
4. Assign the query to a query group.
Define a new group or select from the list of existing groups.
5. Click Save.
The query appears on the main Queries window. You may need to clear the Quick find text box.
Query actions
Task
1. Select the checkbox next to the desired query, or click the Queries checkbox at the top to apply an action to all queries.
2. Select an action from the list.
• Export Query Definition — For single queries only, export the query definition as an XML file.
• View Query SQL — For single queries only, view the selected query as a SQL statement.
Task
1. Click the right arrow in the Available Properties column to activate that property.
2. [Optional] Click the plus sign at the end of the Property row to create an additional comparison item.
3. By default, an additional item is evaluated with an “OR” operator. Click and in the and/or box to change this.
4. [Optional] Click the left arrow next to the Property to remove it from consideration.
5. Click OK, or Update Filter depending on how you arrived at the filter criteria.
Task
1. Select an export action:
For PDF, also specify a page size, page orientation, optionally select to show filter criteria, and optionally specify cover page
text.
View dashboards
The Dashboards user interface option is not applicable for Logon Collector 2.1.
Note
Every client (product) connecting to Trellix Logon Collector must have its own certificate with a unique Common Name. This
ensures that more than two clients can connect to the Logon Collector seamlessly.
Together with Trellix IPS Sensor and IPS Manager, Trellix Intrusion Prevention System provides comprehensive network
intrusion detection and can block, or prevent, attacks in real time, making it truly an intrusion prevention system (IPS). It is
built for the accurate detection and prevention of intrusions, denial of service (DoS) attacks, distributed denial of service (DDoS)
attacks, and network misuse.
The Manager can display a variety of information about the hosts inside and outside a network.
Trellix Logon Collector integrates with the Manager to display user names of the hosts in your IPS and NTBA deployments.
Logon Collector provides an out-of-band method to obtain user names from the Active Directories.
Benefits
This integration helps to provide information about source and destination users.
These are the number of user groups supported for different Sensor models.
Important terms
This section describes the important terms associated with this integration.
Identity Acquisition Agent (IAA) is deployed on the Trellix Intrusion Prevention System side and is used as an interface to listen
to the message service where the updates are published by the Logon Collector server.
Trellix Intrusion Prevention System Manager TLC Listener is the registered listener that regularly receives new updates from the
Trellix Logon Collector through IAA.
Integration requirements
How Logon Collector - Trellix Intrusion Prevention System Manager integration works
Logon Monitors of the Logon Collector can be used to poll nearby domain controllers and forward collected information on to
the Logon Collector, shortening the distance domain controller communication must travel.
Identity Acquisition Agent (IAA) is deployed on the Trellix IPS Manager side and is used as an interface to listen to the message
service where the updates are published by the Logon Collector server. IAA listens to the Logon Collector Active Message Queue
(MQ) service and regularly receives new updates from the Logon Collector server.
A listener for receiving the updates is registered with the IAA. The registered listener regularly receives new updates from the
Logon Collector through IAA.
All IP-to-user binding data is loaded into a newly created Trellix IPS Manager cache the first time. On subsequent updates,
the cache is updated with only the differences. Because all the other components of the Trellix IPS Manager can query the
Manager cache, they do not need to communicate with the Logon Collector server each time an update happens.
Note
The Trellix IPS Manager and Logon Collector can co-exist in the same server. However, Trellix does not recommend this
co-existence as it can hamper the performance depending on the flow of traffic.
Note
You do not need a special passphrase or license key to install the Logon Collector software.
This section gives the configuration details for the integration between the Manager and Logon Collector server.
You can enable the integration between the Manager and the Logon Collector server at the admin domain level.
Task
1. Navigate to Manager → <Admin Domain Name> → Integration → MLC.
The Enable page is displayed.
2. To enable the MLC integration, select the Enable MLC Integration? checkbox.
3. Enter the Server Name or IP Address and Server Port details.
4. To complete the integration, you have to synchronize the certificates between the MLC console and the Manager. Click
the Export to file link to export the Manager certificate to MLC.
5. To import the MLC certificate, select Upload MLC Certificate, import the certificate from the location by clicking Choose
File.
6. Click Save.
To test the connection, click Test Connection.
Establishment of trust between Trellix IPS Manager and Logon Collector server
Trellix Logon Collector communicates with the Manager through a two-way SSL authentication. This requires the exchange of
certificate between the Manager and the TLC server.
Export the Manager certificate, save the file to your local directory, and import the file to Logon Collector. Refer to the Trellix
Intrusion Prevention System Product Guide for exporting the Manager certificate.
Task
1. In the Logon Collector console, select Menu → Configuration → Trusted CAs.
2. Click New Authority to open the New Trusted Authority window.
3. Select Import From File, then click Browse to add the exported file saved in your local directory.
You can also use the Copy/Paste Certificate option.
4. Click Save.
By default, Trellix Logon Collector is pre-installed with a self-signed certificate. If you have a different certificate signed by a CA,
you can import this certificate and replace the existing Logon Collector certificate.
Task
1. In the Logon Collector console, go to Menu → Configuration → Server Settings.
2. In the Settings Categories section, click Identity Replication Certificate.
3. Upload the Logon Collector certificate.
a. Copy the certificate from the Logon Collector console and paste it in a newly created file in your local directory.
b. Under Import Certificate section, click Upload MLC Certificate in the New MLC Certificate option.
c. Select Upload MLC Certificate, then click Browse to add the Logon Collector certificate from your local directory.
What to do next
Note
If the existing Logon Collector certificate is changed, the clients connecting to it, such as Trellix IPS Manager, need to import
the new Logon Collector certificate.
Note
If you have upgraded the Logon Collector 3.0.10 server to Logon Collector 3.0.11 server, the existing integration between
Trellix Logon Collector and IPS Manager will not work. You need to re-import the Logon Collector certificate in such cases.
You can view user information received from the Trellix Logon Collector server in Attack Log. Refer to the Trellix Intrusion
Prevention System Product Guide for details.
Manager reports display the user information received for Logon Collector. Refer to the Trellix Intrusion Prevention System
Product Guide for more details.
Integration requirements
All Active Directory elements are treated as word queries, and can be directed to specific LDAP servers.
When these elements are used in a query, columns supporting the parameter are configured in the search window and on the
dashboard.
Parameters available
• User Name — user's name, alias, department, location
• User Groups — user's group
• User City — user's city
• User Country — user's country
• User Organization — user's company or organization
Trellix Logon Collector communicates Windows user logon events to Trellix DLP appliances. Trellix DLP appliances can map an
IP address to a Windows user name if no other authentication information is available.
When a user logs on to the network, the domain controller creates an event in the security event log. This is a special, protected
log file that can be accessed using Windows Management Instrumentation (WMI). Trellix Logon Collector uses this interface to
receive logon events and stores a mapping of the user's device IP to the user data. When Trellix LC integrates with Trellix DLP
appliances, the appliances synchronize the client IP and the user's SID from Trellix LC on to a local cache available on each
appliance.
Logon Collector is used by Trellix DLP Prevent and Trellix DLP Monitor to identify remote users when they make web requests.
When TLC is enabled, Trellix DLP appliances can map an IP address to a Windows user name if no other authentication
information is available. With TLC, remote users are identified through Security Identifiers (SIDs) instead of IP addresses, host
names, or other user parameters that are subject to change.
To start using Trellix Logon Collector with Trellix DLP appliance, you must add a TLC certificate to an appliance and then add a
Trellix DLP appliance certificate to Trellix Logon Collector.
Note
The certificate used between Trellix Logon Collector and Trellix DLP appliances must be valid, or you can't add a Logon
Collector server to the appliance. Refer to the section Authenticating Trellix DLP and Trellix Logon Collector for more
information.
Perform the following steps to connect any Trellix DLP appliance to Trellix Logon Collector so that certificates can be exchanged,
authenticating each to the other.
Task
1. To download the certificate from the Trellix DLP appliance, go to https://<APPLIANCE>:10443/certificates, then select
[Hostname.domain.crt].
2. In Trellix Logon Collector, select Menu → Trusted CAs → New Authority → Choose File, select the certificate you
downloaded, and click Save.
3. In Trellix ePO - On-prem, open the Policy Catalog
4. Select the DLP Appliance Management product, choose the Users and groups category, and open the policy that you
want to edit
5. Add the TLC server details to the Trellix DLP appliance.
a. In the Trellix Logon Collector section, select Identify users making web requests.
b. Click + to open the Add dialog box.
c. Type an IPv4 address or host name of the TLC server you want to connect to.
d. Edit the Trellix Logon Collector port if required.
6. Get the certificate text from Trellix Logon Collector.
a. In Trellix Logon Collector, select Menu → Server Settings.
b. Click Identity Replication Certificate.
c. Select the certificate text in the Base 64 field and copy it to the clipboard or into a file.
7. Return to the Add dialog box and select either Import from file or Paste from clipboard to add the certificate text.
8. Click OK to complete the Trellix Logon Collector authentication.
[Optional] Add more TLC servers.
The Trellix Logon Collector server is added to the list of servers.
Results
The connection between Trellix DLP appliance and Trellix Logon Collector is now complete.
Scalability
This chapter describes the details of the performance limits supported by Trellix Logon Collector.
Scalability details
Listed below are the performance limits for the Logon Collector:
• Users — up to 200,000
• Groups — up to 35,000
• Clients — up to 150
Troubleshooting
This chapter gives the information that may assist you with solving a problem.
Test your credentials by using the wbemtest.exe tool to connect to a domain controller and run several queries.
If you are unable to specify credentials for an administrator account, you can use a non-administrator account on the domain
controller.
Note
The administrator account that you intend to use to access the domain controller MUST be in the same domain from which
you want to obtain identities.
Successful execution of the queries verifies that the credentials, which you specified have sufficient privileges for accessing the
following on the domain controller:
Follow the steps below to use the wbemtest.exe tool to connect to a domain controller. These instructions only work if the Logon
Collector is run on a remote computer; they will not work if it is run on the local domain controller.
Task
1. Open a command prompt and navigate to \Windows\System32\WBEM.
2. Run wbemtest.exe: C:\Windows\System32\WBEM> wbemtest
The Windows Management Instrumentation Tester window appears.
Connect window
If the message Access Denied appears, you may have mis-typed the credentials, or the user account does not have the
necessary privileges. Try re-typing the credentials, and verify the user account is properly set up. If you are not using an
administrator account, you can use a non-administrator account on the domain controller.
The Windows Management Instrumentation Tester window changes to display IWbemServices and Method Invocation
Options.
Successfully authenticating to the domain controller and viewing the above window means the Logon Collector has access
to WMI and DCOM connections.
• CPU performance query — Success with this query means the Logon Collector has access to CPU performance data on the
domain controller.
• Backlog query — Success with this query means the Logon Collector has access to the security event log.
• Forward log notification query — Success with this query means the Logon Collector has access to the security event
log.
Note
You must successfully execute the CPU performance query and either one of the log queries to verify that you have the
correct credentials and therefore, sufficient access privileges.
Task
1. Connect to a domain controller.
2. Click Query.
3. Type the following query:
SELECT * FROM Win32_PerfRawData_PerfOS_Processor WHERE Name="_Total"
4. Click Apply to view the query results.
5. Click Close when the query functionality is proven successful by displaying the contents of the screen shot above.
6. Run the other queries if you have not already done so.
Task
1. Connect to a domain controller.
2. Click Query.
3. Type the following query:
SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND (EventIdentifier = 672 OR EventIdentifier = 673 OR EventIdentifier =
680 OR EventIdentifier = 4768 OR EventIdentifier = 4769 OR EventIdentifier = 4776) AND TimeWritten > 'yyyymmdd'
4. Click Apply to view the query results.
5. Click Close when the query functionality is proven successful by displaying the contents of the screen shot above.
You do not have to wait for all results to return.
6. Run the other queries if you have not already done so.
Task
1. Connect to a domain controller.
2. Click Notification Query.
3. Type the following query:
SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile = 'Security'
AND (TargetInstance.EventIdentifier = 672 OR TargetInstance.EventIdentifier = 673 OR TargetInstance.EventIdentifier = 680 OR
TargetInstance.EventIdentifier = 4768 OR TargetInstance.EventIdentifier = 4769 OR TargetInstance.EventIdentifier = 4776)
4. Click Apply.
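The three wbemtest checks above can also be run from Windows PowerShell 5.1 so the credential test can be repeated against several domain controllers. The following function is an added example, not part of the Trellix guide; it uses Get-WmiObject and Register-WmiEvent (Windows PowerShell only) and takes a placeholder domain controller name and credential from the caller.

```powershell
# Added example (not from the Trellix guide). Runs the same CPU performance, backlog and forward
# notification queries as the wbemtest procedure and applies the guide's rule: the CPU query must
# succeed together with at least one of the two security log queries.
function Test-TlcDomainControllerAccess {
    param(
        [Parameter(Mandatory = $true)] [string]       $DomainController,   # placeholder, e.g. a DC FQDN
        [Parameter(Mandatory = $true)] [pscredential] $Credential,         # the account the Logon Collector will use
        [int] $BacklogHours = 1                                            # how far back the backlog query looks
    )

    # Same logon event IDs the guide's queries use
    $eventIds = 672, 673, 680, 4768, 4769, 4776
    $idFilter = ($eventIds | ForEach-Object { "EventIdentifier = $_" }) -join ' OR '
    $tiFilter = ($eventIds | ForEach-Object { "TargetInstance.EventIdentifier = $_" }) -join ' OR '

    # WQL compares TimeWritten against DMTF datetime strings, so build the cutoff instead of a raw 'yyyymmdd' literal
    $since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-$BacklogHours))

    $cpuQuery     = 'SELECT * FROM Win32_PerfRawData_PerfOS_Processor WHERE Name="_Total"'
    $backlogQuery = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND ($idFilter) AND TimeWritten > '$since'"
    $notifyQuery  = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
                    "AND TargetInstance.Logfile = 'Security' AND ($tiFilter)"

    # Common connection parameters for every remote WMI call
    $wmi = @{ ComputerName = $DomainController; Credential = $Credential; Namespace = 'root\cimv2'; ErrorAction = 'Stop' }

    # Classify a failure the way the guide's Access Denied note does (0x80070005)
    function Get-FailureText($err) {
        if ($err.Exception.Message -match 'Access is denied|0x80070005') {
            return 'ACCESS DENIED - re-check the credentials or the account rights on the domain controller'
        }
        return "FAILED - $($err.Exception.Message)"
    }

    $result = [ordered]@{ DomainController = $DomainController }

    # 1. CPU performance query: proves the WMI/DCOM connection and basic query rights
    try   { $null = Get-WmiObject @wmi -Query $cpuQuery; $result.CpuPerformance = 'OK' }
    catch { $result.CpuPerformance = Get-FailureText $_ }

    # 2. Backlog query: proves read access to the Security event log
    try   { $rows = @(Get-WmiObject @wmi -Query $backlogQuery); $result.SecurityBacklog = "OK ($($rows.Count) events)" }
    catch { $result.SecurityBacklog = Get-FailureText $_ }

    # 3. Forward notification query: proves an event subscription on the Security log is accepted
    $sourceId = 'TlcSecurityLogProbe'
    try {
        $null = Register-WmiEvent @wmi -Query $notifyQuery -SourceIdentifier $sourceId
        $result.ForwardNotification = 'OK (subscription accepted)'
    }
    catch   { $result.ForwardNotification = Get-FailureText $_ }
    finally { Unregister-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue }

    # The guide's rule: CPU query must pass, plus at least one of the two log queries
    $result.CredentialsSufficient = ($result.CpuPerformance -eq 'OK') -and
        (($result.SecurityBacklog -like 'OK*') -or ($result.ForwardNotification -like 'OK*'))

    [pscustomobject]$result
}

# Usage with a placeholder domain controller name:
# Test-TlcDomainControllerAccess -DomainController 'dc01.corp.example' -Credential (Get-Credential)
```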
Perform the steps detailed in the KB article KB84544 to create a non-admin account on Windows 2012, 2012 R2, 2016, or 2019
servers to access the domain controller security event logs.
Note
The following list shows the three types of messages that you can receive:
• Internal messages
• Messages due to Logon Collector communication
• Messages due to Logon Monitor communication
Internal messages
The messages generated due to Logon Collector communication only occur at level 2 debug or higher.
The format of the messages generated due to Logon Collector communication is as follows:
Examples:
The following sample message can be used to understand the different parts of a message:
Note
Any number larger than 3 indicates that the link might be very slow.
• PB and CB are combined to calculate the number of bytes that are pending to be written
• LW stands for the number of lines written
• BW stands for the number of bytes written (can be used to calculate bandwidth)
The messages generated due to Logon Monitor communication occur at all levels.
Note
The messages generated due to Logon Monitor communication mostly occur at the info level.
The format of the messages generated due to Logon Monitor communication is as follows:
Examples:
The following error message will appear in the Logon Collector Status window: Access Denied (Password Change) ERROR:
[DC:nsbu-01.domain3.cai.local] Wmi [0x80070005 - Access is denied.] ConnectServer
Possible causes of this error:
• password problem
• access control
• patch mismatch
• if the system is down
• if WMI is turned off on the system
Note
• jakarta_service_20100930.log
• localhost_access_log.2010-10-12.txt
• orion.log
• orion.log1
• stderr.log
Note
Of the available logs, orion.log and orion.log1 are the most important.
orion.log is a rotating log. It has a size limit and also a limit on the total number of log files. For example, when
orion.log reaches its maximum size limit, logging rolls over to orion.log1.
Note
While troubleshooting, search for the word 'Exception' in the orion log file.
Check for 'GSS initiate failed' or 'LoginException' in the Logon Collector Active Directory communication error log records. These
error messages indicate that Trellix Logon Collector is unable to access Active Directory.
• Wrong password:
LoginException: Pre-authentication information was invalid (24)
• DNS problem:
No valid credentials are provided (mechanism level: server not found in Kerberos database (7))
• Verify that the SRV records exist for the domain to be monitored
Run the following command from the TLC server command line and verify the output against the expected
output as shown below:
• Verify that both forward DNS and reverse DNS work for the domain to be monitored
Run the following command from the TLC server command line and verify the output against the expected
output as shown below:
C:\>nslookup dc-01.domain1.cai.local
Server: net-apps.cai.local
Address: 172.25.59.11
Non-authoritative answer:
Name: dc-01.domain1.cai.local
Address: 172.25.59.80
C:\>nslookup 172.25.59.80
Server: net-apps.cai.local
Address: 172.25.59.11
Name: dc-01.domain1.cai.local
Address: 172.25.59.80
• In production environments, DNS is usually not a problem, because Windows itself relies on a correct DNS setup.
• If you are using reverse DNS, make sure that the reverse lookup entries have been added in DNS.
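The SRV, forward and reverse DNS checks described above can be scripted so that the same verification is repeatable from the TLC server. This is an added example, not a command from the guide: $Domain and $DcName are assumed parameters, and the SRV names are the standard Active Directory locator records rather than anything the guide specifies.

```powershell
# Added example (not from the Trellix guide): verifies the DNS preconditions for a monitored
# domain from the TLC server. $Domain and $DcName are assumptions (sample values in comments).
param(
    [Parameter(Mandatory)][string]$Domain,   # e.g. domain1.cai.local
    [Parameter(Mandatory)][string]$DcName    # e.g. dc-01.domain1.cai.local
)
$ok = $true
# 1. SRV records: the standard Active Directory locator records a Kerberos client resolves.
foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.$Domain") {
    $rec = Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue | Where-Object Type -eq 'SRV'
    if ($rec) { "SRV $srv -> $(($rec.NameTarget | Sort-Object -Unique) -join ', ')" }
    else { "MISSING SRV record $srv"; $ok = $false }
}
# 2. Forward lookup of the DC, then a reverse lookup of every returned address. A name that
#    does not round-trip is a typical cause of 'server not found in Kerberos database (7)'.
$fwd = Resolve-DnsName -Name $DcName -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A'
if (-not $fwd) { "MISSING forward (A) record for $DcName"; $ok = $false }
foreach ($ip in @($fwd.IPAddress)) {
    $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue | Where-Object Type -eq 'PTR'
    $names = @($ptr.NameHost | ForEach-Object { $_.TrimEnd('.') })
    if ($names -contains $DcName) { "$DcName -> $ip -> $DcName (forward and reverse agree)" }
    else { "REVERSE MISMATCH: $ip resolves to '$($names -join ', ')', not $DcName"; $ok = $false }
}
if ($ok) { "DNS checks passed" } else { "DNS checks failed; correct the records above before troubleshooting Kerberos" }
```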
If the SQL server credential changes, the TLC server cannot connect to the SQL server. As a result, users will not be able to log on
to the Logon Collector admin user interface.
Note
The WMI communication happens between the Logon Monitor and the domain controller.
The group filter status details are stored in mlc-config.xml available at C:\Program Files(x86)\Trellix\Trellix Logon
Collector\Server\conf. This file can be modified only after stopping the TLC server.
The group filter configuration is stored in a groupfilter file available at C:\Program Files(x86)\Trellix\Trellix Logon
Collector\Server\conf\mlc\. This file is non-editable.
Remember:
If you try to modify the groupfilter file, the file might get corrupt.
Trellix and FireEye are the trademarks or registered trademarks of Musarubra US LLC, FireEye Security Holdings US LLC and their affiliates in the
US and /or other countries. McAfee is the trademark or registered trademark of McAfee LLC or its subsidiaries in the US and /or other countries.
Skyhigh Security is the trademark of Skyhigh Security LLC and its affiliates in the US and other countries. Other names and brands are the
property of these companies or may be claimed as the property of others.