Trellix Logon Collector 3.0 Administration Guide
Contents

Introduction to Trellix Logon Collector ... 8
  Important terminologies ... 8
  Domain controllers and logon collection ... 8
  Deployment ... 9
  Ports used by Trellix Logon Collector ... 10
Installation ... 12
  Key considerations for installation ... 12
  Prerequisites ... 12
    Planning for installation ... 12
    System requirements ... 13
    DNS resolution requirements ... 15
  Install Trellix Logon Collector ... 15
    Download the software ... 15
    Install the software on Windows Server ... 16
    Uninstall the software ... 19
  Access the Trellix Logon Collector web interface ... 19
  Install Logon Monitor ... 20
    Install a Logon Monitor ... 20
    Uninstall Logon Monitor ... 21
Upgrade ... 22
  Key considerations for an upgrade ... 22
  Upgrade the software from 2.2 to 3.0 using the installer ... 23
  Upgrade the software from 3.0.2 to 3.0.10 using the installer ... 24
  Upgrade the software from 3.0.10 to 3.0.11 using the installer ... 25
Identities collection ... 27
  About identities collection ... 27
  Manage monitored domains ... 27
    Add a domain to monitor ... 27
      Error Scenarios in LDAP connections ... 31
    View monitored domain details ... 31
    Add Logon Monitor ... 32
      Add Logon Collector certificate to a Logon Monitor ... 32
      Add a Logon Monitor ... 32
      Remove a Logon Monitor ... 33
    Edit username and password ... 33
    Managing exchange servers ... 34
      Add an exchange server to a monitored domain ... 34
      Remove an exchange server ... 35
    Manage Query Order ... 35
    Remove a monitored domain ... 35
Server settings ... 36
  About server settings ... 36
    Active Directory User login ... 36
    Email Server ... 36
    Identity replication certificate ... 36
    Local Logon Monitor settings ... 37
    TLC Advanced Settings ... 40
      Configure Trellix Logon Collector using TLC Advanced Settings ... 40
    TLC Group / IP Ignore List ... 41
      Ignore user IP addresses and user group names ... 41
    TLC Group Filter ... 42
      Configure a group filter ... 42
      Send filtered groups to clients ... 43
    Configuring the IP address for Trellix Logon Collector server client communication ... 43
      Configure TLC Communication IP Address ... 44
    TLC User Login Timeout ... 44
      Configure TLC User Login Timeout ... 44
    Printing and exporting ... 45
    Server certificate ... 46
  About Personal Settings ... 47
  Logon Monitor configuration ... 47
    Configuration tab ... 47
    Remote tab ... 48
    Use MMC to manage Logon Monitor certificates ... 49
      Import or remove a server or client CA certificate for Logon Monitor ... 49
    Use NTLMv2 with Logon Monitors ... 49
High Availability (Clustering) ... 51
  Overview ... 51
  Configuration basics ... 51
    Prerequisites for High Availability ... 51
    High Availability setup ... 51
      Configure High Availability in Public Key Infrastructure (PKI) setup ... 55
      Error scenarios ... 55
    Check the status of cluster formation ... 56
  Configuration data replication ... 57
  Logon events replication ... 58
  Limitations ... 58
  Disable a cluster ... 59
  Reconfigure a cluster ... 60
On-demand group and user refresh ... 61
  On-demand group refresh ... 61
    Options of group refresh ... 62
      Option 1: Run ... 62
      Option 2: Edit ... 63
        Tab 1: Description ... 64
        Tab 2: Actions ... 65
        Tab 3: Schedule ... 65
        Tab 4: Summary ... 67
      Option 3: View ... 68
  On-demand user refresh ... 69
    Options of user refresh ... 70
      Option 1: Run ... 70
      Option 2: Edit ... 71
        Tab 1: Description ... 71
        Tab 2: Actions ... 72
        Tab 3: Schedule ... 72
        Tab 4: Summary ... 74
      Option 3: View ... 75
  Server Task Log ... 76
User management ... 77
  Manage users ... 77
    Add or modify a user ... 77
    Delete a user ... 77
  Manage permission sets ... 78
    Create permission sets ... 78
    Delete permission sets ... 78
    Duplicate permission sets ... 78
  Manage contacts ... 79
    Add or modify a contact ... 79
    Delete a contact ... 79
Reporting ... 80
  About the Status page ... 80
  View who is logged on ... 82
    Export report of who is logged on ... 82
  View the Audit Log ... 83
    Export the audit log ... 83
  Manage audit log queries ... 83
    Create a query group ... 83
    Delete a query group ... 84
    Edit a query group ... 84
    Create audit log queries ... 84
    Import audit log queries ... 85
    Query actions ... 85
  Define filter criteria ... 86
  Define export criteria ... 87
  View dashboards ... 87
Integration with other Trellix products ... 88
  Integration with Trellix Intrusion Prevention System Manager ... 88
    Benefits ... 88
    User groups for Sensor ... 88
    Important terms ... 89
      Identity Acquisition Agent (IAA) ... 89
      Trellix Intrusion Prevention System Manager TLC Listener ... 89
    Integration requirements ... 89
    How Logon Collector - Trellix Intrusion Prevention System Manager integration works ... 89
    Configuration details for Logon Collector integration ... 90
      Configure integration at the admin domain level ... 90
      Establishment of trust between Trellix IPS Manager and Logon Collector server ... 91
        Import the Manager certificate into Logon Collector ... 91
        Import the Logon Collector certificate ... 92
    Display of Logon Collector details ... 92
    Display of Logon Collector details in Trellix IPS Manager reports ... 92
  Integration with Trellix Network Data Loss Prevention ... 92
    Integration requirements ... 92
    Using Active Directory User elements ... 93
    How Trellix Logon Collector works with Trellix DLP appliance ... 93
    How Trellix Logon Collector enables remote user identification ... 93
    Authenticating a Trellix DLP appliance with Trellix Logon Collector ... 94
Scalability ... 95
  Scalability details ... 95
Troubleshooting ... 96
  Verify the domain credentials ... 96
    Connect to a domain controller ... 96
    Run a CPU performance query ... 99
    Run a back log query ... 100
    Run a forward log notification query ... 101
  Create a non-administrator account to access the security event log on a domain controller ... 102
  Add different Kerberos encryption types across domains ... 102
  Logon Monitor logs ... 103
    Internal messages ... 103
    Messages generated due to Logon Collector communication ... 103
    Messages generated due to Logon Monitor communication ... 104
    Common Domain Controller errors ... 105
  Logon Collector logs ... 106
    Logon Collector Active Directory communication errors log records ... 106
    Troubleshooting DNS problems ... 106
    Troubleshooting NSLookup failure ... 107
  Configure Database Settings page to connect to the SQL server ... 108
  Ports used by Trellix Logon Collector ... 108
  High memory usage of lsass.exe ... 109
  Saved group filter configuration ... 109


1| Introduction to Trellix Logon Collector

Introduction to Trellix Logon Collector


Trellix Logon Collector is software that monitors Active Directory domains and collects logon information. Trellix Logon
Collector (Trellix LC or TLC) polls Microsoft Active Directory domain controllers for user logon events and sends this information
to security appliances, which correlate network traffic with user behavior. Trellix Logon Collector is installed on separate Windows-
based servers that communicate with Active Directory, and it supports distributed deployment. A TLC deployment requires no
modification to Active Directory or the Active Directory schema and requires no agents.

Logon Monitors can be used to poll nearby domain controllers and forward collected information to the Logon Collector,
shortening the distance domain controller communication must travel.

Important terminologies
A domain is a logical group of identified resources on a network, whether users, computers, or networked application services.
These resources are collected for the domain into a distributed directory, shared in a group of domain controllers. Members of
a domain only need to authenticate one time to the closest domain controller. All the other resources in the domain are made
accessible based on their privileges in the domain.

An identity is the set of characteristics that uniquely identifies a user. A user’s identity includes user name, authentication status,
group membership, primary group, and current IP address. The user or system primary group can be fetched and passed on to
clients.

Domain controllers and logon collection


Trellix Logon Collector and Logon Monitors interact with domain controllers and enable Trellix products such as Trellix Intrusion
Prevention System Manager to continuously gather identity information. This information is used to map network transactions
to actual identities.

Each time a user logs on to the network or requires access to any domain-controlled resource such as a printer, server, or file
share, the domain controller creates an event log entry in a special, protected log file called the Security Event Log. This log file is
available to remote systems such as the Logon Collector and the Logon Monitor by way of a Microsoft interface called Windows
Management Instrumentation (WMI).

To minimize the burden that Security Event Log queries (over WMI) place on a domain controller, the Logon Collector or Logon
Monitor contacts the domain controller on behalf of all Trellix appliances that need the Security Event Log information. Each
domain controller therefore has to accommodate only a single connection instead of one connection per Trellix appliance.

Because the overhead of using WMI can be expensive, you can deploy Logon Monitors close to the domain controllers on
your network. Doing so routes the greatest amount of traffic, WMI communication between the domain controllers and Logon
Monitor, along a relatively short distance. The communication overhead between a Logon Monitor and a Logon Collector is low,
enabling you to optimize your deployment of logon collecting.
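The following added example (not code from the Trellix guide or product) shows the kind of data described above: it reads successful logon events (Security event ID 4624) from one domain controller in a single remote query and reduces them to a current user-to-IP map, skipping records that cannot map a person to an address. It assumes an account that may read the domain controller's Security log and that remote event log access to the DC is permitted; the function and parameter names are hypothetical, and it uses Get-WinEvent rather than the WMI interface the guide describes.

```powershell
function Get-RecentLogonIdentities {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DomainController,   # hypothetical parameter
        [int] $LookbackMinutes = 60,                          # hypothetical parameter
        [pscredential] $Credential                            # optional, for a non-admin reader account
    )

    # One query against one DC: the same single-connection principle the guide describes.
    $filter = @{
        LogName   = 'Security'
        Id        = 4624                                      # successful logon
        StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    }
    $params = @{ ComputerName = $DomainController; FilterHashtable = $filter; ErrorAction = 'Stop' }
    if ($Credential) { $params.Credential = $Credential }
    $events = Get-WinEvent @params

    # Logon types that tie a user to a source host: 2 interactive, 3 network,
    # 10 remote interactive (RDP), 11 cached interactive.
    $keepTypes = 2, 3, 10, 11
    $serviceAccounts = 'ANONYMOUS LOGON', 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE'
    $latest = @{}

    foreach ($ev in $events) {
        # Read the named EventData fields from the event XML instead of parsing
        # the localized message text.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $user   = $data['TargetUserName']
        $domain = $data['TargetDomainName']
        $ip     = $data['IpAddress']
        $type   = [int]$data['LogonType']

        # Skip computer accounts (name ends in $), built-in service identities and
        # events with no usable source address: none of them map a person to an IP.
        if ($keepTypes -notcontains $type) { continue }
        if (-not $user -or $user.EndsWith('$')) { continue }
        if ($user -in $serviceAccounts) { continue }
        if (-not $ip -or $ip -in '-', '::1', '127.0.0.1') { continue }

        # A single user produces many 4624 records (service tickets, SMB, etc.),
        # so keep only the most recent event per user/IP pair.
        $key = "$domain\$user@$ip"
        if (-not $latest.ContainsKey($key) -or $latest[$key].TimeCreated -lt $ev.TimeCreated) {
            $latest[$key] = [pscustomobject]@{
                User        = "$domain\$user"
                IPAddress   = $ip
                LogonType   = $type
                TimeCreated = $ev.TimeCreated
                DomainController = $DomainController
            }
        }
    }
    $latest.Values | Sort-Object TimeCreated -Descending
}

# Usage: replace the placeholder with a real domain controller name.
Get-RecentLogonIdentities -DomainController 'dc01.example.internal' -LookbackMinutes 30 |
    Format-Table -AutoSize
```

Running this repeatedly from many hosts recreates the per-appliance WMI load the guide warns about, which is why a single Logon Monitor near the domain controller should be the only reader.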

8 Trellix Logon Collector 3.0 Administration Guide


Deployment
The Trellix Logon Collector and Logon Monitor can connect to multiple domain controllers across multiple domains and forests.
Each Logon Collector can be contacted by multiple clients and can have multiple Logon Monitors. When deploying Logon
Collectors and Logon Monitors, consider the following:

• The network overhead of WMI communication can be expensive. WMI communication occurs between the domain
controller and the Logon Monitor. Trellix recommends that you use a single Logon Monitor for all your Trellix security
devices so that only one WMI session is needed on each domain controller.
• Trellix recommends that you place the Trellix Logon Collector or Logon Monitor on the same geographical location
as that of the domain controller. Communication between a Logon Monitor and the Logon Collector over a WAN link
is often faster than the communication between the domain controller and the Logon Collector over the same WAN
link. The faster the Logon Collector receives this information, the faster the client can associate an IP address with the
matching identity.
• Connect to domain controllers that add value to the monitoring strategy. The Logon Monitor should connect to the
domain controller from which the users to be monitored log on. For example, if you are monitoring in an area of the
network such as New York, and you never see users from San Francisco, then you might not need to monitor the users
that log on to a domain controller in San Francisco. Conversely, if the users in San Francisco use services in the New York
data center you are monitoring, then you will greatly benefit from watching the security event log of the San Francisco
domain controller and determining the identity of these users.
• Take advantage of the IT support infrastructure. If your infrastructure is administered by different groups of system
administrators that correspond to the already existent Windows architecture, you might want to work with them. The
Logon Collectors and Logon Monitors are installed as services on Windows Server 2012, Windows Server 2012 R2,
Windows Server 2016, or Windows Server 2019. The administration of these servers might already be part of a larger
system administration strategy, and you might want to abide by it.
• Depending on your security requirements, you might want to dedicate a separate server to run the Trellix Logon
Collector, or a pair of servers in High Availability mode. If the server on which the Trellix LC is installed is compromised,
the identity mappings that your security architecture relies on can no longer be trusted, and the domain credentials
stored on the server are exposed.
• It is important to keep the server on which the Trellix Logon Collector or Logon Monitor is installed up to date by
applying the Microsoft security patches on a timely basis. It is equally important to follow the Microsoft security best
practices to harden this server.
• If possible, remote and local access to the Logon Collector or Logon Monitor server should be limited to its
administrators only.
• Follow the instructions from the section Use NTLMv2 with Logon Collectors to securely protect the credentials in the
server and to use only secure authentication protocols.
• It is possible to configure domain controllers to allow the Logon Monitor to access the Security Event Log without using
Administrator logon credentials. This is recommended. Refer to the section Create a non-administrator account to access
the security event log on a domain controller for more details.


Trellix Logon Collector deployment

Ports used by Trellix Logon Collector


These ports must be enabled in your network.

Trellix Logon Collector Port table

Port   Component                      Protocol           Used for
8443   Logon Collector                HTTPS              Web Server Secure port
8444   Logon Collector                HTTPS              Web Server authorization port
61641  Logon Collector                JMS                Communication between Logon Collector and point
                                                         products; communication among Logon Collector
                                                         cluster members
61613  Logon Collector                JMS (STOMP)        Communication between Logon Collector and 2.0+
                                                         C client based point products
50443  Local or Remote Logon Monitor  TCP                Communication between Logon Collector and Logon
                                                         Monitor
389    Domain Controller (AD)         LDAP/Secure LDAP   LDAP or Secure LDAP query from Logon Collector
                                                         to Domain Controller

Restriction:

Trellix Logon Collector does not function if you have enabled SSL port 636 on the Domain Controllers (Active Directory) and
have disabled non-SSL port 389. Trellix Logon Collector fails to connect to Domain Controller (Active Directory) on SSL port
636. Secure LDAP from the Logon Collector is negotiated on port 389 with the LDAP StartTLS extended operation, so port 389
must stay open even when the connection is encrypted.

Note

The WMI communication happens between Logon Monitor and domain controller. WMI runs over DCOM/RPC, so the Logon
Monitor must also reach each domain controller on TCP port 135 (RPC endpoint mapper) and on the dynamic RPC port range.
These ports are not listed in the table above because the Logon Collector itself does not use them.
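The following PowerShell script is an added example, not part of the product, that checks from a point product or administrator workstation whether the ports in the table above are reachable, and flags any domain controller that does not answer on port 389. The host names lc01, lm01, dc01 and dc02 under corp.example.com are assumptions. It uses a plain TcpClient rather than Test-NetConnection so that it also runs on Windows Server 2012, whose PowerShell lacks the -Port parameter of that cmdlet.

```powershell
# Added example; not part of the Trellix Logon Collector product or this guide.
# Verifies TCP reachability of the ports in the port table. Host names are assumptions.

function Test-TcpPort {
    param([string] $ComputerName, [int] $Port, [int] $TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # timed out
        $client.EndConnect($async)
        return $true
    } catch { return $false }                                                     # refused / unresolved
    finally { $client.Close() }
}

function Test-LogonCollectorPorts {
    param(
        [Parameter(Mandatory)] [string] $LogonCollector,
        [string[]] $LogonMonitors     = @(),
        [string[]] $DomainControllers = @()
    )
    $checks = @(
        @{ Host = $LogonCollector; Port = 8443;  Use = 'HTTPS web server secure port' }
        @{ Host = $LogonCollector; Port = 8444;  Use = 'HTTPS web server authorization port' }
        @{ Host = $LogonCollector; Port = 61641; Use = 'JMS: point products and cluster members' }
        @{ Host = $LogonCollector; Port = 61613; Use = 'JMS (STOMP): 2.0+ C client point products' }
    )
    foreach ($lm in $LogonMonitors) {
        $checks += @{ Host = $lm; Port = 50443; Use = 'Logon Collector to Logon Monitor' }
    }
    foreach ($dc in $DomainControllers) {
        $checks += @{ Host = $dc; Port = 389; Use = 'LDAP / Secure LDAP (StartTLS) from Logon Collector' }
        # Not in the port table: WMI from the Logon Monitor rides on DCOM/RPC, which starts
        # at the endpoint mapper on 135 and continues on a dynamic high port.
        $checks += @{ Host = $dc; Port = 135; Use = 'RPC endpoint mapper for WMI from Logon Monitor' }
    }
    foreach ($c in $checks) {
        [pscustomobject]@{
            Host    = $c.Host
            Port    = $c.Port
            Open    = (Test-TcpPort $c.Host $c.Port)
            UsedFor = $c.Use
        }
    }
}

$results = Test-LogonCollectorPorts -LogonCollector 'lc01.corp.example.com' `
    -LogonMonitors 'lm01.corp.example.com' `
    -DomainControllers 'dc01.corp.example.com', 'dc02.corp.example.com'
$results | Format-Table -AutoSize

# A domain controller that listens only on 636 (LDAPS) cannot be monitored; see the restriction above.
$results | Where-Object { $_.Port -eq 389 -and -not $_.Open } | ForEach-Object {
    Write-Warning "$($_.Host): port 389 is closed; Trellix Logon Collector cannot query this domain controller"
}
```

Run the Logon Collector checks from a point product host and the domain controller checks from the Logon Collector and each Logon Monitor, since firewall rules usually differ per source.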


Installation
This section includes the installation process of Trellix Logon Collector and Logon Monitor.

Key considerations for installation


This section gives the details of the key considerations for installation.

When you install the Trellix Logon Collector for the first time, you might see a message that states, “The Windows registry entry
NtfsDisable8dot3NameCreation value will be changed to 0”. A value of 0 enables the creation of short (8.3) file names on NTFS
volumes.

Note

You will receive this message only if the Windows registry entry value has not already been modified.

You can either proceed by making this change in the registry or you can proceed without the change.

Note

If you accept the change in the registry and proceed, the installation location may contain spaces. If you do not accept the
change in the registry, you must ensure that the installation location path does not contain any folder with white space in its
name and that no folder name exceeds 8 characters.
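The following PowerShell function is an added example, not part of the installer, that shows the current NtfsDisable8dot3NameCreation value, the effective 8.3 state of the target volume as reported by fsutil, and whether a candidate installation path satisfies the constraints described above. The candidate paths passed at the end are assumptions.

```powershell
# Added example; not part of the Trellix Logon Collector installer.
# Checks a candidate installation path against the 8.3 short-name constraints above.

function Test-LogonCollectorInstallPath {
    param([Parameter(Mandatory)] [string] $InstallPath)

    $fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    # 0 = 8.3 names are created on all volumes; 1 = disabled on all volumes;
    # 2 = per-volume setting; 3 = disabled on all volumes except the system volume.
    $value  = (Get-ItemProperty -Path $fsKey -Name NtfsDisable8dot3NameCreation).NtfsDisable8dot3NameCreation
    $volume = [System.IO.Path]::GetPathRoot($InstallPath).TrimEnd('\')
    # fsutil reports the effective state for the volume that will hold the installation.
    $fsutil = (& fsutil 8dot3name query $volume 2>&1) -join ' '

    $problems = @()
    if ($value -ne 0) {
        # Without 8.3 names the installer needs short, space-free folder names.
        $folders = ($InstallPath.Substring($volume.Length) -split '\\') | Where-Object { $_ }
        foreach ($part in $folders) {
            if ($part -match '\s')  { $problems += "folder '$part' contains white space" }
            if ($part.Length -gt 8) { $problems += "folder '$part' is longer than 8 characters" }
        }
    }

    [pscustomobject]@{
        RegistryValue = $value
        FsutilState   = $fsutil
        InstallPath   = $InstallPath
        Acceptable    = ($problems.Count -eq 0)
        Problems      = ($problems -join '; ')
    }
}

# Assumed candidate paths: the default location and a short alternative.
Test-LogonCollectorInstallPath -InstallPath 'C:\Program Files (x86)\Trellix\Trellix Logon Collector'
Test-LogonCollectorInstallPath -InstallPath 'C:\Trellix\LC'
```

Note that the default installation location contains both spaces and folder names longer than 8 characters, so declining the registry change means also changing the destination folder in the wizard.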

Prerequisites
Review the installation prerequisites for the Trellix Logon Collector and the Logon Monitor before installing the software.

Planning for installation

Before installation, ensure that you complete the following:

• You must be logged on to the server as a local computer administrator.


• Make sure your hardware meets or exceeds the minimum requirements.
• You do not need a special passphrase or license key to install the Trellix Logon Collector or Logon Monitor software. You
can install as many instances of the Logon Collector or Logon Monitor (each on its own server) as are needed to provide
adequate coverage for the domain controllers in your monitored domain.
• For Windows Server 2012 or Windows Server 2012 R2, enable .NET framework 3.5 to successfully install Trellix Logon
Collector 3.0.

Client Server compatibility

• Logon Collector 1.0 client supports Logon Collector 1.x and 2.x servers.
• Logon Collector client supports Logon Collector 2.x servers. The client does not support Logon Collector 1.x servers.


• Logon Collector 2.2 and 3.0 client supports Logon Collector 3.0 servers. 3.0 client does not support Logon Collector 1.x
and 2.x servers.

System requirements

Trellix Logon Collector and Logon Monitor run as Microsoft Windows services on a Windows Server, and require a system that
meets these minimum requirements:

Component                              Minimum requirement

Operating System                       Any one of the following Microsoft operating systems:
                                       • Windows Server 2012 and 2012 R2 (64-bit) Standard Edition
                                       • Windows Server 2016 (64-bit) Standard Edition
                                       • Windows Server 2019 (64-bit) Standard Edition
                                       Note: Windows Server 2008 and 2008 R2 are not supported.

Operating System — Domain controllers  Any one of the following Microsoft servers:
                                       • Windows Server 2012 and 2012 R2 Standard Edition
                                       • Windows Server 2016 Standard Edition
                                       • Windows Server 2019 Standard Edition

RAM (memory)                           4 GB or higher

Disk space                             20 GB free space

Processor                              Pentium IV 2 GHz or faster

Software framework                     Microsoft .NET framework 3.5
                                       Note: Trellix highly recommends enabling the .NET framework 3.5 to
                                       successfully install Logon Collector 3.0.

Browser                                • Microsoft Internet Explorer 8.x and above
                                       • Mozilla Firefox 25 and above
                                       • Google Chrome 40 and above
                                       Note: Trellix recommends using the latest browser versions.

Network connectivity                   From Logon Collector servers to the domain controllers of the Microsoft
                                       Active Directory domain that the Logon Collector or Logon Monitor is
                                       monitoring

Resolution                             Display set to a resolution of 1024x768 or greater

Monitored Domains                      The domain user (entered while adding a domain in Logon Collector) must
                                       have access rights to the security event logs on each domain controller

Domain controllers                     The domain controller's functional level should not be higher than the
                                       Logon Collector's Windows Server version. Refer to the section Key
                                       considerations for installation for more details.
                                       Domain controllers must have port 389 enabled for LDAP and Secure LDAP
                                       queries.

JRE                                    Version 8u331 or later

Microsoft SQL Server                   A version later than Microsoft SQL Server 2008. SQL Server 2008 Express
                                       edition is accepted only by Logon Collector releases before 3.0.10; see
                                       the section Key considerations for an upgrade.

Tip

Consider installing the Logon Monitor on a virtual machine as the Logon Monitor is a less demanding application, and does
not transmit as much information as the Logon Collector.


Note

The Logon Monitor memory usage depends on the number of users and groups in its database.

DNS resolution requirements

Proper Domain Name System (DNS) resolution is a critical prerequisite for identities collection. The computers on which Trellix
Logon Collector or Logon Monitor are installed, and the client configured to collect identities, must all be configured to use a
DNS server that can:

• Resolve any domain from which logons are collected.


• Provide forward resolution for all domain controllers from which logons are collected.
• Provide reverse resolution for all domain controllers from which logons are collected.
• Provide SRV records for one or more domain controllers in the domain from which logons are collected.

Note

When the DNS settings are changed, Logon Collector discards its old DNS cache after 30 seconds and then applies the new
settings. Wait at least 30 seconds before expecting the domain to resolve with the new settings.
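The following PowerShell function is an added example, not part of the product, that checks the four requirements above from the server that will run the Logon Collector or Logon Monitor. It resolves the domain, queries the SRV records, and then checks forward and reverse resolution for every domain controller those records name. The domain corp.example.com is an assumption; the SRV record name it queries, _ldap._tcp.dc._msdcs.<domain>, is the standard Active Directory domain controller locator record, which this guide does not spell out.

```powershell
# Added example; not part of the Trellix Logon Collector product or this guide.
# Checks the DNS requirements for identities collection against the local resolver.
# Assumption: corp.example.com is the monitored domain.

function Test-LogonCollectorDns {
    param([Parameter(Mandatory)] [string] $Domain)

    $results = New-Object System.Collections.Generic.List[object]
    $add = { param($Check, $Target, $Ok, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Target = $Target; Ok = $Ok; Detail = $Detail }) }

    # 1. The domain name itself resolves (Active Directory registers the DCs' addresses under it).
    try   { $a = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
            & $add 'Domain resolves' $Domain (@($a).Count -gt 0) (($a.IPAddress) -join ', ') }
    catch { & $add 'Domain resolves' $Domain $false $_.Exception.Message }

    # 4. SRV records naming the domain's domain controllers (standard AD locator record).
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    try   { $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' }
            & $add 'SRV records' $srvName (@($srv).Count -gt 0) (($srv.NameTarget) -join ', ') }
    catch { & $add 'SRV records' $srvName $false $_.Exception.Message; $srv = @() }

    # 2 and 3. Forward and reverse resolution for every DC the SRV records name.
    foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
        try {
            $fwd = Resolve-DnsName -Name $dc -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
            & $add 'Forward (A)' $dc (@($fwd).Count -gt 0) (($fwd.IPAddress) -join ', ')
            foreach ($ip in $fwd.IPAddress) {
                try {
                    # Resolve-DnsName reverses an IP address into its in-addr.arpa PTR lookup itself.
                    $ptr   = Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop
                    $match = ($ptr.NameHost -contains $dc) -or ($ptr.NameHost -contains "$dc.")
                    & $add 'Reverse (PTR)' $ip $match (($ptr.NameHost) -join ', ')
                }
                catch { & $add 'Reverse (PTR)' $ip $false $_.Exception.Message }
            }
        }
        catch { & $add 'Forward (A)' $dc $false $_.Exception.Message }
    }
    $results
}

Test-LogonCollectorDns -Domain 'corp.example.com' | Format-Table -AutoSize
```

A reverse lookup that returns a different name than the forward lookup (an Ok of False on the PTR row) is the failure most often missed, because every other check passes while identity collection still fails.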

Install Trellix Logon Collector


Logon Monitor is installed locally on the same server when you install Trellix Logon Collector. This Logon Monitor is referenced
in the user interface as localhost.

Note

You can install Logon Monitor separately, if you need a remote Logon Monitor.

Note

If you are already running Trellix ePolicy Orchestrator - On-prem, the Logon Collector service will be incompatible with it.

Download the software

Download the bundled Trellix Logon Collector and Logon Monitor software from the Trellix website.

Task
1. Go to the Trellix Download Server (https://www.trellix.com/en-us/downloads/my-products.html).
2. Log on using your Grant Number and registered Email Address.
The Find Products page opens.
3. In the Category filter, select Utilities & Connectors.
4. Select the Trellix Logon Collector version required (for example, Trellix Logon Collector 3.0.11). The Available Downloads
page opens.


5. Download the zip file for the Logon Collector installation. Extract the files to your local directory.
6. Find the Logon Collector installation program and download it to your local directory.
The Logon Monitor is part of the Trellix Logon Collector bundle that you download.

Note

If you want to have a separate remote Logon Monitor installation, select the Trellix Logon Monitor folder and find the
installation program.

Install the software on Windows Server

The Trellix Logon Collector installation wizard will install the Logon Collector and the local Logon Monitor on any one of the
following Operating Systems:

• Windows Server 2012 (64-bit) Standard


• Windows Server 2012 R2 (64-bit) Standard
• Windows Server 2016 (64-bit) Standard
• Windows Server 2019 (64-bit) Standard

Note

The Logon Collector 3.0.10 installer or above does not contain the Microsoft SQL Server software. You should install the
Microsoft SQL Server software separately before installing the Logon Collector.

Note

You need to download and install JRE version 1.8.0_331 or later before installing Trellix Logon Collector 3.0.11.

At any point of the installation, click Back or Cancel to return to the previous step or cancel the installation, respectively.

Task
1. Navigate to the downloaded Logon Collector folder in your local directory.
2. Double-click Setup.exe.
The installation wizard for Trellix Logon Collector opens. If your system has less than 4 GB RAM, a memory error message
is displayed.
Click Yes to continue the installation with the current available memory.

Note

You can click No to cancel the installation and proceed with the same after a sufficient memory of minimum 4 GB RAM
is ensured.


A pop-up window might appear to enable the Windows 8.3 file naming convention. Click Yes to continue with the
installation.

Enabling this option generates a short name in the Windows 8.3 file naming convention for lengthy file names.

3. Click Next to continue.


The Licensing Agreement window opens. Read the license agreement, select the I accept the terms in the license
agreement option, and then click Next.
4. By default, the destination folder for the installation is set to C:\Program Files (x86)\Trellix\Trellix Logon Collector. Click
Change to select a new location.

Note

Trellix recommends that you select an empty folder or follow the default installation location format.

Click Next to continue. The Global Administrator Information window is displayed.


5. Enter the Username and Password for the Trellix Logon Collector web interface administrator. Re-enter the password
for verification purpose.
Click Next. The HTTP Port Information window opens.
6. Leave the Logon Collector ports at their default values unless a default port is already in use.

Note

You will need the Web Server Secure port for opening the Logon Collector web interface.

7. Click Next.
The Database Information window opens.
8. Enter the Database Server details and select any of the following options in the Database Information window:

• Windows authentication: Select to enter the domain and logon credentials for the server that will house the Logon
Collector database. Provide the SQL server TCP port details.

Note

The default SQL server TCP port is 1433.

• SQL authentication: Select only when you have a separate Microsoft SQL Server installation prior to the Logon
Collector installation. In this case, enter the Microsoft SQL Server user name and password that was used during
Microsoft SQL Server installation.


9. Click Next.
The Ready to Install the Program window opens.
10. Click Install to proceed.
The Specify JRE Location window opens.

Note

For more instructions on how to install JRE, see KB90879.

11. Select the location of the JRE installation files.


12. Click Next.


The Installing Trellix Logon Collector window is displayed.


13. Click Finish to complete the installation.

Uninstall the software

Follow these steps to uninstall the Trellix Logon Collector.

Task
1. On the Windows server, from the Start menu, select Control Panel, and then click Uninstall a program under the
Programs category.
2. In the Programs and Features window, select Trellix Logon Collector, then click Uninstall, and follow the on-screen
instructions.
3. If you want to remove the Trellix Logon Collector database, leave the Remove the Trellix Logon Collector database
during uninstall checkbox selected and click Next to proceed.
Configuration information such as which domains are being monitored and which Logon Monitors are connected is not
saved. If you have numerous users configured for administering Trellix Logon Collector, you might want to preserve the
database.
4. The Database Information window opens. Enter the Database Server details and credentials as per the authentication
option chosen during the installation of the software and click Next to proceed.
5. In the Remove the Program window, click Remove to proceed with the uninstallation.
6. The Files in use window opens. Choose Automatically close and attempt to restart applications option and click OK.

Note

If you opt for Do not close applications (A reboot will be required.) option, you need to reboot the server machine later
for the changes to take effect.

7. Close the Programs and Features window.

Access the Trellix Logon Collector web interface


Use the Trellix Logon Collector web interface to monitor domains and Logon Monitors, generate reports, and perform
administrative tasks.

Task
1. Open a browser and enter the URL of the Trellix Logon Collector.
For example, if you accepted the default ports, you might enter https://127.0.0.1:8443/.

Note

The value "8443" in the URL might differ depending on the installation.


Note

If you are connecting to the web interface for the first time over an HTTPS connection, your browser shows an invalid
certificate warning because the Logon Collector's certificate is not issued by a CA the browser trusts. Before you click
Continue to this website (or the equivalent), compare the certificate fingerprint shown by the browser with the fingerprint
of the certificate on the Logon Collector server, and continue only if they match.

The Log On window appears.


2. Enter the user name and password configured during installation, and click Log On.
The Main Status window of the web interface appears.
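The following PowerShell function is an added example, not part of the product, that reads the certificate the Logon Collector web server presents on its secure port and prints its fingerprints. Run it once on the Logon Collector server against 127.0.0.1, where no network attacker can interpose, and once from the workstation against the server's name; the SHA-256 values must be identical before you accept the browser warning. The default port 8443 and the host name lc01.corp.example.com are assumptions.

```powershell
# Added example; not part of the Trellix Logon Collector product or this guide.
# Reads the TLS certificate presented on the Logon Collector web server secure port.

function Get-LogonCollectorCertificate {
    param([string] $ComputerName = '127.0.0.1', [int] $Port = 8443)

    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # This probe accepts any certificate on purpose: the goal is to read it, not to trust it.
        $noValidation = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noValidation)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host       = $ComputerName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            Sha1       = $cert.Thumbprint              # what browsers label the SHA-1 fingerprint
            Sha256     = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData) |
                          ForEach-Object { $_.ToString('X2') }) -join ''
            TlsVersion = $ssl.SslProtocol
        }
    }
    finally { $client.Close() }
}

# On the Logon Collector server (trusted local path):
#   Get-LogonCollectorCertificate | Format-List
# From the administrator workstation (assumed host name):
Get-LogonCollectorCertificate -ComputerName 'lc01.corp.example.com' | Format-List
```

Keep the SHA-256 value recorded from the server with your installation notes; the browser warning will reappear whenever the certificate is regenerated, and the stored value tells you whether that was expected.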

Install Logon Monitor


A local Logon Monitor is included in the Logon Collector installation. You do not need a special passphrase or license key to
install the Logon Monitor. You may install as many instances of the Logon Monitor (each on its own server) as are needed to
provide adequate coverage for the domain controllers in your monitored domain.

You should install a Logon Monitor as close as possible to the domain controllers with which it will communicate. This minimizes
the impact of the traffic resulting from the communication.

The Logon Monitor is part of the Trellix Logon Collector download bundle.

Prerequisites:
• Earlier versions of the Logon Collector or Logon Monitor must be uninstalled before installing this version of the
software.
• You must be logged on to the server as an administrator.

Install a Logon Monitor


Task
1. Using Windows Explorer, locate the Trellix Logon Monitor folder.

Note

Download the software from the location described in the section Download the software.

2. Double-click Setup.exe.
3. The installation wizard for Trellix Logon Monitor opens. Click Next to continue.
4. The License Agreement window opens. Read the license agreement, select the I accept the terms in the license
agreement option, and then click Next.
5. By default, the destination folder for the installation is set to C:\Program Files (x86)\Trellix\Trellix Logon Monitor\. You
may click Change to select a new location. Click Next to proceed.
6. On the Ready to install the Program window, click Install.
7. For a new installation of the Logon Monitor, click Generate Self Signed Certificate on the Configuration tab of the Trellix
Logon Monitor Configuration window.
The certificate is required to communicate with Trellix Logon Collector. If you are re-installing the Logon Monitor, the
previous installation’s certificate remains in the store, and you can continue to use it.


8. Complete the configuration changes, and click OK.


9. Click Finish upon the completion of the installation process.

Uninstall Logon Monitor

Follow the steps below to uninstall a Logon Monitor.

Caution

Ensure that the Logon Monitor you want to uninstall is not being used to watch any domain controllers for any Logon
Collector.

Task
1. Using Windows explorer, locate the Trellix Logon Monitor folder, and double-click setup.exe.
2. The InstallShield Wizard for the Trellix Logon Monitor opens. Click Next to proceed.
3. On the Program Maintenance window, select Remove and click Next.
4. On the Remove the Program window, click Remove to begin the removal process.
5. The Files in use window opens. Choose Automatically close and attempt to restart applications option and click OK.

Note

If you opt for Do not close applications (A reboot will be required.) option, you need to reboot the server machine later
for the changes to take effect.

6. Click Finish upon the completion of the uninstallation process.


If you plan to reinstall the Logon Monitor, note that the previous installation's certificate remains in the store, and you can
continue to use it.


Upgrade
This section describes key considerations and the step-by-step procedure for upgrading Trellix Logon Collector from older
versions to a newer or the latest version.

Key considerations for an upgrade


Be aware of these issues before upgrading.

• You cannot upgrade from Logon Collector 2.1 to Logon Collector 3.0, because Microsoft SQL Server 2008 Express Edition is
supported only from Logon Collector 2.2 onward.

Note

If Logon Collector 2.1 is installed, you must uninstall Logon Collector 2.1 and Microsoft SQL Server 2005 Express
Edition before upgrading.

• You cannot upgrade from Logon Collector 3.0.2 to Logon Collector 3.0.9.

Note

If Logon Collector 3.0.2 is installed, you must uninstall Logon Collector 3.0.2 before upgrading to Logon Collector
3.0.9.

• The Logon Collector 3.0.10 is not compatible with Microsoft SQL Server 2008 Express edition version and the installer
does not contain Microsoft SQL Server. You have to install and configure a later version of Microsoft SQL Server
separately.

• The entire Logon Collector configuration is retained on the Logon Collector server when an upgrade is done, including
the following information:

• Configured domains
• Added certificates
• Remote Logon Monitors

After an upgrade, the local Logon Monitor settings and configuration are reset to default values. Make sure to note these values
prior to an upgrade.

Note

As with any upgrade, Trellix strongly recommends that you always first try the upgrade in a test environment. Logon
Collector 3.0 does not support upgrades from ePO versions of Logon Collector 2.x.


Upgrade the software from 2.2 to 3.0 using the installer


Before you begin
• Note the local Logon Monitor settings and configuration values. After upgrade, these values are reset to default.
• These Microsoft operating systems are supported for an upgrade:
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019

Note

.NET framework 4.5 is installed as part of Windows Server 2012 and Windows Server 2012 R2. This version has
compatibility issues with SQL Server 2008 Express. We highly recommend enabling the .NET framework 3.5 to
successfully install Logon Collector 3.0.

Use the installer you downloaded to upgrade Trellix Logon Collector.

Task
1. Navigate to the folder on your local directory that contains the downloaded Logon Collector installer. Double-click
Setup.exe and start the Logon Collector 3.0 setup.
2. Read and accept the license, and proceed with the installation.
3. Confirm the destination folder. Click Next.
4. Enter the user name and password for the Logon Collector administrator. Verify the password.
These must be the same as in the previous (Logon Collector 2.2) installation.
5. Confirm the port numbers.
Since you already have an existing database, the Microsoft SQL Server options are disabled.
6. Verify that the Database Server option in the Database Information window retains the same information as that in the
Logon Collector 2.2 installation.
Click Next. The Ready to Install the Program window opens.
7. Click Install to proceed.
The Specify JRE Location window opens.

Note

For instructions to install JRE, see KB90879.

8. Select the location of the JRE installation files.


9. Click Next to initiate the software upgrade process.
10. Once the upgrade is complete, click Finish.


Upgrade the software from 3.0.2 to 3.0.10 using the installer


Before you begin
• Note the local Logon Monitor settings and configuration values. After upgrade, these values are reset to default.
• These Microsoft operating systems are supported for an upgrade:
Windows Server 2012 (64-bit) Standard
Windows Server 2012 R2 (64-bit) Standard
Windows Server 2016 (64-bit) Standard
Windows Server 2019 (64-bit) Standard

Note

Logon Collector 3.0.10 is not compatible with Microsoft SQL Server 2008 Express and its previous versions.
You should use Microsoft SQL Server version later than the 2008 Express edition. If you are upgrading from
earlier versions of Logon Collector to the 3.0.10 version, consider the following:

Take backup of the existing SQL Server database.


If your existing database is Microsoft SQL Server 2008 Express, upgrade to a newer version of SQL
Server.
Restore the SQL Server database from the backup.
Upgrade the Logon Collector.

Use the installer you downloaded to upgrade the Logon Collector software.

Task
1. Navigate to the C:\Program Files (x86)\McAfee\McAfee Logon Collector\Server\conf folder on your local system that
contains the Logon Collector 3.0.2 installation files and back up the following folder and files. These files hold the Logon
Collector's certificate and trust configuration, so store the backup where only administrators can read it.

• mlc (folder)
• broker.ks (file)
• broker.ts (file)
• cluster.ts (file)
• mlc-config (file)

2. Uninstall the Logon Collector 3.0.2. For more information on un-installation, see Uninstall the software.
3. Install the Logon Collector 3.0.10. For more information on installation, see Install the software on Windows Server.
4. Stop the Tomcat service from the Windows Task Manager.
5. Navigate to the C:\Program Files (x86)\McAfee\McAfee Logon Collector\Server\conf folder on your local system that
contains the Logon Collector 3.0.10 installation files. Replace the folder and files with the backup taken in Step 1.
6. Click Start, go to Administrative Tools → Services and restart the Logon Collector service.
7. Log in to the Logon Collector web interface and check whether the pre-configured domain details are reflecting
properly in the Menu → Reporting → Status page.


Upgrade the software from 3.0.10 to 3.0.11 using the installer


Before you begin
• Note the local Logon Monitor settings and configuration values. After upgrade, these values are reset to default.
• These Microsoft operating systems are supported for an upgrade:
Windows Server 2012 (64-bit) Standard
Windows Server 2012 R2 (64-bit) Standard
Windows Server 2016 (64-bit) Standard
Windows Server 2019 (64-bit) Standard

Note

Trellix Logon Collector version 3.0.11 is not compatible with Microsoft SQL Server 2008 Express and its
previous versions. You should use Microsoft SQL Server version later than the 2008 Express edition. If you are
upgrading from earlier versions of Logon Collector to the 3.0.11 version, consider the following:

Take backup of the existing SQL Server database.


If your existing database is Microsoft SQL Server 2008 Express, upgrade to a newer version of SQL
Server.
Restore the SQL Server database from the backup.
Upgrade the Logon Collector.

Use the installer you downloaded to upgrade the Logon Collector software.

Task
1. Navigate to the C:\Program Files (x86)\McAfee\McAfee Logon Collector\Server\conf folder on your local system that
contains the Logon Collector 3.0.10 installation files and back up the following folder and files. These files hold the Logon
Collector's certificate and trust configuration, so store the backup where only administrators can read it.

• mlc (folder)
• broker.ts (file)
• cluster.ts (file)
• mlc-config (file)

2. Uninstall the Logon Collector 3.0.10. For more information on un-installation, see Uninstall the software.
3. Install the Logon Collector 3.0.11. For more information on installation, see Install the software on Windows Server.
4. Stop the Tomcat service from the Windows Task Manager.
5. Navigate to the C:\Program Files (x86)\Trellix\Trellix Logon Collector\Server\conf folder on your local system that
contains the Trellix Logon Collector 3.0.11 installation files. Replace the folder and files with the backup taken in
Step 1.
6. Click Start, go to Administrative Tools → Services and restart the Logon Collector service.
7. Log in to the Logon Collector web interface and check whether the pre-configured domain details are reflecting
properly in the Menu → Reporting → Status page.
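The following PowerShell script is an added example, not the product's own tooling, that performs the backup and restore steps of the two preceding procedures (3.0.2 to 3.0.10 and 3.0.10 to 3.0.11) in a repeatable way: it copies the listed folder and files to a timestamped backup folder readable only by Administrators and SYSTEM, records SHA-256 hashes, and on restore verifies the copied files against those hashes before starting the service again. The conf paths follow the steps above; the backup location D:\Backups and the service display name pattern are assumptions, and you should confirm the actual service name with Get-Service on your server. It needs Windows PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example; not the Trellix Logon Collector product's own tooling.
# Backs up and restores the conf files named in the upgrade procedures above.

function Backup-LogonCollectorConf {
    param(
        [Parameter(Mandatory)] [string]   $ConfPath,
        [Parameter(Mandatory)] [string]   $BackupRoot,
        [string[]] $Items = @('mlc', 'broker.ks', 'broker.ts', 'cluster.ts', 'mlc-config')
    )
    $dest = Join-Path $BackupRoot ('lc-conf-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $dest | Out-Null
    # The keystore and truststores are key material: strip inherited ACLs so that only
    # Administrators and SYSTEM can read the backup.
    & icacls $dest /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

    $manifest = foreach ($name in $Items) {
        $src = Join-Path $ConfPath $name
        if (-not (Test-Path $src)) { Write-Warning "$src not found (the file lists differ between releases)"; continue }
        Copy-Item -Path $src -Destination $dest -Recurse -Force
        Get-ChildItem -Path (Join-Path $dest $name) -Recurse -File | Get-FileHash -Algorithm SHA256
    }
    $manifest | Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
    return $dest
}

function Restore-LogonCollectorConf {
    param(
        [Parameter(Mandatory)] [string] $BackupPath,
        [Parameter(Mandatory)] [string] $ConfPath,
        [string] $ServiceDisplayNamePattern = '*Logon Collector*'    # assumption: confirm with Get-Service
    )
    $svc = Get-Service | Where-Object { $_.DisplayName -like $ServiceDisplayNamePattern }
    $svc | Where-Object Status -eq 'Running' | Stop-Service -Force

    $manifest = Import-Csv (Join-Path $BackupPath 'manifest.csv')
    foreach ($entry in $manifest) {
        # Restore only what was backed up, recreating the same relative layout under conf.
        $target = $entry.Path.Replace($BackupPath, $ConfPath)
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        Copy-Item -Path $entry.Path -Destination $target -Force
    }
    # Verify before bringing the service back; a failed restore leaves the service stopped on purpose.
    $bad = foreach ($entry in $manifest) {
        $target = $entry.Path.Replace($BackupPath, $ConfPath)
        if ((Get-FileHash $target -Algorithm SHA256).Hash -ne $entry.Hash) { $target }
    }
    if ($bad) { throw "Restore verification failed for: $($bad -join ', ')" }
    $svc | Start-Service
}

# 3.0.10 to 3.0.11 (the file list for this step omits broker.ks, as in the procedure above):
$backup = Backup-LogonCollectorConf -BackupRoot 'D:\Backups' `
    -ConfPath 'C:\Program Files (x86)\McAfee\McAfee Logon Collector\Server\conf' `
    -Items 'mlc', 'broker.ts', 'cluster.ts', 'mlc-config'
# ... uninstall 3.0.10 and install 3.0.11, then:
Restore-LogonCollectorConf -BackupPath $backup `
    -ConfPath 'C:\Program Files (x86)\Trellix\Trellix Logon Collector\Server\conf'
```

For the 3.0.2 to 3.0.10 upgrade, call Backup-LogonCollectorConf with the default -Items list, which includes broker.ks, and restore into the McAfee Logon Collector conf path. After the restore, still confirm the monitored domains on the Menu → Reporting → Status page as step 7 describes.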


Important

If you have existing integration with other Trellix products like Trellix Intrusion Prevention System Manager, the
integration between Trellix Logon Collector and IPS Manager will not work after the upgrade. You need to re-import
the Logon Collector certificate in such cases. Refer to the section Integration with Trellix Intrusion Prevention System
Manager for more details.


Identities collection
This section gives the details of identities collection.

About identities collection


Identities can be collected in one of the following ways:

• Monitor a domain with a local Logon Monitor: Any Logon Collector installation contains the Logon Monitor. You must
add a domain that the Logon Collector collects information from.
• Monitor a domain with a remote Logon Monitor: You can add remote Logon Monitors to the Logon Collectors.
See the Deployment section for a discussion of when to use Logon Monitors to monitor a domain.

Manage monitored domains


You can manage the domains that are monitored in the Monitored Domains page. In this page you can perform the following
tasks:

• Add a new domain


• View the monitored domain details
• Edit username and password
• Manage Exchange Servers/Domain Controllers
• Manage Query Order
• Remove a monitored domain

Identity Data Store (IDDS) is the in-memory database specific to Trellix Logon Collector. The Trellix LC enforces a size limit:
the total number of directory objects (users and groups) loaded into IDDS must always be less than 200000. Make sure that the
domain you are adding to the Trellix LC does not push the total over this limit; check the existing number of users and groups in
IDDS before adding a new domain. Exceeding the size limit stops Trellix Logon Collector from monitoring all of its domains, and
the clients lose their connection to it.
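The following PowerShell function is an added example, not part of the product, that counts the users and groups a domain would add to IDDS before you add it, and compares the total with the 200000 limit. It connects the way the Logon Collector does, LDAP on port 389 with TLS negotiated by StartTLS rather than LDAPS on port 636, so a StartTLS failure here also predicts a failure when you select Secure LDAP in the Monitored Domains page. The domain controller dc01.corp.example.com, the domain corp.example.com and the credential prompt are assumptions.

```powershell
# Added example; not part of the Trellix Logon Collector product or this guide.
# Counts users and groups in a domain over LDAP/389 with StartTLS and checks the IDDS limit.

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-DirectoryObjectCount {
    param(
        [Parameter(Mandatory)] [string]       $DomainController,
        [Parameter(Mandatory)] [string]       $Domain,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [switch] $NoStartTls,
        [int]    $IddsLimit = 200000
    )
    $id      = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $DomainController, 389
    $netCred = $Credential.GetNetworkCredential()
    $auth    = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn    = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id, $netCred, $auth
    $conn.SessionOptions.ProtocolVersion = 3
    if (-not $NoStartTls) {
        # StartTLS upgrades the cleartext 389 session to TLS before the bind sends credentials.
        # It fails when this machine does not trust the DC's certificate, which is the same
        # decision the Secure LDAP certificate window asks you to make deliberately.
        $conn.SessionOptions.StartTransportLayerSecurity($null)
    }
    $conn.Bind()

    $baseDn  = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $filters = @{ users = '(&(objectCategory=person)(objectClass=user))'; groups = '(objectClass=group)' }
    $count   = @{}
    foreach ($kind in $filters.GetEnumerator()) {
        $filter = $kind.Value
        $attrs  = [string[]]@('distinguishedName')
        $req    = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $baseDn, $filter, 'Subtree', $attrs
        # Paged results: a DC returns at most MaxPageSize (1000 by default) entries per page.
        $page   = New-Object System.DirectoryServices.Protocols.PageResultRequestControl -ArgumentList 1000
        $req.Controls.Add($page) | Out-Null
        $n = 0
        do {
            $resp   = $conn.SendRequest($req)
            $n     += $resp.Entries.Count
            $cookie = ($resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }).Cookie
            $page.Cookie = $cookie
        } while ($cookie -and $cookie.Length -gt 0)
        $count[$kind.Key] = $n
    }
    $conn.Dispose()

    $total = $count.users + $count.groups
    [pscustomobject]@{
        Domain          = $Domain
        Users           = $count.users
        Groups          = $count.groups
        Total           = $total
        WithinIddsLimit = ($total -lt $IddsLimit)
        Tls             = (-not $NoStartTls)
    }
}

$cred = Get-Credential -Message 'Monitoring account for the domain'
Get-DirectoryObjectCount -DomainController 'dc01.corp.example.com' -Domain 'corp.example.com' -Credential $cred
```

The limit applies to everything in IDDS, so add this domain's Total to the user and group counts of the domains already monitored before deciding; run the function once per domain and sum the results.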

The following sections give you more information on managing the monitored domains.

Add a domain to monitor


Before you begin

Enter the credentials for the domains that are monitored directly by Trellix Logon Collector.

• Obtain management access to the client that polls a given domain for identities.
• Install and configure Trellix Logon Collector.
• Acquire the appropriate domain credentials from your Windows domain administrator.
The administrator account you intend to use to access the domain controller must be in the same domain from which
you want to obtain identities.


Note

If you want to use an account other than the administrator account, see the section Create a non-administrator account to
access the security event log on a domain controller.

Follow these steps to add a monitored domain:

Task
1. Select Menu → Configuration → Monitored Domains.
2. Click New Domain. The Domain Name tab is displayed.

Update the following fields:

Parameter      Description

Domain Name    Type the name of the domain in the Domain Name field.

Secure LDAP    Secure LDAP is a feature where the LDAP connection is encrypted with Transport Layer Security (TLS) to
               protect the data exchanged. Before enabling this feature, verify that Secure LDAP is also enabled on the
               domain controller. Secure LDAP communication between the Trellix Logon Collector and the domain controller
               runs on port 389 (TLS negotiated with StartTLS); an SSL connection on port 636 is not used.
               1. Select the Secure LDAP checkbox if you want to enable secure LDAP communication between the Trellix
                  Logon Collector and the domain controller.
                  The domain certificate window is displayed with the certificate details. The domain certificate is
                  issued by the Certification Authority (CA) that is set up for the domain controller.

                  Note: The domain certificate window displays the following information:
                  • Subject - the computer name of the domain controller presenting the certificate
                  • Issuer - details of the issuer
                  • Issued On - the date the certificate was issued
                  • Expires On - the expiry date of the certificate
                  • SHA 1 Fingerprint - the SHA-1 hash of the certificate (40 hexadecimal digits)
                  • MD 5 Fingerprint - the MD5 hash of the certificate (32 hexadecimal digits)
                  Compare the fingerprint with the value your domain administrator provides before you click OK;
                  accepting an unverified certificate defeats the purpose of enabling TLS.
               2. Click OK to close the window.
                  Note: The Secure LDAP feature is enabled only when you click OK. It remains disabled when you click
                  Cancel.

User Name      Type the name of the user of the monitored domain. By default, only the admin user of the domain can be
               added. To add non-admin users, permissions must be set on the domain controller.

Password       Type the password for the user name.

3. Click Next. The Domain Controller tab is displayed.


Connections are made to each domain controller belonging to that particular domain. If the connection is not successful
with any of the domain controllers, an error message with the details of the failure is displayed.
4. For each listed domain controller, specify a primary and, optionally, a backup logon monitor.
To add a backup logon monitor, click the New Logon Monitor button in the Logon Monitors page.
a. Click the drop-down list under Primary and select a Logon Monitor.
b. [Optional] Click the drop-down list under Backup and select a Logon Monitor that operates if the
primary logon monitor is unavailable.
c. Click Next. The Query Order tab is displayed.

5. Click the up or down arrow buttons to move and arrange the domain controllers in the list. Only those domain
controllers for which the Logon Collector is chosen are displayed in this page. Specify the order in which LDAP queries
are made to the domain controllers for user and group information. In general, the closest domain controllers should
be placed at the top of the list to increase response times and reduce network bandwidth.
The Secure LDAP checkbox is displayed as selected, if you have already selected this option in the Domain Name tab.

Note

If the Secure LDAP checkbox is selected in the Domain Name tab while adding a domain, one of the Domain Controllers
in the Query Order tab will automatically have this option selected.

6. Click Save to save the changes.

Example
Note

If a domain controller is disconnected, the LDAP query fails and the status button goes red. By default, Trellix Logon
Collector is configured to perform LDAP query every 12 hours. If the status shows red even after the network connection is
re-established, Trellix recommends removing the domain and adding it again.

When there is a change in domain controller's certificate, remove the domain and add it again from the Monitored Domains
page.

In Secure LDAP, TLS encryption is established using the StartTLS command. Authentication during binding and unbinding of the
LDAP connection to the domain controller is done using Kerberos and not TLS. So, when the communication is viewed using a
packet analyzer tool, it can be observed that only the data packets are encrypted and not the bind and unbind exchanges.


In the High Availability mode, when the primary Logon Collector server goes down, all configurations including the Secure LDAP
connection that is enabled are replicated from the primary Logon Collector server to the secondary Logon Collector server.

The domain controllers that are connected to the primary Logon Collector server switch over to the secondary Logon Collector
server when the primary Logon Collector server becomes unreachable. If the Secure LDAP communication is enabled in the
primary Logon Collector server, the connection remains enabled even after the switch-over.

After the switch-over, configuration changes can only be made in the active secondary Logon Collector server. When the
primary Logon Collector comes up again, it receives the replicated configuration from the active secondary Logon Collector
server, including the Secure LDAP configuration.

When both the primary and the secondary Logon Collector servers go down, the server that comes up first becomes the active
Logon Collector server.

Error Scenarios in LDAP connections

The LDAP connection to the domain controller may fail in certain scenarios. The following are some of the reasons that
could cause an error:

• Time mismatch between Trellix Logon Collector and the domain controller.
• The DNS information is incorrect.
• The username and password do not match.
• In a Secure LDAP scenario, you may experience connectivity issues to the domain controller when TLS is not enabled.

View monitored domain details

This section describes the details that can be viewed for the monitored domains.

Task
1. Select Menu → Configuration → Monitored Domains. The Monitored Domains page is displayed.
2. In the left panel, select the domain in the Domains list. The following details are displayed in the right panel.

Domain Name
    Displays the name of the domain that is monitored.

User Name
    Displays the name of the user in the monitored domain.

Domain Controllers
    Displays the name of the domain controllers, the configured logon monitor, and the LDAP communication type
    (Secure or Non Secure).

Exchange Servers
    Displays the exchange server IP address and the configured logon monitor.

Note

To search for a monitored domain, you can use the Filter list text field in the left panel and type the name of the
monitored domain.

Add Logon Monitor

This section describes how to add a remote Logon Monitor to Trellix Logon Collector.

Add Logon Collector certificate to a Logon Monitor

Before you can add any remote Logon Monitor to a monitored domain on Trellix Logon Collector, you must first provide the
Logon Collector certificate information to the Logon Monitor.

Task
1. Install the Logon Monitor and have the Trellix Logon Monitor Configuration application running.
2. Open a web browser on the computer on which you installed the Logon Monitor.
You will be trading information between the Logon Monitor and Trellix Logon Collector. Having a web browser open with
Trellix Logon Collector web interface makes this task easier to accomplish.
3. Log on to the Trellix Logon Collector web interface and select Menu → Configuration → Server Settings.
4. Click Identity Replication Certificate in the list of Setting Categories.
5. In the Trellix Logon Monitor Configuration application, click the Remote tab.
6. If necessary, click New to add a new certificate to the Logon Monitor.
7. Copy the value for Common Name (CN) on the Logon Collector to the Common Name field on the Logon Monitor.
8. In the Trellix Logon Collector web interface, scroll down until Logon Monitor Fingerprint field is visible.
9. Copy the value for Logon Monitor Fingerprint on the Logon Collector to the Certificate Hash field on the Logon Monitor.
10. Click OK.
11. Repeat these steps for any other Logon Collectors that the Logon Monitor will be communicating with.
With the Logon Collector certificate(s) on the Logon Monitor, you can add the Logon Monitor to any of the Logon
Collectors to collect logons for a monitored domain.

Add a Logon Monitor


Task
1. Select Menu → Configuration → Logon Monitors.
2. Click New Logon Monitor.
3. Type a name for the remote Logon Monitor in the Logon Monitor Name field.
The name is an arbitrary label used within Trellix Logon Collector to identify the Logon Monitor.


4. Type the host name or IP address for the remote Logon Monitor.
5. Type the port number, or accept the default value of 50443.
6. Click Next or OK depending on how you are adding the Logon Monitor.
A connection is attempted to the Logon Monitor.

• If the connection is successful, the certificate is displayed. To accept the certificate, click Save or OK depending on
how you are adding the Logon Monitor.
• If the connection is unsuccessful, an error message is displayed.

Remove a Logon Monitor

If you want to remove a remote Logon Monitor, you must ensure it is not monitoring any domain controllers.

Follow these steps to remove a Logon Monitor.

Task
1. Select Menu → Configuration → Monitored Domains.
2. Select a domain and then click Manage Exchange Servers / Domain Controllers.
3. For each domain controller, ensure the Logon Monitor you want to delete is not listed as either the Primary or Backup
Logon Monitor.
If the Logon Monitor is listed, click the drop-down list and select a different Logon Monitor.
4. Repeat steps 2 and 3 until you are sure the Logon Monitor you want to delete is not being used.
5. Select Menu → Configuration → Logon Monitors.
6. Select the Logon Monitor you want to delete, then click Delete Logon Monitor.
7. Click OK to confirm the deletion.

Edit username and password

Sometimes, the password needs to be reset for some users in the domain controller. When it is reset, you should edit it in the
Trellix Logon Collector web interface. The following are the steps to edit the username or password.

Task
1. Select Menu → Configuration → Monitored Domains. The Monitored Domains page is displayed.
2. Click Edit Username/Password. The following fields are displayed.

Domain Name
    Displays the name of the domain that is monitored. This field is not editable.

User Name
    Displays the name of the user for the monitored domain. Edit the username if required.

Password
    Type the password for the user that is reset in the domain controller.

3. Click Save to save the changes.

Managing exchange servers

Trellix Logon Collector can monitor exchange servers. It supports logon events for users logging in through the Microsoft Outlook
thick client or Outlook Web Access (OWA) from web browsers running on Windows and Mac systems.

Note

POP3 and IMAP clients are not supported.

Add an exchange server to a monitored domain

You can add an exchange server and monitor logon events from Outlook users. View the Status page for the added exchange
servers.

Note

You can add an exchange server only to an existing monitored domain.

Task
1. Select Menu → Configuration → Monitored Domains. The Domains page is displayed.
2. Select a domain and click Manage Exchange Servers / Domain Controllers.
3. In the Exchange Servers area, click Add Exchange Server.
4. In Exchange Server, enter the fully qualified domain name (FQDN) of the exchange server.

Note

Trellix recommends adding an exchange server's IP address to the IP Ignore List. Navigate to Menu → Configuration →
Server Settings. Select TLC Group / IP Ignore List and enter the server IP address.

5. Under Logon Monitor, go to Primary drop-down list and select localhost if you want to use TLC server's local Logon
Monitor. Otherwise, select a remote Logon Monitor if the Logon Monitor is installed on a different system.
6. [Conditional] If you have more than one Logon Monitor, you can select a backup Logon Monitor from the Backup
drop-down list.


Note

You can select a local Logon Monitor as primary and a remote Logon Monitor as backup or vice versa. Alternatively, you
can select different remote Logon Monitors as primary and backup.

Note

TLC server uses the backup Logon Monitor if the primary Logon Monitor goes down.

7. Click Save.
8. Click Status → <domain name> → Controller Logon Collecting. Make sure the Message area's Status displays Collecting
logons from <exchange server>.

Remove an exchange server

You can remove and stop monitoring logon events from an exchange server.

Task
1. Select Menu → Configuration → Monitored Domains.
2. Select a domain and click Manage Exchange Servers / Domain Controllers.
3. From the existing Exchange Servers, decide on the exchange server you want to delete and click Delete Exchange
Server.

Manage Query Order

You can set the order in which the LDAP queries are made.

Task
1. Select Menu → Configuration → Monitored Domains and click Manage Query Order. The Active Directory Query Order
page is displayed.
2. Click the up or down arrow buttons to move and arrange the domain controllers in the list. Only those domain
controllers for which Trellix Logon Collector is chosen will be displayed in this page. Specify the order in which LDAP
queries are made to the domain controllers for user and group information. In general, the closest domain controllers
should be placed at the top of the list in order to increase response time and reduce network bandwidth.
3. Select or clear the Secure LDAP checkbox to enable or disable Secure LDAP communication.
4. Click Save to save the changes.

Remove a monitored domain

You can remove a monitored domain from Trellix Logon Collector whenever required.

Task
1. Select Menu → Configuration → Monitored Domains.
2. Click Remove Domain.
3. Click OK to confirm the removal of the monitored domain.



5| Server settings

Server settings
This section gives the configuration details as well as the different features in the Server Settings window.

About server settings


Use the Server Settings window to configure a variety of settings. To edit a particular setting:

Task
1. Select Configuration → Server Settings.
2. Select a setting category and click Edit in the lower right corner of the window.
3. Edit the information and click Save.

Active Directory User login

Select this option to allow Active Directory users to log on to Trellix Logon Collector if they have at least one permission set.

Email Server

Specify the email (SMTP) server to be used for emailing reports.

SMTP server name
    Name of the SMTP server.

SMTP server port
    Port number of the SMTP server, usually port 125.

Authentication
    The method of authentication, if any, for the SMTP server. Select Authenticate and specify the required credentials if
    the specified SMTP server requires authentication.

From address
    The email address to be included in the From field.

Identity replication certificate

The identity replication certificate identifies Trellix Logon Collector to other entities with which it communicates and establishes
a trusted connection. For example:


• The Logon Monitor Fingerprint value is provided to a Logon Monitor.
• The Base 64 value is provided to clients.
You can generate a new self-signed certificate or use a provided certificate and private key by browsing to their locations. You
must also provide a passphrase, if there is one, when you use a provided certificate.

Changing the certificate can lead to any one of the following problems:

• Existing clients may not be able to reconnect.
• The High Availability cluster might break.

Local Logon Monitor settings

Configure the local Logon Monitor settings.

Distinguished Name
    Contains the Common Name and other attributes that the local Logon Monitor needs to identify the certificate found in
    its store (see Store Name below) to be used to authenticate to the Trellix Logon Collector server.
    For example, cn=dlc.centserv.org,o=centserv,c=us could be the Distinguished Name, comprised of the certificate’s
    Common Name (cn), organization name (o) and country of origin (c). To use a self-signed certificate, you only need to
    use the Common Name (prefixed with cn=) for identification.

Store Name
    The Store Name, or Certificate Store name, is where the local Logon Monitor looks to find its certificates. The default
    setting for the Store Name is TrellixLogonMonitor\MY. This uses the Store Type CERT_SYSTEM_STORE_SERVICES.

Store Type
    Certificate stores are organized by type. The default type (CERT_SYSTEM_STORE_SERVICES) should suffice in most
    instances.

Server Port
    The port for the local Logon Monitor service to listen on. As long as another service is not listening on the specified
    port, use your choice of port. The default is port 50443. Valid port numbers are 1-65535.

Certificate Checking
    Specifies the type of check to perform on any Accepted Remote Certificates.
    • Certificate Hash — [Recommended] Verifies that the hash configured for the given common name matches the hash
      stored.
    • Certificate Store — The certificate must be signed by a certificate authority found in the Certificate Store.
    • Certified Not Required — No certificate check is performed. This option does not provide secure communications to
      access Trellix Logon Collector.
    Trellix recommends using Certificate Hash as the most secure method.

Connection Type
    Specifies whether the Logon Collector connection is encrypted or not. This setting is intended for troubleshooting only.
    It must be set to the default value (Encrypted TLS), or Trellix Logon Collector may not function correctly.

Debug Level
    The amount of information written to the log file. The level of detail increases with the debug level. The default value
    is zero (0), with no extra log detail recorded.

File Location
    Where the log file is stored on the system. By default, the installation location for Trellix Logon Collector is
    C:\Program Files (x86)\Trellix\Trellix Logon Collector\Login Collector.

File Size
    The maximum size, in kilobytes, to which the log file may grow before rotating. The system keeps up to five log files
    in the selected location. LoginMonitor.log is the most recent file, followed chronologically by LoginMonitor.log.1 to
    LoginMonitor.log.4.

Authentication Type
    The type of authentication for the connection between the local Logon Monitor service and any domain controllers.
    Kerberos and NTLM authentication are supported, with Kerberos as the default.

CPU Disconnect Threshold
    Specifies when the local Logon Monitor introduces rate-limiting if services on a monitored domain controller consume
    too much CPU too quickly. If the CPU threshold is crossed, the local Logon Monitor stops polling a domain for twenty
    minutes. After the twenty minute window, which should give the CPU time to handle its load, the local Logon Monitor
    reconnects. If you find that the local Logon Monitor frequently resorts to rate-limiting, try disabling the Allow
    Backlog Queries option.

Maximum Backlog Records
    Maximum number of records for which a backlog query will run.

Allow Backlog Queries
    Specifies whether the local Logon Monitor checks the domain controller security event logs for identity-related events
    that may have occurred while it was not connected. With this option enabled, the local Logon Monitor can query back
    into the time it was disconnected rather than simply resuming at the time it reconnects. Note that backlog querying
    cannot occur when the local Logon Monitor first connects to the domain controller. The query is done for the value of
    Maximum Backlog Records or until the time of the last connection, whichever comes first.
    Backlog queries are likely to affect the performance of heavily loaded or legacy computers and are not recommended.
    If you find that the local Logon Monitor is frequently resorting to rate-limiting, try disabling this feature.

Accepted Remote Certificates
    Certificates from remote Logon Collectors accepted by this Logon Collector. Certificates must pass the criteria defined
    in Certificate Checking.

TLC Advanced Settings

This section describes the advanced configuration settings of Trellix Logon Collector (TLC) server. The Logon Collector
configuration file has the parameters to configure the TLC server.

You can use the TLC Advanced Settings option to configure these settings.

• Domain Controller Backoff Time — Trellix Logon Collector stops sending the WMI queries to the domain controller if
the CPU usage of the latter is beyond the configured CPU threshold. It waits for 20 minutes by default before sending the
WMI queries to that domain controller.

Caution

Setting too small a value for controllerbackofftime is not recommended, as it might increase the load on the domain
controller. Trellix recommends a minimum value of 10 minutes.

• TLC V1 Compatibility — Logon Collector versions 1.0 and 1.0.1 do not propagate user or group name changes in
Active Directory to the clients. Logon Collector version 3.0 does propagate user and group name changes to the clients.
By default, Logon Collector version 3.0 runs in compatibility mode.
• Remove White Space from Unique Name — Logon Collector 1.x used an algorithm for generating the uniqueName of user
and group objects that removed white space. As a result, the algorithm did not produce a unique uniqueName. Example:
  Group 1: cn: ProductServices, un: ProductServices@DistributionLists.scur.com
  Group 2: cn: Product Services, un: ProductServices@DistributionLists.scur.com

Note

The same "un" is generated for Group 1 and Group 2 even though their "cn"s are different.

Configure Trellix Logon Collector using TLC Advanced Settings

Navigate to Server Settings → TLC Advanced Settings to configure advanced settings for Trellix Logon Collector. Alternatively,
you can configure these settings using the Logon Collector configuration XML file.


Task
1. Select Menu → Configuration → Server Settings.
2. Select TLC Advanced Settings and click Edit. The Edit TLC Advanced Settings page is displayed.
3. [For Logon Collector setting] In the Domain Controller Backoff Time field, enter the time in minutes.
4. [For clients] Select or deselect the TLC V1 Compatibility checkbox. By default, this checkbox is selected.
5. [For clients] Select or deselect the Remove White Space from Unique Name checkbox. By default, this checkbox is
deselected.

Note

In Trellix Logon Collector, these user and user group names remain as-is.

6. Click Save.
7. Restart the TLC service.

TLC Group / IP Ignore List

Trellix Logon Collector gives you the option to ignore user IP addresses and user group names based on your monitoring needs.

In many organizations, there are Exchange Servers. When users log on to OWA, the domain controller gets the IP Address of the
Exchange Server. The system administrator can add the exchange server IP Address to the IP Ignore List.

Similarly, many systems are configured to perform automated tasks. These systems continuously log on to the domain
controller using bot user credentials. The system administrator can create a user group, add these bot users to the group,
and add that user group to the Group Ignore List.

• Group Ignore List — If a user is a member of a group and that user group name (or one of its parent groups) is added to
the Group Ignore List, all logon events from that user are ignored.
• IP Ignore List — If a user logs on from an IP address that is added to the IP Ignore List, all logon events from that
IP address are ignored.

Ignore user IP addresses and user group names

You can select Server Settings → TLC Group / IP Ignore List to ignore user IP addresses and user group names.

Task
1. Select Menu → Configuration → Server Settings.
2. Select TLC Group / IP Ignore List and click Edit. The Edit TLC Group / IP Ignore List page is displayed.
3. In Group Ignore List, enter the user group names as comma-separated values.
4. In IP Ignore List, enter the user IP addresses as comma-separated values.
5. Click Save.


TLC Group Filter

A group filter in Trellix Logon Collector enables you to filter user groups and send only relevant information to clients like Trellix
Intrusion Prevention System Manager.

The group filter feature optimizes the data sent to clients from Trellix Logon Collector. Filtered user groups also reduce the
volume of transactions in the network and enable clients to use fewer resources when caching the data from Trellix LC.

The TLC Group Filter option is available under Menu → Configuration → Server Settings → Setting Categories.

Considerations for High Availability mode


Make sure to take care of these points when Trellix Logon Collector is in High Availability mode:

• The group filter settings can be configured on the primary server only.
• Group filter configuration is replicated from the primary to the secondary server.
• When the secondary server is in standby mode, it is not possible to make group filter changes.
• If the primary goes down, you can make group filter changes from the secondary server.

Configure a group filter

You can create a group filter and send only relevant details to clients.

Before you begin


If the client is connected, disconnect the client from Trellix Logon Collector server prior to configuring the group filter.

Note

If the client is in connected state before configuring a group filter, the client has already received all the user groups instead
of the filtered user groups.

For option definitions, press F1 or click Help in the interface.

Task
1. Go to Menu → Configuration → Server Settings → Setting Categories and click TLC Group Filter.
2. Click Edit. The Edit TLC Group Filter page is displayed.
3. Select the Enable Filter checkbox.
4. From Quick Find, select ALL DOMAINS or a specific domain. The Available Groups and details for the domain are
displayed.

Tip

You can also enter a search keyword and click Apply.


5. Press the Ctrl key and select the user groups from the list. Click Add. The Added Groups are displayed.

Note

You can click Add all to select all user groups. If you then click Save, the group filter is disabled. This is because all user
groups are selected and no filter as such is created.

Note

If you wish to remove any user groups, click Remove to refine your filter.

6. Click Save. The group filter is configured and the TLC Group Filter page is displayed.

Results

You can now connect the client to Trellix Logon Collector so that it can receive only filtered user groups and details. Users who
are members of the selected user groups are sent to the client, and also the logon events are sent only for users of the selected
user groups.

Send filtered groups to clients

Trellix Logon Collector can configure a group filter, save the filter settings, connect to the client, and send filtered user groups
and details.

These are the high-level steps to send filtered user groups to clients.

Task
1. Add a monitored domain — Populates Trellix Logon Collector’s database with all the user groups
2. Configure a group filter — Select from the available user groups and save the group filter settings
3. Connect to the client — Client receives the filtered user groups and information

Results

Users who are members of the selected user groups are sent to the client. The logon events are sent only for users of the
selected user groups.
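Added here as an example, not Trellix code: a Python model of how the TLC Group / IP Ignore List and the TLC Group Filter described above decide which users and logon events reach a client. The directory data, list values and logon events are constructed; case-insensitive group matching, ignore-list matching against parent groups and direct-membership matching for the group filter are assumptions of this example, not documented TLC behaviour.

```python
"""Added example (not Trellix code): TLC Group / IP Ignore List followed by
the TLC Group Filter. Directory data, lists and events are constructed;
case-insensitive names, parent-group matching for the ignore list and
direct membership for the filter are assumptions of this example."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Set

# Constructed directory: group -> direct parent groups (nested AD groups).
PARENT_GROUPS: Dict[str, Set[str]] = {
    "Bots-Nightly": {"Bots"},
    "Bots": {"Service Accounts"},
    "Service Accounts": set(),
    "Finance": {"All Staff"},
    "All Staff": set(),
}

# Constructed directory: user -> direct group memberships.
USER_GROUPS: Dict[str, Set[str]] = {
    "svc_backup": {"Bots-Nightly"},   # automated task account
    "alice": {"Finance"},
    "bob": {"All Staff"},
}


@dataclass(frozen=True)
class LogonEvent:
    user: str
    ip: str       # address the domain controller recorded for the logon
    source: str   # domain controller or exchange server that reported it


# Constructed events; the OWA logon carries the exchange server's own IP.
EVENTS: List[LogonEvent] = [
    LogonEvent("svc_backup", "10.0.0.5", "dc01"),
    LogonEvent("alice", "10.0.0.20", "dc01"),
    LogonEvent("alice", "10.0.0.9", "exch01"),
    LogonEvent("bob", "10.0.0.21", "dc01"),
]


def _norm(name: str) -> str:
    return name.strip().casefold()


def parse_list(csv: str) -> List[str]:
    """Both ignore lists are entered as comma-separated values in the UI."""
    return [item.strip() for item in csv.split(",") if item.strip()]


def expand_groups(direct: Set[str]) -> Set[str]:
    """Direct groups plus every ancestor, so an ignored parent group also
    covers users who are only members of one of its nested child groups."""
    seen: Set[str] = set()
    stack = list(direct)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(PARENT_GROUPS.get(group, set()))
    return seen


class TlcEventPolicy:
    """Ignore lists are applied first, then the group filter."""

    def __init__(self, group_ignore_csv: str, ip_ignore_csv: str,
                 filter_enabled: bool, filter_groups: Set[str]) -> None:
        self.group_ignore = {_norm(g) for g in parse_list(group_ignore_csv)}
        self.ip_ignore = {ip_address(ip) for ip in parse_list(ip_ignore_csv)}
        chosen = {_norm(g) for g in filter_groups}
        all_groups = {_norm(g) for g in PARENT_GROUPS}
        # "Add all" then Save leaves no filter: every group is selected.
        self.filter_groups: Optional[Set[str]] = (
            chosen if filter_enabled and not chosen >= all_groups else None)

    def is_ignored(self, ev: LogonEvent) -> bool:
        if ip_address(ev.ip) in self.ip_ignore:
            return True
        groups = {_norm(g) for g in expand_groups(USER_GROUPS.get(ev.user, set()))}
        return bool(groups & self.group_ignore)

    def passes_filter(self, user: str) -> bool:
        if self.filter_groups is None:
            return True
        direct = {_norm(g) for g in USER_GROUPS.get(user, set())}
        return bool(direct & self.filter_groups)

    def users_for_client(self) -> List[str]:
        """Users (members of the selected groups) that are sent to the client."""
        return sorted(u for u in USER_GROUPS if self.passes_filter(u))

    def events_for_client(self, events: List[LogonEvent]) -> List[LogonEvent]:
        """Logon events forwarded: not ignored, and only for filtered users."""
        return [ev for ev in events
                if not self.is_ignored(ev) and self.passes_filter(ev.user)]
```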

Configuring the IP address for Trellix Logon Collector server client communication

When multiple IP addresses are present in the Trellix Logon Collector server, it listens on all the IP addresses.

During High Availability fail-over, when the primary server is inactive or is not reachable, the secondary server changes from
standby to active state. The latter continues to establish communication with the primary server. Once the primary server is
active, the secondary server changes its state to standby (or passive) and the primary server regains its active state.

When the primary server is unavailable, the Logon Collector clients have to retry all the IP addresses of the primary server
before switching over to the secondary server. This delays the fail-over process for the client.


To overcome this problem, Trellix Logon Collector allows you to selectively choose the IP addresses for communication. The
Logon Collector HTTPS port continues to listen on all the IP addresses. Client communication and High Availability
communication happen through the selected IP address. When the primary server is not available, the Logon Collector
clients have to retry only the configured primary IP address before switching to the secondary server.

Configure TLC Communication IP Address

To configure TLC Communication IP Address:

Task
1. Select Menu → Configuration → Server Settings.
2. Under Setting Categories, click TLC Communication IP Address.
3. Click Edit at the bottom right corner to select an IP address from the drop-down list.

Edit TLC Communication IP Address

4. Click Save.

TLC User Login Timeout

Trellix Logon Collector provides an option to modify the duration of the logon event in the TLC server. By default, the logon
event is stored in the TLC server for 6 hours.

Configure TLC User Login Timeout

Perform the following steps to configure TLC User Login Timeout:

Task
1. Select Menu → Configuration → Server Settings.
2. Under Setting Categories, click TLC User Login Timeout.


TLC User Login Timeout

3. Click Edit at the bottom right corner to modify the time. The logon event will be stored in the TLC server according to
the configured time.

Edit TLC User Login Timeout

4. Click Save.

Printing and exporting

Configure the settings for exported documents.


Printing and Exporting option

Server certificate

In this section, you configure the certificate that the Logon Monitor uses to authenticate itself to Trellix Logon Collector.

Note

Ensure that you have a certificate for the Logon Monitor, whether it is a newly generated (by the Logon Monitor) self-signed
certificate or one generated by a Certificate Authority. The Logon Monitor will not function without a certificate. However, for
a local Logon Monitor, you do not need a self-signed certificate.

• Distinguished Name — The Distinguished Name contains the Common Name and other attributes that the Logon
Monitor needs to identify the certificate found in its store (see Store Name below) that should be used to authenticate to
the server. For example, string cn=dlc.centserv.org,o=centserv,c=us could be the Distinguished Name, comprised of the
certificate’s Common Name (cn), organization name (o) and country of origin (c). To use a self-signed certificate, you only
need to use the Common Name (prefixed with cn=) for identification.
• Store Name — The Store Name, or Certificate Store name, is where the Logon Monitor looks to find its certificates. The
default setting for the Store Name is TrellixLogonMonitor\MY. This uses the Store Type CERT_SYSTEM_STORE_SERVICES.
If the Logon Monitor is running in standalone mode, use the Store Name MY. This uses the Store Type
CERT_SYSTEM_STORE_CURRENT_USER.
• Generate Self-Signed Certificate — Only available when the Distinguished Name field is not blank, the Generate Self-
Signed Certificate button generates a self-signed certificate and places it in the certificate store identified by Store Name.


Note

For a separate installation of Logon Monitor, you must generate a certificate so that you can connect the Logon
Monitor to the Logon Collector.

• View Certificate — Only available when the Distinguished Name field is not blank, the View Certificate button displays
a Windows-standard certificate viewer displaying the certificate matching the Distinguished Name, if one is found in the
store.
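As an added check (example code, not from the Trellix guide), the following PowerShell verifies that a certificate matching the configured Distinguished Name exists in the store the Logon Monitor will search and that it is usable. It uses the standalone-mode store (Store Name MY, CERT_SYSTEM_STORE_CURRENT_USER, which PowerShell exposes as Cert:\CurrentUser\My); the DN values are the guide's example, not a real deployment, and the service store used by the default Store Name is not visible on the Cert: drive.

```powershell
# Added example, not part of the Trellix guide. Assumes the Logon Monitor runs in standalone
# mode, so its Store Name MY maps to Cert:\CurrentUser\My. The service store behind the default
# Store Name TrellixLogonMonitor\MY is inspected with the MMC procedure in this chapter instead.

function ConvertFrom-DistinguishedName {
    # Parse "cn=dlc.centserv.org,o=centserv,c=us" (or the "CN=..., O=..." form that .NET emits
    # for X509Certificate2.Subject) into a hashtable keyed by upper-cased attribute type.
    # Escaped commas inside attribute values are not handled.
    param([string]$Dn)
    $attrs = @{}
    foreach ($part in ($Dn -split ',')) {
        $kv = $part.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $attrs[$kv[0].Trim().ToUpperInvariant()] = $kv[1].Trim() }
    }
    return $attrs
}

function Test-DnMatch {
    # True when every attribute in the configured DN is present in the certificate subject with
    # the same value (PowerShell string comparison is case-insensitive). A DN that carries only
    # cn=... therefore matches a self-signed certificate, as the guide describes.
    param([string]$ConfiguredDn, [string]$CertSubject)
    $want = ConvertFrom-DistinguishedName $ConfiguredDn
    $have = ConvertFrom-DistinguishedName $CertSubject
    foreach ($k in $want.Keys) {
        if (-not $have.ContainsKey($k) -or $have[$k] -ne $want[$k]) { return $false }
    }
    return ($want.Count -gt 0)
}

function Find-LogonMonitorCertificate {
    # Report every certificate in the store that the configured DN would select, with the
    # properties that decide whether the Logon Monitor can actually authenticate with it.
    param(
        [string]$DistinguishedName,
        [string]$StorePath = 'Cert:\CurrentUser\My'   # standalone-mode store (assumption)
    )
    $found = Get-ChildItem -Path $StorePath | Where-Object { Test-DnMatch $DistinguishedName $_.Subject }
    foreach ($c in $found) {
        [pscustomobject]@{
            Thumbprint    = $c.Thumbprint
            Subject       = $c.Subject
            SelfSigned    = ($c.Subject -eq $c.Issuer)
            HasPrivateKey = $c.HasPrivateKey               # required to authenticate to the Collector
            Expired       = ($c.NotAfter -lt (Get-Date))
        }
    }
}

# Example run with the guide's sample DN (constructed input; there is no such certificate here).
$result = Find-LogonMonitorCertificate -DistinguishedName 'cn=dlc.centserv.org,o=centserv,c=us'
if (-not $result) { Write-Warning 'No certificate in the store matches the configured Distinguished Name.' }
else { $result | Format-Table -AutoSize }
```

A matching certificate with HasPrivateKey false or Expired true will still be "found" by the DN but cannot be used to authenticate, which is the case the View Certificate button does not flag for you.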

About Personal Settings


Use the Personal Settings window in Menu → Configuration → Personal Settings to edit the password for whoever is
currently logged on and the period in minutes for non-Dashboard tables to refresh if they are set to auto-refresh.

Logon Monitor configuration


The Logon Monitor runs as a Windows service and starts automatically after every power cycle. This section describes
configuring the Logon Monitor software.

You configure the Logon Monitor with an application named Logon Monitor Configuration on the Windows computer on which
you installed the Logon Monitor software. If you are not configuring the Logon Monitor as part of the installation, go to the Start
menu and select Trellix Logon Monitor Configuration (for example, by default in Start → Programs → Trellix Logon Monitor →
Logon Monitor Configuration) to display the Trellix Logon Monitor Configuration window.

Note

You do not have to restart the Logon Monitor service when you make configuration changes. Changes take effect after you
click OK. Logon Monitor configuration information is stored in the Windows Registry.

Configuration tab

The Configuration tab contains the settings for the Logon Monitor.


Configuration tab

Remote tab

The Remote tab contains the certificate common name and certificate hash of any Logon Collector to which this Logon Monitor
connects.

The Logon Monitor accepts any number of certificates in the Remote tab.

Remote tab


Use MMC to manage Logon Monitor certificates

Logon Monitor uses the Microsoft Certificate store to manage the certificates it generates. After you install the Logon Monitor,
the easiest way to view the certificates is to use the Microsoft Management Console (MMC) to view the Certificate store for the
Logon Monitor service.

To use MMC:

Task
1. Start MMC (Start → Run → MMC).
2. Navigate to File → Add/Remove Snap-in to display the Add/Remove Snap-in window.
3. Click Add to display the Add Standalone Snap-in window.
4. Select Certificates and then click Add to display the Certificates snap-in window.
5. Select Service account on the Certificates snap-in window, and then click Next.
6. Select Local Computer, and then click Next.
7. Select Trellix Logon Collector from the list of services and then click Finish.
8. Click Close on the Add Standalone Snap-in window.
9. Click OK on the Add/Remove Snap-in window to close it.
MMC displays the certificate information for the Logon Monitor.
10. Right-click a certificate or a store to import certificate lists in the display.

Import or remove a server or client CA certificate for Logon Monitor

See the Microsoft documentation on the Certificate snap-in for MMC for information on importing a certificate as a Certificate
Authority (CA) for Logon Monitor.

Note

This is only useful when the Logon Monitor is using Certificate Checking.

Use NTLMv2 with Logon Monitors

Trellix recommends that you use Kerberos as the authentication type. If you want to use NTLM, you should use NTLMv2 as
described in this section. The default authentication method in Windows environments, LM hash, generates a weak response
that can be used by an attacker to perform an off-line, brute-force attack in order to guess the actual password.

Read this section to learn how to use the NTLMv2 authentication method for a more secure connection between a Logon
Monitor and a domain controller.

Trellix recommends that you use the NTLMv2 authentication method on Windows 2012 and Windows 2012 R2 servers when you
are running a Logon Monitor. This enables the Logon Monitor to use NTLMv2 to authenticate to the domain controllers. This can
only be accomplished by modifying the Registry; no changes are required on the domain controllers.


Caution

This procedure requires modifying the Windows Server Registry. Improper editing of the Registry could leave your system
completely unusable or in an unstable state. Make a backup of your Registry before proceeding. For more information, see
Microsoft support article 322756 (http://support.microsoft.com/kb/322756/). If the Windows Server offers other services and
there are clients that do not support NTLMv2 (for example, Windows 95 or Windows 98), this change prevents these old clients
from using the server.

To force the use of NTLMv2:

Task
1. Log on to the Windows Server where the Logon Monitor runs.
2. Start the Registry editor (Start → Run → regedit).
3. Navigate to the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
4. Right-click the value LmCompatibilityLevel.
5. Click Modify.
6. Type the number 5 (only use NTLMv2 authentication and negotiate NTLMv2 session security if the server supports it)
and click OK.
7. Restart the Windows Server.
8. Ensure the IAM status on the Logon Collector is UP after 10 minutes.
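The registry change above, as an added PowerShell example that is not part of the Trellix guide: it reads the current LmCompatibilityLevel, exports the Lsa key before touching it (the backup path is an assumption), and sets the value to 5. Run it in an elevated shell on the server where the Logon Monitor runs; the restart and IAM status check from steps 7 and 8 still apply.

```powershell
# Added example, not from the Trellix guide. Audits and enforces the LmCompatibilityLevel
# setting from the procedure above. $BackupPath is an assumption; any writable location works.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'
$Required  = 5   # NTLMv2 only; negotiate NTLMv2 session security if the server supports it

function Get-LmCompatibilityLevel {
    # Returns the configured value, or $null when the value is absent (the OS default then applies).
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-NtlmV2Enforced {
    # True only when the value is explicitly set to 5 (or higher, which does not exist today).
    $level = Get-LmCompatibilityLevel
    return ($null -ne $level -and $level -ge $Required)
}

function Set-NtlmV2Enforced {
    param([string]$BackupPath = (Join-Path $env:TEMP 'Lsa-backup.reg'))   # assumption
    # Export the Lsa key first, as the Caution above requires, so the change can be reverted
    # with "reg import" if older clients on this server stop authenticating.
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup to $BackupPath failed; $ValueName left unchanged." }
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $Required -Type DWord
    Write-Host "Set $ValueName=$Required (backup: $BackupPath). Restart the server, then confirm the IAM status is UP."
}

# Usage: report first, change only when needed.
$current = Get-LmCompatibilityLevel
Write-Host ("Current {0}: {1}" -f $ValueName, ($(if ($null -eq $current) { 'not set (OS default)' } else { $current })))
if (-not (Test-NtlmV2Enforced)) { Set-NtlmV2Enforced }
```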


High Availability (Clustering)


This chapter discusses the High Availability (HA) feature.

Note

The terms High Availability and cluster are used interchangeably throughout the chapter.

Overview
The high availability feature enables Trellix Logon Collector to run as a primary server and a secondary server. When the
primary server is inactive or not reachable, the secondary server changes from standby to active mode and keeps polling the
primary server to check whether it is available again. Once the primary server is active, the secondary server returns to the
standby state. Clients that were connected to the primary server switch over to the secondary server when the primary server
becomes unreachable, and switch back to the primary server when it becomes active again.

Trellix Logon Collector can exist in the following modes:

• Standalone
• Cluster
Trellix Logon Collector can exist in the following states:

• Active
• Standby

Configuration basics
This section gives the details about the configuration basics of the High Availability feature.

Prerequisites for High Availability

Listed below are the prerequisites for the High Availability feature:

• Two TLC servers (primary and secondary server) must be available.
• The domain controller(s) to be monitored must always be reachable from both the TLC servers.
• Both the primary and secondary servers must be able to communicate with each other.
• Both the primary and secondary servers must use either self-signed certificates or certificates signed by a common CA.

High Availability setup

To configure a cluster:


Task
1. Install Trellix Logon Collector on different servers (Windows Server 2012, Windows Server 2012 R2, Windows Server
2016, or Windows Server 2019).
2. On the server that you intend to select as primary, select Menu → Configuration → Cluster Configuration.

Cluster Configuration option

The Cluster Configuration window opens.


3. Click Edit. The Edit Cluster Configuration window opens.

Cluster Configuration window

4. Select the Enable clustering box, and select Primary. Click Save.


Edit Cluster Configuration window for primary server configuration

5. On the server that you intend to select as secondary, select Menu → Configuration → Cluster Configuration to open the
Cluster Configuration window.
6. In the Edit Cluster Configuration window, select the Enable Clustering box and select Secondary. Enter the following
details:

• Primary Server (<IP Address>:<Https port>)
• Admin username for primary server
• Admin password for primary server

Edit Cluster Configuration window for secondary server configuration

Click Next. The Enable Cluster Task window opens.


7. Click Yes to display the HTTPS port certificate of the primary server.

Note

The cluster will be formed only if you accept the certificate.

This message gives the information about the configuration settings after a cluster formation is complete.

Enable Cluster Task window

Note

Click No if you do not want to overwrite the configuration settings.

8. In the Primary TLC Certificate window, click Accept Certificate and Enable Clustering.
This initiates the certificate exchange between the primary and secondary servers, and enables the trust establishment.
The Cluster Configuration window opens.
9. The Cluster Configuration window shows the following details:

• TLC Cluster Configuration Enabled: The status of cluster configuration
• Status: The status of the server
• Primary Server IP address: The IP address of the primary server
• Https port number of primary server: The https port number used by the peer server during cluster creation
• JMS port number of primary server: The Java Messaging Services (JMS) port number used by the peer server and
clients for transferring data


Cluster Configuration window after cluster formation

Configure High Availability in Public Key Infrastructure (PKI) setup

You can also configure the High Availability feature in a Public Key Infrastructure (PKI) setup. The steps to configure the cluster
in this scenario remain the same as described earlier.

Pre-requisites for High Availability in Public Key Infrastructure (PKI) setup

The following steps are the pre-requisites for high availability in Public Key Infrastructure (PKI) setup:

1. Select Menu → Configuration → Trusted CAs and add the CA root certificate on both the High Availability peers.
2. Select Menu → Configuration → Server Settings → Identity Replication Certificate to replace the Identity Replication
certificate with the CA-signed certificate for the respective servers.

Note

The CA root certificate and the CA-signed certificate should be added for the clients.

Error scenarios

An error message will be displayed for any one of the following scenarios:

• The certificate used by the primary server is self-signed, while the certificate used by the secondary server is signed by
CA.
• The certificate used by the secondary server is self-signed, while the certificate used by the primary server is signed by
CA.
• The certificates used by the primary and secondary servers are signed by two different CAs. In this case, the cluster
configuration is successful, but the status will be displayed in red.

The following figure shows the error message.


Error message
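As an added preflight check (example code, not from the Trellix guide), the following PowerShell fetches the HTTPS certificate each peer presents and classifies the pair against the three error scenarios above before you enable clustering. The IP addresses and port are placeholders for the primary and secondary <IP Address>:<Https port>, and "same signer" is approximated by comparing issuer names.

```powershell
# Added example, not part of the Trellix guide. Peer addresses and the HTTPS port are placeholders.

function Get-PeerHttpsCertificate {
    # Open a TLS connection to a TLC peer and return the certificate it presents.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # Accept whatever the peer presents: this only inspects the certificate, it does not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Test-ClusterCertificateCompatibility {
    # Map the two certificates onto the error scenarios listed in this section.
    # Self-signed is detected as Subject equal to Issuer; "same CA" compares issuer names only
    # (an approximation: two CAs could share a name but not a key).
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Primary,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Secondary
    )
    $pSelf = ($Primary.Subject -eq $Primary.Issuer)
    $sSelf = ($Secondary.Subject -eq $Secondary.Issuer)
    if ($pSelf -and $sSelf) {
        return 'OK: both peers use self-signed certificates.'
    }
    if ($pSelf -xor $sSelf) {
        return 'ERROR: one peer is self-signed and the other is CA-signed; cluster formation will show an error.'
    }
    if ($Primary.Issuer -ne $Secondary.Issuer) {
        return 'WARN: peers are signed by different CAs; the cluster forms but its status is displayed in red.'
    }
    return 'OK: both peers are signed by the same CA.'
}

# Placeholder addresses (RFC 5737 documentation range) and a placeholder HTTPS port.
$primaryCert   = Get-PeerHttpsCertificate -HostName '192.0.2.10' -Port 8443
$secondaryCert = Get-PeerHttpsCertificate -HostName '192.0.2.11' -Port 8443
Write-Host ("Primary:   {0} (issuer: {1})" -f $primaryCert.Subject, $primaryCert.Issuer)
Write-Host ("Secondary: {0} (issuer: {1})" -f $secondaryCert.Subject, $secondaryCert.Issuer)
Write-Host (Test-ClusterCertificateCompatibility -Primary $primaryCert -Secondary $secondaryCert)
```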

Check the status of cluster formation

This section discusses how to check the status of cluster formation.

1. Select Menu → Reporting → Status to verify the cluster formation status.
2. In the Status window, click Cluster Manager to view the message from the cluster member.

Status message of cluster formation in the primary server


Status message of cluster formation in the secondary server

Important:

The overall IAM status is GREEN since the LAM component status is GREEN.

Status window

Configuration data replication


• When a cluster is created, the primary server overrides the existing configuration of the secondary server.


• The secondary server exists in any one of the following states:
Active — When the secondary server is disconnected from the primary server, it is known as the active
secondary server.
Standby — When the secondary server is connected with the primary server, it is known as the standby
secondary server.

The standby secondary server does not allow you to make configuration changes; an error message is displayed if
you try. Configuration changes can only be made on the active secondary server.
• Replication from the primary to the secondary server: Once the cluster is configured, the configurations are replicated
from the primary to the secondary server.
• Replication from the active secondary server to the primary server: When the primary server goes down and comes
up after a period of time, it receives the configuration details from the active secondary server.
• When the secondary server runs in standby mode, the LAM status is RED in the Status window. This is normal
behavior because the Logon Collector stops LAM when it runs in standby mode.

Note

Trellix Logon Collector should not be deployed on a DHCP machine: The peer TLC servers should communicate with each
other during a cluster formation. But, this may not be possible if the Trellix Logon Collector is deployed on a DHCP machine.
Trellix products connected to the TLC server on a given IP address will also be disconnected when there is a change in the IP
address due to DHCP configuration. Trellix, therefore, recommends that you avoid the deployment of the Logon Collector on
a DHCP system.

Logon events replication


Replication from the primary to the secondary server

The logon events on the active TLC server are replicated to the standby TLC server.

Replication from the active secondary server to the primary server

When the primary server goes down and comes up again after a period of time, it receives the replication data (logon events,
users, groups) from the active secondary server.

Attention

When both primary and secondary servers are down, you must first bring up the server that has the latest configuration,
followed by the other server. If you fail to do so, the data replicated across the servers might not be the latest.

Limitations
The following list shows the limitations of the High Availability feature:


• The split network scenario is not supported. It is important to ensure that the communications between primary and
secondary are never interrupted. For example, if the network connectivity between the primary and the secondary
server is down, the secondary server assumes that the primary server is not responding, waits for 5 seconds, and
becomes active. When the communication is re-established, the primary server always overrides the configuration of the
secondary server.
• The high availability feature works in the PKI setup, but the primary and secondary certificates must be signed by the
same signer. Certificate Revocation List (CRL) is not supported.
• Other Trellix LC products using the Logon Collector 1.0 client library do not benefit from this feature, but they
continue to work in this scenario.

Disable a cluster
To disable a cluster:

Task
1. On the secondary server, select Menu → Configuration → Cluster Configuration.
2. Deselect Enable clustering, and click Save.
The Disable Cluster Task window opens. Click Yes to continue.

Disable Cluster Task window for secondary server

3. Go to the Cluster Configuration window of the primary server.


4. Deselect the Enable clustering checkbox and click Save.
The Disable Cluster Task window opens. Click Yes to continue.


Disable Cluster Task window for primary server

Note

When the cluster is disabled, the secondary server removes all configurations including logon monitors and domains,
and functions as a standalone server.
The primary server will retain the configurations and will continue to monitor the configured domains as a standalone
server.

Reconfigure a cluster
The cluster can be reconfigured if the role of the servers needs to be reversed (for example, if you want the secondary server to
behave as the primary server and vice versa).

Follow the steps below to reconfigure a cluster:

1. Disable the cluster.
2. Enable the cluster with new primary and secondary server configurations.


On-demand group and user refresh


This chapter gives the details of on-demand group and user refresh.

You can refresh the new user information anytime. This enables the Trellix Logon Collector (TLC) server to synchronize its
user/group data with the domain controller.

If the administrator adds a user to an Active Directory group in order to grant access to a resource, the administrator may use
on-demand group refresh to update the Logon Collector and allow user access to the resource, without having to wait until the
group refresh happens in background.

Tip

Trellix recommends that you avoid running the group and user refresh tasks at the same time. Run the group refresh task
approximately 20 minutes before the user refresh task to allow the group refresh task to complete.

Note

Other options displayed in the Server Tasks user interface that are not explained in this chapter are not related to the Logon
Collector.

On-demand group refresh


Go to Menu → Automation → Server Tasks to configure TLC Refresh Groups server task.


TLC Refresh Groups option

Options of group refresh

This section gives the details of the various options of group refresh.

Option 1: Run

Use this option to manually refresh the group information in the Logon Collector database (IDDS) by retrieving the latest group
information from the domain controller datastore.

To manually refresh the group information:

Task
1. Go to Menu → Automation → Server Tasks.
2. Click the Run option of TLC Refresh Groups.
The Server Task Log page opens. This page gives the results of group refresh action. By default, the records are sorted by
time, with the latest record on top.


Results of group refresh action

3. Click any TLC Refresh Groups record to view the details.

Server Task Log Information window

Option 2: Edit

Use this option to change the scheduler settings for a task.

Select Menu → Automation → Server Tasks. Select TLC Refresh Groups and click Edit.


Note

Each of the tabs discussed below has a Save and a Cancel button. Clicking Save saves the changes made and closes the Server
Task Builder window. Clicking Cancel ends the operation without saving the changes. If you want to continue modifying the
scheduler settings for the server task, do not click Save until you have completed configuring the fields available on each tab
in the Server Task Builder window.

Tab 1: Description
Task
1. In the Server Task Builder window, the following fields are displayed under the Description tab:

• Name: TLC Refresh Groups
• Notes: Refresh all groups for all directories
• Schedule status: The schedule of the task
Enabled: to enable an automatic refresh
Disabled: to disable an automatic refresh

Note

Trellix does not recommend using the Disabled option.

Server Task Builder window

2. Edit the fields as per your requirement. Click Next to go to the Actions tab.


Tab 2: Actions

This tab shows the actions performed by Trellix Logon Collector.

Task
1. Under the Actions field, the TLC Group Sync option is selected by default.

Actions tab

2. Click Next to open the Schedule tab; click Back to go back to the previous tab.

Tab 3: Schedule

The Schedule tab enables you to change the scheduler settings for the task.

Task
1. On the Schedule tab, enter the following details:

• Schedule Type: Select any one of the following schedule types from the drop-down list:
Hourly
Daily
Weekly
Monthly
Yearly
Advanced

Note

Trellix recommends that you select the Daily option for Schedule Type.

• Start Date: Select the date from when you want to start the task.
• End Date: Select the date by when you want to stop the task.

Note

Trellix recommends that you select the No End Date option so that no end date is configured for the task.

• Schedule: Click to add a new scheduled time. Click to remove an existing scheduled time.
At: Select the At option from the drop-down list to run the task at a specific time.
Between: Select the Between option from the drop-down list to run multiple tasks in a specific range of time.

Schedule tab


Tip

Trellix recommends that you set the schedule time such that the TLC Group Refresh task starts at least 20 minutes
before the TLC User Refresh task.

2. Click Next to open the Summary tab, click Back to go back to the previous tab.

Tab 4: Summary

Go to the Summary tab to view the following details:

• Name: The name of the task
• Notes: Any notes related to the task
• Task Owner: The owner of the task
• Schedule Status: The status of the scheduled task
• Schedule: The details about start date, end date, time frame, and next run time of the scheduled task
• Actions: The actions of the scheduled task such as TLC Group Sync


Summary tab

Click Save to confirm the changes made; click Cancel to abort.

Option 3: View

Use this option to view the settings for the refresh groups.

Select Menu → Automation → Server Tasks. Select TLC Refresh Groups and click View.

The Server Tasks Details page opens. It displays details of the group refresh action.


Server Task Details page

On-demand user refresh


Go to Menu → Automation → Server Tasks to configure TLC Refresh Users server task.

TLC Refresh Users option


Options of user refresh

This section gives the details of the various options of user refresh.

Option 1: Run
Use this option to manually refresh the user information in the Logon Collector database (IDDS) by retrieving the latest user
information from the domain controller datastore.

To manually refresh the user information:

Task
1. Go to Menu → Automation → Server Tasks. Click the Run option of TLC Refresh Users.
The Server Task Log page opens. This page gives the results of user refresh action. By default, the records are sorted on
time, with the latest record on top.

Results of user refresh action

2. Click the TLC Refresh Users record to view the details.


Server Task Log Information window

Option 2: Edit

Use this option to change the scheduler settings for a task.

Navigate to Menu → Automation → Server Tasks. Select TLC Refresh Users and click Edit.

Note

Each of the tabs discussed below has a Save and a Cancel button. Clicking Save saves the changes made and closes the Server
Task Builder window. Clicking Cancel ends the operation without saving the changes. If you want to continue modifying the
scheduler settings for the server task, do not click Save until you have completed configuring the fields available on each tab
in the Server Task Builder window.

Tab 1: Description
Task
1. In the Server Task Builder window, the following fields are displayed under the Description tab:

• Name — TLC Refresh Users
• Notes — Refresh all users for all directories
• Schedule status — The schedule of the task
Enabled — To enable an automatic refresh
Disabled — To disable an automatic refresh


Note

Trellix recommends that you avoid using the Disabled action.

Server Task Builder page

2. Edit the fields as per your requirement. Click Next to go to the Actions tab.

Tab 2: Actions

This tab shows the actions performed by Trellix Logon Collector.

Task
1. Under the Actions field, the TLC User Sync option is selected by default.

Actions tab

2. Click Next to open the Schedule tab; click Back to go back to the previous tab.

Tab 3: Schedule

The Schedule tab enables you to change the scheduler settings for the task.


Task
1. On the Schedule tab, enter the following details:

• Schedule Type — Select any one of the following schedule types from the drop-down list:
Hourly
Daily
Weekly
Monthly
Yearly
Advanced

Note

Trellix recommends that you select the Daily option for Schedule Type.

• Start Date — Select the date from when you want to start the task.
• End Date — Select the date by when you want to stop the task.

Note

Trellix recommends that you select the No End Date option so that no end date is configured for the task.

• Schedule — Click to add the new scheduled time. Click to remove existing scheduled time.

At — Select the At option from the drop-down list to run the task at a specific time.
Between — Select the Between option from the drop-down list to run multiple tasks in a specific range of
time.


Schedule tab

Tip

Trellix recommends that you set the schedule time such that the TLC Group Refresh task starts at least 20 minutes
before the TLC User Refresh task.

2. Click Next to open the Summary tab, click Back to go back to the previous tab.

Tab 4: Summary

Go to the Summary tab to view the following details:

• Name — The name of the task
• Notes — Any notes related to the task
• Task Owner — The owner of the task
• Schedule Status — The status of the scheduled task
• Schedule — The details about start date, end date, time frame, and next run time of the scheduled task
• Actions — The actions of the scheduled task such as TLC User Sync


Summary tab

Click Save to confirm the changes made; click Cancel to abort.

Option 3: View

Use this option to view the settings for the refresh users.

Go to Menu → Automation → Server Tasks. Select TLC Refresh Users and click View.

The Server Tasks Details window opens. It displays the details of the user refresh action.


Server Task Details window

Click Edit to make changes in the scheduler settings of the server task, or click Close to exit the Server Task Details window.

Server Task Log


Navigate to Menu → Automation → Server Task Log to view the group refresh and user refresh results of earlier executions.

Server Task Log page


User management
This section gives the details of user management for administrative access to the Trellix Logon Collector itself. To add users to
the Active Directory, use the normal Active Directory configuration mechanisms in Windows.

Manage users
You can add users to Trellix Logon Collector and specify what access they have to the system.

Add or modify a user

To add or modify a user:

Task
1. Navigate to Menu → User Management → Users.
2. Click New User to add, or select Actions → Edit to modify.
3. Define the user.
a. Type a name for the user, or change the existing one.
b. Specify whether the user is able to log on or not.
You cannot disable the logon status of the last remaining global administrator.
c. Select an authentication type.
If you are modifying a user, first click Change Authentication or Credentials.

• For Trellix Logon Collector authentication, type a password and confirm it.
• For Windows authentication, type the user name and domain.
• For Certificate Based Authentication, provide the Personal certificate subject DN in the given field and upload
the required certificate file.

d. [Optional] Provide other details for the user: Full name, Email address, Phone number, and Notes.
e. Assign a permission set.

• Select Global administrator to provide complete access to Trellix Logon Collector.
• Select a specific permission set or sets by clicking them.
4. Click Save.

Delete a user

To delete a user:

Task
1. Navigate to Menu → User Management → Users.
2. Select a user or users by selecting the checkbox next to the contact name.
3. Select Actions → Delete.


Manage permission sets


A permission set is a group of permissions, divided into sections that can be granted to any user by assigning it to a user’s
account. One or more permission sets can be assigned to any user that is not a global administrator. Global administrators have
all permissions to all features.

Permission sets grant permissions only — no permission set ever removes a permission.

Create permission sets

Use this task to create a permission set.

Task
1. Go to Menu → User Management → Permission Sets, then click New Permission Set.
2. Type a name for the permission set and select the users to which the set is assigned.
3. Click Save.
4. Select the new permission set from the Permission Sets list.
Its details appear to the right.
5. Click Edit next to any section from which you want to grant permissions.
6. On the Edit Permission Set window that appears, select the appropriate options, then click Save.
7. Repeat for all desired sections of the permission set.

Delete permission sets

Use this task to delete a permission set. If the permission set has users assigned to it, those users will lose the permissions
granted to them.

Note

You must be a global administrator to perform this task.

Task
1. Go to Menu → User Management → Permission Sets, then select the permission set that you want to delete in the
Permission Sets list.
Its details appear to the right.
2. Click Actions → Delete.
The Action: Delete pane opens asking whether you want to delete the permission set.
3. Click OK to confirm the deletion of the permission set, or Cancel to abort.

Duplicate permission sets

Use this task to duplicate a permission set. Duplicating a permission set creates an in-memory copy of the selected permission
set that can be modified and saved with another name.


Note

You must be a global administrator to perform this task.

Task
1. Navigate to Menu → User Management → Permission Sets, then select the permission set that you want to edit in the
Permission Sets list.
Its details appear to the right.
2. Click Actions → Duplicate, type a New name in the Action: Duplicate pane, then click OK.
3. Select the new duplicate in the Permission Sets list.
Its details appear to the right.
4. Click Edit next to any section for which you want to grant permissions.
5. On the Edit Permission Set window that appears, select the appropriate options, then click Save.
6. Repeat for all sections of the permission set for which you want to grant permissions.

Manage contacts
To make selecting recipients for reports and data easier, Trellix Logon Collector provides a Contacts feature where you can
define names and email addresses for contacts.

Add or modify a contact

To add or modify a contact:

Task
1. Go to Menu → User Management → Contacts.
2. Click New Contact to add a contact, or select an existing contact and click Actions → Edit to modify it.
3. Type a name for the contact, or change the existing one.
The contact must have a name: a first name only, a last name only, or both.
4. Type an email address, or change an existing one.
5. Click Save.

Delete a contact

To delete a contact:

Task
1. Go to Menu → User Management → Contacts.
2. Select one or more contacts by clicking the checkboxes next to their names.
3. Click Actions → Delete.


Reporting
This chapter describes the reporting features you use to verify that the product's components are running as expected.

About the Status page


Use the Menu → Reporting → Status page to verify that components are running as expected. A round status indicator is located
beside each component. Components and statuses are described in the following table. For all systems, a green status indicator
indicates that the system is operating correctly.

System components

ID Manager {iam}
    Reports on: overall system status.
    Yellow status indicates: one or more of the component statuses are yellow. Check specific components to identify the
    cause of the component failure.
    Green status indicates: working fine.
    Red status indicates: one or more of the following components are red: Login Acquisition Manager, Id Replication
    Manager, Login State Manager, Id Data Store. Check specific components to identify the cause of the component failure.

Login Acquisition Manager {lam}
    Reports on: current state of queries to domain controllers.
    Yellow status indicates: one or more domains are yellow or red.
    Green status indicates: working fine.
    Red status indicates: all domains are red.

ID Replication Manager {irm}
    Reports on: status of the Identity Replication to the clients.
    Yellow status indicates: not applicable.
    Green status indicates: working fine.
    Red status indicates: an exception has occurred. A brief message describing the exception is provided. Check the Logon
    Collector logs to further identify the cause of failure.

Login State Manager {lsm}
    Reports on: whether the Login State Manager initialized correctly.
    Yellow status indicates: not applicable.
    Green status indicates: working fine.
    Red status indicates: initiation failed. Check the Logon Collector logs to identify the cause of failure.

ID Data Store {idds}
    Reports on: statistics on the number of objects stored.
    Yellow status indicates: not applicable.
    Green status indicates: working fine.
    Red status indicates: initiation failed. Check the Logon Collector logs to identify the cause of failure.

ID Resolution {pnd}
    Reports on: whether queries for user information from Active Directory have been serviced after a logon is detected.
    Yellow status indicates: there are more than 1000 logons in the pending queue waiting for user information to be
    resolved.
    Green status indicates: working fine.
    Red status indicates: no red status.

Logon Flow {logons}
    Reports on: how many logons have been detected within the last minute.
    Yellow status indicates: no logons have been detected in the last hour.
    Green status indicates: working fine.
    Red status indicates: no logons have been detected in the last twelve hours.

Cluster Manager {cluster}
    Reports on: the health of the cluster and the messages being exchanged between the cluster members.
    Yellow status indicates: not applicable.
    Green status indicates: the cluster manager is working fine.
    Red status indicates: the communication between the cluster members is down or one of the cluster members is not
    available.

View who is logged on


Trellix Logon Collector provides a report of the IP addresses that a user is using.

To view who is currently logged on and to what IP address:

Task
1. Go to Menu → Reporting → Logon Report.
2. [Optional] To search on a particular IP address or user name, type the value into the Quick find field, then click Apply.
3. [Optional] Configure the display of columns:
a. Select Actions → Choose Columns.
b. Align the columns by clicking a left or right arrow to move the column.
c. Remove a column by clicking the X button.
Reset your changes by clicking Use Default.

Export report of who is logged on


Before you begin

You can save reports of who is logged on and email them.


To email a report of who is logged on:

Task
1. Select Menu → Reporting → Logon Report.
2. Specify the contents of the report by applying filters as desired.
3. Select Actions → Export Table.


View the Audit Log


Before you begin
Trellix Logon Collector provides an audit log report that lists the changes made to the server configuration.

To view the audit log:

Task
1. Go to Menu → User Management → Audit Log.
2. [Optional] Define an advanced filter.
3. [Optional] Select a pre-defined filter from the drop-down list.
4. [Optional] Click an audit log entry to see the information for a single row displayed as rows instead of columns.
5. [Optional] Configure the display of columns:
a. Select Actions → Choose Columns.
b. Align the columns by clicking a left or right arrow to move the column.
c. Remove a column by clicking the X button.
Reset your changes by clicking Use Default.

Export the audit log

You can save specific views of the audit log and email them.

To email an audit log:

Task
1. Select Menu → User Management → Audit Log.
2. Specify the contents by applying filters as desired.
3. Select Actions → Export Table.

Manage audit log queries


Audit log queries enable you to retrieve specific views of the audit log beyond the simple view the Audit Log page offers. Queries
against the audit logs are grouped into private and shared groups.

Create a query group


Task
1. Select Menu → Reporting → Queries & Reports.
2. Select Group Actions → New Group.
3. Type a name to identify the group.
4. Specify the group's visibility:
• Private (Private Groups) — appears in Private Groups.
• Public (Shared Groups) — appears in Shared Groups.
• Shared by permission set (Shared Groups) — appears in Shared Groups but is accessible only to those who are
assigned the selected permission sets.


Delete a query group


Task
1. Click a group name.
2. Select Group Actions → Delete Group.
3. Click OK to confirm the deletion.

Edit a query group


Task
1. Click a group name.
2. Select Group Actions → Edit Group.
3. Change the name of the group, and optionally the group’s visibility.
4. Click Save.

Create audit log queries

To create an audit log query:

Task
1. Select Menu → Reporting → Queries & Reports.
2. Click New Query, then click Next to begin the Query Wizard.
3. Define the chart type.
a. Select the type of chart by clicking it.
b. Configure the chart.
The available options differ depending on the type of chart you select.
c. Click Next to proceed in the query wizard.
4. Configure the display of columns.
a. Align the columns by clicking a left or right arrow to move the column.
b. Remove a column by clicking the X button.
c. Click Next to proceed in the query wizard.
5. [Optional] Configure filters.
6. Click Run.
The query is run and the results are displayed.
7. [Optional] Click Edit Query to adjust criteria.
8. When you are satisfied with the report, click Save.
9. Finish configuring the query:
a. Type a name to identify the query.
b. [Optional] Type notes to describe the query.
c. Assign the query to a query group.
Define a new group or select from the list of existing groups.
10. Click Save.
The query appears on the main Queries window. You may need to clear the Quick find text box.


Import audit log queries


Before you begin
You can save your audit log queries outside Trellix Logon Collector as files, and then import them into it.

To import a query as a file:

Task
1. Navigate to Menu → Reporting → Queries & Reports.
2. Click Import Queries.
The Import Queries page is displayed.
3. Browse and choose the file that contains your audit log query.
4. Assign the query to a query group.
Define a new group or select from the list of existing groups.
5. Click Save.
The query appears on the main Queries window. You may need to clear the Quick find text box.

Query actions

To apply Actions to queries:

Task
1. Select the checkbox next to the desired query, or click the Queries checkbox at the top to apply an action to all queries.
2. Select an action from the list.

Select this action / To do this:

Delete
    Delete the selected queries.

Duplicate
    For single queries only, create a duplicate of the selected query. In the Duplicate window, type a new name for the
    query, and assign the query copy to a query group.

Edit
    For single queries only, enables you to alter the properties that affect the results for the selected query.

Export Data
    Export the results of the selected queries as an email attachment.

Export Query Definition
    For single queries only, export the query definition as an XML file. In the Opening query window, specify whether to
    open the file with an XML application, or save the file.
    Note: The file is saved according to the path defined for your web browser.

Import Query
    Import a query stored as a file.

Move to Different Group
    Move the selected queries to a different group.

New Query
    Create a new query.

Run
    Execute the query and view the results.

View Query SQL
    For single queries only, view the selected query as a SQL statement.

Define filter criteria


Filter criteria are available when you select:

• The Boolean Pie Chart type
• Next after step 3 of the Query Wizard
• Advanced Filter for Audit Log

Available properties are Action, Completion Time, Details, Priority, Start Time, Success, and User Name.

To manage criteria for the filter:

Task
1. Click the right arrow in the Available Properties column to activate that property.
2. [Optional] Click the plus sign at the end of the Property row to create an additional comparison item.
3. By default, an additional item is evaluated with an "OR" operator. Click "and" in the and/or box to change this.
4. [Optional] Click the left arrow next to the Property to remove it from consideration.
5. Click OK, or Update Filter depending on how you arrived at the filter criteria.


Define export criteria


When you choose to export data or a table, you must define the format of the exported file.

Task
1. Select an export action:
• For a query, select Export Data.
• For a Logged On report, or Audit Log, select Export Table.
2. Review the information to be exported.
• For queries, the names of the queries are listed.
• For a Logged On report, a unique identifier and the number of data items are displayed.
3. [Optional] Select Zip the output files to compress the report.
4. Select a file format from CSV, XML, HTML, and PDF.

For PDF, also specify a page size, page orientation, optionally select to show filter criteria, and optionally specify cover page
text.

5. Configure the email.

Note

You must already have a configured email server.

a. Specify recipients by typing them, or by selecting them from a dialog box.
b. Type a subject line.
c. Add text for the body of the email message.
6. Click Export.

View dashboards
The Dashboards user interface option is not applicable for Logon Collector 2.1.


Integration with other Trellix products


This chapter describes the integration of Trellix Logon Collector with other Trellix products.

Note

Every client (product) connecting to Trellix Logon Collector must present its own certificate with a unique Common Name. This
allows more than two clients to connect to the Logon Collector at the same time without conflict.

Integration with Trellix Intrusion Prevention System Manager


Trellix Intrusion Prevention System Manager is a browser-based user interface used to view, configure, and manage Trellix
Intrusion Prevention System Sensor appliance deployments.

Together with Trellix IPS Sensor and IPS Manager, Trellix Intrusion Prevention System provides comprehensive network
intrusion detection and can block, or prevent, attacks in real time, making it truly an intrusion prevention system (IPS). It is
built for the accurate detection and prevention of intrusions, denial of service (DoS) attacks, distributed denial of service (DDoS)
attacks, and network misuse.

The Manager can display a variety of information about the hosts inside and outside a network.

Trellix Logon Collector integrates with the Manager to display the user names of hosts in your IPS and NTBA deployments.
Logon Collector provides an out-of-band method to obtain user names from Active Directory.

Benefits

This integration helps to provide information about source and destination users.

User groups for Sensor

The number of user groups supported depends on the Sensor model and Sensor software version:

Sensor model / Supported user groups:

M-series
    8.0 Sensors: up to 2,000
    8.1 and above Sensors: up to 10,000

NS-series
    8.0 Sensors: up to 2,000
    8.1 and above Sensors: up to 10,000
    Note: Version 8.0 is not applicable to NS7x00, NS5x00, and NS3x00 Sensors.

Virtual IPS
    8.0 Sensors: up to 2,000
    8.1 and above Sensors: Not Applicable

Important terms

This section describes the important terms associated with this integration.

Identity Acquisition Agent (IAA)

Identity Acquisition Agent (IAA) is deployed on the Trellix Intrusion Prevention System side and is used as an interface to listen
to the message service where the updates are published by the Logon Collector server.

Trellix Intrusion Prevention System Manager TLC Listener

Trellix Intrusion Prevention System Manager TLC Listener is the registered listener that regularly receives new updates from the
Trellix Logon Collector through IAA.

Integration requirements

The following list gives the details of the integration requirements:

• Logon Collector version — 3.0.11
• IPS Manager version — 10.1.7.65 and above

How Logon Collector - Trellix Intrusion Prevention System Manager integration works

Logon Monitors of the Logon Collector can be used to poll nearby domain controllers and forward collected information on to
the Logon Collector, shortening the distance domain controller communication must travel.

Identity Acquisition Agent (IAA) is deployed on the Trellix IPS Manager side and is used as an interface to listen to the message
service where the updates are published by the Logon Collector server. IAA listens to the Logon Collector Active Message Queue
(MQ) service and regularly receives new updates from the Logon Collector server.

A listener for receiving the updates is registered with the IAA. The registered listener regularly receives new updates from the
Logon Collector through IAA.


On the first update, all IP-to-user bindings are loaded into a newly created Trellix IPS Manager cache; subsequent updates
apply only the differences. Because the other components of the Trellix IPS Manager query this cache, the Manager does not
need to contact the Logon Collector server each time an update happens.

Note

The Trellix IPS Manager and Logon Collector can coexist on the same server. However, Trellix does not recommend this, as it
can degrade performance depending on the traffic volume.

Note

You do not need a special passphrase or license key to install the Logon Collector software.

Configuration details for Logon Collector integration

This section gives the configuration details for the integration between the Manager and Logon Collector server.

Configure integration at the admin domain level

You can enable the integration between the Manager and the Logon Collector server at the admin domain level.

Task
1. Navigate to Manager → <Admin Domain Name> → Integration → MLC.
The Enable page is displayed.
2. To enable the MLC integration, select the Enable MLC Integration? checkbox.
3. Enter the Server Name or IP Address and Server Port details.


Enable Logon Collector

4. To complete the integration, you have to synchronize the certificates between the MLC console and the Manager. Click
the Export to file link to export the Manager certificate to MLC.
5. To import the MLC certificate, select Upload MLC Certificate, import the certificate from the location by clicking Choose
File.
6. Click Save.
To test the connection, click Test Connection.

Establishment of trust between Trellix IPS Manager and Logon Collector server

Trellix Logon Collector communicates with the Manager through two-way SSL authentication. This requires an exchange of
certificates between the Manager and the TLC server.

Import the Manager certificate into Logon Collector

Export the Manager certificate, save the file to your local directory, and import the file to Logon Collector. Refer to the Trellix
Intrusion Prevention System Product Guide for exporting the Manager certificate.

Task
1. In the Logon Collector console, select Menu → Configuration → Trusted CAs.
2. Click New Authority to open the New Trusted Authority window.
3. Select Import From File, then click Browse to add the exported file saved in your local directory.
You can also use the Copy/Paste Certificate option.
4. Click Save.


Import the Logon Collector certificate

By default, Trellix Logon Collector is pre-installed with a self-signed certificate. If you have a different certificate signed by a CA,
you can import this certificate and replace the existing Logon Collector certificate.

Task
1. In the Logon Collector console, go to Menu → Configuration → Server Settings.
2. In the Settings Categories section, click Identity Replication Certificate.
3. Upload the Logon Collector certificate.
a. Copy the certificate from the Logon Collector console and paste it in a newly created file in your local directory.
b. Under the Import Certificate section, click Upload MLC Certificate in the New MLC Certificate option.
c. Select Upload MLC Certificate, then click Browse to add the Logon Collector certificate from your local directory.

What to do next

Note

If the existing Logon Collector certificate is changed, the clients connecting to it, such as Trellix IPS Manager, need to import
the new Logon Collector certificate.

Note

If you have upgraded the Logon Collector 3.0.10 server to Logon Collector 3.0.11 server, the existing integration between
Trellix Logon Collector and IPS Manager will not work. You need to re-import the Logon Collector certificate in such cases.

Display of Logon Collector details

You can view user information received from the Trellix Logon Collector server in Attack Log. Refer to the Trellix Intrusion
Prevention System Product Guide for details.

Display of Logon Collector details in Trellix IPS Manager reports

Manager reports display the user information received from Logon Collector. Refer to the Trellix Intrusion Prevention System
Product Guide for more details.

Integration with Trellix Network Data Loss Prevention


Trellix Network Data Loss Prevention (Trellix Network DLP) is delivered as a low-maintenance appliance for streamlined
deployment, management, updates, and reports. It provides complete data security, data protection outside the network, and
easy deployment and management.

Integration requirements

The following list gives the details of the integration requirements:


• Logon Collector version — 3.0.11
• Trellix Network DLP version — 11.10.202 and above

Using Active Directory User elements

All Active Directory elements are treated as word queries, and can be directed to specific LDAP servers.

When these elements are used in a query, columns supporting the parameter are configured in the search window and on the
dashboard.

Note

Each of the user elements retrieves the attributes listed.

Parameters available
• User Name — user's name, alias, department, location
• User Groups — user's group
• User City — user's city
• User Country — user's country
• User Organization — user's company or organization

How Trellix Logon Collector works with Trellix DLP appliance

Trellix Logon Collector communicates Windows user logon events to Trellix DLP appliances. Trellix DLP appliances can map an
IP address to a Windows user name if no other authentication information is available.

When a user logs on to the network, the domain controller creates an event in the security event log. This is a special, protected
log file that can be accessed using Windows Management Instrumentation (WMI). Trellix Logon Collector uses this interface to
receive logon events and stores a mapping of the user's device IP to the user data. When Trellix LC integrates with Trellix DLP
appliances, the appliances synchronize the client IP and the user's SID from Trellix LC to a local cache available on each
appliance.

How Trellix Logon Collector enables remote user identification

Logon Collector is used by Trellix DLP Prevent and Trellix DLP Monitor to identify remote users when they make web requests.
When TLC is enabled, Trellix DLP appliances can map an IP address to a Windows user name if no other authentication
information is available. With TLC, remote users are identified through Security Identifiers (SIDs) instead of IP addresses, host
names, or other user parameters that are subject to change.
To start using Trellix Logon Collector with Trellix DLP appliance, you must add a TLC certificate to an appliance and then add a
Trellix DLP appliance certificate to Trellix Logon Collector.


Note

The certificate used between Trellix Logon Collector and Trellix DLP appliances must be valid, or you can't add a Logon
Collector server to the appliance. Refer to the section Authenticating Trellix DLP and Trellix Logon Collector for more
information.

Authenticating a Trellix DLP appliance with Trellix Logon Collector

Perform the following steps to connect any Trellix DLP appliance to Trellix Logon Collector so that certificates can be exchanged,
authenticating each to the other.

Task
1. To download the certificate from the Trellix DLP appliance, go to https://<APPLIANCE>:10443/certificates, then select
[Hostname.domain.crt].
2. In Trellix Logon Collector, select Menu → Trusted CAs → New Authority → Choose File, select the certificate you
downloaded, and click Save.
3. In Trellix ePO - On-prem, open the Policy Catalog.
4. Select the DLP Appliance Management product, choose the Users and groups category, and open the policy that you
want to edit.
5. Add the TLC server details to the Trellix DLP appliance.
a. In the Trellix Logon Collector section, select Identify users making web requests.
b. Click + to open the Add dialog box.
c. Type an IPv4 address or host name of the TLC server you want to connect to.
d. Edit the Trellix Logon Collector port if required.
6. Get the certificate text from Trellix Logon Collector.
a. In Trellix Logon Collector, select Menu → Server Settings.
b. Click Identity Replication Certificate.
c. Select the certificate text in the Base 64 field and copy it to the clipboard or into a file.
7. Return to the Add dialog box and select either Import from file or Paste from clipboard to add the certificate text.
8. Click OK to complete the Trellix Logon Collector authentication.
[Optional] Add more TLC servers.
The Trellix Logon Collector server is added to the list of servers.

Results

The connection between Trellix DLP appliance and Trellix Logon Collector is now complete.


Scalability
This chapter describes the details of the performance limits supported by Trellix Logon Collector.

Scalability details
Listed below are the performance limits for the Logon Collector:

Fields / Numbers:

Users
    up to 200,000

Groups
    up to 35,000
    Note: The total number of objects (users and groups) should not exceed 200,000.

Logon rate
    up to 1200 logon events per minute

Clients
    up to 150


Troubleshooting
This chapter gives the information that may assist you with solving a problem.

Verify the domain credentials


This section describes how to verify that the credentials you specify for a domain are correct and have sufficient privileges to
connect to a domain controller using Trellix Logon Collector. The domain controllers you access must be logging security events.

Test your credentials by using the wbemtest.exe tool to connect to a domain controller and run several queries.

If you are unable to specify credentials for an administrator account, you can use a non-administrator account on the domain
controller.

Note

The administrator account that you intend to use to access the domain controller MUST be in the same domain from which
you want to obtain identities.

Successful execution of the queries verifies that the credentials you specified have sufficient privileges to access the following
on the domain controller:

• security event log
• CPU performance
• WMI connection
• DCOM connection

Connect to a domain controller

Follow the steps below to use the wbemtest.exe tool to connect to a domain controller. These instructions apply only when the
Logon Collector runs on a computer other than the domain controller; they do not work when it runs on the domain controller itself.

Task
1. Open a command prompt and navigate to \Windows\System32\WBEM.
2. Run wbemtest.exe: C:\Windows\System32\WBEM> wbemtest
The Windows Management Instrumentation Tester window appears.


Windows Management Instrumentation Tester window

3. Click Connect to display the Connect window.

Connect window

4. Specify the following information:


Option / Definition:

Connection (unlabeled field)
    \\<dc_name>\root\cimv2

User
    The user name to authenticate to the domain controller.

Password
    The associated password.

Authority
    Leave this field blank.

Locale
    Leave this field blank.

Impersonation level
    Select Impersonate.

How to interpret empty password
    Select NULL.

Authentication level
    Select Packet privacy.

5. Click Connect to proceed.

If the message Access Denied appears, you may have mistyped the credentials, or the user account does not have the
necessary privileges. Try re-typing the credentials, and verify that the user account is properly set up. If you are not using an
administrator account, you can use a non-administrator account on the domain controller.

The Windows Management Instrumentation Tester window changes to display IWbemServices and Method Invocation
Options.


Windows Management Instrumentation Tester window

Successfully authenticating to the domain controller and viewing the above window means the Logon Collector has access
to WMI and DCOM connections.

6. Run each of the following queries:

• CPU performance query: success with this query means the Logon Collector has access to CPU performance on the
domain controller.
• Back log query: success with this query means the Logon Collector has access to the security event log.
• Forward log notification query: success with this query means the Logon Collector has access to the security event
log.

Note

You must successfully execute the CPU performance query and at least one of the two log queries to verify that you have the
correct credentials and therefore sufficient access privileges.

Run a CPU performance query

Follow these instructions to run a CPU performance query.

Task
1. Connect to a domain controller.
2. Click Query.
3. Type the following query:
SELECT * FROM Win32_PerfRawData_PerfOS_Processor WHERE Name="_Total"
4. Click Apply to view the query results.


Query Result window

5. Click Close once the query has returned results like those in the Query Result window above; this proves the query works.
6. Run the other queries if you have not already done so.

Run a back log query

Follow these instructions to run a back log query.

Task
1. Connect to a domain controller.
2. Click Query.
3. Type the following query:

SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND (EventIdentifier = 672 OR EventIdentifier = 673 OR EventIdentifier =
680 OR EventIdentifier = 4768 OR EventIdentifier = 4769 OR EventIdentifier = 4776) AND TimeWritten > 'yyyymmdd'

where yyyymmdd is yesterday’s date.


Back log query

4. Click Apply to view the query results.

Back log query results

5. Click Close once the query has returned results like those in the Back log query results window above; this proves the query works.
You do not have to wait for all results to return.
6. Run the other queries if you have not already done so.

Run a forward log notification query

Follow these instructions to run a forward log notification query.

Task
1. Connect to a domain controller.
2. Click Notification Query.
3. Type the following query:


SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile = 'Security'
AND (TargetInstance.EventIdentifier = 672 OR TargetInstance.EventIdentifier = 673 OR TargetInstance.EventIdentifier = 680 OR
TargetInstance.EventIdentifier = 4768 OR TargetInstance.EventIdentifier = 4769 OR TargetInstance.EventIdentifier = 4776)
4. Click Apply.

Forward log notification query results

Results are shown as they are logged.


5. Click Close.
The operation does not complete until you click Close.
6. Run the other queries if you have not already done so.
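The three wbemtest checks above can also be scripted. The following PowerShell is an added example, not code from this guide or from the product: it opens a DCOM connection to the domain controller with the same settings as the Connect window (Impersonate, Packet privacy), runs the CPU performance and back log queries, registers the forward log notification query, and applies the guide's rule that the CPU query plus at least one log query must succeed. $DomainController and the account entered at the credential prompt are placeholders; the guide's yyyymmdd date is expanded to the full DMTF timestamp that WMI compares against TimeWritten.

```powershell
# Added example, not part of the guide or the product: scripts the wbemtest checks from
# this chapter. Placeholders: $DomainController and the account typed at the prompt.
param(
    [string]$DomainController = 'DC01.example.local',  # <dc_name> from the Connect window
    [int]$NotificationSeconds = 30                     # how long to wait for a new Security event
)

# Event IDs from the guide: 672/673/680 (pre-2008 IDs) and 4768/4769/4776 (Kerberos
# AS/TGS requests and NTLM credential validation on Windows Server 2008 and later).
$eventFilter = '(EventIdentifier = 672 OR EventIdentifier = 673 OR EventIdentifier = 680 OR ' +
               'EventIdentifier = 4768 OR EventIdentifier = 4769 OR EventIdentifier = 4776)'
$instFilter  = $eventFilter -replace 'EventIdentifier', 'TargetInstance.EventIdentifier'

# The guide writes yesterday's date as yyyymmdd; this produces the full DMTF timestamp
# that WMI compares against the TimeWritten property.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddDays(-1))

$queries = @{
    CpuPerformance = 'SELECT * FROM Win32_PerfRawData_PerfOS_Processor WHERE Name="_Total"'
    BackLog        = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND $eventFilter AND TimeWritten > '$since'"
    ForwardLog     = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
                     "AND TargetInstance.Logfile = 'Security' AND $instFilter"
}

$result = [ordered]@{ WmiDcomConnection = $false; CpuPerformance = $false; BackLog = $false; ForwardLog = $false }
$cred   = Get-Credential -Message "Account that Logon Collector will use against $DomainController"

# Same settings as the Connect window: DCOM, impersonation level Impersonate, packet privacy.
$opts = New-CimSessionOption -Impersonation Impersonate -PacketPrivacy
try {
    $session = New-CimSession -ComputerName $DomainController -Credential $cred -SessionOption $opts -ErrorAction Stop
    $result.WmiDcomConnection = $true
} catch {
    # This is where wbemtest would show "Access Denied" (or an RPC error if DCOM is blocked).
    Write-Warning "Connect failed: $($_.Exception.Message)"
    return [pscustomobject]$result
}

try {
    $null = Get-CimInstance -CimSession $session -Query $queries.CpuPerformance -ErrorAction Stop
    $result.CpuPerformance = $true   # access to CPU performance counters on the DC
} catch { Write-Warning "CPU performance query failed: $($_.Exception.Message)" }

try {
    # A query that returns without an error proves the Security log is readable; as with
    # wbemtest, there is no need to wait for every row, so stop after the first few.
    $null = Get-CimInstance -CimSession $session -Query $queries.BackLog -ErrorAction Stop | Select-Object -First 5
    $result.BackLog = $true
} catch { Write-Warning "Back log query failed: $($_.Exception.Message)" }

try {
    Register-CimIndicationEvent -CimSession $session -Query $queries.ForwardLog -SourceIdentifier 'TlcSecLog' -ErrorAction Stop
    $result.ForwardLog = $true       # the subscription was accepted
    if (Wait-Event -SourceIdentifier 'TlcSecLog' -Timeout $NotificationSeconds) {
        Write-Host "A matching Security event was delivered within $NotificationSeconds seconds."
    }
} catch { Write-Warning "Forward log notification query failed: $($_.Exception.Message)" }
finally {
    Unregister-Event -SourceIdentifier 'TlcSecLog' -ErrorAction SilentlyContinue
    Remove-CimSession -CimSession $session
}

# The guide's rule: the CPU query plus at least one of the two log queries must succeed.
$result.CredentialsSufficient = $result.CpuPerformance -and ($result.BackLog -or $result.ForwardLog)
[pscustomobject]$result
```

Save the script as a .ps1 file and run it from the computer that will host Logon Collector, not from the domain controller itself, to match the conditions described above.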

Create a non-administrator account to access the security event log on a domain controller

Trellix Logon Collector supports domains running Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, or
Windows Server 2019.

Perform the steps detailed in the KB article KB84544 to create a non-admin account on Windows 2012, 2012 R2, 2016, or 2019
servers to access the domain controller security event logs.

Add different Kerberos encryption types across domains


The following tasks must be performed to add different Kerberos encryption types across various domains.

1. Install the Trellix Logon Collector.
2. Click Start, go to Administrative Tools → Services and stop the services for Logon Collector.


3. Browse to C:\Program Files (x86)\Trellix\Trellix Logon Collector\Server\conf.
4. Add the required encryption types, separated by white space at the end of the file (catalina.properties), preceded by
com.securify.ldap.kerberos.enctype=. For example, if domain 1 has a Kerberos encryption as rc4-hmac, and domain 2 has
a Kerberos encryption as aes256-cts-hmac-sha1-96, then add the two encryption types, separated by white space, at the
end of catalina.properties file as follows: com.securify.ldap.kerberos.enctype=rc4-hmac aes256-cts-hmac-sha1-96
5. Save the file.
6. Start the services for Logon Collector.
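
An added example (not Trellix's code) for step 4: rather than appending a second com.securify.ldap.kerberos.enctype= line each time a further domain is onboarded, it rewrites the existing line with the merged list. The sample properties content is constructed for the example.

```python
# Added example (not Trellix code): merge Kerberos encryption types into the
# com.securify.ldap.kerberos.enctype line of catalina.properties without creating
# a second copy of the key.

ENCTYPE_KEY = "com.securify.ldap.kerberos.enctype"

def _is_enctype_line(line):
    key, sep, _ = line.partition("=")
    return bool(sep) and key.strip() == ENCTYPE_KEY

def read_enctypes(properties_text):
    """Return the encryption types currently listed for ENCTYPE_KEY (empty list if absent)."""
    for line in properties_text.splitlines():
        if _is_enctype_line(line):
            return line.partition("=")[2].split()
    return []

def merge_enctypes(properties_text, new_types):
    """Return the properties text with new_types merged into one ENCTYPE_KEY line.

    A Java properties file keeps the last occurrence of a duplicate key, so simply
    appending a second enctype line would silently discard the types added for an
    earlier domain. The existing line is therefore rewritten in place (or appended
    if absent); order is preserved and duplicates are dropped.
    """
    merged = []
    for enctype in read_enctypes(properties_text) + list(new_types):
        if enctype not in merged:
            merged.append(enctype)
    new_line = f"{ENCTYPE_KEY}={' '.join(merged)}"
    out, replaced = [], False
    for line in properties_text.splitlines():
        if _is_enctype_line(line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue                      # drop any stray duplicate of the key
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"

# Constructed sample: domain 1's type is already present; domain 2's is being added.
SAMPLE_PROPERTIES = "common.loader=${catalina.base}/lib\ncom.securify.ldap.kerberos.enctype=rc4-hmac\n"

def example():
    return merge_enctypes(SAMPLE_PROPERTIES, ["aes256-cts-hmac-sha1-96"])

if __name__ == "__main__":
    print(example(), end="")
```

Run it against a copy of catalina.properties while the Logon Collector services are stopped, as steps 2 and 6 require; the result contains exactly one enctype line listing both types.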

Logon Monitor logs


The basic format of the log messages for the Logon Monitor is as follows:

YYYY-MM-DD'T'HH:mm:ss'Z' <LEVEL>: <Msg>

Note

Time is in UTC (hence represented as Z in the basic format).

An example of a basic Logon Monitor log message is:

2010-11-09T21:23:09Z INFO: DlcServiceMain Service Started.

The following list shows the three types of messages that you can receive:

• Internal messages
• Messages due to Logon Collector communication
• Messages due to Logon Monitor communication

Internal messages

The internal messages have no qualifier.

Examples of internal messages are as follows:

• 2010-11-09T21:23:09Z INFO: DlcServiceMain Service Started
• 2010-11-09T21:23:09Z INFO: Socket Listening on 50443

Messages generated due to Logon Collector communication

The messages generated due to Logon Collector communication only occur at level 2 debug or higher.

The format of the messages generated due to Logon Collector communication is as follows:

Format — <Date> <Level>: [CLI:<TLC IP Address>:<Port>] <Message>

Examples:

2010-12-03T16:46:24Z DEBUG: [CLI:127.0.0.1:10248] Connection accepted

2010-12-03T16:46:24Z DEBUG: [CLI:127.0.0.1:10248] Command HELLO

2010-12-03T16:46:24Z DEBUG: [CLI:127.0.0.1:10248] Command CONNECT

The following sample message can be used to understand the different parts of a message:

STATS RP:0 LR:2010-12-03T16:46:12Z LV:0 PB:0 CB:0 LW:4 BW:243, where

• RP is the number of records sent
• LR is the time the last record was sent
• LV is a number from 0 to 5 that indicates slow communication

Note

Any number larger than 3 indicates that the link might be very slow.

• PB and CB are combined to calculate the number of bytes that are pending to be written
• LW is the number of lines written
• BW is the number of bytes written (can be used to calculate bandwidth)

Messages generated due to Logon Monitor communication

The messages generated due to Logon Monitor communication occur at all levels.

Note

The messages generated due to Logon Monitor communication mostly occur at the info level.

The format of the messages generated due to Logon Monitor communication is as follows:

Format — <Date> <Level>: [DC:<DC Name>] <Message>

Examples:

2010-12-03T16:46:24Z INFO: [DC:d2-dc-01.domain2.cai.local] Wmi Connected

2010-12-03T16:46:24Z INFO: [DC:d2-dc-01.domain2.cai.local] DcConnection::run Backlog query disabled by client request

Example of an error message:

The following error message will appear in the Logon Collector Status window: Access Denied (Password Change)
ERROR: [DC:nsbu-01.domain3.cai.local] Wmi [0x80070005 - Access is denied.] ConnectServer

Example of an error code:

0x80070005 — this is a Microsoft error code. For more information, refer to microsoft.com.

Common Domain Controller errors

The following table shows the common Domain Controller errors:

Error       Description
0x80070005  Access Denied. This error can be displayed due to password issues.
0x8004106C  Quota Violation: Patch mismatch between DC and TLC. To overcome this problem, ensure that all patches are applied.
0x800706BA  The RPC server is unavailable. This error can be displayed due to one of the following reasons:
            • password problem
            • access control
            • patch mismatch
            • the system is down
            • WMI is turned off on the system
0x80010002  Call was canceled by the message filter (same as 0x800706BA).
0x80090327  An unknown error occurred while processing the certificate. To overcome this problem, check the certificate of the remote Logon Monitor.

Note

For more information, refer to https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-error-constants?redirectedfrom=MSDN.
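
The message formats and the error table above, worked through in code. The following is an added example, not Trellix's or the Logon Monitor's own code: it parses constructed sample lines in the three formats (internal, [CLI:...], [DC:...]), breaks a STATS message into its fields, flags LV values above 3 as a slow link, and maps an HRESULT found in a [DC:...] message to its description in the table. Summing PB and CB as the pending byte count is an assumption; the guide says only that the two are combined.

```python
# Added example (not Trellix code): parse Logon Monitor log lines and pull out what matters.
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample log, modelled on the message formats and error table above.
SAMPLE_LOG = """\
2010-11-09T21:23:09Z INFO: DlcServiceMain Service Started
2010-11-09T21:23:09Z INFO: Socket Listening on 50443
2010-12-03T16:46:24Z DEBUG: [CLI:127.0.0.1:10248] Connection accepted
2010-12-03T16:46:24Z DEBUG: [CLI:127.0.0.1:10248] Command HELLO
2010-12-03T16:46:30Z DEBUG: [CLI:127.0.0.1:10248] STATS RP:0 LR:2010-12-03T16:46:12Z LV:0 PB:0 CB:0 LW:4 BW:243
2010-12-03T16:46:35Z DEBUG: [CLI:127.0.0.1:10248] STATS RP:12 LR:2010-12-03T16:46:33Z LV:4 PB:1024 CB:512 LW:40 BW:9600
2010-12-03T16:46:24Z INFO: [DC:d2-dc-01.domain2.cai.local] Wmi Connected
2010-12-03T16:46:40Z ERROR: [DC:nsbu-01.domain3.cai.local] Wmi [0x80070005 - Access is denied.] ConnectServer
"""

# Codes and meanings from the "Common Domain Controller errors" table.
DC_ERRORS = {
    "0x80070005": "Access Denied (check the monitoring account password)",
    "0x8004106C": "Quota Violation: patch mismatch between DC and TLC",
    "0x800706BA": "The RPC server is unavailable (password, access control, patch level, host down or WMI off)",
    "0x80010002": "Call was canceled by the message filter (same causes as 0x800706BA)",
    "0x80090327": "Unknown error while processing the certificate (check the Logon Monitor certificate)",
}

# <Date> <Level>: [<CLI|DC>:<peer>] <Message>; the bracketed qualifier is absent for internal messages.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<level>[A-Z]+): "
    r"(?:\[(?P<kind>CLI|DC):(?P<peer>[^\]]+)\] )?(?P<msg>.*)$"
)
HRESULT_RE = re.compile(r"0x[0-9A-Fa-f]{8}")

@dataclass
class LogRecord:
    timestamp: str
    level: str
    source: str                 # "internal", "collector" ([CLI:...]) or "monitor" ([DC:...])
    peer: Optional[str]
    message: str
    stats: dict = field(default_factory=dict)
    error_code: Optional[str] = None

def parse_stats(message):
    """Turn 'STATS RP:0 LR:... LV:0 PB:0 CB:0 LW:4 BW:243' into a dict (numeric fields as int)."""
    out = {}
    for token in message.split()[1:]:
        key, _, value = token.partition(":")   # LR holds a timestamp with colons; only the first colon splits
        out[key] = int(value) if value.isdigit() else value
    return out

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    source = {"CLI": "collector", "DC": "monitor"}.get(m.group("kind"), "internal")
    rec = LogRecord(m.group("ts"), m.group("level"), source, m.group("peer"), m.group("msg"))
    if rec.message.startswith("STATS "):
        rec.stats = parse_stats(rec.message)
    code = HRESULT_RE.search(rec.message)
    if code:
        rec.error_code = "0x" + code.group(0)[2:].upper()   # normalise hex case to match the table keys
    return rec

def triage(text, slow_threshold=3):
    """Return findings worth acting on: slow links (LV above threshold) and domain controller errors."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        lv = rec.stats.get("LV")
        if lv is not None and lv > slow_threshold:
            pending = rec.stats.get("PB", 0) + rec.stats.get("CB", 0)   # assumed: PB + CB = bytes pending
            findings.append(f"slow link to collector {rec.peer}: LV={lv}, {pending} bytes pending")
        if rec.error_code:
            meaning = DC_ERRORS.get(rec.error_code, "not in the table; see the Microsoft WMI error constants")
            findings.append(f"{rec.peer}: {rec.error_code} {meaning}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Point triage() at the text of a real Logon Monitor log collected at debug level 2 or higher, since the [CLI:...] STATS lines are only written at that level.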

Logon Collector logs


Trellix Logon Collector has the following log files available at <TLC_INSTALL_FOLDER>/server/logs for troubleshooting:

• jakarta_service_20100930.log
• localhost_access_log.2010-10-12.txt
• orion.log
• orion.log1
• stderr.log

Note

Of the available logs, orion.log and orion.log1 are the most important.
orion.log is a rotating log: it has a size limit and also a limit on the total number of log files. For example, once orion.log has reached its maximum size, the earlier entries are found in orion.log1.

Log format — YYYY-MM-DD HH:mm:ss,mmm <LEVEL> [<Thread>] Message

Note

While troubleshooting, search for the word 'Exception' in the orion log file.

Logon Collector Active Directory communication errors log records

Check for ‘GSS initiate failed’ or LoginException in the Logon Collector Active Directory communication errors log records. These
error messages indicate that Trellix Logon Collector is unable to access Active Directory.

The most common problems are as follows:

• Wrong password:
LoginException: Pre-authentication information was invalid (24)

• DNS problem:
No valid credentials are provided (mechanism level: server not found in Kerberos database (7))
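
An added example (not Trellix code) of the scan this section recommends: it parses constructed orion.log lines in the format given above, collects every line that mentions 'Exception', and maps the two indicator strings listed above to their probable causes. The thread names in the sample are made up.

```python
# Added example (not Trellix code): scan orion.log for Active Directory communication failures.
import re
from collections import Counter

# <Date> <Level> [<Thread>] <Message>, the orion.log format described above.
ORION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<thread>[^\]]+)\] (?P<msg>.*)$"
)

# Most specific indicator first; the last two only say that AD could not be reached.
AD_INDICATORS = [
    ("Pre-authentication information was invalid", "wrong password for the monitoring account"),
    ("server not found in Kerberos database", "DNS problem: check the SRV, forward and reverse records"),
    ("GSS initiate failed", "Active Directory unreachable (cause not classified)"),
    ("LoginException", "Active Directory unreachable (cause not classified)"),
]

# Constructed sample; thread names are made up, the messages follow the two cases listed above.
SAMPLE_ORION_LOG = """\
2010-10-12 09:15:01,123 INFO [main] Server started
2010-10-12 09:15:07,456 ERROR [ldap-1] GSS initiate failed: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
2010-10-12 09:15:09,789 ERROR [ldap-2] GSS initiate failed: No valid credentials are provided (mechanism level: server not found in Kerberos database (7))
2010-10-12 09:15:12,000 WARN [ldap-1] java.lang.NullPointerException in group filter
"""

def parse_orion_line(line):
    """Return the timestamp, level, thread and message of one line, or None if it is not a log line."""
    m = ORION_RE.match(line.rstrip())
    return m.groupdict() if m else None

def probable_cause(message):
    """Map a message to the probable cause from AD_INDICATORS, or None if no indicator matches."""
    for needle, cause in AD_INDICATORS:
        if needle in message:
            return cause
    return None

def scan_orion_log(text):
    """Return (lines mentioning 'Exception', Counter of probable AD causes): the two things to look for."""
    exceptions, causes = [], Counter()
    for line in text.splitlines():
        rec = parse_orion_line(line)
        if rec is None:
            continue
        if "Exception" in rec["msg"]:
            exceptions.append(line)
        cause = probable_cause(rec["msg"])
        if cause:
            causes[cause] += 1
    return exceptions, causes

if __name__ == "__main__":
    found, summary = scan_orion_log(SAMPLE_ORION_LOG)
    print(f"{len(found)} lines with 'Exception'")
    for cause, n in summary.items():
        print(f"{n}x {cause}")
```

Feed scan_orion_log() the contents of orion.log and orion.log1 together, since a rotation may have split the failing period across the two files.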

Troubleshooting DNS problems

To troubleshoot DNS problems:

• Verify that the SRV records exist for the domain to be monitored.
  Run the following command from the TLC server command line and verify the output against the expected output shown below:

C:\>nslookup -query=SRV _kerberos._tcp.domain1.cai.local
Server: net-apps.cai.local
Address: 172.25.59.11
Non-authoritative answer:
_kerberos._tcp.domain1.cai.local SRV service location:
priority = 0
weight = 100
port = 88
svr hostname = dc-01.domain1.cai.local
_kerberos._tcp.domain1.cai.local SRV service location:
priority = 0
weight = 100
port = 88
svr hostname = dc-02.domain1.cai.local
domain1.cai.local nameserver = dc-02.domain1.cai.local
domain1.cai.local nameserver = dc-01.domain1.cai.local
dc-01.domain1.cai.local internet address = 172.25.59.80
dc-02.domain1.cai.local internet address = 172.25.59.81

• Verify that both forward DNS and reverse DNS work for the domain to be monitored.
  Run the following commands from the TLC server command line and verify the output against the expected output shown below:

C:\>nslookup dc-01.domain1.cai.local
Server: net-apps.cai.local
Address: 172.25.59.11
Non-authoritative answer:
Name: dc-01.domain1.cai.local
Address: 172.25.59.80

C:\>nslookup 172.25.59.80
Server: net-apps.cai.local
Address: 172.25.59.11
Name: dc-01.domain1.cai.local
Address: 172.25.59.80

Troubleshooting NSLookup failure

When NSLookup fails, consider the following to troubleshoot:

• Check whether it is pointing at the wrong DNS server:
  Make sure that you are using the production DNS server.
  Check that the setup is correct. Make sure that the TLC server DNS entries point to the domain controllers.

• Check whether there are any entries in C:\Windows\System32\drivers\etc\hosts:
  This file is the Windows equivalent of UNIX's /etc/hosts.
  Check this file for entries that "mask" the DNS entries. The recommendation is to have only comments ('#') in this file.

• In production environments, DNS is not normally a problem, because Windows itself relies on a correct DNS setup.
• Check whether you are using reverse DNS. Make sure that you have added reverse DNS entries in DNS.
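
An added example, not from the guide, for the hosts-file check above: it lists the active (non-comment) entries of a constructed hosts file, reports those that override names under the monitored domain, and compares them with the addresses DNS returns (constructed here from the nslookup output above). The monitored domain name and the hosts-file content are assumptions made for the example.

```python
# Added example (not Trellix code): find hosts-file entries that mask DNS for the monitored domain.
import re

# One address followed by one or more names, with an optional trailing comment.
HOSTS_ENTRY_RE = re.compile(r"^\s*(?P<addr>[0-9A-Fa-f:.]+)\s+(?P<names>[^#]+?)\s*(?:#.*)?$")

# Constructed sample hosts file: the dc-01 line is the kind of stale entry this check is for.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
172.25.59.99   dc-01.domain1.cai.local   # stale entry left from a lab build
10.0.0.5       build-server
"""

# Constructed from the nslookup output above: what DNS actually answers for the domain.
DNS_ANSWERS = {
    "dc-01.domain1.cai.local": "172.25.59.80",
    "dc-02.domain1.cai.local": "172.25.59.81",
}

def active_hosts_entries(text):
    """Return (address, [names]) for every line that is not blank or a comment."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = HOSTS_ENTRY_RE.match(line)
        if m:
            entries.append((m.group("addr"), m.group("names").split()))
    return entries

def masking_entries(text, domain_suffix):
    """Hosts entries for names in the monitored domain; these bypass DNS entirely for that name."""
    suffix = "." + domain_suffix.lower().lstrip(".")
    hits = []
    for addr, names in active_hosts_entries(text):
        for name in names:
            lowered = name.lower()
            if lowered.endswith(suffix) or lowered == suffix[1:]:
                hits.append((name, addr))
    return hits

def dns_conflicts(text, domain_suffix, dns_answers):
    """(name, hosts_address, dns_address) for masking entries whose address differs from DNS."""
    return [
        (name, addr, dns_answers[name])
        for name, addr in masking_entries(text, domain_suffix)
        if name in dns_answers and dns_answers[name] != addr
    ]

if __name__ == "__main__":
    for name, hosts_addr, dns_addr in dns_conflicts(SAMPLE_HOSTS, "domain1.cai.local", DNS_ANSWERS):
        print(f"{name}: hosts file says {hosts_addr}, DNS says {dns_addr}")
```

Even a masking entry whose address matches DNS is worth removing, because the hosts file only answers forward lookups; the SRV and reverse lookups the guide asks you to verify still go to DNS, and a later change of the domain controller's address would leave the hosts entry stale.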

Configure Database Settings page to connect to the SQL server


The TLC server uses a Microsoft SQL Server database to store the Logon Collector user credentials, which are used to authenticate users when they log on to the Logon Collector admin user interface.

If the SQL Server credential changes, the TLC server can no longer connect to SQL Server. As a result, users cannot log on to the Logon Collector admin user interface.

Follow the steps below to overcome this problem.

1. Log on to the TLC server.
2. Open https://localhost:8443/core/config in your browser.
3. Reset the password in the Database Settings page.

Database Settings page

Ports used by Trellix Logon Collector


Ensure that the following ports are open on the firewall for Trellix Logon Collector to function.

Port   Type of port   Used for
61641  JMS port       Client and High Availability communication
61613  Stomp port     C client communication
389    LDAP port      Communication between the Logon Collector and domain controller
50443                 Communication between the Logon Collector and Logon Monitor

Note

The WMI communication happens between Logon Monitor and domain controller.

High memory usage of lsass.exe


lsass.exe caches data to improve LDAP query performance. It is normal for this process to use a large amount of memory (multiple GB) on a domain controller when the domain contains a large amount of data.

Saved group filter configuration


The group filter configuration is stored locally on the system in the C: directory. This includes files that capture the group filter status and configuration.

The group filter status is stored in mlc-config.xml, available at C:\Program Files(x86)\Trellix\Trellix Logon Collector\Server\conf. This file can be modified only after stopping the TLC server.

The file has an entry of the form:

<config name="enableFilter" value="Y" type="common" />

If the filter is enabled, value is Y; if it is disabled, value is N.

The group filter configuration is stored in a groupfilter file available at C:\Program Files(x86)\Trellix\Trellix Logon Collector\Server\conf\mlc\. This file is not editable.

Remember:

If you try to modify the groupfilter file, the file might become corrupted.

COPYRIGHT
Copyright © 2023 Musarubra US LLC.

Trellix and FireEye are the trademarks or registered trademarks of Musarubra US LLC, FireEye Security Holdings US LLC and their affiliates in the
US and /or other countries. McAfee is the trademark or registered trademark of McAfee LLC or its subsidiaries in the US and /or other countries.
Skyhigh Security is the trademark of Skyhigh Security LLC and its affiliates in the US and other countries. Other names and brands are the
property of these companies or may be claimed as the property of others.
