9 Installing the Agent On Windows Platforms

This section documents installation instructions for all supported Windows platforms.

The agent must be installed or uninstalled by a user with Administrator permissions. Additionally, all files that are created by this Administrator must have NT Authority/SYSTEM change permissions. The agent will run as a service under the SYSTEM user account. This applies to all platforms in the Windows NT family, including Windows NT 4.0, Windows 2000, and Windows 2003.

Note that by default, all NT Administrators are granted NT Authority/SYSTEM change permissions. If they have been modified, you must assign NT Authority/SYSTEM change permissions to the entire installation directory.

Special Instructions for Windows NT 4.0 or Missing WMI

This section covers the Windows NT 4.0 agent installation. Follow the steps here before installing the agent as described later in this chapter. This section also applies if you are using a newer version of Windows but have removed WMI (Windows Management Instrumentation) from the server.

Note:

This installation section is only applicable if you are installing an agent on Windows NT 4.0, or if WMI has been removed from the Windows installation.

How to Add NT Authority Change Permissions

After the agent installation is complete, you can add Change Permissions in one of the following two ways:

  • From the command prompt, execute the following command to set the permissions on the Configuration Change Console Agent Installation directory:

    cacls c:\oracle\ConfigurationChangeConsoleAgent /T /E /G SYSTEM:C

  • From Windows Explorer, do the following:

    1. Right-click on the Agent Installation directory.

    2. From the Security tab, confirm that SYSTEM is included in the list. If it is not included, you must add it.
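The following added example (not part of the Oracle documentation or product) checks the result of either method by parsing the text that `cacls c:\oracle\ConfigurationChangeConsoleAgent /T` prints and listing every object where SYSTEM lacks Change or Full. The sample output is constructed, the function names are hypothetical, and the path label assumes an install path without spaces.

```python
import re

# Constructed sample in the layout `cacls <dir> /T` prints (not captured from a real host).
SAMPLE = r"""
C:\oracle\ConfigurationChangeConsoleAgent BUILTIN\Administrators:(OI)(CI)F
                                          NT AUTHORITY\SYSTEM:(OI)(CI)C
C:\oracle\ConfigurationChangeConsoleAgent\bin BUILTIN\Administrators:F
                                              NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
C:\oracle\ConfigurationChangeConsoleAgent\logs BUILTIN\Administrators:F
                                               NT AUTHORITY\SYSTEM:R
"""

SYSTEM_ACE = re.compile(r"NT AUTHORITY\\SYSTEM:((?:\([A-Z]+\))*)([NRWCF])\s*$")
RANK = "NRWCF"           # cacls right letters: None, Read, Write, Change, Full
SUFFICIENT = {"C", "F"}  # Change is what the agent needs; Full includes it

def split_entries(output):
    """Group lines per object: an object starts at column 0, and its
    remaining ACEs follow on indented continuation lines."""
    entries = []
    for line in output.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and entries:
            entries[-1].append(line)
        else:
            entries.append([line])
    return entries

def system_right(lines):
    """Strongest right SYSTEM holds on the object itself, or None.
    (IO) marks an inherit-only ACE: it reaches children, not this object."""
    best = None
    for line in lines:
        m = SYSTEM_ACE.search(line)
        if m and "(IO)" not in m.group(1):
            if best is None or RANK.index(m.group(2)) > RANK.index(best):
                best = m.group(2)
    return best

def missing_system_change(output):
    """Return (path, right) for each object where SYSTEM lacks Change or Full."""
    findings = []
    for lines in split_entries(output):
        path = lines[0].split(" ", 1)[0]  # assumes no spaces in the install path
        right = system_right(lines)
        if right not in SUFFICIENT:
            findings.append((path, right))
    return findings
```

An empty result means SYSTEM holds Change or Full on every listed object; a `None` right means SYSTEM has no ACE that applies to that object.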

Windows Management Instrumentation

Windows Management Instrumentation (WMI) enhances your ability to monitor and control system information and allows you to manage remote servers from a central location. For more information on WMI, refer to the WMI White Paper from the Microsoft Website.

Agents installed on Windows NT 4.0 platforms require WMI version 1.5 to be installed on the system in order for the agent to collect the full range of data available. Windows 2000 typically comes prepackaged with WMI version 1.5. If WMI is already installed on the system you must verify that it is version 1.5. It is recommended that you upgrade an existing WMI installation by following the steps in the WMI Versions and Upgrades section of this document.

The NT 4.0 agent installer detects whether WMI is installed, and if you select to install WMI, the agent installer will proceed to install WMI version 1.5 on your system. As part of the WMI installation, you must reboot the system after the agent installation completes.

If you choose not to install or upgrade WMI to version 1.5, the installer gives you the option of using the agent without the features provided by WMI 1.5. The alternative to using WMI is the NT 4.0 Lite version, which must be used when WMI does not exist on the system or version 1.5 is not available.

Note:

There is a risk of data loss if WMI becomes unavailable or is disconnected.

Data Collection with WMI

The Configuration Change Console Agent works with WMI to collect the full set of data:

  • File creation, modification, renaming and deletions

  • File archiving

  • Process starts and stops

  • User logins and logoffs

  • System resource utilization by user, process, file and server

  • Current system resources and configurations

Data Collection with NT 4.0 Lite

The NT 4.0 Lite version, installed without WMI, will limit the data set collected by the agent; only the following set of data will be displayed:

  • System configurations

  • Creating, modifying, renaming and deleting files

  • File archiving

  • Device names associated with the file changes

Note that the following data will not be collected:

  • Process starts and stops

  • User logins and logoffs

  • Performance data such as Memory usage, CPU usage, and Disk usage

  • Does not provide Access Control

WMI Versions and Upgrades

The agent will not detect what version of WMI is installed on your system. If you have an older version of WMI, you must upgrade it before installing the agent.

Note:

Upgrading the WMI application may affect other applications on your system that depend on or interface with the WMI application. Therefore, you should review the ramifications an upgrade to the WMI application may have on your IT infrastructure before proceeding.

To check which version of WMI is installed on your system, follow these steps:

  1. In Windows Explorer, go to C:\WINNT\system32\wbem\

  2. Right-click on the WinMgmt.exe file and select Properties

  3. From the Version tab, verify that the WMI file version indicates 1.5. If you have an older version of WMI, proceed to the next section for instructions on upgrading to WMI 1.5.

How to upgrade to WMI 1.5

Download and execute the wmint4.exe file from the Microsoft Download Center.

Refer to the Microsoft Download Center website for system requirements and detailed instructions for upgrading the WMI application on your system.

Windows XP, 2000, 2003 Agent Installation

The following sections describe the installation procedure for Windows 2000 Agent.

System Requirements

Before installing the agent, verify that you have at least the following installed on the device where the agent will be installed:

  • Latest Service Pack

  • For Windows 2000 only, Patch Q828020

You can obtain the patch from Microsoft's website. The Service Pack and the Patch are required to successfully monitor and log login/logout events for users.

Installing the Agent

To install the Agent on a Windows-based platform, follow these steps:

  1. From the Configuration Change Console Installation CD, run the agent-win.exe file. The installation screen appears. The first screen of the installer explains how to navigate through the installer screens.

    Click Next.

  2. Specify the directory where you would like to install the agent. The default path, C:\oracle\ConfigurationChangeConsoleAgent, is already entered.

    Click Next to install to the specified location.

  3. The installer checks that the minimum version of WMI is installed. This may only be an issue if you are installing the agent on a Windows NT 4.0 server.

    Note:

    Upgrading the WMI application may affect other applications on your system that depend on or interface with the WMI application. Therefore, you should review the ramifications an upgrade to the WMI application may have on your IT infrastructure before proceeding.

  4. The Configure Agent screen is displayed. Complete these steps:

    • Enter the Configuration Change Console server URL. In a non-clustered environment, the URL has the format t3s://hostname:port, where hostname is the host on which the primary server is located. In a clustered environment, use, for example, t3s://hostname1:port1,hostname2:port2,hostname3:port3, giving the host name and port of each Primary and Messaging Broker server. Click Next.

    • Select True or False depending on whether to automatically start the service after the install. If you select False, you must manually start the agent from the Windows Services control panel. The service name will be Oracle Configuration Change Console Agent.

    • Click Next

  5. You will be asked for an administrator username (the default is administrator) and password for the Configuration Change Console Server. This is used to verify that the person installing the agent is authorized to do so. This username/password combination is used only at agent install time; after the agent is installed, the user can be disabled or have its password changed without any issues.

  6. The Summary screen will display. Verify that the install folder is correct, and click Install to proceed with the installation.

Click Done when the Installation Complete screen appears to exit the installer.
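The server URL entered in step 4 is a comma-separated endpoint list that generic URL parsers do not handle, so scripted or repeated installs benefit from checking it first. The following added example (not Oracle's code) validates the single-server and clustered forms and rejects any scheme other than the t3s the format specifies; `parse_server_url` is a hypothetical name and the host names and ports in the usage are constructed.

```python
import re

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")  # DNS name or dotted IPv4 address
PORT_RE = re.compile(r"[0-9]{1,5}")


def parse_server_url(url):
    """Parse t3s://host:port[,host:port...] into [(host, port), ...].

    Raises ValueError for any other scheme, for a missing or out-of-range
    port, for an empty list item (such as a trailing comma copied from a
    sentence), and for duplicate endpoints.
    """
    scheme, sep, rest = url.strip().partition("://")
    if not sep or scheme != "t3s":
        raise ValueError(f"URL must start with t3s://, got {url!r}")
    endpoints = []
    for item in rest.split(","):
        host, colon, port = item.rpartition(":")
        if not colon or not HOST_RE.fullmatch(host):
            raise ValueError(f"expected hostname:port, got {item!r}")
        if not PORT_RE.fullmatch(port) or not 1 <= int(port) <= 65535:
            raise ValueError(f"invalid port in {item!r}")
        endpoint = (host.lower(), int(port))
        if endpoint in endpoints:
            raise ValueError(f"duplicate endpoint {item!r}")
        endpoints.append(endpoint)
    return endpoints


if __name__ == "__main__":
    # Constructed values for illustration only.
    print(parse_server_url("t3s://ccc1.example.com:7002,ccc2.example.com:7002"))
```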

Starting and Stopping the Agent

The agent should start automatically if you selected that option during installation. If you selected False in Step 3, or in the event that the agent does not start automatically, follow these steps:

  1. Go to Start --> Control Panel --> Administrative Tools --> Services

  2. Right-click on the Oracle Configuration Change Console Agent service and click Start

To stop the agent, right-click on the Oracle Configuration Change Console Agent service and click Stop.

Enabling Complete Real-Time Monitoring for the Windows Agent

The real-time Windows agent modules rely on various capabilities of the operating system to collect all of the information on events. One part of this is capturing, from the Windows Event Log, the user that made a change. If you do not configure Windows to capture users that make changes, the agent will not capture this information; however, it will still capture that a change happened and when it happened.

To configure the event log to work with real time monitoring, perform the following steps:

  1. From the Explorer, select the directory that is being monitored, right-click and select Properties

  2. Go to the Security tab

  3. Click the Advanced button

  4. Select the Auditing tab

  5. Click the Add button. (In Microsoft XP, double click the Auditing Entries window)

  6. Select the Name Everyone and click OK. You can also choose specific users if you are only monitoring for changes by specific users in Configuration Change Console rules. The rules also filter the results by user, so even if you enable auditing for everyone, only changes by the users that you monitor in Configuration Change Console will be captured.

  7. Select the following options (Successful and/or Failed) from the Access window:

    • Create Files/Write Data

    • Create Folders/Append Data

    • Delete Subfolders and Files

    • Delete

  8. Click OK to exit out of the screen

  9. Repeat steps 1 through 7 for all other monitored directories

  10. Go to Start --> Settings --> Control Panel --> Administrative Tools --> Local Security Policy --> Local Policies --> Audit Policy. Double-click, and turn on the following policies (Success and/or Failure):

    • Audit account logon events

    • Audit logon events

    • Audit object access

  11. Close the Local Security Settings screen

  12. Go to Start --> Settings --> Control Panel --> Administrative Tools --> Event Viewer

  13. Select System Log, and click on Action from the menu bar and select Properties

  14. From the System Log Properties panel, on the General tab, set the Maximum log size to at least 5120 KB (5 megabytes) and select Overwrite Events as Needed. Note that the log size depends on the number of events generated in the system during a one-minute reporting interval. The log size must be large enough to accommodate those events. If you extend the monitoring time for file events because you expect the change rate to be lower, you need to ensure that the audit log in Windows is large enough to capture the events.

  15. Click Apply and OK to exit.

Verifying The Configuration

To verify that the device records login and logout events, follow these steps:

  1. Log out of the device and then log back into the device.

  2. Go to Start --> Settings --> Control Panel --> Administrative Tools --> Event Viewer

  3. Select Security Log and go to View --> Filter. Select Security for the Event Source and Logon/Logoff for the Category fields

  4. Click OK

The Event Viewer should have the activity recorded as Event 528.

Windows NT 4.0 Agent Installation

The following sections describe the installation procedure for Windows NT 4.0 Agent.

System Requirements

The following are system requirements for installing the agent on a Windows NT 4.0 platform:

  • NTFS file system. Windows NT proprietary file system that supports file-level security, compression and auditing.

  • Service Pack 4. This Service Pack can be downloaded from the Microsoft website.

  • WMI 1.5. If WMI is not installed on your system, you will need to assign the agent the NT Lite agent schedule template through the Compliance Solution user interface. See the Agent Administration section of the Compliance Solutions Users Guide for more information.

Installing the Agent

To install the agent on a Windows NT 4.0 based platform, follow the same instructions as installing an agent on Windows 2000 as described in Installing the Agent.

During installation, the installer will verify that WMI has been installed. If you do not have WMI installed, you will either need to install WMI 1.5 or greater or use a lite version of the Windows agent.

Starting and Stopping the Agent

The agent should start automatically. If you selected "False" in Step 3 above, or in the event that the agent does not start automatically:

  1. Go to Start --> Control Panel --> Administrative Tools --> Services

  2. Right-click on the Oracle Configuration Change Console Agent service and click Start

  3. To stop the agent, right-click on the Oracle Configuration Change Console Agent service and click Stop

Enabling Complete Real-Time Monitoring for the Windows Agent

The real-time Windows agent modules rely on various capabilities of the operating system to collect all of the information on events. One part of this is capturing, from the Windows Event Log, the user that made a change. If you do not configure Windows to capture users that make changes, the agent will not capture this information; however, it will still capture that a change happened and when it happened.

To configure the event log to work with real time monitoring, perform the following steps:

  1. Go to Start --> Programs --> Administrative Tools --> User Manager for Domains

  2. From the User Manager screen, click Policies from the menu bar and select Audit Policy. The next screen appears

  3. From the Audit Policy screen, verify that the following options are selected:

    • Audit These Events

    • Login and Logoff

    • File and Object Access

  4. From Explorer, select the directory that is being monitored, right-click and select Properties.

  5. Go to the Security tab

  6. Click Auditing

  7. From the Directory Auditing screen, highlight Everyone and verify that Write and Delete are both selected under the Success column.

Log Files

The agent logs all failures or other application-specific events to the Application Log. To view the logs:

Go to Start --> Settings --> Control Panel --> Administrative Tools --> Event Viewer

Click Application Log to view the logs. The product logs are located in the agent installation directory under the logs directory. For example, c:\oracle\ConfigurationChangeConsoleAgent\logs. Here is a list of some of the most common logs that you may need to refer to when resolving issues:

Probe.log -- General product log for warnings or critical messages

Probe-err.log -- Only the errors that have caused a problem on the agent

Uninstalling the Agent

The agent must be uninstalled by a user with Administrator privileges. To manually uninstall the agent, go to Start --> Control Panel --> Add/Remove Programs and select Oracle Enterprise Manager Configuration Change Console Agent from the list to uninstall the agent.

Reauthorizing the Agent With the Server

If the authorization credentials that you supplied at agent installation time were incorrect, you can manually force the authorization to run again. A sign that authorization might have failed is that the agent never registered with the server, which you can check on the Administration > Devices > Devices screen on the Server.

To force reauthorization, follow these steps:

  1. Open a DOS window

  2. Change your directory to {agent_install_dir}/bin

  3. Run the script: resetauth.bat

  4. Answer the prompts providing a user name and password for an administrator-role user in the Configuration Change Console Server

For security reasons, if authentication fails, no message is sent back to the agent indicating this failure.