7 Overview of Configuration Change Console Agent

This chapter provides an overview of the Configuration Change Console agent.

Overview

The Configuration Change Console captures a broad data set directly from the IT infrastructure to support troubleshooting, change management, and compliance.

All data collection is performed by the Configuration Change Console Agent. Agents are installed and run on each server in the IT infrastructure that will be monitored and managed by the Configuration Change Console. The agent works with the operating system and security capabilities of the server to collect required data. Once collected, data is sent to a dedicated Configuration Change Console server for analysis and processing.

The agent runs as a service on Windows servers and as a daemon process on all UNIX platforms.

Data Collection

The collected data includes the following:

  • OS Change Events. Changes to files, process starts and stops, and user logins and logoffs

  • Resource Utilization. System resource utilization by user, process, file and server

  • Archived Files. Copies of files as they change

  • Server Configuration. Current system resources and configuration

  • Database Activity. Changes to structure, content, or database user login/logout activity in a database for Oracle and Microsoft SQL databases

  • Windows Registry. Changes to registry keys or values

  • Active Directory/LDAP Server. Changes to objects in an LDAP-compliant server or Microsoft Active Directory

  • SNMP Traps. Collects configuration and alert data through the SNMP trap mechanism. This capability can be used to monitor configuration changes of network hardware such as a firewall by configuring the firewall to send SNMP traps to the Configuration Change Console when a configuration change occurs

OS Change Events

OS Change events detect modifications made by people and applications to the IT environment. By recording these often small changes to files, processes, and users, the Configuration Change Console is able to reconstruct sequences of activities that have been carried out. Detected change events include:

  • File Activity. Detects and records file create, delete, modify, and rename actions on content or attributes. It can also detect reads of a file. For each file activity, collected data points include the complete file name, date/time of change, event type, and user ID of the user account that performed the action. For most operating systems, additional configuration is required to capture the user ID, as documented below.

  • Process Activity. Detects and records process start and stop events. For each process change event, collected data points include process name, process ID, process user, event type, and date/time of event.

  • Operating System User Activity. Detects and records user logon/logoff events. On some operating systems it can also detect su activity and records both the originating user and the user being switched to. For each user change event, collected data points include user ID (account ID), event type, connection type, source host, and date/time of event.

Resource Utilization

The following list describes the resource utilization data that is collected:

  • Process Resource Utilization. Records the CPU and memory utilized by a process. Utilization data is collected every three seconds and then reported every five minutes. Data points include:

    • Process. Name, ID, parent process ID, creation date/time, end date/time, and process user.

    • CPU. Average, minimum, and maximum CPU utilization during the five-minute reporting interval; standard deviation of the average. CPU is recorded in usage units and presented as percentages.

    • Memory. Average, minimum, and maximum memory utilization during the five-minute reporting interval; standard deviation of the average.

  • User Resource Utilization. Records the CPU utilization of all processes having the selected user as the process user. Data points include user ID, date/time of the reporting interval, average CPU utilization during the reporting interval, and total number of processes run during the reporting interval.

  • File Resource Utilization. Records the size of a file as it changes over time. Data points include file name, average size of file, maximum size of file, minimum size of file, and number of changes detected during the 5-minute reporting interval in which the change was recorded. Data is collected every time a file change is detected.

  • Total CPU Utilization. Overall CPU utilization for a selected server. Calculated as the sum of the CPU used by each process running on that server during the reporting interval.

  • Total Memory. Overall memory utilization for a selected server. Data points include memory used and the swap/virtual memory used. Collected and reported every five minutes.

  • File System Utilization. Overall utilization of each file system. Data points include total available storage and the amount of storage currently being used. Collected and reported every five minutes.
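As an added illustration (not Oracle agent code), the following PowerShell folds 3-second process samples into one 5-minute report per process with the average, minimum, maximum and standard deviation listed above. The sample records are constructed and the field names are assumptions.

```powershell
# Constructed 3-second samples for two processes; two fall into a second 5-minute interval.
$samples = @(
    [pscustomobject]@{ ProcId = 4120; Name = 'httpd';    Time = [datetime]'2024-01-01T10:00:00'; CpuPct = 12.0; MemMB = 480 }
    [pscustomobject]@{ ProcId = 4120; Name = 'httpd';    Time = [datetime]'2024-01-01T10:00:03'; CpuPct = 18.0; MemMB = 484 }
    [pscustomobject]@{ ProcId = 4120; Name = 'httpd';    Time = [datetime]'2024-01-01T10:00:06'; CpuPct =  9.0; MemMB = 484 }
    [pscustomobject]@{ ProcId = 4120; Name = 'httpd';    Time = [datetime]'2024-01-01T10:05:00'; CpuPct = 40.0; MemMB = 600 }
    [pscustomobject]@{ ProcId = 4120; Name = 'httpd';    Time = [datetime]'2024-01-01T10:05:03'; CpuPct = 44.0; MemMB = 612 }
    [pscustomobject]@{ ProcId = 7781; Name = 'sqlservr'; Time = [datetime]'2024-01-01T10:00:00'; CpuPct = 55.0; MemMB = 2048 }
)

# Start of the reporting interval that contains a sample time.
function Get-IntervalStart([datetime]$t, [int]$minutes) {
    $t.Date.AddMinutes($minutes * [math]::Floor($t.TimeOfDay.TotalMinutes / $minutes))
}

# Average, minimum, maximum and sample standard deviation of one interval's values.
function Get-IntervalStats {
    param([double[]]$Values)
    $m = $Values | Measure-Object -Average -Minimum -Maximum
    $sumSq = 0.0
    foreach ($v in $Values) { $sumSq += ($v - $m.Average) * ($v - $m.Average) }
    # A single sample has no spread, so report 0 rather than dividing by zero.
    $sd = if ($Values.Count -gt 1) { [math]::Sqrt($sumSq / ($Values.Count - 1)) } else { 0.0 }
    [pscustomobject]@{ Avg = [math]::Round($m.Average, 2); Min = $m.Minimum; Max = $m.Maximum; StdDev = [math]::Round($sd, 2) }
}

$intervalMinutes = 5
$reports = $samples |
    Group-Object -Property { '{0}|{1:s}' -f $_.ProcId, (Get-IntervalStart $_.Time $intervalMinutes) } |
    ForEach-Object {
        $first = $_.Group[0]
        $cpu = Get-IntervalStats -Values @($_.Group | ForEach-Object { [double]$_.CpuPct })
        $mem = Get-IntervalStats -Values @($_.Group | ForEach-Object { [double]$_.MemMB })
        [pscustomobject]@{
            ProcId = $first.ProcId; Name = $first.Name
            IntervalStart = Get-IntervalStart $first.Time $intervalMinutes
            Samples = $_.Count
            CpuAvg = $cpu.Avg; CpuMin = $cpu.Min; CpuMax = $cpu.Max; CpuStdDev = $cpu.StdDev
            MemAvgMB = $mem.Avg; MemMinMB = $mem.Min; MemMaxMB = $mem.Max; MemStdDev = $mem.StdDev
        }
    }

$reports | Sort-Object ProcId, IntervalStart | Format-Table -AutoSize
```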

Archiving

Archiving captures and stores copies of a specified object as the contents of the object change. Up to five versions of each object are saved. Versions can be compared to identify the specific changes made to the contents. You can specify how many instances of each file to save through the server user interface.

Server Configuration

Server configuration is collected and updated every 15 minutes. Past configurations are not saved. Server Configuration data points include:

  • File Archiving: Saves a copy of a specified file each time the contents of the file are changed. Archiving may be enabled for up to 50 files per managed device.

  • Device Name. Detected from server configuration.

  • Device OS. Detected from server configuration.

  • User Specified Identifiers. Asset tag, description and owning team are optional fields specified by the user at time of configuration. They are not automatically updated by server configuration.

  • CPU. Processor count. Model and clock speed of each processor.

  • Network configuration. Number of configured interfaces. IP address, MAC address, and manufacturer of each interface.

  • Storage. Capacity and current utilization.

  • Memory. Total available, used, free, swap free, and virtual.

  • Detected Users. List of all user accounts on the server and the date and time each account last logged in.

Additional Data Collection Requirements

All data collection requires installation of the appropriate Configuration Change Console agent on the monitored server. Most data sets are collected using only the Configuration Change Console agent and standard server and operating system interfaces.

Some data sets require additional settings or software for some operating systems. Additional data collection requirements are as follows:

  • Windows Logon/Logoff Events. Requires security auditing for logon/logoff events to be enabled.

  • Windows File Change User ID. Requires file system auditing to be enabled for the file systems/directories where it is necessary to report the user ID associated with a file change. If auditing is not enabled, file changes are detected but the user ID associated with the change is not available.

  • AIX File Change User ID. The user ID associated with a file change is not available on AIX systems due to limitations within the AIX operating system.

  • Linux File Change User ID. Requires installation of a kernel module provided by Oracle. The kernel module loads dynamically and does not require a recompilation of the OS. Without the kernel module, file changes are detected by polling and the user ID associated with the change is not available.

All data sets not listed here are collected by the standard Configuration Change Console agent.
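The following added PowerShell example (not part of the Oracle documentation) turns on the two Windows prerequisites above: the logon/logoff audit subcategories, and file system auditing together with a SACL on the monitored directory, since the subcategory alone generates no events for a tree without audit entries. It assumes an elevated session on the monitored server and a placeholder directory path.

```powershell
# Placeholder: directory whose file changes the agent should attribute to a user.
$WatchedDir = 'C:\app\config'

# 1. Logon/logoff auditing, needed for "Windows Logon/Logoff Events".
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable

# 2. File System audit subcategory, needed for "Windows File Change User ID".
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 3. SACL on the monitored tree: audit successful writes, deletes (covers rename)
#    and permission/ownership changes by any account, inherited by subfolders and files.
$acl     = Get-Acl -Path $WatchedDir -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $WatchedDir -AclObject $acl

# 4. Verify the policy and the SACL before expecting user IDs in agent data.
auditpol /get /subcategory:"Logon"
auditpol /get /subcategory:"Logoff"
auditpol /get /subcategory:"File System"
(Get-Acl -Path $WatchedDir -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

If the server receives audit policy from a domain GPO, the GPO setting overrides what auditpol sets locally at the next refresh, so make the same change there.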