I'm curious as to what kind of information can't be collected if a server/workstation doesn't have the agent installed. Are there any other features lost if the agent isn't present?
Hi, Quang.

Agents are used to monitor events that are logged by the computers on which they are installed. Local events such as logons and logoffs, as well as certain change management events like software installs and changes to local policy, are the types of events collected by LEM Agents. Once in place, the LEM Agent is also used for active response on that computer. These responses are fully configurable and can range from logging off a user to shutting down the computer or even disconnecting its networking.

That's not to say, however, that the LEM Agent is the only way to collect useful data. Other types of traffic that are logged remotely, like web traffic, for example, can be monitored without a LEM Agent, but they require a tool on the LEM Manager to normalize the traffic from elsewhere on your network (firewall, proxy, etc.). The most important thing to remember is that the LEM product is a log collection tool first and foremost.

In addition to "losing" local events that would be collected by a LEM Agent if it were installed, you also lose its powerful USB Defender capabilities. USB Defender allows you to monitor and respond to USB mass storage devices that are attached to any servers or workstations that have a LEM Agent installed. This could range from simply monitoring device activity on your endpoints to detaching offending devices based on specific types of activity: an unauthorized user attaching a device to a critical server, or any device copying files from a predefined group of sensitive folders, for example.

Thanks for your interest. Let us know if you have any other questions. You can also check out KB3207 on our Knowledge Base for more detailed information.

Phil Morin
Information Developer
Phil,
Thanks much for your prompt and helpful response and the reference to the KB article. After looking over the article, I do have a few other questions:
Thanks for your time answering these questions.
It appears that the agent is required for event log collection on domain controllers. Is this accurate? I ask because I'm aware of other products that don't have this requirement just for event log collection.
That's correct. The benefit of the LEM Agent in this regard is that it collects, normalizes, and sends these log events in real time. That means your monitoring and its related active responses occur at network speeds. This also has a positive effect on bandwidth usage, given that events are sent as they come in rather than being sent in batches.
With the agent deployed on laptops, there will obviously be periods where the agent can't report in because the laptop has been removed from the network. Is it fair to assume that reporting on these events will pick up from where it left off once communication with the laptop is re-established?
That is correct. You will also see alerts both when the LEM Agent goes offline and comes back online. These are particularly useful for monitoring critical agents like domain controllers - not laptops, but they could go down for several other reasons.
Since Active Response is dependent on the agent, is it fair to assume that a copy of the Active Response definition/policy is cached locally in cases where, again, laptops have been removed from the network? That is, is Active Response still viable with a system on the go?
Not quite. Most of the Active Responses depend on connectivity with the LEM Manager. The one exception is the Detach USB Device action, which can be executed using the USB Defender Local Policy tool. You can read more about that one here: KB2689.
I noticed that one of the possible Active Responses is disabling local accounts. Can Active Response be executed at will on a designated laptop (connected to the network with an agent) or does it have to be defined within a rule to function?
Most Active Responses (including this one) are available on an ad hoc basis using the Respond menu, which appears throughout the LEM Console. You can use these responses in conjunction with a real-time alert to expedite the process (i.e. take values from an alert to help fill out the form), or you can simply type in the values you need. Of course, rules can also be used to take action, as you implied in your question.
Does the agent have to be updated with each patch or revision of LEM? If so, will the older agents continue to function while the newer agents are deployed?
Not all releases come with an update to the LEM Agent software. That said, we recommend updating your LEM Agents whenever an update is available - you can even automate the process from the LEM Manager. In addition to improving the LEM Agent software itself, LEM Agent updates will often include updates to their respective tools, which directly affects their ability to normalize the log data they're collecting.
Thanks again.
Phil
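The exchange above describes three agent behaviours worth understanding as a defender: events are forwarded as they occur rather than in batches, a disconnected laptop's events are delivered once connectivity returns, and the manager raises an alert when an agent goes offline and again when it comes back. The following is an added, constructed model of that store-and-forward pattern; it is not LEM code and does not reflect LEM's actual protocol. The `Agent`, `Manager`, sequence numbers, heartbeat threshold, and the "critical" severity flag are all assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int        # per-agent sequence number, lets the manager detect lost events
    ts: float       # time the event was generated on the endpoint (preserved on replay)
    message: str


@dataclass(frozen=True)
class Alert:
    ts: float       # manager-side time the alert was raised
    agent: str
    severity: str
    text: str


class Manager:
    """Hypothetical manager: ingests events, tracks heartbeats, raises offline/online alerts."""

    def __init__(self, offline_after=90.0, critical=()):
        self.offline_after = offline_after   # seconds without contact before 'offline'
        self.critical = set(critical)        # agents (e.g. domain controllers) alerted at high severity
        self.events = {}                     # agent name -> list of delivered events
        self.last_seen = {}                  # agent name -> last heartbeat/event receipt time
        self.last_seq = {}                   # agent name -> last sequence number received
        self.offline = set()
        self.alerts = []

    def _severity(self, agent):
        return "high" if agent in self.critical else "medium"

    def _seen(self, agent, received_at):
        self.last_seen[agent] = received_at
        if agent in self.offline:            # first contact after an outage
            self.offline.discard(agent)
            self.alerts.append(Alert(received_at, agent, self._severity(agent), "agent back online"))

    def heartbeat(self, agent, received_at):
        self._seen(agent, received_at)

    def receive(self, agent, ev, received_at):
        expected = self.last_seq.get(agent, 0) + 1
        if ev.seq != expected:               # a gap means events were lost (e.g. buffer overflow)
            self.alerts.append(Alert(received_at, agent, self._severity(agent),
                                     f"sequence gap: expected {expected}, got {ev.seq}"))
        self.last_seq[agent] = ev.seq
        self.events.setdefault(agent, []).append(ev)
        self._seen(agent, received_at)

    def check(self, now):
        """Periodic sweep: mark agents offline once their heartbeat is older than the threshold."""
        for agent, ts in self.last_seen.items():
            if agent not in self.offline and now - ts > self.offline_after:
                self.offline.add(agent)
                self.alerts.append(Alert(now, agent, self._severity(agent), "agent offline"))


class Agent:
    """Hypothetical store-and-forward agent: sends immediately when connected, buffers when not."""

    def __init__(self, name, manager, max_buffer=10000):
        self.name, self.manager = name, manager
        self.connected = True
        self.buffer = deque()
        self.max_buffer = max_buffer         # bounded so a long outage cannot exhaust disk/memory
        self.next_seq = 1
        self.dropped = 0                     # oldest events discarded when the buffer is full

    def log(self, ts, message):
        ev = Event(self.next_seq, ts, message)
        self.next_seq += 1
        if self.connected:
            self.manager.receive(self.name, ev, ts)      # real-time forwarding, no batching
        else:
            if len(self.buffer) >= self.max_buffer:
                self.buffer.popleft()
                self.dropped += 1
            self.buffer.append(ev)

    def heartbeat(self, ts):
        if self.connected:
            self.manager.heartbeat(self.name, ts)

    def disconnect(self):
        self.connected = False

    def reconnect(self, ts):
        self.connected = True
        self.manager.heartbeat(self.name, ts)            # triggers the 'back online' alert
        while self.buffer:                               # replay in original order, original timestamps
            self.manager.receive(self.name, self.buffer.popleft(), ts)


def run_scenario():
    """Constructed scenario: a laptop leaves the network, logs events offline, then returns."""
    mgr = Manager(offline_after=90.0, critical={"dc-01"})
    dc, laptop = Agent("dc-01", mgr), Agent("laptop-01", mgr)
    laptop.log(0, "logon: alice")                        # delivered immediately
    laptop.heartbeat(30)
    laptop.disconnect()                                  # user takes the laptop off-site
    laptop.log(60, "usb mass storage attached")          # buffered locally
    laptop.log(120, "software install: sample.msi")      # buffered locally
    for t in (0, 60, 120, 180, 240, 300):
        dc.heartbeat(t)                                  # the domain controller stays healthy
    mgr.check(130)                                       # laptop silent for 100 s -> offline alert
    mgr.check(200)                                       # still offline, no duplicate alert
    laptop.reconnect(300)                                # back online, buffered events replayed
    return mgr, laptop


if __name__ == "__main__":
    mgr, laptop = run_scenario()
    for a in mgr.alerts:
        print(f"{a.ts:>6.0f}  {a.agent:<10} {a.severity:<7} {a.text}")
    for e in mgr.events["laptop-01"]:
        print(f"seq={e.seq} ts={e.ts:.0f} {e.message}")
```

The point to take from the model is the split between generation time and receipt time: replayed events keep the timestamp from when they happened on the laptop, while the offline and back-online alerts carry manager-side time, so a reviewer can tell "this happened at 60 s" apart from "we learned about it at 300 s". Per-agent sequence numbers give the manager a way to notice when a bounded buffer has had to discard events during a long outage.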
To expand on your last point, you mention that deployment of the agents can be handled from the LEM Manager. Is this only for updating agents or can the LEM Manager be used for initial deployment as well?
In looking over the LEM installation guide, I see the documented steps for single (local) installations and the Remote Agent installer. However, I see no mention of using LEM Manager for deployment. Is this a new feature?
Also, the system requirements for the agent do not list Windows 7 or Windows Server 2008 R2 as supported platforms. Does the agent now support both these platforms in both 32-bit and 64-bit?
Finally, going back to the agent deployment, can it leverage or even better, integrate with Active Directory to find the list of systems for deployment?
Phil, thanks again for your time answering these questions. It's appreciated.