
Set up the admin machine

This section assumes that the BeyondTrust Management Console and the following AD Bridge components are installed: Reporting Components, Database Update and Management Tools, Operations Dashboard.

Connect the management console to the database

To add the Enterprise Database Management plug-in and connect to the database server instance using a user account with valid access:

  1. In the console tree, right-click the Enterprise Database Management node, and then click Connect to database.

  2. Click Change. The AD Bridge Reporting Database Connection window appears.

    Reporting Database Connection dialog

  3. Select the name of your database server, in the form Server\Instance.

  4. Select your connection option. We recommend using Windows Authentication. If you select SQL Server Authentication, enter the credentials of your database account.

  5. (Optional) To encrypt the connection, select the Encrypt connection box.

  6. (Optional) To trust the server certificate, select the Trust server certificate box.

  7. (Optional) To perform a test read, select the Perform test read box.

  8. Enter the Timeout value.

  9. Click Test Connection.

  10. After the connection test succeeds, click OK.

Configure agents to forward events to the Collector service

You can globally set the agents to forward events by configuring an AD Bridge Group Policy setting. Events are generated by various AD Bridge services, and, if configured, from various syslog messages.

Configure event forwarding with group policy

The Event Forwarder policy setting modifies the settings in the AD Bridge registry to forward events from agent computers to the BTCollector service that resides on a Windows computer.

To use this policy, you must first turn on event logging. For more information, see "What are AD Bridge group policy settings?" Depending on your network configuration, you may also have to configure a policy setting to specify the service principal of the collector.

To configure event forwarding using policy settings:

  1. In the Group Policy Management Console, create a Group Policy Object (GPO) for an organizational unit, and then edit it in the Group Policy Management Editor.

  2. In the console tree, expand Computer Configuration > Policies > Unix and Linux Settings > BeyondTrust Settings > BeyondTrust AD Bridge Settings, and then click Event Forwarder.

    The console tree containing Event Forwarder in the Group Policy Management Console

  3. Double-click Event log collector, and then check the Define this policy setting box.

  4. Enter the host name of the computer running BTCollector. Example: w2k19-r2.example.com.

Configure syslog to cull events in AD Bridge

To collect sudo events and other system events that appear in syslog, you must configure syslog to write data to a location where the AD Bridge reapsysl service can find it and copy it to the local event log.

You can set an AD Bridge Group Policy setting to modify /etc/syslog.conf on target computers.

The reapsysl service creates three named pipes and picks up the syslog information written to them:

/var/lib/pbis/syslog-reaper/error
/var/lib/pbis/syslog-reaper/warning
/var/lib/pbis/syslog-reaper/information

To configure event forwarding using policy settings:

  1. In the Group Policy Management Console, create a Group Policy Object (GPO) for an organizational unit, and then edit the OU in the Group Policy Management Editor.

  2. In the console tree, expand Computer Configuration > Policies > Unix and Linux Settings > BeyondTrust Settings > Logging and Auditing Settings, and then click SysLog.

  3. Double-click SysLog, and then check the Define this policy setting box.

    Syslog Properties dialog

  4. At the bottom left, check the Enable AD Bridge Auditing box.

  5. Click OK.

Additionally, these settings can be changed on the agent machine. To configure syslog to write to the pipes, add the following lines to /etc/syslog.conf:

*.err /var/lib/pbis/syslog-reaper/error
*.warning /var/lib/pbis/syslog-reaper/warning
*.debug /var/lib/pbis/syslog-reaper/information

The last entry is not analogous to the first two: it sends *.debug to the information pipe. Some versions of syslog require a tab character rather than spaces to separate the two components of each line.

After you modify syslog.conf, you must restart the syslog service for the changes to take effect:

/etc/init.d/syslog restart

systemctl restart syslog

For more information, see the following:

  • What are AD Bridge group policy settings?
  • Your syslog documentation.
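
The manual syslog.conf change described above can be made repeatable and checked before the restart. The following is an added example, not BeyondTrust code: the function names add_reaper_rules and check_reaper_pipes are hypothetical, while the selectors and pipe paths are the ones listed on this page. It writes each rule with a tab separator and skips rules that are already present.

```shell
#!/bin/sh
# Added example, not BeyondTrust code. Function names are hypothetical;
# the selectors and pipe paths are the ones listed on this page.
REAPER_DIR=/var/lib/pbis/syslog-reaper

# Append each missing selector -> pipe rule to a syslog.conf, TAB-separated.
# Existing rules (space- or tab-separated) are left alone, so reruns add nothing.
# Prints the number of rules appended.
add_reaper_rules() {
    conf=$1
    dir=${2:-$REAPER_DIR}
    added=0
    tab=$(printf '\t')
    for pair in '*.err:error' '*.warning:warning' '*.debug:information'; do
        selector=${pair%%:*}
        pipe=$dir/${pair#*:}
        # Commented-out rules do not match because field 1 starts with '#'.
        if awk -v s="$selector" -v p="$pipe" \
            '$1 == s && $2 == p { found = 1 } END { exit !found }' \
            "$conf" 2>/dev/null; then
            continue
        fi
        printf '%s%s%s\n' "$selector" "$tab" "$pipe" >> "$conf"
        added=$((added + 1))
    done
    echo "$added"
}

# Return 0 only if all three targets exist and are named pipes (FIFOs),
# which the page says the reapsysl service creates. Run before restarting syslog.
check_reaper_pipes() {
    dir=${1:-$REAPER_DIR}
    rc=0
    for name in error warning information; do
        if [ ! -p "$dir/$name" ]; then
            echo "not a FIFO: $dir/$name" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

On an agent, run `add_reaper_rules /etc/syslog.conf` as root, confirm `check_reaper_pipes` returns 0, and then restart syslog as described above.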

Recommended configuration settings

Outlined below are some recommended configurations for the collector service through the BeyondTrust Management Console. These settings can be adjusted to meet network requirements and the number of collectors and endpoints.

This section assumes the BeyondTrust Management Console and the following AD Bridge components are installed: Reporting Components, Database Update and Management Tools, and Operations Dashboard.

Configure performance settings on the Collector service

To change the parameters on the Collector service:

  1. In the console tree, expand Enterprise Database Management.

    Set collector parameters menu option in Enterprise Database Management

  2. Right-click Collector Status, and then select Set collector parameters. Alternatively, in the list of collectors, right-click the collector that you want to modify, and then select Set collector parameters.

    Collector Parameters dialog

  3. Set the following parameters (or use the default values):

  • Period (seconds): 15
  • Maximum events per period: 5000

Endpoint Parameters:

  • Period (seconds): 10
  • Maximum events per period: 1000
  • Events per batch: 250

For more information, including detailed descriptions of the performance parameters, see Advanced command line configuration.

