Auditing and Reporting
The following AD Bridge reporting components depend on the use of the database and the data collectors:
- Audit and Access Reporting
- Operations Dashboard
- Enterprise Database Management
Overview
The reporting system consists of the following components and prerequisites. We recommend that you deploy each server component to a dedicated server.
- Database server: a server running SQL Server. It stores the AD Bridge event data and information about the Active Directory configuration related to AD Bridge (cells, computers, and so on).
- Collection server: runs the Collector and Reaper data collection services. It receives event data from multiple AD Bridge agents, stores it locally, and periodically copies it to the database server, BeyondInsight, or both.
- Admin machine: a domain-joined Windows machine with AD Bridge and RSAT installed. This section refers to it as the Admin machine.
- AD Bridge group policies configured to allow event forwarding from AD Bridge agents to the database server through the collection server.
- A user account that can create a SQL Server database.
- AD Bridge agents, which generate the events that are forwarded to the collection server, and the LDBUpdate utility, which updates the database server with information on cells, computers, and so on.
To communicate with SQL Server, AD Bridge currently supports only the .NET Framework Data Provider for SQL Server (SqlClient, in the System.Data.SqlClient namespace). OLE DB and ODBC are not supported, so connection strings that name an OLE DB provider or an ODBC driver will not work with the reporting components.
Note
For more information, see .NET Framework Data Providers.
The AD Bridge reporting landscape
The diagram outlines the flow between the agent machine, collection server, database server and the admin machine for the BeyondTrust Management Console.
System requirements for AD Bridge
The following are the requirements for the reporting system.
Database server
- Install SQL Server 2012 or higher.
- SQL Server must be a member of the domain.
- Windows Authentication must be enabled.
This section assumes you are a database administrator who knows how to set up and administer SQL Server, including configuring the database to comply with your IT security policy.
Note
For more information, see the following:
- Install AD Bridge
- For a complete list of prerequisites for Microsoft SQL Server 2012 or higher, see Hardware and Software Requirements for Installing SQL Server.
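The following PowerShell is an added example, not code from the AD Bridge product or its documentation. Run from the domain-joined Admin machine, it opens a connection the way the reporting components must: through System.Data.SqlClient with Integrated Security, with no OLE DB `Provider=` or ODBC `Driver=` keys. It then asks SQL Server which authentication scheme the session actually negotiated and whether the instance accepts Windows logins only, which is the check a practitioner wants for the "Windows Authentication must be enabled" requirement above. The server name and database name are placeholders; substitute your own.

```powershell
# Added example (not part of AD Bridge). Assumptions: sql01.example.com and
# LikewiseEnterprise are placeholders for your SQL Server and reporting database.
Add-Type -AssemblyName System.Data

function Test-ReportingDbAccess {
    param(
        [string]$Server   = 'sql01.example.com',   # assumption
        [string]$Database = 'LikewiseEnterprise'   # assumption
    )
    # SqlClient connection string. Integrated Security=SSPI selects Windows
    # authentication (no User ID/Password). Encrypt=True requires a server
    # certificate this machine trusts; fix the certificate rather than adding
    # TrustServerCertificate=True if the connection fails on validation.
    $cs = "Server=$Server;Database=$Database;Integrated Security=SSPI;Encrypt=True"

    # auth_scheme is KERBEROS, NTLM or SQL for the current session (@@SPID);
    # IsIntegratedSecurityOnly is 1 when the instance allows Windows logins only.
    # Without VIEW SERVER STATE the DMV still shows your own session.
    $query = @"
SELECT SUSER_SNAME() AS login_name,
       c.auth_scheme AS auth_scheme,
       CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS windows_only
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $rdr = $cmd.ExecuteReader()
        [void]$rdr.Read()
        $result = [pscustomobject]@{
            Login       = $rdr['login_name']
            AuthScheme  = $rdr['auth_scheme']
            WindowsOnly = [bool]$rdr['windows_only']
        }
        $rdr.Close()
    } finally {
        $conn.Close()
    }

    if ($result.AuthScheme -eq 'SQL') {
        Write-Warning 'Session used SQL authentication; AD Bridge reporting requires Windows authentication.'
    }
    if (-not $result.WindowsOnly) {
        Write-Warning 'Instance is in mixed mode; review against your IT security policy.'
    }
    return $result
}

Test-ReportingDbAccess
```

Run it under the account a collector or LDBUpdate will use (for example with `runas /user:DOMAIN\svc_adb_collector powershell.exe`) to confirm that account, not just your own, can authenticate before you configure the services.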
Collection server
- .NET Framework version 4.5.
- Collection server must be a member of the domain.
- Microsoft Windows Server 2012 R2 or higher.
- We recommend a dedicated collection server. Estimate how many collection servers you need with this formula: Total Collectors = ((number of AD Bridge agents) / 400) + 1. Requirements vary with the size of your network.
Item | Requirement |
---|---|
Memory | 8 GB |
Disk space | 10 GB free disk space (for local event storage before copying to the central database). The size you require might vary depending on the number of events, the number of systems, and other factors. |
Processor | 2 GHz dual core |
Network | 1 Gb Ethernet (minimum, to the database server) |
Admin machine
When you install AD Bridge on the Admin machine, select the BeyondTrust Management Console and the following reporting components:
- Reporting Components
- Database Update and Management Tools
- Operations Dashboard
- Microsoft Report Viewer 2015 (ReportViewer.exe)
Note
For more information, see the following:
- Install AD Bridge
- To download the Report Viewer, see Microsoft® Report Viewer 2015 Runtime.
Plan SQL server database security
Although the SQL Server database contains no user passwords or other highly confidential information, it does contain a list of user accounts, information about the resources those users can access, and other details that an attacker could use for reconnaissance (for example, to map which accounts can reach which hosts). When considering the security of the database, ask yourself several questions:
- Who will be allowed to write to the database?
- Who will be allowed to read from the database?
- What accounts will be used to access the database?
Data is written to the database in several cases:
- When a collection server copies events to the database
- When the LDBUpdate utility writes information from Active Directory to the database
- When administrators perform maintenance operations on the database (for example, creating or restoring event archives)
Active Directory groups and SQL Server roles
The following table provides general guidelines on securing reporting components using Active Directory groups.
Note
Create the groups in the table before you create the database. The supplied reporting database creation script looks these groups up by name to create the corresponding SQL Server roles and set database object permissions; if a group is missing, the matching role and its permissions are not created.
Active Directory Group | Description |
---|---|
ADB_DB_Administrators | Contains accounts that are required to configure and maintain the reporting database. We recommend that a minimum number of AD Bridge administrators tasked with maintaining the reporting infrastructure be included here. This group can access all Reporting and Auditing nodes in the BeyondTrust Management Console. |
ADB_Collectors | Contains the service accounts used to run the collector services. The collection server must be part of this group. This group can access the Enterprise Database Management node. |
ADBDB_Archive Administrators | Contains the service accounts used for automated archiving. This group can access the Archive Status. |
ADB_Report_Viewers | Contains accounts that need to view the Operations Dashboard. This group can access the Operations Dashboard. |
ADB_LDBUpdate | Contains the service accounts that need to run the LDBUpdate utility to import Active Directory information into the database. This group can access all Reporting and Auditing nodes in the BeyondTrust Management Console. |
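The following PowerShell is an added example, not BeyondTrust's supplied database creation script or any other AD Bridge code. Run on the Admin machine (RSAT provides the ActiveDirectory module), it creates the groups from the table if they do not already exist, so they are in place before the creation script runs, and afterwards queries the reporting database to confirm that each group has a database user mapped to a role and that no SQL-authenticated users are present. The OU path, server name and database name are placeholders, and the group descriptions are paraphrased from the table.

```powershell
# Added example (not part of AD Bridge). Assumptions: the OU, SQL Server and
# database names are placeholders; group names are taken verbatim from the table.
#Requires -Modules ActiveDirectory
Add-Type -AssemblyName System.Data

$OuPath   = 'OU=AD Bridge Reporting,DC=example,DC=com'   # assumption
$Server   = 'sql01.example.com'                          # assumption
$Database = 'LikewiseEnterprise'                         # assumption

# The creation script resolves these by name, so spelling must match exactly.
$Groups = [ordered]@{
    'ADB_DB_Administrators'        = 'Accounts that configure and maintain the reporting database'
    'ADB_Collectors'               = 'Collector service accounts and collection servers'
    'ADBDB_Archive Administrators' = 'Service accounts used for automated archiving'
    'ADB_Report_Viewers'           = 'Accounts that view the Operations Dashboard'
    'ADB_LDBUpdate'                = 'Service accounts that run the LDBUpdate utility'
}

function New-ReportingGroups {
    # Step 1: create any missing group. Global security groups; change the
    # scope if your domain design requires it.
    foreach ($name in $Groups.Keys) {
        if (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $OuPath) { continue }
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                    -Path $OuPath -Description $Groups[$name]
    }
}

function Get-ReportingDbPrincipals {
    # Step 3 (after the creation script has run): list Windows users/groups and
    # SQL users in the database together with their role membership.
    $cs = "Server=$Server;Database=$Database;Integrated Security=SSPI;Encrypt=True"
    $query = @"
SELECT p.name AS principal_name, p.type_desc, ISNULL(r.name, '(none)') AS db_role
FROM sys.database_principals AS p
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = p.principal_id
LEFT JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
WHERE p.type IN ('U', 'G', 'S')
  AND p.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
ORDER BY p.name, r.name;
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) {
            [pscustomobject]@{
                Principal = $rdr['principal_name']   # DOMAIN\name for Windows principals
                Type      = $rdr['type_desc']        # WINDOWS_GROUP, WINDOWS_USER or SQL_USER
                Role      = $rdr['db_role']
            }
        }
    } finally {
        $conn.Close()
    }
}

function Test-ReportingDbPrincipals {
    $principals = @(Get-ReportingDbPrincipals)
    foreach ($name in $Groups.Keys) {
        # Compare on the part after the backslash so the domain prefix does not matter.
        $rows = $principals | Where-Object { ($_.Principal -split '\\')[-1] -eq $name }
        if (-not $rows) {
            Write-Warning "No database user for '$name'. Did the creation script run before the group existed?"
            continue
        }
        $rows | ForEach-Object { '{0,-45} {1,-14} {2}' -f $_.Principal, $_.Type, $_.Role }
    }
    # A SQL_USER contradicts the Windows Authentication requirement; flag it.
    $principals | Where-Object { $_.Type -eq 'SQL_USER' } |
        ForEach-Object { Write-Warning "Unexpected SQL-authenticated user: $($_.Principal)" }
}

New-ReportingGroups          # step 1
# Step 2: run the supplied reporting database creation script (not shown here).
Test-ReportingDbPrincipals   # step 3
```

Run the audit again after any maintenance that touches database permissions, such as restoring an event archive, since a restore can reintroduce principals that no longer correspond to a current group.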