Monitor events with the Operations Dashboard
The AD Bridge Operations Dashboard is a management plug-in for the BeyondTrust Management Console. The dashboard runs on a Windows administrative workstation connected to the AD Bridge Reporting Database and an Active Directory domain controller.
The dashboard retrieves information from the AD Bridge database to display authentication transactions, authorization requests, network events, and other security events on Linux and Unix computers.
Monitoring events such as failed logon attempts and failed sudo attempts can help prevent unauthorized access to commands, applications, and sensitive resources.
The following are some of the events the dashboard can display. You can also create and monitor custom events.
- All Success Audit Events
- All System Log Error Events
- Console Logons (AD or Local)
- Domain Joins
- Domain Leaves
- Failed Console Logons (AD or Local)
- Failed Group Policy Updates
- Failed Kerberos Refresh
- Failed Password Change
- Failed Root Logons (Local)
- Failed SSH Logons (AD or Local)
- Failed Sudo
- AD Bridge Services Failures
- Network Offline Warning
- Root Account Logons (Local)
- SSH Logons (AD or Local)
- Sudo
Configure settings for the dashboard
By default, the dashboard is set to display selected metrics. As you become familiar with these metrics, you can customize settings so you can track critical activities occurring in your clients.
You can:
- change the list of metrics displayed
- configure alerting
- change the refresh rate for the display
- customize metrics
Add the dashboard to the console
By default, the Operations Dashboard node is displayed in the BeyondTrust Management Console. If it is not displayed, you can add the dashboard plug-in to the console.
- On a Windows administrative workstation, start the BeyondTrust Management Console.
- From the File menu, click Add/Remove Plug-in.
- Click Add.
- Click Operations Dashboard, click Add, and then click Close.
- Click OK.
Connect to a database using the BeyondTrust Management Console
To connect to a database or change your database connection:
- Log into the BeyondTrust Management Console.
- Right-click Operations Dashboard and then click Connect to.
- Click Change.
- Select the database type.
- From the Server\Instance list, select the instance, and then select the credentials.
- Click OK.
Change the refresh rate in the BeyondTrust Management Console
You can change the minutes that pass before the information on the dashboard is updated with the latest metrics. The default value is 5 minutes.
To change the refresh rate:
- Log into the BeyondTrust Management Console.
- Right-click Operations Dashboard and then click Metric settings.
- In the Refresh Interval box, enter the minutes that pass before the information on the dashboard is updated with the latest metrics.
- Click Close.
Change the metrics to display on the operations dashboard
You can change the metrics that you want to display on the Operations Dashboard.
- Log into the BeyondTrust Management Console.
- Right-click the Operations Dashboard node, and then click Metric settings.
- Scroll through the list of metrics and check or clear the boxes depending on the metrics that you want to display.
After you change the metrics, the database update program runs to ensure the data between the database and Active Directory is synchronized.
Change the properties for a metric
You can configure the following properties for a metric:
- Warning limits
For example, you might want to set a Red flag limit on a metric. When the activity exceeds that value, a Red flag is issued.
- Alerts
If you configure the warning limits, you can set an alert that will be issued when the limit is reached.
- Add a query that adds the total number of events.
To set properties for a metric:
- Log into the BeyondTrust Management Console.
- Expand the Operations Dashboard node.
- Right-click the Domains node or the Subnets node, and then select Metric settings.
- Right-click a metric, and then select Configure metric settings.
- Set the warning limits.
- Depending on your requirements, check the boxes to turn on the alerts for the warning limits.
- Click Close.
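As an added illustration (not part of the AD Bridge product or of this page), the following Python script shows what a warning limit does with the event categories listed at the top of the page: it classifies a few constructed syslog-style lines from two Linux hosts into metrics such as Failed SSH Logons and Failed Sudo, totals them per host, and raises a Red flag wherever a count exceeds that metric's limit. The sample log lines, the regular expressions that map sshd and sudo messages onto metric names, and the limit values are all assumptions made for this example; AD Bridge fills its metrics from its own reporting database rather than by parsing these files.

```python
import re
from collections import Counter

# Constructed syslog-style lines from two Linux hosts (not real captures).
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Mar  3 10:15:09 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:16:30 web01 sshd[1233]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:16:33 web01 sshd[1233]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:16:37 web01 sshd[1233]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:16:40 web01 sshd[1233]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:17:02 db01 sshd[877]: Accepted password for bob from 192.0.2.11 port 40011 ssh2
Mar  3 10:17:20 db01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:17:41 db01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:18:00 db01 CRON[900]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Metric names are taken from the dashboard's event list; the regexes that map
# sshd/sudo messages onto them are this example's own assumption.
PATTERNS = {
    "Failed SSH Logons (AD or Local)": re.compile(
        r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "SSH Logons (AD or Local)": re.compile(
        r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"),
    "Failed Sudo": re.compile(
        r"sudo:\s+(?P<user>\S+) : (?:user NOT in sudoers|command not allowed|\d+ incorrect password attempts?)"),
    "Sudo": re.compile(
        r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=\S+ ; COMMAND="),
}

# Assumed Red flag limits; a flag is raised when a host's count EXCEEDS the limit.
WARNING_LIMITS = {
    "Failed SSH Logons (AD or Local)": 3,
    "Failed Sudo": 1,
}

# Classic syslog prefix: "Mar  3 10:15:01 host message..."
SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def classify(line):
    """Map one syslog line to (host, metric, user); None if it matches no tracked metric."""
    m = SYSLOG.match(line)
    if not m:
        return None
    for metric, pattern in PATTERNS.items():
        hit = pattern.search(m.group("msg"))
        if hit:
            return m.group("host"), metric, hit.group("user")
    return None


def count_events(lines):
    """Total events per (metric, host), the way the dashboard's metrics pane aggregates them."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            host, metric, _user = hit
            counts[(metric, host)] += 1
    return counts


def red_flags(counts, limits):
    """Return sorted (metric, host, count) tuples whose count exceeds the metric's warning limit."""
    return sorted(
        (metric, host, n)
        for (metric, host), n in counts.items()
        if metric in limits and n > limits[metric]
    )


if __name__ == "__main__":
    totals = count_events(SAMPLE_LOG.splitlines())
    for (metric, host), n in sorted(totals.items()):
        print(f"{host:6} {metric:35} {n}")
    for metric, host, n in red_flags(totals, WARNING_LIMITS):
        print(f"RED FLAG: {host} {metric} = {n} (limit {WARNING_LIMITS[metric]})")
```

The comparison is strictly greater than the limit, matching the page's wording that a flag is issued when activity exceeds the value; with the sample data, web01 is flagged for four failed SSH logons against a limit of three and db01 for two failed sudo attempts against a limit of one, while the cron session line is ignored because it maps to no tracked metric.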
Analyze events on the dashboard
After you configure and customize the view on the dashboard, you can quickly view the results to determine if assets are out of compliance.
To view the number of events:
- Log into the BeyondTrust Management Console.
- Expand the Operations Dashboard node, and then expand the Domain node or Subnets node.
- Select the domain that you want to see events for. The view shows two panes:
- Event Sources: Displays the number of events that have been tracked and the domain name where the events occurred.
- Selected Metrics: Displays the total number of events collected over the selected collection period. Select the time frame from the Operational Status list to analyze trends over that period.
In the metrics pane, select a green rectangle (each rectangle represents a period in time) to list, in the right pane, the computers where the activity occurred.
Set alert notifications in the BeyondTrust management console
You can track specific activities and receive email alerts when the activity occurs.
To track event activities and configure alerts:
- Log into the BeyondTrust Management Console.
- Right-click the Operations Dashboard, and then select Alert Settings.
- On the Operations Dashboard Alert Settings dialog box, select the following:
- Run this program: Check the box, and then click Browse to navigate to the program that you want to run.
- Command Line Arguments: Click to select the activities that you want to monitor, and then click OK.
- Send email message to: Check this box to send email alerts. Click the Email Settings button to configure the SMTP server and add the email account that will receive the alerts.
Archive events with the BTArchive
You can archive events in two ways: either with the Enterprise Database Management plug-in or with the command line.
The AD Bridge event-archiving utility BTArchive combines events older than one year into compressed archives and stores them in a separate database table. A separate archive is created for each month of old event data. After events are archived, they are deleted. The event-archiving utility is intended to be run according to a monthly schedule.
Archive events using the console
To archive events using the console:
- In the console tree, expand Enterprise Database Management.
- Right-click Archive Status, and then select Create archive.
- Follow the instructions in the wizard.
Archive events using the command line
To view the arguments of BTArchive, execute the following command at the shell prompt on a Windows computer running the AD Bridge collectors:
C:\Program Files\BeyondTrust\PBIS\Enterprise>btarchive --help
The -p and -c options identify the database type and connection string of the central AD Bridge database.
The connection string is the same as the one that you used when you configured the connection to the database. With SQL Server, for example, you enter a string like this:
Data Source=DBSERVERNAME;Initial Catalog=LikewiseEnterprise;Integrated Security=True
Integrated Security=True authenticates to SQL Server as the Windows account that runs BTArchive, so when the utility runs from a scheduled task, the task's account must have access to the database.
The -a and -t options control the archive time unit and the date threshold for archiving.
Note
We suggest you use the default settings, which are -a monthly and -t 12. These defaults create monthly archives for data older than 12 months.
The -o option controls where the log output of BTArchive is written. By default, the output is written to the console.