EVENT SERVER USER GUIDE
The event collector role collects events and serves policy for BeyondTrust integrations. Event Server is FIPS 140-2 compliant and supports TLS versions up to TLS 1.2.
Important
You can deploy additional event collectors to scale BeyondInsight to accommodate regional deployments in larger environments. However, it is not a typical installation scenario. It is recommended that BeyondTrust's Professional Services advise you on whether this installation scenario is suited to your BeyondInsight deployment.
Installation overview
Use the following instructions to deploy BeyondInsight and the event collectors. The following install files and port requirements must be in place:
- BeyondInsight
- Event Server and patches. Confirm the latest version with BeyondTrust. A license is required.
- Port 21690 must be listening for TCP traffic. The port is used to receive SSL encrypted events from agents.
All files can be downloaded from the client portal.
Note
The license key for all event collectors must match the license key for the main BeyondInsight installation.
Below is a high level overview of the installation steps.
- Run the Event Server installer and set up the connection to the database.
- Set up the crypto keys.
Note
For more information, please see "Export and import crypto keys for Event Server configuration"
- Export the crypto key from the primary BeyondInsight server.
- Import the key to all Event Server machines.
- Set up the certificates.
- Export the three certificates with private keys from primary BeyondInsight server.
- Import the certificates to all event collector machines.
- Configure scanners to point to the Central Policy and send events to the Event Server.
- If using Windows authentication, the Event Server machine name must be added to a local group created on the SQL Server host.
Note
For more information, please see the BeyondInsight Install Guide.
Run the installer
- Run the Event Server installer.
- Click Next on the Welcome page.
- Click the check box to accept the licensing terms.
- Select the location for the installation.
- Configure the connection to the database.
- Enter the IP address of the server hosting SQL Server.
- Enter the name of the database and include the credentials.
- Select the Trust Server Certificate check box.
- Select the Use Encryption check box.
Note
If the connection to the database is lost, all events are stored in an encrypted local database. There are no limits on the number of events that can be stored.
- Click Test Connection to ensure the Event Server machine can successfully contact the database machine.
- Set the log settings, including location for the log file, level of logging, and log type.
- Click Apply.
Update the events client
You must update the IP address for the client to establish a connection to the Event Server.
- Start the Events Client.
- Click the Receiver tab.
- Click OK.
Windows authentication
If you use Windows authentication for the Event Server, you must create a local group on the SQL Server host. This group requires db_owner access to the BeyondInsight database and is assigned the REM3Admins role.
You must add each Event Server machine name to this local group. For example, DomainName\EventServerMachineName$.
Note
For more information, please see the BeyondInsight Install Guide.
Export and Import Certificates for Event Server Configuration
The following BeyondInsight certificates must be exported from the primary BeyondInsight server and then imported on the Event Server:
- eEyeEmsCA: root certificate
- EmsClientCert: client authentication certificate
- eEyeEmsServer: server authentication certificate
Export the certificate
To export the certificate using the Certificates snap-in, follow the steps below:
- Run mmc.exe.
- Select File > Add/Remove snap-in.
- Select Certificates, and then click Add.
- Select Computer Account, and then click Next.
- Select Local Computer, and then click Finish.
- Click OK.
- Expand Certificates.
- Expand Personal, and then select Certificates.
- Right-click eEyeEmsClient > All Tasks > Export.
- Click Next.
- Select Yes, export the private key.
- Select the check boxes: Include all certificates in the certification path if possible and Export all extended properties.
- Enter a password. The password is needed when you import the certificate.
- Click Browse. Save the file with a .pfx extension, and then click Next.
- Click Finish.
- Copy the exported file to a network share.
Import the EmsClientCert and eEyeEmsServer certificates
You must import the EmsClientCert and eEyeEmsServer certificates on every Event Server you deploy. These certificates are imported to the Personal store.
To import the certificate using the Certificates snap-in, follow the steps below:
- Open the Certificates snap-in.
- Right-click the Personal folder, and then select All Tasks > Import.
- Click Next on the first page of the import wizard.
- Click Browse.
- On the Open dialog box, ensure that the file type is selected from the list. The certificate file has a .pfx extension.
- Find the file and click Open. Click Next.
- Enter the certificate password. This is the password that you created when you exported the certificate.
- Ensure the Include all extended properties check box is selected.
- Click Next.
- The certificate must be imported to the Personal store. Click Next.
- Click Finish.
Import the eEyeEmsCA certificate
To import the eEyeEmsCA certificate to the Trusted Root store, follow the steps below:
- Open the Certificate Manager snap-in.
- Expand Trusted Root Certification Authorities.
- Right-click the Certificates folder, and then select All Tasks > Import.
- Click Next on the first page of the import wizard.
- Click Browse.
- On the Open dialog box, ensure that the file type is selected from the list. The certificate file has a .pfx extension.
- Enter the certificate password. This is the password that you created when you exported the certificate.
- Ensure the Include all extended properties check box is selected.
- Click Next.
- The certificate must be imported to the Trusted Root store. Click Next.
- Click Finish.
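The export and import procedures above, done with the PKI module cmdlets instead of the Certificates snap-in. This is an added example, not a BeyondTrust script; it assumes the certificate subjects are CN=<name> as listed, that \\fileserver\ems-certs is a placeholder share you replace, and that it runs in an elevated PowerShell session.

```powershell
# Added example (not BeyondTrust's own script): export the three EMS certificates with
# private keys on the primary BeyondInsight server, then import them on an Event Server
# into the stores the guide specifies (CA into Trusted Root, the other two into Personal).
# Assumptions: elevated session; '\\fileserver\ems-certs' is a placeholder share;
# each certificate's Subject starts with CN=<name>; the PFX password is read interactively.
$Share = '\\fileserver\ems-certs'
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Certificate name -> LocalMachine store it belongs in
$EmsCerts = @{
    'eEyeEmsCA'     = 'Root'
    'EmsClientCert' = 'My'
    'eEyeEmsServer' = 'My'
}

# Run on the primary BeyondInsight server.
function Export-EmsCertificates {
    foreach ($name in $EmsCerts.Keys) {
        $store = $EmsCerts[$name]
        $cert = Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -like "CN=$name*" } | Select-Object -First 1
        if (-not $cert) { throw "CN=$name not found in LocalMachine\$store" }
        if (-not $cert.HasPrivateKey) { throw "CN=$name has no private key to export" }
        # BuildChain = 'Include all certificates in the certification path if possible'
        Export-PfxCertificate -Cert $cert -FilePath (Join-Path $Share "$name.pfx") `
            -Password $PfxPassword -ChainOption BuildChain | Out-Null
        Write-Host "Exported $name ($($cert.Thumbprint)) to $Share"
    }
}

# Run on each Event Server after the .pfx files are on the share.
function Import-EmsCertificates {
    foreach ($name in $EmsCerts.Keys) {
        $store = $EmsCerts[$name]
        $imported = Import-PfxCertificate -FilePath (Join-Path $Share "$name.pfx") `
            -CertStoreLocation "Cert:\LocalMachine\$store" -Password $PfxPassword
        Write-Host "Imported $name ($($imported.Thumbprint)) into LocalMachine\$store"
    }
}
```

Call Export-EmsCertificates on the primary server and Import-EmsCertificates on each Event Server; both functions stop on the first missing certificate rather than leaving a partial set behind.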
Confirm Certificates for BeyondInsight server and Event Server
Confirm certificates on the BeyondInsight server and Event Server are the same by reviewing the information in the Thumbprint for the certificate.
Double-click the certificate, and then select the Details tab.
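The thumbprint comparison above, scripted so it can be repeated on every Event Server. This is an added example, not a BeyondTrust script; it assumes PowerShell remoting to the primary server is enabled, that bi-primary is a placeholder host name, and that certificate subjects start with CN=<name>.

```powershell
# Added example (not BeyondTrust's own): run on an Event Server to confirm that the three
# EMS certificates carry the same thumbprints as on the primary BeyondInsight server.
# Assumptions: PS remoting to the primary is enabled; 'bi-primary' is a placeholder host
# name; each certificate's Subject starts with CN=<name>.
$Primary = 'bi-primary'

# Returns @{ name = thumbprint }; a missing certificate maps to $null.
$GetEmsThumbprints = {
    $stores = @{ 'eEyeEmsCA' = 'Root'; 'EmsClientCert' = 'My'; 'eEyeEmsServer' = 'My' }
    $result = @{}
    foreach ($name in $stores.Keys) {
        $cert = Get-ChildItem "Cert:\LocalMachine\$($stores[$name])" |
            Where-Object { $_.Subject -like "CN=$name*" } | Select-Object -First 1
        $result[$name] = if ($cert) { $cert.Thumbprint } else { $null }
    }
    return $result
}

function Compare-EmsCertificates {
    $local  = & $GetEmsThumbprints
    $remote = Invoke-Command -ComputerName $Primary -ScriptBlock $GetEmsThumbprints
    $ok = $true
    foreach ($name in $local.Keys) {
        if ($local[$name] -and $local[$name] -eq $remote[$name]) {
            Write-Host "OK       $name $($local[$name])"
        } else {
            $ok = $false
            Write-Warning "MISMATCH $name local=$($local[$name]) primary=$($remote[$name])"
        }
    }
    return $ok
}

if (-not (Compare-EmsCertificates)) { exit 1 }
```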
Export and Import Crypto Keys for Event Server Configuration
Export the key
Perform the following steps on the primary BeyondInsight server to export the crypto key:
- Go to the BeyondInsight installation directory. For example, by default: \Program Files (x86)\eEye Digital Security\Retina CS\.
- Run xmltodatabasesynctool.exe.
- Click Cryptography Key.
- Verify Export Key is selected.
- Enter a password.
- Click Export.
- Copy RetinaCS.eKey to a network share.
Import the key
Perform the following steps on each event collector server to import the crypto key:
- Access the network share where you exported the crypto key, and copy the key to the Event Server computer.
- Run xmltodatabasesynctool.exe.
- Click Cryptography Key.
- Select Import Key.
- Enter the password that you created when you exported the key.
- Click Import.
- Find the key, and then click Open.
- After you import a crypto key, you must set the AccessCode and Expiry columns in the dbo.Version table to NULL. In SQL Server Management Studio, run the following query on the BeyondInsight database:
update version set AccessCode = null, Expiry = null
Configure BeyondInsight Custom Certificates
In your BeyondInsight configuration, you can create certificates rather than use the certificates created and issued by BeyondInsight. You must configure custom certificates in the registry.
Client certificate overview
Client certificates are used to authenticate clients and ensure secure transmission of data between agents and BeyondInsight. Each client certificate contains a public and private key pair. During the SSL handshake, the server requests the client certificate. The client authenticates the certificate before initiating the connection, and the server validates it when it is received.
You can use BeyondInsight generated self-signed client certificates or your own certificates. This allows BeyondInsight to operate in a variety of environments and removes the need to register each system instance with an internet certificate authority.
Client certificates must contain the below details:
- The intended purpose for the certificate. For example, Server Authentication, Client Authentication, or both.
- A Key Usage value of Digital Signature, Key Encipherment, Data Encipherment, Key Agreement.
Certificate registry keys
The custom certificates in the certificate chain must be added to the correct locations. Review the following tables to confirm the correct locations for the server and client certificates.
BeyondInsight (server side)
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\EMS\Client]

Key | Value | Type | Description
---|---|---|---
storename | MY | REG_SZ | The store name. The default value is MY if the key is not present.
servercertname | eEyeEmsServer | REG_SZ | The server certificate name. Use the name of your trusted certificate. The default value is eEyeEmsServer if the key is not present. Used by Application Bus.
certname | eEyeEmsClient | REG_SZ | Needs to be created. The client certificate name. Use the name of your trusted certificate. The default value is eEyeEmsClient if the key is not present. Used by Event Server.
ValidateCertChain | 0 | DWORD | Needs to be created. Set to 0 to turn certificate chain validation off. This is the required value.
Validate certificates
Review the following section to confirm the certificates you created meet the BeyondInsight requirements:
- Confirm the value for the Key Usage. The key usage must indicate that the certificate can be used as a digital signature.
- Confirm the value for the Enhanced Key Usage. Enhanced key usage must indicate that the certificate can be used for server authentication, client authentication, or both.
- Verify the Subject entry. Note that the Subject value is the name of the certificate that must be added to the registry. This example shows the name of the BeyondTrust client certificate.
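The three validation checks above, applied to a custom client certificate before its Subject name is written to the certname registry value from the table in the previous section. This is an added example, not a BeyondTrust script; it assumes the certificate is in the LocalMachine Personal store, that the session is elevated, and that the subject CN MyCompanyEmsClient is a placeholder for your own certificate name.

```powershell
# Added example (not BeyondTrust's own): verify Key Usage, Enhanced Key Usage and Subject
# of a custom client certificate, then register it under the EMS\Client key from the table.
# Assumptions: elevated session on the BeyondInsight server; certificate is in
# LocalMachine\My; 'MyCompanyEmsClient' is a placeholder subject CN.
using namespace System.Security.Cryptography.X509Certificates

$RegPath       = 'HKLM:\SOFTWARE\Wow6432Node\eEye\EMS\Client'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# Returns a list of problems; an empty list means the certificate meets the requirements.
function Test-EmsClientCertificate {
    param([X509Certificate2]$Cert)
    $problems = @()
    $ku  = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    if (-not $ku -or -not ($ku.KeyUsages -band [X509KeyUsageFlags]::DigitalSignature)) {
        $problems += 'Key Usage does not include Digital Signature'
    }
    $ekuOids = if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
    if (-not ($ekuOids -contains $ServerAuthOid -or $ekuOids -contains $ClientAuthOid)) {
        $problems += 'Enhanced Key Usage has neither Server nor Client Authentication'
    }
    if (-not $Cert.HasPrivateKey) { $problems += 'No private key present' }
    return $problems
}

function Register-EmsClientCertificate {
    param([string]$SubjectCN)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$SubjectCN*" } | Select-Object -First 1
    if (-not $cert) { throw "CN=$SubjectCN not found in LocalMachine\My" }
    $problems = Test-EmsClientCertificate -Cert $cert
    if ($problems) { throw "CN=$SubjectCN rejected: $($problems -join '; ')" }
    # The Subject name is what goes into the registry, as the guide notes.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name 'certname' -Value $SubjectCN -Type String
    Set-ItemProperty -Path $RegPath -Name 'ValidateCertChain' -Value 0 -Type DWord
    Write-Host "Registered CN=$SubjectCN ($($cert.Thumbprint)) as certname"
}

Register-EmsClientCertificate -SubjectCN 'MyCompanyEmsClient'
```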