Using the Audit Collector Workload

Audit collectors send audit data to the Delinea Platform, so recorded activities and events can be displayed.

Audit Collectors function as intermediary services that receive and compress real-time activities captured by agents deployed on audited computers. Additional collectors can be deployed at any point for additional resiliency or improved scale.

We recommend setting up at least two collectors to ensure uninterrupted auditing.

The agent on each audited machine captures user activities and forwards them to a designated collector. When the agent cannot establish a connection with a collector—such as when computers hosting the collector service are offline for maintenance—the agent temporarily stores the session data locally. When the connection is reestablished, the agent transfers this session data to the collector. The collector then transmits the data to the Delinea Platform.

Editing Audit Collector Settings

  1. Open the Engine management settings page (use the Search bar to find it).

  2. Select a site.

  3. Select the Settings tab.

  4. Click Edit.

  5. Enable or disable Session Recordings to Platform, or change the port number.

| Setting | Description |
|---|---|
| Send Session Recordings to Platform | When enabled, session recordings are sent from the collector to the platform for analysis and storage. |
| Port Number | 5063 TCP is used by default. The Audit Collector listens on this port. Agents deployed on audited computers forward their captured user activities to the Audit Collector using this port. |

Audit Collector Account Permissions

The permissions described in this section are needed only when you use the Audit Collector as a standalone workload, without the Command Relay, as when using Server Suite with the Delinea Platform. If you are using the Command Relay workload, it takes care of all the permissions that are needed.

For information about using Server Suite with the Delinea Platform, see Server Suite Integration with Delinea Platform.

On the server where you will install the Delinea Platform Engine and the Audit Collector workload, define a service account for Audit Collector, then configure the account with local server permissions, domain permissions, or domain administrator permissions (temporary) as described in the next few sections.

If you do not want to grant any of your organization's users full control at the root level, create the DelineaPlatform OU and grant Delinea full control over it. Delinea then takes care of all child objects in the OU. At a minimum, you must grant Delinea read permissions at the root.

Local Server Permissions

With local permissions on the server where the Delinea Platform Engine and Audit Collector will be installed, the Audit Collector service account can create the DelineaPlatform OU manually before running the setup for Audit Collector. The local server permissions must include the Log on as a batch job permission in order for PCS to work.

To assign the Log on as a batch job permission:

  1. Select Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.



  2. Select the Log on as a batch job permission.

  3. On the Local Security Setting tab, click Add User or group.

  4. Navigate to and select the Audit Collector service account to apply the permission.

The Log on as a batch job permission is granted by default to all members of these three AD groups:

- Administrators

- Backup Operators

- Performance Log Users
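
To confirm the assignment from PowerShell, the following added example (not Delinea code) exports the local user rights with secedit and checks whether the service account holds SeBatchLogonRight, the internal name of Log on as a batch job, either directly or through a local group. The account name is a placeholder, and the script assumes Windows PowerShell 5.1 or later run from an elevated prompt.

```powershell
# Added example, not Delinea code. Run elevated on the collector server.
# 'CONTOSO\svc-auditcollector' is a placeholder service account name.
param([string]$Account = 'CONTOSO\svc-auditcollector')

function Get-BatchLogonPrincipal {
    # Return the principals on the SeBatchLogonRight line of a secedit export.
    param([string[]]$InfLines)
    $line = $InfLines | Where-Object { $_ -match '^\s*SeBatchLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }
    @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } |
        Where-Object { $_ })
}

$sidType = [System.Security.Principal.SecurityIdentifier]
$acctSid = ([System.Security.Principal.NTAccount]$Account).Translate($sidType)

$tmp = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
try {
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'secedit export failed; run elevated.' }
    $entries = Get-BatchLogonPrincipal -InfLines (Get-Content -Path $tmp)
} finally {
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
}

$granted = $false
foreach ($entry in $entries) {
    # secedit writes most entries as '*S-1-...' SIDs; some appear as plain names.
    try {
        $sid = if ($entry.StartsWith('*')) {
            [System.Security.Principal.SecurityIdentifier]::new($entry.Substring(1))
        } else {
            ([System.Security.Principal.NTAccount]$entry).Translate($sidType)
        }
    } catch { Write-Warning "Unresolvable entry: $entry"; continue }

    $via = if ($sid -eq $acctSid) { 'direct assignment' } else { $null }
    if (-not $via) {
        # If the entry is a local group, look for the account among its direct members.
        try {
            $members = Get-LocalGroupMember -SID $sid -ErrorAction Stop
            if ($members.SID -contains $acctSid) { $via = "membership in $sid" }
        } catch { }  # not a local group, or its membership could not be read
    }
    if ($via) { $granted = $true; Write-Output "$Account holds the right via $via" }
}
if (-not $granted) { Write-Warning "$Account lacks 'Log on as a batch job'" }
```

Get-LocalGroupMember lists direct members only, so a grant that reaches the account through a nested domain group is reported as missing and needs a manual check.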

Domain Permissions

An object named OU=DelineaPlatform must be created at the root of the domain. Permissions giving Full Control to create the OU=DelineaPlatform object and all child objects must be given to the Audit Collector service account. In the Permissions section of the Permission Entry dialog, every checkbox must be selected.