Using the Audit Collector Workload
Audit collectors send audit data to the Delinea Platform, so recorded activities and events can be displayed.
Audit Collectors function as intermediary services that receive and compress real-time activities captured by agents deployed on audited computers. You can deploy more collectors at any point for greater resiliency or improved scale.
We recommend setting up at least two collectors to ensure uninterrupted auditing.
The agent on each audited machine captures user activities and forwards them to a designated collector. When the agent cannot establish a connection with a collector—such as when computers hosting the collector service are offline for maintenance—the agent temporarily stores the session data locally. When the connection is reestablished, the agent transfers this session data to the collector. The collector then transmits the data to the Delinea Platform.
Editing Audit Collector Settings
- Open the Engine management settings page (use the Search bar to find it).
- Select a site.
- Select the Settings tab.
- Click Edit.
- Enable or disable Session Recordings to Platform, or change the port number.
Setting | Description |
---|---|
Send Session Recordings to Platform | When enabled, session recordings are sent from the collector to the platform for analysis and storage. |
Port Number | 5063 TCP is used by default. |
Audit Collector Account Permissions
The permissions described in this section are needed only when you use the Audit Collector as a standalone workload, without the Command Relay, as when using Server Suite with the Delinea Platform. If you are using the Command Relay workload, it takes care of all the permissions that are needed.
For information about using Server Suite with the Delinea Platform, see Server Suite Integration with Delinea Platform.
On the server where you will install the Delinea Platform Engine and the Audit Collector workload, define a service account for Audit Collector, then configure the account with local server permissions, domain permissions, or domain administrator permissions (temporary) as described in the next few sections.
If you do not want to grant any of your organization's users full control at the root level, create the DelineaPlatform OU and grant Delinea full control over it. Delinea then takes care of all child objects in the OU. At a minimum, you must grant Delinea read permissions at the root.
Local Server Permissions
With local permissions on the server where the Delinea Platform Engine and Audit Collector will be installed, the Audit Collector service account can create the DelineaPlatform OU manually before running the setup for Audit Collector. The local server permissions must include the Log on as a batch job permission in order for PCS to work.
To assign the Log on as a batch job permission:
- Select Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Select the Log on as a batch job permission.
- On the Local Security Setting tab, click Add User or Group.
- Navigate to and select the Audit Collector service account to apply the permission.
The Log on as a batch job permission is granted by default to all members of these three AD groups:
- Administrators
- Backup Operators
- Performance Log Users
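To confirm the result of the steps above, you can export the local user rights and check whether the service account holds Log on as a batch job (SeBatchLogonRight), and through which path. The following PowerShell script is an added example, not Delinea tooling; the account name CONTOSO\svc-auditcollector is a hypothetical placeholder, and the script assumes an elevated session on the engine server.

```powershell
# Added example: run in an elevated PowerShell session on the engine server.
# 'CONTOSO\svc-auditcollector' is a hypothetical account name (assumption).
param([string]$Account = 'CONTOSO\svc-auditcollector')

function ConvertTo-Sid([string]$Entry) {
    # secedit writes resolved principals as *S-1-... and others as plain names.
    $e = $Entry.Trim().TrimStart('*')
    if ($e -match '^S-1-') { return $e }
    try {
        ([System.Security.Principal.NTAccount]$e).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }  # the name no longer resolves
}

function Get-UserRightSids([string]$Right) {
    # Export only the User Rights Assignment area of the local security policy.
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
        if (-not $line) { return @() }
        @(($line -split '=', 2)[1] -split ',' |
            ForEach-Object { ConvertTo-Sid $_ } | Where-Object { $_ })
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$accountSid = ConvertTo-Sid $Account
if (-not $accountSid) { throw "Cannot resolve account '$Account'." }

$via = foreach ($sid in (Get-UserRightSids 'SeBatchLogonRight')) {
    if ($sid -eq $accountSid) { 'direct assignment'; continue }
    # Direct members of local groups only; nested domain groups are not expanded.
    $members = Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue
    if ($members.SID.Value -contains $accountSid) { "local group $sid" }
}

[pscustomobject]@{
    Account        = $Account
    Sid            = $accountSid
    BatchLogonVia  = if ($via) { @($via) -join '; ' } else { 'NOT GRANTED' }
    # An explicit "Deny log on as a batch job" entry overrides the grant.
    DirectlyDenied = (Get-UserRightSids 'SeDenyBatchLogonRight') -contains $accountSid
}
```

If BatchLogonVia lists only local group S-1-5-32-544 (Administrators), the account holds the right through administrator membership rather than through the narrower direct assignment described above.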
Domain Permissions
An object named OU=DelineaPlatform must be created at the root of the domain. Permissions giving Full Control to create the OU=DelineaPlatform object and all child objects must be given to the Audit Collector service account. In the Permissions section of the Permission Entry dialog, every checkbox must be selected.