Managing Audited Computers and Agents
You can monitor agent status from the Audit Manager console. With audited computers selected in the left pane, Audit Manager displays the name and IP address of each audited computer, whether the agent is currently connected or disconnected, and how long the agent has been running since it was last restarted. You can also see the collector to which the agent is sending data, the audit store and audit store database where the audit data is stored, and the version of the agent software installed on the computer.
An audited system can be either a computer or a network device. Audit Manager displays two kinds of audited systems:
- System-based: A Windows or UNIX computer that is running an agent. You can access these systems either directly or from the Privileged Access Service Admin Portal.
- Vault-based: A Windows or UNIX computer or a network device that is not running an agent (agentless). You can access these systems from the Privileged Access Service Admin Portal.
Because agentless systems do not have an agent installed, Audit Manager displays slightly different information for them: the name, IP address, collector, audit store, and audit store database.
Monitoring Agent Status
You can use the dainfo -d command on audited Linux and UNIX computers to view information about the configuration, connectivity, and auditing status of the agent.
Configuring the UNIX Agent Offline Database
If the UNIX agent is unable to connect to a collector, it spools the session data to local storage. When a collector becomes available, the agent sends the spooled data to that collector.
By default, at least 10% of the allocated disk space must remain available to the offline database; below that threshold, spooling stops and warnings are posted to the agent error log. You can change this percentage by assigning a different value to spool.diskspace.min in the /etc/centrifyda/centrifyda.conf file. For example, to change the minimum to 15%, set the following value:
spool.diskspace.min: 15
If the threshold is reached and a collector is still not available, the agent stops spooling data, and further audit data is lost. If this happens frequently or unexpectedly, you may want to increase the disk space allocation.
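The following monitoring check is an added example, not part of the product or its documentation. It reads spool.diskspace.min from the agent configuration file and reports when free space is at or near the point where spooling stops. Assumptions: the spool directory is passed as an argument because this page does not state its path, free space is measured with df on that file system, and the 5-point warning margin is arbitrary.

```shell
#!/bin/sh
# Added example, not vendor code. Config path, key and 10% default are from the page.
CONF_DEFAULT=/etc/centrifyda/centrifyda.conf
DEFAULT_MIN=10

# Print spool.diskspace.min from config file $1, or the default when unset.
# Assumption: the last uncommented "key: value" line is the effective one.
get_spool_min() {
    conf=${1:-$CONF_DEFAULT}
    val=$(sed -n 's/^[[:space:]]*spool\.diskspace\.min[[:space:]]*:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    if [ -n "$val" ] && [ "$val" -le 100 ]; then echo "$val"; else echo "$DEFAULT_MIN"; fi
}

# Print the percent of free space on the filesystem holding directory $1.
# Assumption: df's view approximates the figure the agent compares.
fs_free_pct() {
    df -P "$1" 2>/dev/null | awk 'NR==2 { sub(/%/, "", $5); print 100 - $5 }'
}

# Classify free% ($1) against min% ($2): CRIT means spooling stops and audit
# data is lost; WARN means within $3 points (default 5, arbitrary) of that.
spool_status() {
    free=$1; min=$2; margin=${3:-5}
    if [ "$free" -le "$min" ]; then echo CRIT
    elif [ "$free" -le $((min + margin)) ]; then echo WARN
    else echo OK
    fi
}

# check_spool SPOOL_DIR [CONF]: one status line; exit 0=OK 1=WARN 2=CRIT 3=error.
check_spool() {
    dir=$1; conf=${2:-$CONF_DEFAULT}
    min=$(get_spool_min "$conf")
    free=$(fs_free_pct "$dir")
    [ -n "$free" ] || { echo "ERROR cannot read free space for $dir"; return 3; }
    state=$(spool_status "$free" "$min")
    echo "$state free=${free}% min=${min}% dir=$dir"
    case $state in OK) return 0 ;; WARN) return 1 ;; *) return 2 ;; esac
}

# Run only when a spool directory is given (the page does not state its path).
if [ "$#" -gt 0 ]; then check_spool "$@"; fi
```

Scheduled from cron or a monitoring agent, the exit code lets you alert on WARN before audit data is dropped.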
Removing an Audited Computer
If an audited computer has been removed from the audit installation, it continues to be listed in Audit Manager as Disconnected. To remove the decommissioned audited computer, select Delete from its context menu.