Managing Collectors

You can select the Collector node in Audit Manager to view details about each collector you have added to the installation. You can then expand the Collectors node and select an individual collector in the left pane to display information about the audited computers that send sessions to that collector in the right pane.

The following table describes the columns available in the right pane for collectors.

Column name: Description

Collector: Name of the collector.
IP Address: Network address of the collector.
Status: Whether the collector is connected to or disconnected from its audit store. A collector that has never been successfully assigned to an audit store is not listed in the left pane at all.
Uptime: How long a connected collector has been running since the computer was last booted.
Last Update Time: The date and time of the last update received by the collector.
Port Number: The port through which the collector communicates with its assigned audited computers and audit store. The default is 5063.
Audit Store: The audit store to which this collector is assigned.
Audit Store Database: The active database to which the collector is currently sending audit data.
Connected Machines: The number of audited computers currently connected to this collector. Because agents can communicate with a collector only if the agents and the collector are in the same Active Directory forest, this count includes only audited computers in the collector's forest.
Disconnected Machines: The number of audited computers that the collector is aware of but that are not currently connected to it. The collector is aware only of audited computers that have connected to it at some point.
Collector Version: The version of the collector software installed on the computer.

Monitoring Collector Status

The Collector Control Panel is available from the Start menu on any Windows computer on which you have installed a collector.

The Collector Control Panel enables you to monitor the local collector by giving you an overview of collector connectivity and status, including the collector’s current installation, audit store, audit store database, port number, and service status. To change the collector’s port number, installation, or authentication, click Configure. If you change the collector configuration, it might take a minute for the change to be reflected in the Collector Control Panel.

You can also use the Collector Control Panel to start, stop, or restart the collector service, and to generate more detailed information about the status of the collector. To see detailed information about the installation, audit store, audit store database, trusted agents, and connectivity between components, click the Troubleshooting tab, then click Diagnostics. The collector will generate a report and display the information in a separate window.
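The Control Panel reports connectivity from the collector's own point of view. The following PowerShell script is an added example (not Centrify's own tooling) for cross-checking that view at the network level from an elevated session on the collector host: it confirms that something is listening on the collector port and lists the peers with established connections to it. It assumes the default port 5063 from the table above; pass -Port if the collector was configured with a different one. The host name collector01 in the final comment is a placeholder.

```powershell
# Added example (not Centrify's own code): port-level health check for a collector,
# to run alongside the Collector Control Panel. Assumes the default port 5063 from the
# collector table; pass -Port if the collector was configured differently.

function Get-CollectorPortStatus {
    param([int] $Port = 5063)

    # Is anything listening on the collector port on this host?
    $listening = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue

    # Established sessions on that port, grouped by peer address. Per the table above
    # the port carries traffic from both audited computers and the audit store, so this
    # is only a rough local view of "Connected Machines".
    $peers = Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue |
             Group-Object RemoteAddress |
             Select-Object @{ n = 'RemoteAddress'; e = { $_.Name } }, Count

    [pscustomobject]@{
        Port      = $Port
        Listening = [bool] $listening
        PeerCount = @($peers).Count
        Peers     = $peers
    }
}

# Run on the collector host.
$status = Get-CollectorPortStatus
$status | Format-List Port, Listening, PeerCount
$status.Peers | Format-Table -AutoSize

# From an audited Windows computer that Audit Manager shows as disconnected, confirm
# the path to the collector before troubleshooting the agent itself. "collector01" is
# a placeholder host name.
# Test-NetConnection -ComputerName collector01 -Port 5063 | Select-Object ComputerName, TcpTestSucceeded
```

A collector that is listening but has no established peers usually points at a network or forest-boundary problem rather than at the collector service; remember that agents in a different Active Directory forest cannot connect at all.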

Modifying the Command Prompt Recognized by the Collector

For the collector to identify the command events executed in a session, it must also be able to identify the command prompt. Although there are several characters that are commonly used and recognized by default, most computers also allow you to customize the command prompt. If a customized command prompt is not detected by the collector, commands will not be displayed properly in the session Events list, making it difficult for auditors to see the commands executed in a selected session.

To enable the collector to detect custom or unusual command prompts, you can add a registry key on the computer where the collector is installed and specify a text string or a regular expression that will match the command prompt.

To specify a regular expression for the command prompt:

  1. Log on to the computer where the collector component is installed and running.

  2. Open the Registry Editor.

  3. Expand the HKEY_LOCAL_MACHINE > SOFTWARE > Centrify > DirectAudit registry.

  4. Select the Collector key, right-click it, then select New > String Value.

  5. Type Prompt as the name of the new value.

  6. Select the new Prompt value, right-click it, then select Modify.

  7. Type a text string or regular expression that will enable the collector to identify the command prompt you are using on computers you are auditing.

    If you don’t define a registry value, the default regular expression ^[^#%>\$]*[#%>\$]\s* is used to detect the command prompt.
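The same change can be made and, more importantly, checked from an elevated PowerShell session on the collector host. The script below is an added example, not Centrify's own code. The registry path follows the steps above; the sample prompt lines and the custom pattern are constructed for illustration, and the script assumes that the collector's regular-expression dialect treats these simple patterns the same way .NET does. It shows which of the sample prompts the default expression misses, tests a candidate expression against all of them, and only then writes the Prompt value.

```powershell
# Added example (not Centrify's own code): set and sanity-check the DirectAudit
# collector's Prompt registry value. Run elevated on the collector host.
# Assumption: the collector's regex dialect matches .NET's for these simple patterns.

$KeyPath      = 'HKLM:\SOFTWARE\Centrify\DirectAudit\Collector'
$DefaultRegex = '^[^#%>\$]*[#%>\$]\s*'   # used by the collector when no Prompt value exists

# Constructed sample lines, as they might appear at the start of a session line.
$SamplePrompts = @(
    '[alice@web01 ~]$ ',     # common bash prompt, recognised by the default
    'root@db01:~# ',         # root prompt, recognised by the default
    'alice@web01 ~) ',       # customised prompt ending in ")" - missed by the default
    'PROD-app02 :: '         # customised prompt ending in "::" - missed by the default
)

function Test-PromptPattern {
    param(
        [Parameter(Mandatory)] [string]   $Pattern,
        [Parameter(Mandatory)] [string[]] $Lines
    )
    # For every sample line, report whether the pattern would recognise it as a prompt.
    foreach ($line in $Lines) {
        [pscustomobject]@{
            Line    = $line
            Matches = [regex]::IsMatch($line, $Pattern)
        }
    }
}

# 1. Show what the default expression misses.
Write-Host 'Default pattern:'
Test-PromptPattern -Pattern $DefaultRegex -Lines $SamplePrompts | Format-Table -AutoSize

# 2. Candidate expression: keep the default terminators and add the custom ones.
#    Every alternative stays anchored at the start of the line so that command text
#    containing "$" or ">" is not mistaken for a prompt.
$CustomRegex = '^(?:[^#%>\$]*[#%>\$]|\S+ ~\)|\S+ ::)\s*'
Write-Host 'Custom pattern:'
Test-PromptPattern -Pattern $CustomRegex -Lines $SamplePrompts | Format-Table -AutoSize

# 3. Refuse to write the value while any sample prompt is still missed.
$missed = Test-PromptPattern -Pattern $CustomRegex -Lines $SamplePrompts | Where-Object { -not $_.Matches }
if ($missed) {
    throw "Pattern still misses: $($missed.Line -join ', ')"
}

# Record the existing value, if any, so the change can be rolled back.
$existing = (Get-ItemProperty -Path $KeyPath -Name Prompt -ErrorAction SilentlyContinue).Prompt
if ($existing) { Write-Host "Current Prompt value: $existing" }
else           { Write-Host 'No Prompt value set; the default expression is in use.' }

# REG_SZ value named Prompt under the Collector key, exactly as in the manual steps.
# -Force overwrites an existing value.
New-ItemProperty -Path $KeyPath -Name 'Prompt' -PropertyType String -Value $CustomRegex -Force | Out-Null
Write-Host "Prompt set to: $CustomRegex"
```

Collect the real prompts from the audited computers (the PS1 values in use, including any per-user customisations) before choosing the pattern; an expression that is too broad will swallow the first word of commands, which is as confusing in the Events list as a prompt that is never detected. The page does not say whether the collector reads the value immediately, so restart the collector service from the Collector Control Panel after the change and confirm the result in a fresh session.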

Removing Collectors

If you want to remove a collector, run the installer again on the collector's computer and select the collector component. The Collector Setup wizard Welcome page appears.

Because a collector is present on the computer, the next page enables you to select Change, Repair, or Remove the collector. Click Remove.