3.4 Installing Change Guardian Components

You have to install the following Change Guardian components:

  • Policy Editor: The interface that allows you to configure policies and assign policies to assets that you want to monitor. The assets that Change Guardian monitors are Microsoft Active Directory (AD), Microsoft Azure AD, Dell EMC, Microsoft Exchange, Group Policy, NetApp, Linux and UNIX, and Windows.

  • Change Guardian Agent for Windows: Collects change event data for Windows, Windows Active Directory, Microsoft Azure Active Directory, Microsoft Exchange, Group Policy, and Dell EMC.

  • Security Agent for UNIX: Collects change event data for Linux, UNIX, and NetApp.

  • SmartConnector for Change Guardian: Collects change event data in Common Event Format (CEF) from Dell EMC and Microsoft Exchange.

For information about requirements and recommendations for computers running the Policy Editor, see the Technical Information for Change Guardian 5.2 page.

If you want to install a custom configuration not identified in the sections that follow, or if you have questions, contact Technical Support.

IMPORTANT: You can install the Change Guardian components only as an administrator.

3.4.1 Installing Policy Editor

To install the Policy Editor:

  1. From Administration Console, click Integration > Agent Manager.

  2. Click All Assets, and then click Manage Installation and select Download.

  3. Select Change Guardian Policy Editor, and then click Start Download.

    Agent Manager downloads ChangeGuardianPolicyEditor.zip to your computer.

  4. Copy ChangeGuardianPolicyEditor.zip to the computer where you want to install the Policy Editor and extract the files.

    The package includes NetIQCGPolicyEditorInstaller.exe and NetIQCGPolicyEditorInstaller.config. Both files must be in the same directory.

  5. Log in to the computer where you want to install the Policy Editor with an administrator account.

  6. Run the installation program, NetIQCGPolicyEditorInstaller.exe, and follow the instructions.

  7. When the installation completes, click Finish.

Accessing Policy Editor

When you start the Policy Editor you must connect to the Policy Repository, which runs on the Change Guardian server, with an account that is a member of the Administrator or Change Guardian Administrator role.

NOTE: You must always launch Policy Editor with an account in the local Administrators group.

3.4.2 Installing Change Guardian Agent for Windows

You can install Change Guardian Agent for Windows in the following ways:

  • Install agents remotely using the Agent Manager

  • Install the agent manually on a local computer

NOTE: Agent Manager and the Change Guardian Agent for Windows are in FIPS mode by default.

The following sections provide information about installing Change Guardian Agent for Windows.

Remote Installation

Remote installation using the Agent Manager provides a convenient and uniform method for installing Change Guardian Agent for Windows on one or more computers.

To remotely install agents, you must first add the assets (computers) where you want to install agents. You can import assets from Active Directory or a text file, or manually add assets. After you add assets, select the assets to which you want to deploy and install the agents.

To install Change Guardian Agent for Windows using Agent Manager:

  1. From Administration Console, click Integration > Agent Manager.

  2. From the assets list, select the computers where you want to deploy the agent. If you select multiple computers, they must use the same credentials.

    For more information, see Adding Assets.

  3. Click Manage Installation, and then select Install.

  4. For a newly added asset, log in as root to the computer that you want to connect to, and then click Next.

    NOTE: You must be logged in as an administrator to deploy agents. The account must be the local administrator account or a domain account in the Local Administrators group.

  5. For the agent version, select Change Guardian Agent for Windows Version.

  6. For the agent configuration, you can choose the default configuration. If you want to modify the default configuration, use the Edit option to customize the default configuration.

  7. Otherwise, if required, you can add a new configuration using the Add option.

  8. Click Start Installation.

Agent Manager initiates the action that you selected. Use the In progress Tasks, Completed Tasks, and Failed Tasks tabs to monitor the progress.

NOTE: When you use the Agent Manager to install Change Guardian Agent for Windows, Agent Manager communicates with the agent through the Agent Management service.

To reconfigure an agent using Agent Manager:

  1. Ensure that you have completed the steps in section Adding Assets.

  2. From the assets list, select the computer where you want to deploy an agent.

  3. Provide credentials for an account that can connect to the computer and click Next.

    The account must be the local administrator account or a domain account in the Local Administrators group.

  4. Click Manage Installation, and then select Reconfigure.

  5. Perform the following steps:

    1. For the agent version, select Change Guardian Agent for Windows Agent Version, where Agent Version is the version of the Change Guardian Agent for Windows you want to deploy.

    2. For the agent configuration, add a new configuration using the Add option, and fill in the details.

    3. Click Start Reconfiguration.

Manual Installation

With Change Guardian 5.0 and later, two communication profiles are available: legacy (profile_iqc) and the newer enhanced (profile_javos). For the enhanced communication profile, download and use host-specific certificates for each agent host, along with the agent artifacts, to complete the manual installation.

For reference, the communication profile that Change Guardian uses is determined as indicated in the table below:

Table 3-1 Change Guardian Profile Types

| Profile Type | Description |
|---|---|
| profile_iqc (legacy) | The Change Guardian server upgrade path includes version 4.2.1 or earlier, but the communication profile is not explicitly switched to profile_javos. |
| profile_javos (enhanced) | The Change Guardian server is a clean install of version 5.0 and later or the profile is explicitly switched to profile_javos in case of an upgrade to version 5.0 and later. |

For more information, see Secure Communication Profile.

Agent Certificates and Artifacts

You must use Change Guardian Agent Manager to download and install agent artifacts and certificates on one or more hosts.

NOTE: You can use agent artifacts and certificates only for the server specified and one at a time.

To download agent certificates and artifacts:

  1. Log in to the Administration Console.

  2. Click Integration > Agent Manager.

  3. Click All Assets > Manage Installation > Download.

  4. Select the Agent certificates and artifacts package.

  5. Specify the hostname and the IP address, and then click Start Download.

  6. Before installing the agents, copy and extract the ChangeGuardianAgentCertificates.zip file to the agent artifact directory.

To manually install Change Guardian Agent for Windows:

  1. From Administration Console, click Integration > Agent Manager.

  2. Click All Assets, and then click Manage Installation and select Download.

  3. Download the agent artifacts and certificates. See Agent Certificates and Artifacts for the procedure.

  4. Select the package you want to download and the configuration you want to use, and then click Start Download.

    Agent Manager downloads ChangeGuardianAgentforWindows.zip to your computer.

  5. Copy ChangeGuardianAgentforWindows.zip to the computer where you want to install the Change Guardian Agent for Windows and extract the files.

    Agent artifacts include: NetIQCGAgentSilentInstaller.exe and NetIQCGAgentSilentInstaller.config. The configuration file contains the configuration you chose when you downloaded agent artifacts.

    NOTE: Both agent artifacts and certificates should be in the same directory to successfully complete the installation.

  6. Go to the directory where you extracted the files, right-click the NetIQCGAgentSilentInstaller.exe file, and select the Run as administrator option.
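A preflight check for the manual installation above, as an added example that is not part of the product documentation. The default paths in `$ArtifactDir` and `$CertZip` are hypothetical, and the script assumes the certificate package was extracted directly into the artifact directory.

```powershell
# Added example: preflight before running NetIQCGAgentSilentInstaller.exe.
# $ArtifactDir and $CertZip defaults are hypothetical; adjust them to your environment.
param(
    [string]$ArtifactDir = 'C:\Temp\CGAgent',
    [string]$CertZip     = 'C:\Temp\ChangeGuardianAgentCertificates.zip'
)

Add-Type -AssemblyName System.IO.Compression.FileSystem
$problems = @()

# The installer has to be run as administrator.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems += 'Session is not elevated.'
}

# Installer and configuration file, as named in the procedure.
foreach ($name in 'NetIQCGAgentSilentInstaller.exe', 'NetIQCGAgentSilentInstaller.config') {
    if (-not (Test-Path -LiteralPath (Join-Path $ArtifactDir $name) -PathType Leaf)) {
        $problems += "Missing agent artifact: $name"
    }
}

# Every file in the certificate package must sit in the same directory as the artifacts.
if (Test-Path -LiteralPath $CertZip -PathType Leaf) {
    $zip = [System.IO.Compression.ZipFile]::OpenRead($CertZip)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName.EndsWith('/')) { continue }   # skip directory entries
            $target = Join-Path $ArtifactDir $entry.FullName
            if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
                $problems += "Certificate file not extracted: $($entry.FullName)"
            }
        }
    } finally { $zip.Dispose() }
} else {
    $problems += "Certificate package not found: $CertZip"
}

# Record SHA-256 hashes of what is about to be installed, for the change record.
Get-ChildItem -LiteralPath $ArtifactDir -File -Recurse -ErrorAction SilentlyContinue |
    Get-FileHash -Algorithm SHA256 | Format-Table Hash, Path -AutoSize

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Preflight passed: artifacts and certificates are in the same directory.'
```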

3.4.3 Installing Security Agent for UNIX

For information about installing Security Agent for UNIX, see Security Agent for UNIX documentation.

3.4.4 Installing SmartConnector for Change Guardian

To collect events from Dell EMC and Microsoft Exchange assets, you must install the SmartConnector for Change Guardian, which collects events in Common Event Format (CEF).

At the time of installation, consider the following:

  • SmartConnector for Change Guardian and the assets must be members of the same domain.

  • You must not install the agent on a Domain Controller.

Pre-task for Microsoft Exchange PowerShell:

  1. Open Local Group Policy Editor.

  2. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.

  3. Set Turn on Script Execution to Enabled.

  4. Set Execution Policy to Allow local scripts and remote signed scripts.

To install SmartConnector for Change Guardian:

  1. Download SmartConnector for Change Guardian from the Agent Manager.

  2. Open SmartConnectorForChangeGuardian-7.14.exe to launch the SmartConnector Installer for Change Guardian.

  3. In the installer window, do the following:

    • Specify the local path in which you want to install the SmartConnector for Change Guardian.

    • Select the connector to configure:

      • EMC Unity and VNXe Storage: To monitor Dell EMC

      • Microsoft Exchange PowerShell: To monitor Microsoft Exchange

    • Specify the location to store events in CEF.

    • Specify values for File Rotation Interval and File Size.

      File Rotation Interval is the interval, in seconds, at which a new file is created. A new file is created when either the File Rotation Interval or the file size, in MB, exceeds the set value.

    • For Microsoft Exchange PowerShell, enter the FQDN and the PowerShell path.

  4. Open Windows services, and restart the required services:

    • ArcSight Dell EMC Unity and VNXe Storage

    • ArcSight Microsoft Exchange PowerShell

    NOTE: Restart the services only once after the installation. Due to limitations in ArcSight SmartConnector, change events are not generated in CEF after the installation. Restarting the appropriate services starts the generation of events in CEF.

Post Installation Configuration for Microsoft Exchange PowerShell

You must configure the SmartConnector for Change Guardian services to run as a user who has access to receive the Exchange audit log.

To run the services as a domain administrator:

  1. Open Windows services, and select ArcSight Microsoft Exchange PowerShell.

  2. Open Properties, and then click Log On.

  3. Click This Account > Browse > Locations, and select the domain name.

  4. Specify the domain administrator credentials.
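A verification of the Microsoft Exchange PowerShell pre-task and of the service logon account configured above, as an added example that is not part of the product documentation. It assumes the service display name is exactly the one shown in the steps and that the execution policy was set through the Local Group Policy path given in the pre-task.

```powershell
# Added example: confirm the Exchange PowerShell pre-task and the service logon account.
$serviceDisplayName = 'ArcSight Microsoft Exchange PowerShell'   # display name from the procedure
$findings = @()

# A policy set under Computer Configuration is reported at the MachinePolicy scope.
# "Allow local scripts and remote signed scripts" corresponds to RemoteSigned.
$policy = Get-ExecutionPolicy -Scope MachinePolicy
if ($policy -ne 'RemoteSigned') {
    $findings += "MachinePolicy execution policy is '$policy', expected 'RemoteSigned'."
}

# Win32_Service.StartName is the account set on the Log On tab of the service.
$svc = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -eq $serviceDisplayName }

if (-not $svc) {
    $findings += "Service '$serviceDisplayName' is not installed."
} else {
    $builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    if ($builtIn -contains $svc.StartName) {
        $findings += "Service runs as built-in account '$($svc.StartName)', not a domain account."
    }
    if ($svc.State -ne 'Running') {
        $findings += "Service state is '$($svc.State)'; restart it after changing the logon account."
    }
}

# Summary object that can be logged or exported with the change record.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    ExecutionPolicy = "$policy"
    ServiceAccount  = if ($svc) { $svc.StartName } else { $null }
    ServiceState    = if ($svc) { $svc.State } else { $null }
    Findings        = $findings
}
```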

For information about uninstallation and conceptual information about ArcSight SmartConnector, see the following guides on the ArcSight Connectors Documentation site:

  • MS Exchange PowerShell

  • Dell EMC Unity and VNXe Storage

  • SmartConnector User Guide