One of the things we’ve consistently heard over the years is that administrator’s need a way to find out who did what in their system. This could be for security purposes, compliance purposes, or just so you can find out who did something when an unwanted event occurs in your environment. ZENworks 11SP3 introduces new capabilities for auditing events that occur in ZENworks Control Center and on the managed device. ZENworks 11SP3 provides auditing for the following products: ZENworks Configuration Management, ZENworks Patch Management, ZENworks Endpoint Security Management and ZENworks Full Disk Encryption. The initial audit implementation in ZENworks 11SP3 provides the following auditing capabilities:
Audit most changes in ZENworks Control Center. ZENworks 11SP3 allows you to enable various “Change Events” that deal with important changes that can be made in ZENworks Control Center. At the time of release approximately 80% of the change events related to the ZCM, ZPM, ZESM and ZFDE are audited. The remaining 20% will be rolled-out in future releases based on customer feedback. In ZENworks 11SP3 change audit events are controlled at the zone level.
Audit Remote Management operations. ZENworks 11SP3 allows you to audit the remote management events that occur against a device. This includes tasks such as Remote Control, Remote View, File Transfer, Remote Execute, and Remote Diagnostics. Using this auditing capability you will have a centralized log of who performed the operation, when they did it, and in the case of File Transfer, Remote Execute and Remote Diagnostics you will be able to capture what they did during the session. Remote Management audit events can be enabled at the zone, device folder, or at each individual device.
Audit other core agent capability. ZENworks 11SP3 allows you to audit additional agent focused events such as ZENworks login and logout, password changes through the ZENworks agent, and location and network environment changes as a device moves from one location to another. These events can be enabled at the zone, device folder or at each individual device.
Audit Endpoint Security Management events. ZENworks 11SP3 also introduces the ability to audit files that are being transferred to or from removable media as well as Security Policy change events. These events can be enabled at the zone, device folder or at each individual device.
Because the amount of data that audit can generate is significant, ZENworks 11SP3 requires that this data be stored in a separate database. This prevents the large amount of data stored in the audit tables from degrading the performance of the overall ZENworks system. Additionally, from a security perspective this means that the audit database is independent from the actual operational database. During the upgrade or install of ZENworks 11SP3 you will be prompted to provide connection information for both the operational database (install only) and the audit database.
The audit database must be stored on a database that uses the same database platform and version as the operational database. It may be hosted on either the same database server or a separate database server. In the case of a large implementation, it is typically recommended that the audit database be placed on at least a separate disk from the operational database, if not on a completely independent database server.
As agents generate events they are typically cached on the device and then rolled-up. The auditing capabilities of ZENworks 11SP3 following the same procedure as the other events such as Inventory, Patch Scans, Status and Messages data, with one exception. The data stored in the audit events is protected against tampering and encrypted as it is sent to the server. This means that your audit data will use the collection servers defined in the Closest Servers of the active Location or Network Environment to get the audit data stored into the database. Additionally, audit data can be configured to only be sent to the collection servers when the device is in specific locations or network environments.
After you install or upgrade to ZENworks 11SP3, all of the auditing capability of the product is available, but no events are enabled by default. This prevents a large amount of audit data from being built up unless you enable events. To configure audit events you must do the following:
In ZENworks Control Center, if you want to enable an event for the entire zone select Configuration > Audit Management > Events Configuration. If you want to enable agent events on a folder or device you can select Settings > Audit Management > Events Configuration on the device. When you do this you will see an empty data grid as there are no events currently enabled.
Click Add to view all of the available events that can be audited, as shown below:
Select the categories or events that you wish to have tracked by the system.
Define a Criticality for the event, an amount of time to keep the event, and optionally the means you want to use to notify someone of the event.
Click OK to save your changes. On the next refresh the managed devices will read this information and begin logging the configured events.
Be sure to only those events that you are interested in. If you enable more than this there will be more traffic and database utilization as well as many more events stored in the database.
The data in the database is configured to automatically be purged once the event reaches its expiration date, based on the Day to Keep set for that type of event. If you wish to change the time when this pruning operation occurs, how long it runs or one which server it runs you can do this by select Configuration > Audit Management > Audit Purge Schedule. The dialog below shows the configuration settings:
The first way to view the audit data is through the ZENworks Control Center zone audit dashboard. To access this page, simply click the Dashboard link in ZENworks Control Center. A sample dashboard is shown below:
From this page you can see a zone wide view of the audit events that have been logged into the system. You can see key indicators about top events and impacted objects and can drill into the event log view in a filtered manner. By default this dashboard shows you an overview of events in the last 4 hours. If you want to see more data, you can choose alternative schedules.
At the zone, or on each object, there is now an Audit Log tab. This audit log tab lets you view all of the events that have occurred for the object that you are looking at. The view here is similar to the Windows Event Viewer, and is categorized in a similar matter as the event configuration page. You can browse through events that have occurred and if you need more detail, click the event to see the event details, as shown below:
In addition to being able to view audit data in the ZENworks Control Center from the audit log and dashboard you can also use the new ZENworks Report Server to report against the events in the database. In order for you to do this you simply need to setup the ZENworks Report Server on a Windows or Linux server in your environment and then point it at your ZENworks Primary Server. When you create Ad Hoc reports you will now see a new ZENworks Audit Domain. You can then easily select the fields you are interested in for your report, as shown below:
By using the ZENworks Audit domain you are then able to create custom tabular, cross tab, and chart reports. You can further mix and match these reports into dynamic dashboards that provide you the data that matters to you at a glance.
The auditing capabilities of ZENworks 11SP3 makes it possible for you to monitor changes that are happening in ZENworks Control Center as well as events that are happening on your managed devices. New tools for viewing and reporting against this data make it easy to quickly and easily find the important events that are occurring. Using these tools you can now quickly answer the important security questions you have when it comes to operations performed within ZENworks.