Previous Topic: IntroductionNext Topic: Installing an Agent on Linux Systems

Agent Installation GuideInstalling an Agent on a Windows System

Installing an Agent on a Windows System

You can install an agent on either a Windows 32-bit system or a Windows 64-bit system.

If you install the agent on a Windows 64-bit system, CA User Activity Reporting Module can receive events from only integrations that are based on the following:

This section contains the following topics:

Workflow for Agent Installation on Windows

Agent Deployment Flowchart for Windows Platforms

Least-Privileged User Requirements

How to Install Manually

How to Install Silently

Maintenance Considerations

Installing an Agent with CA Software Delivery

Workflow for Agent Installation on Windows

Use the following workflow as a guide:

  1. Plan agent deployment on Windows in a way that makes it possible to use the same response file for multiple silent installations without modification..
    1. Identify the Windows hosts to target for agent installation. Identify a host for first installation and connector export, and then one for testing silent installation.
    2. Plan a common user name and password to define on each target host for the low-privileged user.
    3. View or set the agent authentication key to use for all installations.
    4. Identify the host name or IP address of a common collection server for Windows agents. (Those agents can be installed with the same response file.)
    5. (Optional) Create a setup checklist with these values.
      • Installation path for installed agent: C:\Program Files\CA\elmagent\.
      • FIPS mode: enable or disable
      • Collection server hostname or IP address
      • Agent authentication key
      • Agent user name and password
      • Name of the connectors file you plan to export: Connectors.xml.
  2. Prepare a host and install the first agent.
    1. Create a low-privileged agent-user account with the planned credentials.
    2. Grant the agent-user access to Windows Security.
    3. Download the agent binaries to the desktop for interactive installation.
    4. Install the agent interactively and verify successful agent installation.
  3. Prepare files for broad deployment and test a silent installation
    1. Identify a test host, that is, a host on which to create a response file and test silent installation.
    2. Create connectors on the first installed agent, test them, then export the connectors. Save the Connectors.xml file to the %WINDIR% directory on the test host.
    3. Download agent binaries to %WINDIR%.
    4. Create a low-privileged user with the planned credentials and grant the agent-user access to Windows Security.
    5. Create a response file, using the values you recorded in the setup checklist.
    6. Invoke a silent installation on the test host.
    7. Confirm that results are desired results for remaining agents. If not, make the needed adjustments before continuing.
  4. Prepare remaining target hosts and deploy agents with tested files.
    1. Identify the rest of the target hosts for agent installation.
    2. Prepare each host for silent installation. If installing with the low-privileged user credentials, add the user and assign required access.
    3. Use CA Software Delivery to get the agent package; unseal the package and replace the sample response file with the response file you tested, and also add the Connectors.xml file. The package already contains the binaries.
    4. Distribute and deploy the packages to the target hosts with the CA Server interface.

Agent Deployment Flowchart for Windows Platforms

The following flowchart represents graphically the typical workflow for agent deployment to hosts with Windows operating environments.

Flowchart of the four major steps for agent deployment.

Least-Privileged User Requirements

While you can run the agent as a Windows Administrator user, it is a better security practice to create a least-privileged account for the agent to use. This user account is referred to as the agent-user. You can give the agent-user any account name you like, such as elmagentusr. Create an agent-user account and grant this account access to Window security logs before you install the agent.

Note: You will specify the agent-user name and password during agent installation. The install program automatically assigns the minimum-required privileges on the agent installation directory and the agent service to the agent-user you specify. If you choose to specify an Administrator account during installation, you can create the agent-user account later, grant it access to the security logs, and assign the required privileges by running the AgentAuthUtil utility.

The base requirements for the least-privileged agent-user are the following:

To create the agent-user account, grant this account required permissions, and install the agent, you must be an administrator on the Windows server. To perform other agent-related tasks, you must log on to the CA User Activity Reporting Module server with an Administrator account.

More information

Updating an Agent with New User Credentials

How to Install Manually

To install an agent, you must log onto the target server with Windows administrative privileges. The following sequence is the recommended way to prepare for installation and install the agent:

  1. Create a Windows user account for the agent.
  2. View or set the agent authentication key.
  3. Download the agent installer (agent binaries) on the server where you plan to install the agent.
  4. (Optional) Export a connector configuration to the server where you plan to install the agent.
  5. Install the agent with the agent installer.

    During installation, you enter the agent user account name and password, domain name, and the agent authentication key. If you exported the connector file, browse for and select it.

More information:

View or Set the Agent Authentication Key

Install the Agent

Updating an Agent with New User Credentials

Create a User Account for the Agent

Export a Connector Configuration

View or Set the Agent Authentication Key

If you are a CA User Activity Reporting Module Administrator, you can set the agent authentication key or view the current setting.

To view or set the agent authentication key

  1. Click the Administration tab and then click the Log Collection subtab.

    The Log Collection Explorer displays in the left pane.

  2. Select the Agent Explorer folder.

    A toolbar appears in the main pane.

  3. Click Agent Authentication Key.
  4. Take one of the following actions:

    Note: The default value is: This_is_default_authentication_key.

  5. Click Save.

Create a User Account for the Agent

Before installing the agent, you can create a new, low-privilege user account for the agent in the Windows Users folder. Although the use of low-privileged accounts is considered a best practice, it is not mandatory.

When you supply the agent user credential information during a manual install or in a response file, you can enter local credentials of the new agent user account.

To create a Windows user account for the agent

  1. Log on to the host where you plan to install the agent, using Administrator credentials.
  2. Click Start, Program Files, Administrative Tools, Computer Management.
  3. Expand Local Users and Groups.
  4. Right-click Users and select New User.
  5. Enter a user name.
  6. Enter and confirm the password.

    Important! Remember this name and password or record it. You will need it when you install the agent.

  7. Click Create, and then click Close.

You will use the user name and password you set for this agent when performing the following tasks:

If you create an agent user account with a different agent-user name and password on other computers, you must update that data when preparing a response file for re-use.

Grant the Agent-User Access to Windows Security Logs

Administrator-level access for the agent-user is not necessary or recommended. For access to local and remote WMI events, the agent-user should be a least-privileged user account which has the user right, Manage auditing and security log. (This user right is also known as the SeSecurityPrivilege.) You can set this user right for the agent-user in the Local Security Settings, Local Policies area.

To set the local security policy

  1. Access the Control Panel.
  2. Open the Administrative Tools folder.
  3. Double-click the Local Security Policy utility.
  4. Expand the Local Policies node.
  5. Select the User Rights Assignment node, and scroll down through the alphabetical list to the option, Manage auditing and security log.
  6. Double-click Manage auditing and security log.
  7. Click Add User or Group....

    The Select Users or Groups appears.

  8. Enter the name of the agent-user account you created and click Check Names.

    This action verifies that the user account name is populated correctly in the list.

  9. Click OK.

Download Agent Binaries

You can place the agent installation program on the target Windows server in one of the following ways:

You must be an Administrator or have a role that grants you write access to the Administrative tab and Log Collection subtab of the CA User Activity Reporting Module interface.

To download the agent installer from CA User Activity Reporting Module

  1. Log on to the computer where you want to install the agent, connect to the CA User Activity Reporting Module interface and log on with Administrator credentials.
  2. Click the Administration tab.

    The Log Collection subtab displays the Log Collection Explorer in the left pane.

  3. Select the Agent Explorer folder.

    A toolbar displays in the main pane. The downward-pointing arrow button is Download Agent Binaries.

  4. Click Download Agent Binaries.

    Links for the available agent binaries appear in the main pane.

  5. Select the desired Windows platform.

    The dialog, Select location for download by <IP address>, appears.

  6. Select the location based on the type of installation you want:
  7. Click Save.

    A message showing the download progress of the selected agent binary appears, followed by a confirmation message.

  8. Click OK.

    If you downloaded to the desktop, the agent installation setup launcher appears there.

Install the Agent

You must be a Windows Administrator on the computer on which you plan to install the agent. Before you begin the installation, gather the following information:

To install a Windows agent

  1. Double-click the agent installation launcher.

    The installation wizard starts.

  2. Click Next, read the end user license agreement, indicate your acceptance of the terms to continue, and click Next.
  3. Accept the installation path or change it, and click Next.
  4. Choose whether to install in FIPS mode when prompted.

    The agent FIPS mode you choose should match the FIPS mode for the CA User Activity Reporting Module server which manages it. The agent, by default, starts in that mode. However, the agent automatically detects the server FIPS mode and restarts itself as needed regardless of the mode you choose.

  5. Enter the IP address or host name for the CA User Activity Reporting Module server to which this agent is to forward the logs it collects, and then enter the agent authentication key in the Authentication Code field.

    Important! Enter the host name if the CA User Activity Reporting Module is assigned its IP address dynamically.

  6. Enter one of the following for the Agent user credential information, and then click Next.
  7. (Optional) If you downloaded the Connector.XML file on this host, browse and select it, and then click Next.

    The Start Copying Files page appears.

  8. Click Next.

    The agent installation process completes.

  9. Click Finish.

    The host name where the agent is installed appears in the Default Agent Group folder on the CA User Activity Reporting Module server.

More information:

Updating an Agent with New User Credentials

How to Protect Agents from Impact of Server IP Address Changes

(Optional) Verify the Agent Installation

You can use this procedure to verify the agent installation.

To verify the installation

  1. Open the browser and enter the URL for the CA User Activity Reporting Module.
  2. Log on as a user with the Administrator role.
  3. Click the Administration tab.
  4. The Log Collection subtab displays the Log Collection Explorer.
  5. Expand Agent Explorer and then expand the Default Agent Group.

    The name of the computer where you installed the agent appears.

Export a Connector Configuration

You can export a connector configuration, allowing reuse as a template on different servers of the same platform. This streamlines connector configuration in subsequent agents.

The first time you create an agent on a given platform, you must configure connectors from CA User Activity Reporting Module in order to collect events. When you create subsequent agents on different servers of the same platform, you can export your initial connector configuration to that target server before installing the new agent.

You can enter the name of that connector list file during the agent installation. After agent installation, you can customize this connector for the new agent, rather than configuring an entirely new one.

To export a connector configuration to use as a template

  1. From the Windows server where you plan to install the agent, connect to the CA User Activity Reporting Module interface, and log on with Administrator credentials.
  2. Click the Administration tab. Expand Agent Explorer and then expand the agent group with the agent where the connector you want to export is deployed.
  3. Select the agent with the configured connectors, select one or more connectors, and click Export Connector configuration(s) SIM--btn_ExportAgentOrConnConfig .

    The Select location for download dialog appears with Connectors.xml as the File name.

  4. For Save in, navigate to the directory where ca-elmagent-x.x.x.x.exe exists and click Save.

    Note: If doing a silent install, the responsefile.iss should also be in this directory.

    A message that the integration file has been exported successfully appears.

  5. Click OK.
  6. Click Save and Close for the New Saved Configuration.

    A success message appears.

  7. Click OK.

How to Install Silently

If the silent installation is to include a reference to an exported connector, you must manually install an agent first and create the connector. Create a connector for the Windows platform using a domain account for the credentials and local host for the hostname. Export this connector to create a connector configuration file, Connectors.xml.

Installing silently involves the following procedures:

  1. Create a user account for the agent.
  2. Review the setup checklist, and record the following values for the response file:
  3. Load the agent installer in the default directory for the response file, %WINDIR%.
  4. Create a response file.
  5. Invoke the silent install.
  6. (Optional) Verify the silent installation.

After you create an initial response file, you can also install silently using a customized response file with the following steps:

  1. Prepare a response file for re-use.
  2. Install silently with a customize response file.

More information:

Create a Response File

Invoke the Silent Install

View or Set the Agent Authentication Key

Prepare a Response File for Re-use

Review Setup Checklist

You need to supply the same values in the agent installation wizard whether you install an agent manually or set up a response file for silent installation. Before you install, gather the data in the following checklist.

Field

Description

Installation directory path

Path where the agent is installed, where the default is C:\Program Files\CA\elmagent\

Server IP (or Name)

IP address or host name of the CA User Activity Reporting Module server

Enter the host name rather than the IP address if the CA User Activity Reporting Module server is assigned its IP address dynamically through DHCP.

Authentication Code

The Agent Authentication Key

FIPSMODE

Indicates if the Agent runs in FIPS mode.

Default: OFF

Username

The user name for the agent as defined in the Windows Users folder under Computer Management

Password

The password associated with the agent Username

File

(Optional) The name of the exported XML file, typically, Connector.XML.

More information:

View or Set the Agent Authentication Key

Create a User Account for the Agent

Export a Connector Configuration

How to Protect Agents from Impact of Server IP Address Changes

Create a Response File

Running the agent installer in record mode from a command line creates a response (*.iss) file and installs an agent. You can use the response file to install the agent silently on remote systems after recording it.

Note: You must be an Administrator on the Windows server operating system to set up a response file.

The naming convention for the agent installer is ca-elmagent-x.x.x.x.exe, where the x.x.x.x represents the build number for the agent. The response file is created in %WINDIR% if you do not specify the absolute path with the /f1 option.

To create a response file

  1. Open the command prompt.
  2. Navigate to the location of the agent installer.

    Note: If you do not know where it is, do a Search for it through Windows Explorer as "ca-elmagent*"

  3. Enter the following command: 
    ca-elmagent-x.x.x.x /r /f1"<path>\responsefile.iss"

    /r indicates record mode and "responsefile.iss" can include the path. Be sure to leave no space between /f1 and the response file name. An example of this is:

    ca-elmagent-12.0.37.10 /r /f1"C:\elmagentresponse.iss"

    The Welcome page of the agent installation wizard appears, click Next.

  4. Complete the agent installation wizard. Supply the values you recorded when reviewing the setup checklist.

    The response file is generated at the specified path. If you specified no path, it can be found in the %WINDIR% directory.

Response File Command Line Examples

Consider the following response file command line examples for use with the agent installer for Windows systems.

This example command line creates the file, agentresponsefile.iss, in the C:\WINDOWS or C:\WINNT directory:

ca-elmagent-12.0.37.8.exe /r /f1"agentresponsefile.iss"

This example command line creates the file, agentresponsefile.iss, in the C:\ directory:

ca-elmagent-12.0.37.8.exe /r /f1"C:\agentresponsefile.iss"

Invoke the Silent Install

You can invoke the silent installation of the agent on a Windows server using the response file (*.iss) with appropriate values for this agent installation. You must be an Administrator to run the silent install program.

To invoke a silent install

  1. Open a command prompt.
  2. Navigate to the directory where the response file is saved.

    The default directory is C:\WINDOWS (or C:\WINNT).

  3. Verify the agent installer is in the current directory. You should see a response similar in format to ca-elmagent-12.0.37.10.exe.
  4. Run the following command to silently install an agent: 
    ca-elmagent-x.x.x.x /s /f1"responsefile.iss"

    An example command line is, ca-elmagent-12.0.37.10 /s /f1"elmagentresponse.iss"

    The agent is installed.

View the Agent Status Details

The Agent Explorer lists new agents as they are installed. The Agent Status Details for a selected agent displays whether the agent service is Running.

To view the agent status details

  1. Log on to the CA User Activity Reporting Module interface with Administrator credentials.
  2. Click the Administration tab.

    The Log Collection subtab displays the Agent Explorer.

  3. Expand Agent Explorer and then expand the Default Agent Group.

    The name of the computer on which you installed the agent appears.

  4. Click the agent name and verify on Agent Status Details that the Status is displayed as Running.

    Note: The status of Not Responding indicates that the agent, watchdog, or dispatcher process is not running. Take remedial action specific to the operating environment.

Prepare a Response File for Re-use

Setting up a response file minimizes installation time when installing many agents. You do not have to type in each parameter manually for each installation. For example, if you want to install an agent on 1000 systems, you can automate the process by reusing the first response file you create as a template.

When you create a new agent user account on a target server, keeping the same name and password specified in the response file may offer an advantage. When the account credentials match the response file, you can reuse it without change, because the agent registers with the same CA User Activity Reporting Module server. This means that the authentication key does not change.

To prepare to reuse the response file

  1. Log on to the Windows server where you created the response file.
  2. Navigate to the directory where the original response file resides.

    The default directory is %WINDIR%, for example, C:\WINDOWS or C:\WINNT or it may be on the C:\ drive.

  3. Copy the response file and give it a different name.

    Ensure that the file has the extension, *.iss. (You will later copy the new file to the target server.)

  4. Log in to a different Windows server.
  5. Create a Windows user account for the agent.
  6. Copy the response file to the %WINDIR% directory.
  7. Edit the file to customize it for your requirements. Examples of the response file data that you can modify includes the following:

More information:

Invoke the Silent Install

Install Silently with a Customized Response File

Use this procedure to install an agent silently using a customized response file.

Note: This procedure assumes that you have created a response file and customized it.

To install silently with a custom response file

  1. Copy the customized response file to the target server, if it is not already there.
  2. Invoke the silent install with the following command: 
    ca-elmagent-x.x.x.x /s /f1"customizedresponsefile.iss"

    In this command, replace x.x.x.x with the actual release number for your agent installation package. Replace the sample file name with your actual file name.

More information

Prepare a Response File for Re-use

Maintenance Considerations

After you have an agent installed, started, and configured, you may need to perform the following tasks:

More information:

Updating an Agent with New User Credentials

Prepare a Response File for Re-use

Updating an Agent with New User Credentials

You can update user credentials for an agent after installation by running the AgentAuthUtil utility. You might need to do this if you are moving to a user account with lower privileges, or if an employee who is responsible for overseeing the account leaves your company.

You can change user credentials for an agent without needing to re-install the agent. If you did not set up a dedicated agent user account before installing the agent, you could run this utility to allow the agent to run as a non-Administrator or non-root user.

Updating an agent with new user credentials involves the following steps:

  1. Run the utility, AgentAuthUtil, from a command line.
  2. Edit the agent details in the CA User Activity Reporting Module interface.
  3. Restart the agent.

More information

Create a User Account for the Agent

Run the AgentAuthUtil Utility

Use this procedure to update user credentials for the agent.

Important! This procedure is not part of the normal installation process.

To update the agent with new low-privilege user account credentials

  1. Log onto a Windows server where you have installed an agent.
  2. Access the command prompt and navigate to ...\CA\elmagent\bin.

    This is the directory that contains the AgentAuthUtil program that you use to perform the update.

  3. Enter the following command: 
    agentauthutil -dir "<agent install directory>" <agent-username>

    Note: For a local user account, do not specify a domain, not even a dot (.).

    The default agent install directory is C:\Program Files\CA\elmagent, and the agent-username is the name you assigned to the user account you created in the Users group for this Windows server.

    When this command completes, the agent user named agent-username has full control (modify, read, execute, write, delete, list contents) over the agent installation folder, subfolders, and files.

  4. Enter the following command: 
    agentauthutil -srv caelmagent <agent-username>

    The service name is caelmagent, and the agent-username is the name you assigned to the user account you created in the Users group for this Windows server.

    When this command completes, the agent user named agent-username can start, stop, pause, or continue (resume) the CA User Activity Reporting Module Agent service on the Windows agent host.

  5. Verify that the response messages indicate that each operation completed successfully.

    In this example, agent-username is elmagentusr. Example response messages from running this utility follow:

    This graphic shows a set of example responses messages generated by the agent authorization utility.

More information

Create a User Account for the Agent

AgentAuthUtil Command Examples

To assign permissions to the agent installation directory

The following command gives the agent account, elmagentusr, full control over the elmagent folder, its subfolders, and all of the files they contain:

agentauthutil -dir “C:\Program Files\CA\elmagent” elmagentusr

To assign permissions for the caelmagent service

The following command gives the agent account, elmagentusr, the ability to change the state of the caelmagent service:

agentauthutil -srv caelmagent elmagentusr
Edit the Agent Details in CA User Activity Reporting Module

You can edit the agent details in the CA User Activity Reporting Module interface to use the new user credentials.

To edit the agent details

  1. Click the Administration tab.
  2. Expand the Agent Explorer.
  3. Expand the Default Agent Group or the user-defined agent group to which the agent belongs, and select the agent.
  4. Click Edit Agent Details.
  5. Enter the new user credentials.
  6. Click Save.
Restart the Agent

Use this procedure to restart the agent from the CA User Activity Reporting Module interface after changing the user credentials.

To restart the agent

  1. Click the Administration tab.
  2. Expand the Agent Explorer.
  3. Expand the Default Agent Group or the user-defined agent group to which the agent belongs, and select the agent.
  4. Click Status and Command and select View Status of Agents.
  5. Select the Select check box for the agent and click Restart.

    A confirmation message states that the command is placed in the queue.

  6. Click Status and Command. You can view the status change from stopped to running.

Uninstall an Agent

You can uninstall an agent on a Window host server.

To uninstall an agent on a Windows host

  1. Access the Add or Remove Programs utility from the Windows Control Panel.
  2. Do one of the following steps:
    1. If you have installed the CA User Activity Reporting Module agent on a Windows 32-bit system, select the CA User Activity Reporting Module Agent, and click Change/Remove.
    2. If you have installed the CA User Activity Reporting Module agent on a Windows 64-bit system, right-click on CA User Activity Reporting Module [x86-64] Agent, and click Uninstall.

    The install wizard appears with a message to confirm deletion.

  3. Click Yes.

    The wizard uninstalls the agent.

  4. Reboot the host server when the wizard finishes to complete the uninstallation process.

Installing an Agent with CA Software Delivery

Packages are available to deliver CA User Activity Reporting Module agents with the CA Software Delivery program. The required packages are located in the CA User Activity Reporting Module Application ISO image.

Use the Windows-only program, SDRegister.exe, to register software delivery packages with the Software Delivery Manager. These packages contain pre-recorded sample response files that are only for use as templates. The sample response files (*.iss and *.rsp) reside in separate directories identified by operating system name.

You can run SDRegister.exe from its current location lower in the directory structure to register one package at a time, or it can be run from a root directory to see and register all available packages at one time.

To deliver CA User Activity Reporting Module agents to Windows hosts through a USD/DSM server, you need:

To use USD packages for Unicenter Software Delivery

  1. Access a Windows server and open the CA User Activity Reporting Module Application ISO image, or access the Application DVD's file list.
  2. Navigate to the directory, \USDPackages.
  3. Run the SDRegister.exe program.
  4. Select products to register, view and acknowledge the related license files, and register the necessary installation, update, or uninstall files with the Software Delivery Manager. These sealed packages are not yet ready for deployment or distribution.
  5. Unseal the packages and update the sample response files using one of the following methods:
  6. Install one agent using the custom response file to verify your settings, then re-seal the package.
  7. Distribute and deploy the packages to the appropriate systems using the CA Server interface.

More information

Set Up a Response File

Create a Response File