Installation and Configuration
Requirements
To run the Agent correctly, the following software is required:
- .NET Framework 4.0
- Internet Explorer dll framework
- Outgoing open port 443
Antivirus Consideration
Some antivirus products can interfere with the normal operation of the Agent (we have seen many cases with Sophos in particular). Be sure to add an exception for the Agent in your antivirus, especially with:
- Sophos
Preliminary Information
- Agent Buffer: if the SGBox is offline, the agent acts as a buffer and stores the logs until the connection with the appliance is restored. The buffer size depends on the free disk space remaining.
- Port used: the port used to communicate is 443.
- Communication type: the SGBox Agent communicates through the Internet Explorer DCOM API.
Download
To install the agent, download it from the dedicated download section.
Installation Configuration
Extract the downloaded archive and run the setup.
Click “Next/Avanti” to continue with the installation.
Browse to the folder where you want to install the agent.
Edit the “Server ip” field with the IP or FQDN of your SGBox.
You will be asked to confirm the data entered; click “Next/Avanti” to proceed with the installation.
Click “Yes” to start the installation.
Click “Close/Chiudi” to finish the installation.
If the installation completes correctly, a new service named “SGBoxTask Service” is created.
Log Retrieval Configurations
Capture Logs from Standard Windows Event View
This section explains how to create a new configuration and command. A new command can be added in the same way to an existing configuration.
Log in to the SGBox web interface. Go to LM > Configuration > Agents.
Click on CLICK HERE TO CREATE NEW CONFIGURATION to create a new configuration, or click on an existing configuration to edit it.
Enter or modify a name for the configuration and select GetEventLog to retrieve new information from the Event Viewer.
Enter details of your command:
- Name: a descriptive name for your command.
- Description: a brief description of your command (not mandatory).
- Frequency: how often this information will be sent to SGBox.
- Log Name: the registry (event log) name. If it is not present, see the section on custom (operational) logs below.
- Select or specify the Event ID. You can select All events, or enter -1 to tell the agent to send all events from the specified register.
You can add more commands to your configuration.
Drag & Drop your configuration to the target host and Save Changes.
Capture Logs from Operational (Application) Windows Event View
This section explains how to create a new configuration and command from a custom registry log. We’ll take the Terminal Service registry as an example. Here are the details of the logs we want to retrieve:
See the previous section to specify a new command from a basic registry:
https://www.sgbox.it/sgbox/EN/knowledge-base/create-a-new-command/
First of all, we need to find the exact name of the registry: Right click > Properties
A new command can be added in the same way to an existing configuration.
Log in to the SGBox web interface. Go to LM > Configuration > Agents.
Click on CLICK HERE TO CREATE NEW CONFIGURATION to create a new configuration, or click on an existing configuration to edit it.
Enter or modify a name for the configuration and select GetEventLog to retrieve new information from the Event Viewer.
Enter details of your command:
- Name: a descriptive name for your command.
- Description: a brief description of your command (not mandatory).
- Frequency: how often this information will be sent to SGBox.
- Log Name: select ADD NEW.
- New Log Name: the registry name found before.
- Select or specify the Event ID. You can select All events, or enter -1 to tell the agent to send all events from the specified register.
You can add more commands to your configuration.
Drag & Drop your configuration to the target host and Save Changes.
Capture Logs from File/Folders (TailFolder method)
This section explains how to create a new configuration and the related command in order to retrieve logs from a specific folder.
Requirements
- SGBox 5.0.2 or SGBox 4.2.7 is required.
- At least SGAgent 3.2.7433.19116 is required.
Log in to SGBox web interface. Go to LM > Configuration > Agents
Click on CLICK HERE TO CREATE NEW CONFIGURATION if you want create a new configuration or click on existing configuration if you want to edit it.
Enter a name and select TailFolder as command.
A new window appears. Enter the details of your command:
- Name: a descriptive name of your command.
- Description: brief description of your command ( not mandatory).
- Frequency: how frequent these information will be sent to SGBox.
- Directory Path: where the logs are located.
- File Name: the log file name; a star (wildcard) expression can also be used.
- List Subdirectories: use this flag if you also want to look for logs located in subdirectories.
- Timestamp Pattern: a regex to find the correct timestamp of the logs.
- Timestamp Format: Specify logs timestamp format.
- Timezone: You can specify if the Timestamp is in Localtime or UTC.
ATTENTION: if the folder you are trying to monitor is inside C:/Windows/System32/ you need to use C:/Windows/sysnative/ instead, because the agent runs as a 32-bit process and Windows file system redirection would otherwise point it to SysWOW64.
Your command has been created. If you want, you can add more commands to your configuration.
Click on Save Changes to save your configuration.
Drag & Drop your configuration to the target host and Save Changes.
When everything is configured, you can see your logs in the historical search.
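Before saving a TailFolder command it is worth checking that the Timestamp Pattern, Timestamp Format and Timezone you are about to enter actually match the log files. The following PowerShell snippet is an added example, not code from SGBox or the agent: it applies a regex pattern and a date format string to a few constructed sample lines and normalises the result to UTC, so a wrong pattern or format shows up here instead of in the agent log later. It assumes that the agent's Timestamp Format uses .NET-style format strings and that a Localtime timestamp is interpreted in the machine's time zone; the agent's own parser may differ in detail.

```powershell
# Added example, not part of the SGBox agent: dry-run a TailFolder timestamp
# pattern/format against sample lines before saving the command.

# Constructed sample lines (an IIS-style date and time at the start of each line).
$sampleLines = @(
    '2024-03-30 14:51:05 GET /sgbox/index.php 200',
    '2024-03-30 14:54:20 POST /sgbox/LM/dataxchange/send.php 200',
    'this line has no timestamp and should be reported as unmatched'
)

# The values you would type into the TailFolder command (assumed .NET-style format).
$timestampPattern = '^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}'
$timestampFormat  = 'yyyy-MM-dd HH:mm:ss'
$timezone         = 'Localtime'   # or 'UTC', as in the command dialog

function Test-TailFolderTimestamp {
    param(
        [string[]]$Lines,
        [string]$Pattern,
        [string]$Format,
        [ValidateSet('Localtime', 'UTC')][string]$Timezone
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    # Tell the parser how to interpret a timestamp that carries no zone information.
    $style = if ($Timezone -eq 'UTC') {
        [System.Globalization.DateTimeStyles](
            [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
            [System.Globalization.DateTimeStyles]::AdjustToUniversal)
    } else {
        [System.Globalization.DateTimeStyles]::AssumeLocal
    }
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $Pattern)
        if (-not $m.Success) {
            [pscustomobject]@{ Line = $line; Matched = $false; Utc = $null }
            continue
        }
        # ParseExact throws on a format mismatch, which is exactly what this dry run
        # is meant to surface before the command is deployed.
        $parsed = [datetime]::ParseExact($m.Value, $Format, $culture, $style)
        [pscustomobject]@{
            Line    = $line
            Matched = $true
            Utc     = $parsed.ToUniversalTime().ToString('o')
        }
    }
}

Test-TailFolderTimestamp -Lines $sampleLines -Pattern $timestampPattern `
    -Format $timestampFormat -Timezone $timezone | Format-Table -AutoSize
```

Run it against a handful of real lines copied from the target file (replace `$sampleLines` with `Get-Content 'C:\path\to\logfile.log' -TotalCount 20`); every line that should be ingested must show `Matched = True` and a plausible UTC value.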
Configure File Integrity Monitoring
File Integrity Monitoring is a new feature introduced with the latest SGAgent version; it is used to monitor files and shared folders. With this feature you can see when a specific file is read, modified or deleted.
Attention: File Integrity Monitoring is not File Auditing; you will not be able to see the user who performed the action.
Requirements
- SGBox 5.1.3 or higher.
- SGAgent 3.4 or higher.
The FIM package can be installed from SCM>Applications>Packages: click on “Click to install” to download and install the package, then click on Run and select the hosts you want to monitor.
Go to LM>Configurations>Agents.
In our example we create a specific configuration for this feature, but you can also create a new command in an existing configuration and modify it.
Click on “New Configuration” to create a new configuration and select CheckFolder.
A new window will appear to enter the command’s details:
- Name: a descriptive name of your command.
- Description: a short description of your command (not mandatory).
- Frequency: how often this information will be sent to SGBox (60 sec suggested).
- Directory Path: where the files or folders are located.
- File Name: Name of the file (you can also use the star expression).
- Check Subdirectories: Use this flag if you want to look at files located in sub directories as well.
- File Integrity: select the monitor mode* you want to use.
- Exclude files: you can specify files to exclude from the monitoring (not mandatory, regex supported).
Monitor Mode
- Monitor Only: check the integrity only while the PC and the agent are running.
- Monitor and store integrity: store the integrity in an internal DB. Even if operations on files are performed while the OS or the agent is not running, the agent can identify them. Storing large directories can seriously impact performance.
Click OK to save the command.
Click “Save Changes” to save your configuration.
Drag and drop your configuration to the target host and click “Save Changes” again.
When everything is set up you can see your logs in the historical search or from the “File Integrity Monitoring” dashboards.
FIM is very useful if you want to protect critical configurations or backups. Monitoring the whole C: drive is not recommended. Here are some interesting folders to monitor:
- C:\inetpub\wwwroot
- C:\Windows\Boot
- C:\Windows\System32\drivers\etc
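To make the difference between the two monitor modes concrete, here is an added PowerShell example of what a store-and-compare integrity check does; it is not the SGAgent FIM implementation. It hashes the files under one of the folders suggested above into a baseline file and, on the next run, reports files that were added, modified or deleted, including changes made while nothing was watching (which is what “Monitor and store integrity” buys you over “Monitor Only”). The baseline path and the exclusion regex are assumptions for the example. As the page says, this tells you what changed, not who changed it; for that you need file auditing.

```powershell
# Added example, not the SGAgent FIM implementation: baseline-and-compare
# file integrity check, the idea behind "Monitor and store integrity".

$watchDir     = 'C:\Windows\System32\drivers\etc'        # one of the folders suggested above
$baselinePath = 'C:\ProgramData\fim-baseline-etc.json'   # assumed location for the stored baseline
$excludeRegex = '\.bak$'                                 # plays the role of the "Exclude files" regex

function Get-IntegritySnapshot {
    param([string]$Path, [string]$Exclude)
    $snapshot = @{}
    Get-ChildItem -Path $Path -File -Recurse |
        Where-Object { -not $Exclude -or $_.FullName -notmatch $Exclude } |
        ForEach-Object {
            $snapshot[$_.FullName] = @{
                Hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Length = $_.Length
                Mtime  = $_.LastWriteTimeUtc.ToString('o')
            }
        }
    return $snapshot
}

function Compare-IntegritySnapshot {
    param([hashtable]$Old, [hashtable]$New)
    foreach ($file in $New.Keys) {
        if (-not $Old.ContainsKey($file)) {
            [pscustomobject]@{ Change = 'Added';    File = $file }
        } elseif ($Old[$file].Hash -ne $New[$file].Hash) {
            [pscustomobject]@{ Change = 'Modified'; File = $file }
        }
    }
    foreach ($file in $Old.Keys) {
        if (-not $New.ContainsKey($file)) {
            [pscustomobject]@{ Change = 'Deleted';  File = $file }
        }
    }
}

$current = Get-IntegritySnapshot -Path $watchDir -Exclude $excludeRegex

if (Test-Path $baselinePath) {
    # A stored baseline exists: compare against it and report every difference.
    $stored = @{}
    (Get-Content -Path $baselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $stored[$_.Name] = @{ Hash = $_.Value.Hash } }
    $changes = @(Compare-IntegritySnapshot -Old $stored -New $current)
    if ($changes.Count -eq 0) { 'No integrity changes detected.' } else { $changes | Format-Table -AutoSize }
} else {
    'No baseline yet; storing one.'
}

# Store (or refresh) the baseline for the next run.
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $baselinePath -Encoding UTF8
```

Run it once to create the baseline and again after any change; the second run lists the differences. Hashing a large tree on every run is exactly the cost the page warns about for “Monitor and store integrity”, so keep the watched set to the few folders that matter.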
Strict TLS connection with a Personal Certificate
Starting from version 3.7, it is possible to configure the SGAgent to check the SGBox/Collector certificate before sending information.
Requirements:
- SGAgent version 3.7
- SGBox must have a valid certificate. See this section.
After installation, go to the installation directory. The default path is C:\Program Files (x86)\SGBox Agent. Open the file SGBoxTask.exe.config as Administrator with a text editor such as Notepad.
Add the following entry after the connection strings: <add key="IgnoreCertificate" value="False" />
Save the configuration and restart the SGBoxTask Service.
Check the file SGBoxTaskLog.txt to verify that everything is ok.
Here is an example of an error:
220330 14.51.05 0000008 *** Error The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. System at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context) at System.Net.HttpWebRequest.GetRequestStream() at SGBoxTask.Utils.Internet.GenerateCommandRequest(String uri, String ApplicationId, String login, String password)
Here is an example when it works:
220330 14.54.20 0000004 Starting ServiceSGBoxTask
220330 14.54.20 0000006 Starting Main
220330 14.54.20 0000006 Params 0A002700000D https://sgbox192.sgbox.it/sgbox/LM/dataxchange/cmd.php https://sgbox192.sgbox.it/sgbox/LM/dataxchange/send.php
220330 14.54.20 0000006 SleepTime 10 msec
220330 14.54.20 0000006 RandomStartTimer 2 sec RandomMinStartTimer 1
220330 14.54.20 0000006 Enable TLS 1, 1.1, 1.2
220330 14.54.20 0000006 Starting StartSendPacket
220330 14.54.20 0000006 Starting StartGetCommand
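Flipping IgnoreCertificate to False is only useful if the certificate chain the appliance presents is actually trusted by this host, otherwise the agent stops sending logs with the trust error shown above. The following PowerShell script is an added example, not tooling shipped with SGBox: it performs the same .NET chain validation the agent will perform, then sets the key in SGBoxTask.exe.config (adding it if missing, with a backup), restarts the service and looks for the trust error in the log. It assumes the `<add key=... value=.../>` entries sit in a standard .NET `<appSettings>` section and that SGCommandUrl points at the appliance; the default install path is the one given on this page.

```powershell
# Added example, not SGBox-provided tooling: check the appliance certificate
# chain from this host, then enable strict certificate checking in the
# agent configuration and confirm the agent accepts it afterwards.

$agentDir   = 'C:\Program Files (x86)\SGBox Agent'     # default install folder
$configPath = Join-Path $agentDir 'SGBoxTask.exe.config'
$logPath    = Join-Path $agentDir 'SGBoxTaskLog.txt'

[xml]$config = Get-Content -Path $configPath -Raw
# Assumption: the <add key="..." value="..."/> entries live in a standard .NET <appSettings> section.
$appSettings = $config.configuration.appSettings
$commandUrl  = [uri](($appSettings.add | Where-Object { $_.key -eq 'SGCommandUrl' }).value)

# 1. Will .NET on this machine trust the certificate the SGBox presents?
#    This is the check the agent performs once IgnoreCertificate is False.
$tcp = New-Object System.Net.Sockets.TcpClient($commandUrl.Host, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($commandUrl.Host)   # throws AuthenticationException if the chain is not trusted
    'Chain OK: {0} (expires {1})' -f $ssl.RemoteCertificate.Subject, $ssl.RemoteCertificate.GetExpirationDateString()
} catch {
    throw "Certificate for $($commandUrl.Host) is not trusted on this host; fix the chain before enabling strict mode: $($_.Exception.Message)"
} finally {
    $ssl.Close(); $tcp.Close()
}

# 2. Set IgnoreCertificate=False (add the key if it is missing), keeping a backup of the config.
Copy-Item -Path $configPath -Destination "$configPath.bak" -Force
$entry = $appSettings.add | Where-Object { $_.key -eq 'IgnoreCertificate' }
if ($null -eq $entry) {
    $entry = $config.CreateElement('add')
    $entry.SetAttribute('key', 'IgnoreCertificate')
    [void]$appSettings.AppendChild($entry)
}
$entry.SetAttribute('value', 'False')
$config.Save($configPath)

# 3. Restart the service and look for the trust error quoted in the page's example.
Restart-Service -Name SGBoxTask
Start-Sleep -Seconds 20
$tail = Get-Content -Path $logPath -Tail 50
if ($tail -match 'Could not establish trust relationship') {
    Write-Warning 'Agent still reports a trust error; see SGBoxTaskLog.txt'
} else {
    'No TLS trust errors in the last 50 log lines.'
}
```

Run it from an elevated PowerShell, since both the config file under Program Files and the service restart need administrator rights. If step 1 fails, the fix belongs on the certificate side (a chain the host trusts, see the requirement above), not in relaxing the agent check.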
Uninstall
Prerequisites
Before uninstalling the Agent, be sure that (for all users connected to the server):
- All mmc.exe instances are closed
- All services panels (services.msc) are closed
- The Task Manager (and Process Explorer) is temporarily closed
- All Event Viewer instances are closed
Automatic procedure (Recommended)
To uninstall the Agent, you must go to “Add/Remove Programs”, then select the “SGBox Agent” and select “Uninstall”.
Reinstall note: in case of an agent reinstall, it is recommended to fully restart the machine before proceeding with the new installation.
Manual Full Remove
To fully remove the Agent if anything goes wrong, check and remove these items:
- Service: stop and remove the service; you can use this PowerShell command:
get-service SGBoxTask | stop-service
then, in a cmd window: sc delete SGBoxTask
- Registry: find and delete this registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SGBoxTask
- Folders: fully remove this folder:
C:\Program Files (x86)\SGBox Agent
Update Agent
To update the Agent, completely uninstall the old version (we also recommend rebooting the machine if possible), then install the new version with the specific installer.
Silent/Unattended Mode
Install
In order to distribute SGAgent in silent mode, type the following command:
SetupSGBox.msi /q ServerIP="192.168.xxx.xxx"
Uninstall
In order to uninstall SGAgent in silent mode, type the following command:
msiexec /q /x {C09891C0-0E34-4873-A869-F9DC136E67C2}
Troubleshooting
The Agent is composed of:
- A service named SGBoxTask, which must be set to automatic start and be running
- Default installation folder: C:\Program Files (x86)\SGBox Agent
- Main files and folders:
- SGBoxTask.exe: the main executable file and service
- SGBoxTaskLog.txt: the main log file of the agent itself
- SGBoxAgent.exe.config: configuration file for the agent
- C:\programdata\SGBoxTask\Packet: the folder where packets ready to be sent, or cached, are stored
How to analyze Agent log
The main log file is SGBoxTaskLog.txt. If you have any problem related to the agent, you can send this file to support to check the stream.
Some useful rows for checking correct communication are:
- Rows with the command GetCommand: the agent is checking for the commands to execute coming from LM -> Configuration -> Agents
- Detected OLD Reqest xxx: SGAgent has identified a cached command that is no longer used and has marked it as inactive. It is informational.
- Read Json …: the JSON command received from SGBox
- Sending File …: a final packet has been sent to SGBox
Check Service
To check that the service is running, execute this command from a CMD:
sc query SGBoxTask
If the status is Running, the service is running correctly; otherwise it must be started, or the whole configuration must be checked.
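The following PowerShell script is an added example, not tooling provided by SGBox, that automates what the two sections above describe by hand: it checks that the SGBoxTask service is running with automatic start, then parses SGBoxTaskLog.txt, counting GetCommand polls, Sending File packets, Detected OLD Request notices and *** Error entries, and keeps the most recent error. The log line layout (yymmdd HH.mm.ss, a seven-digit counter, then the message) is inferred from the samples on this page, and the sample lines below are constructed stand-ins for a real log file.

```powershell
# Added example, not SGBox-provided: service health plus a summary of
# SGBoxTaskLog.txt based on the line format seen in this page's examples.

# Line layout inferred from the page: yymmdd HH.mm.ss NNNNNNN message
$logLineRegex = '^(?<date>\d{6}) (?<time>\d{2}\.\d{2}\.\d{2}) (?<seq>\d{7}) (?<msg>.*)$'

function Get-SGAgentServiceState {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SGBoxTask'"
    if ($null -eq $svc) {
        return [pscustomobject]@{ Installed = $false; State = $null; StartMode = $null; Healthy = $false }
    }
    [pscustomobject]@{
        Installed = $true
        State     = $svc.State          # expect 'Running'
        StartMode = $svc.StartMode      # expect 'Auto': the page requires automatic start
        Healthy   = ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')
    }
}

function Get-SGAgentLogSummary {
    param([string[]]$Lines)
    $summary = [ordered]@{
        GetCommand = 0; SendingFile = 0; OldRequest = 0; Errors = 0
        Unparsed = 0; LastError = $null; LastTimestamp = $null
    }
    foreach ($line in $Lines) {
        if (-not ($line -match $logLineRegex)) { $summary.Unparsed++; continue }
        $msg = $Matches.msg
        $summary.LastTimestamp = "$($Matches.date) $($Matches.time)"
        switch -Regex ($msg) {
            '^GetCommand'       { $summary.GetCommand++ }
            '^Sending File'     { $summary.SendingFile++ }
            '^Detected OLD Re'  { $summary.OldRequest++ }   # prefix match: the page spells it "Reqest"
            '^\*\*\* Error'     { $summary.Errors++; $summary.LastError = $msg }
        }
    }
    [pscustomobject]$summary
}

# Constructed sample lines modelled on the examples quoted on this page.
$sampleLog = @(
    '220330 14.51.05 0000008 *** Error The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.',
    '220330 14.54.20 0000004 Starting ServiceSGBoxTask',
    '220330 14.54.20 0000006 Enable TLS 1, 1.1, 1.2',
    '220330 14.54.30 0000006 GetCommand',
    '220330 14.54.31 0000006 Detected OLD Reqest 12',
    '220330 14.54.35 0000006 Sending File packet_0001.json',
    'garbage line that does not follow the format'
)

Get-SGAgentServiceState
Get-SGAgentLogSummary -Lines $sampleLog
# Against the real log:
# Get-SGAgentLogSummary -Lines (Get-Content 'C:\Program Files (x86)\SGBox Agent\SGBoxTaskLog.txt')
```

A healthy agent shows `Healthy = True`, a steadily growing GetCommand count and some Sending File entries; a rising Errors count with the same LastError repeated points at the connectivity and certificate checks elsewhere on this page.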
Reconfigure IP on change appliance IP
Attention: this procedure is valid only when the IP changes, not when you are migrating to a new appliance instance or a new major version.
To change the IP the agent queries, open the configuration file SGBoxTask.exe.config in the default folder and change these rows:
<add key="SGCommandUrl" value="https://<ip_to_change>/sgbox/LM/dataxchange/cmd.php" />
<add key="SGResponseUrl" value="https://<ip_to_change>/sgbox/LM/dataxchange/send.php" />
SGBoxTask.exe.config Definition
- <CommandDelay>: time interval in seconds between requests for new command configuration from SGBox
- <MaxLogFileSize>: maximum size of the log file SGBoxTaskLog.txt
- <LogLevel>: SGAgent log verbosity level for SGBoxTaskLog.txt
- <SGCommandUrl>: complete URL queried for the command list coming from SGBox
- <SGResponseUrl>: complete URL where the log is sent to SGBox
- <PageSize>: maximum size in bytes of the file sent to SGBox each time
- <SleepTime>: milliseconds of delay before sending the file to SGBox
- <MaxPacketFolderSize>: maximum size of the whole log waiting to be sent (or cached)
Network Connectivity Checklist
If the agent is unable to communicate with the Appliance/Collector, check the following to make sure that communication over the network is correct:
- Check that the machine firewall does not block the requests
- Check that the installed antivirus does not block the requests
- Check that network devices between the machine and the main gateway do not block or drop requests
- Check that no GPO configuration collides with the agent requests
- Check that the machine is enabled for communication with at least SSL 1.3
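The checklist above can be run through from the affected machine itself. The PowerShell script below is an added example, not SGBox tooling: it tests TCP 443 to the appliance, looks for enabled outbound Windows Firewall block rules aimed at the agent executable, checks whether TLS 1.2 has been disabled for clients in SCHANNEL (the agent enables TLS 1.0, 1.1 and 1.2 on its side, as the log excerpt above shows), and lists the registered antivirus products so you know where the exception has to go. The appliance host name is a placeholder; the SCHANNEL and SecurityCenter2 locations are standard Windows ones, and the SecurityCenter2 namespace does not exist on server editions.

```powershell
# Added example, not SGBox-provided: automate the network connectivity checklist.

$sgboxHost = 'sgbox.example.local'   # placeholder: your SGBox / Collector IP or FQDN

# 1. Network path and remote firewall: can this host open TCP 443 to the appliance?
$tcpTest = Test-NetConnection -ComputerName $sgboxHost -Port 443 -WarningAction SilentlyContinue
[pscustomobject]@{ Check = 'TCP 443 reachable'; Ok = $tcpTest.TcpTestSucceeded }

# 2. Local firewall: any enabled outbound block rule that targets the agent executable?
$blocking = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -like '*SGBoxTask*' }
[pscustomobject]@{ Check = 'No outbound block rule for SGBoxTask.exe'; Ok = (-not $blocking) }

# 3. TLS: has TLS 1.2 been disabled client-side in SCHANNEL? Absent values mean the OS default.
$tls12Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls12Disabled = $false
if (Test-Path $tls12Key) {
    $props = Get-ItemProperty -Path $tls12Key
    if ($props.Enabled -eq 0 -or $props.DisabledByDefault -eq 1) { $tls12Disabled = $true }
}
[pscustomobject]@{ Check = 'TLS 1.2 client not disabled in SCHANNEL'; Ok = (-not $tls12Disabled) }

# 4. Antivirus: which products are registered, so the exception for the agent can be added
#    in the right console (the page singles out Sophos). Workstation editions only.
$av = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
[pscustomobject]@{ Check = 'Registered antivirus products'; Detail = ($av.displayName -join ', ') }
```

Each line prints a check with its result; a failed TCP test points at the network path or the appliance itself, while a passed TCP test with a failing agent points back at the local firewall, the antivirus exception or the certificate configuration described earlier on this page.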