Privilege Management Reporting Installation Guide

This document explains how to install and configure BeyondTrust Privilege Management Reporting, which enables organizations to monitor and report on activity from Windows and Mac desktops and servers.

There are several methods available for centralizing audit data. The most common is Windows Event Forwarding. Privilege Management Reporting can use Windows Event Forwarding to centralize audit data to one or more Windows Event collector server hosts.

Once audit data is collected, one or more instances of the BeyondTrust Event Parser component load the data into the BeyondTrust Privilege Management database on a Microsoft SQL Server instance. All audit event data is stored in one logical SQL Server instance.

Reports provide visibility to the audit data and are implemented as custom reports in Microsoft SQL Server Reporting Services 2012 or later.

Microsoft SQL Server Reporting Services is typically hosted independently from the audit events SQL Server database instance, except for small implementations and evaluation scenarios where it may share the audit database server host.

Reporting is also available in the BeyondTrust Privilege Management ePO Edition. With the Privilege Management ePO Edition, event centralization and report presentation are built on the ePO framework agent and ePO server, with audit data storage in Microsoft SQL Server as described in this guide.

Configuration Options

There are two options for deploying the solution:

Option 1: Use a single box solution, which is suitable for evaluating the product, or for SME installations.

Option 2: Use a scaled out deployment, which is recommended for larger production environments.

Option 1 - Single Box Solution

Privilege Management Reporting single box deployment architecture diagram

In this deployment scenario, one server provides all functions.

  • The server must be running Windows Server 2012 or later.
  • SQL Server 2012 R2 or later must be installed on the server.

For an evaluation:

  • A Windows Client, such as Windows 8, is supported.
  • SQL Server Express is supported.

Select the Reporting Services feature in the feature selections page of the Microsoft SQL Server installer. To install Reporting Services, use Native Mode.

Option 2 - Enterprise Scaled Out Deployment

Privilege Management Reporting enterprise deployment architecture diagram

In this deployment scenario, the Event Collectors, Database, and Reporting Server are installed on dedicated servers.

SQL Server Database

The database is a repository for the data collected from the clients.

  • The minimum version required is SQL Server 2012.
  • Clustered databases are supported.
  • When you install SQL Server, you must select a case-insensitive collation. We recommend you select Latin1_General_CI_AS.
  • PMC installations require Azure SQL Server, which is also supported.
  • Windows Integrated Authentication must be used for Event Parser connections.
  • SSRS connections can use either Windows Integrated Authentication or SQL Server Authentication.
  • TCP/IP connections must be enabled on the SQL Server to allow the Event Collector service to submit events.
  • Microsoft SQL Server CE is not supported.

The database is created during the installation of the Privilege Management Reporting Database component. By default, the database is named BeyondTrustReporting. The installation provides the option to provide a custom database name.
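
The following read-only preflight is an added example, not part of the BeyondTrust guide or product. It checks the collation, TCP/IP, and Windows Integrated Authentication requirements listed above from an Event Collector host. The host name is a placeholder, and the script assumes Windows PowerShell with the .NET System.Data.SqlClient provider and a login that can connect to master.

```powershell
# Added example: read-only preflight, run from the Event Collector host.
param(
    [string]$SqlServer = 'sqlhost.example.local'   # placeholder host name (assumption)
)

# "tcp:" forces the TCP/IP provider; SSPI means Windows Integrated Authentication.
$connString = "Server=tcp:$SqlServer;Database=master;Integrated Security=SSPI;Connect Timeout=10"
$query = @'
SELECT CAST(SERVERPROPERTY('Collation')         AS nvarchar(128)) AS Collation,
       CAST(SERVERPROPERTY('ProductVersion')    AS nvarchar(128)) AS ProductVersion,
       CAST(CONNECTIONPROPERTY('net_transport') AS nvarchar(40))  AS Transport,
       CAST(CONNECTIONPROPERTY('auth_scheme')   AS nvarchar(40))  AS AuthScheme;
'@

$conn = New-Object System.Data.SqlClient.SqlConnection($connString)
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    [void]$reader.Read()
    $collation = [string]$reader['Collation']
    $version   = [string]$reader['ProductVersion']
    $transport = [string]$reader['Transport']
    $auth      = [string]$reader['AuthScheme']
    $reader.Close()
}
catch {
    # A failure here usually means TCP/IP is disabled, blocked, or the login was refused.
    Write-Warning "TCP/IP connection to $SqlServer with Windows authentication failed: $($_.Exception.Message)"
    return
}
finally {
    $conn.Dispose()
}

# SQL Server 2012 reports major version 11.
$major = [int]($version.Split('.')[0])
[pscustomobject]@{
    Collation         = $collation
    CaseInsensitive   = $collation -cmatch '_CI(_|$)'
    SqlServer2012Plus = $major -ge 11
    Transport         = $transport
    OverTcp           = $transport -eq 'TCP'
    AuthScheme        = $auth
    WindowsAuth       = $auth -in 'NTLM', 'KERBEROS'
}
```

Run it under the same Windows account the Event Parser service uses, so the result reflects the identity that will actually submit events.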

Event Collector (Server)

The Privilege Management Event Parser is a service that detects and submits new Privilege Management events to the database. Typically, the Event Parser is installed on a dedicated Windows Event Collector Server, and by default scans the ForwardedEvents Log for new events.

The Event Parser service can be configured to scan the Application Event Log if required, by editing the following Registry value:

HKEY_LOCAL_MACHINE\Software\Avecto\Privilege Guard Event Parser\
REG_SZ "EventLog"
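
The following read-only check is an added example, not part of the BeyondTrust guide or product. It reports which log the Event Parser is configured to scan and whether that log is enabled and receiving events. The key path and value name come from this guide; treating the value data as a Windows event log name, and the 24-hour staleness threshold, are assumptions.

```powershell
# Added example (read-only). Key path and value name are taken from the guide;
# interpreting the value data as an event log name is an assumption.
$key  = 'HKLM:\Software\Avecto\Privilege Guard Event Parser'
$name = 'EventLog'

$configured = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
# Per the guide, the parser scans ForwardedEvents when nothing else is configured.
$logName = if ([string]::IsNullOrWhiteSpace($configured)) { 'ForwardedEvents' } else { $configured }

$log = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
if (-not $log) {
    Write-Warning "Configured log '$logName' does not exist on this host; no events would be parsed."
    return
}

# Newest record in the scanned log; $null if the log is empty.
$newest = Get-WinEvent -LogName $logName -MaxEvents 1 -ErrorAction SilentlyContinue

if (-not $log.IsEnabled) {
    Write-Warning "Log '$logName' is disabled."
}
# 24 hours is an arbitrary threshold chosen for this example.
if (-not $newest -or $newest.TimeCreated -lt (Get-Date).AddHours(-24)) {
    Write-Warning "No events written to '$logName' in the last 24 hours; check event forwarding."
}

[pscustomobject]@{
    RegistryValue = $configured
    LogScanned    = $logName
    Enabled       = $log.IsEnabled
    LogMode       = $log.LogMode          # Circular means old events are overwritten when full
    MaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    RecordCount   = $log.RecordCount
    NewestEvent   = $newest.TimeCreated
}
```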

The Event Collector host should be built on Windows Server. The following versions are supported: 2012, 2014, and 2016.

Ideally, the server is dedicated to this role.

You may configure multiple Event Collector servers that feed into a single database.

The Event Parser services are the only components which establish direct connections to the events database. This keeps the number of concurrent connections to a minimum.

Report Server

  • SQL Server Reporting Services (SSRS) 2012 or later is required.
  • The server must be dedicated to this role.
  • The events database and SSRS can be hosted on the same SQL Server instance.
  • We recommend that the SSRS instance be separate from the database instance to prevent performance issues on the database.

The SSRS reports are installed and preconfigured during the installation of the Privilege Management Reporting Pack component. By default, the SSRS instance is named ReportServer. You can provide a custom name during the SQL Server installation.

Client Configuration

Windows Event Forwarding is the technology used to gather events from the clients running Privilege Management Reporting.

  • Event forwarding must be configured for all computers running the Privilege Management Reporting Client that need to forward events.
  • The minimum OS level required on each client is Windows 7.
  • Events can be forwarded to any of the supported Windows Server OS versions (Windows Server 2012 or later).
  • Each client requires Windows Remote Management (WRM) 1.1 or later installed.

For installation and configuration details on Windows Event Forwarding, please see the Event Centralization Guide.