
File Audit: How to install and configure PA File Sight Ultra and PA Endpoints

PA File Sight Ultra can help monitor log files and alert you to “read” and “write” changes to files. It also lets you detect log tampering, etc. In this guide, I will be discussing how to install, configure, and use PA File Sight Ultra. For a complete review of this tool, see the guide “File Audit and Monitoring: PA File Sight Ultra review and product details”.

The architectural figure below shows a typical installation. As you can see from the diagram, every installation has a monitoring service installed on a Windows Server or workstation, and this service monitors the drives of the server it is installed on.

Note: After completing the installation of the PA File Sight Ultra Monitoring Service in part 1, I will proceed to install the File Sight Ultra Satellite on each device (PA EndPoint) in part 2 that I would love to monitor.

Part 1: PA File Sight Ultra Management Server Setup: PA File Sight Ultra can be downloaded from the following link. Kindly follow the steps below as we download and install the file auditing and monitoring software. These steps are really fast and should not take long to complete.
– Click on Download to download the PA File Sight Ultra application. As you can see, it comes with a fully functional 30-day trial period.

On the security warning window that is prompted, click on “Run” as shown below

You will be required to accept the User Account Control as shown below

Next, you will be required to select your desired language. I will be selecting English language.

Next, the PA File Sight Ultra setup window will be displayed. Click on Next as shown below

Accept the software license agreement as shown below and Click on “Next”. Otherwise, you cannot proceed.

Browse to your desired location (folder) where you would want the PA File Sight installed.
– I will choose the default location and then click on Next.

I will be installing the following two components: “the Central Monitoring Service” and “the Console User Interface”.

Note: The Satellite Monitoring Service option helps monitor remote servers, even across the Internet, without needing a VPN. This is accomplished by installing a Satellite Monitoring Service on additional servers or workstations. The Satellite will monitor itself (the server it is installed on). Alerts and monitoring data will be sent back to the Central Monitoring Service via SSL-encrypted HTTP.

By default, all three tasks are selected. The following actions that are checked will be installed.
– Click on Next to continue.

Review the settings and if there is anything you do not like, click on “Back” to make the changes. When you are done,
– Click on “Install”.

This will continue with the installation of PA File Sight as shown below

When the installation is complete, you will be prompted to start your trial. Select the PA File Sight edition you would love to test (install) and click on “Install Trial License”.

In the next window, you will have to specify whether you want to start the PA File Sight monitoring service or launch the PA File Sight Console. Click on “Finish” to complete the setup.

– PA File Sight will start all services and will launch the PA File Sight console because we have selected this option. Since I have the PA File Sight monitoring service installed on this server, I will select the “Local host” option and
– Click on OK

You will be prompted with the startup wizard as well. The Startup Wizard will help you achieve the following and help you set up your first File Sight Monitor very fast.

Proceed and create a service account in Active Directory. This will be needed to run PA File Sight Ultra as a service.

Enter the following information as shown below.

If you have an SMTP server in your organisation, you can enter the value in the field provided. Since I currently do not have an SMTP server running in my environment, I will be using the following options. I will check the box next to “send message directly without using the SMTP Server”.
– Click on Test and
– Click on “Ok” to complete the email action setup.

Configure the log file settings: I will leave all settings as default and click on “OK” in order to proceed.

Next you will be asked to enter a path to your local Directory that you wish to watch.
– Enter the path and click on OK.

How to install the PA File Sight Ultra License: To have your server licensed, you will have to click on the “License” menu
– This will open up the License Management window
– Click on the “Add License” button.

Browse to the location and select the license as shown below. When you are done, click on OK.

When this step is complete, you will be asked to permit the activation. Click on Yes for the activation to take place.
– Ensure you have the right license installed and not the PA EndPoint license at this step!

Part 2: File Sight Ultra Satellite Setup: Now that the management server setup is completed, I will proceed to install the File Sight Ultra Satellite on each device (PA EndPoint) that I would love to monitor. These steps are similar to the Central Monitoring Service setup in part 1 above. In this step, only the “Satellite Monitoring Service” component will be installed.

Download PA File Sight Ultra from the following link and run the executable. Follow the steps as discussed above.

Next, install all the additional tasks (components) and click on Next. Finally, click on Install to install the satellite monitoring service on the EndPoint.

In the next window, you will have to specify whether you want to start the PA File Sight monitoring service and configure the PA File Sight Satellite Service.
– Click on “Finish”

This opens the Configure Satellite Monitoring Service window as shown below. Add the IP address or domain name of the central monitoring server and port number in the Central monitoring service address box. Test the connection to verify connectivity.

Note: You may need to open firewall ports to allow communication between the servers. 
- You may need to check the services to see if the satellite service is running. If it is not running, please start it.
- Click on Apply Settings, restart the Satellite Service, and click Exit to finish.

Also, when you check on the PA File Sight Ultra Management Server, you will see the connection status.

Note: You may need to accept the remote satellite in the central PA File Sight Ultra Management Server by going to Advanced Services, Satellite Services, right-click on the satellite service, and select Accept Satellite. The server will show up under Servers once accepted as shown above.

Part 3: Additional Configuration on the PA File Sight Ultra Management Server:
– Below are some of the actions that can be performed on a PA EndPoint.

A: Add some new monitors. This can be achieved by right-clicking on the Servers/Devices node

This will open the Add New Monitor window as shown below
– Click on any of the options you wish to use. For me, I will start with the “File Sight Monitor” and
– Click OK.

Perform the following tasks. More information or guidance on these steps can be found here “File Sight – File Access Monitor“.
– For the File Activities, check and uncheck only the part relevant to you.
– Enter the Directory to monitor and
– Set the Monitoring purpose as shown in one of the screenshots below.
– When you are done, navigate to the Copy Detection tab and uncheck both boxes.
– Click on OK and apply the settings.

Below are some screenshots from my environment. I cannot explain everything in detail, but with the attached PDF, you will be able to explore this powerful tool.

Part 4: File Sight Endpoint: By itself, the File Sight monitor sees activity on a file server, which includes which users are accessing files, what actions (reading, writing, deleting, etc) they are doing, their IP address, etc. More information can be found on this link.

However, once a file arrives on the client’s computer, the server-based File Sight monitor can’t see what is happening. Is the file being copied to a thumb drive? Opened in Word? Sent via Email? The File Sight Endpoint helps answer those questions.

The File Sight Endpoint performs the following functions:
- Connects to the PA File Sight central service, or to a Satellite service
- Watches files that are accessed from the network, and notes the process that accesses them
- Notes which other files are written by that process
- If a file is read from the network, and then written to disk, it is tagged as a probable copy
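The tagging rule in the list above can be modelled in a few lines. The following is an added example, not PA File Sight code or output: the record fields, the sample activity, and the "same file name" confidence hint are all assumptions made for illustration.

```powershell
# Constructed sample activity (not PA File Sight output). Field names are assumptions.
$records = @(
    [pscustomobject]@{ Time = 1; ProcessId = 4120; Process = 'explorer.exe'; Op = 'Read';  Path = '\\fs01\finance\budget.xlsx' }
    [pscustomobject]@{ Time = 2; ProcessId = 4120; Process = 'explorer.exe'; Op = 'Write'; Path = 'E:\budget.xlsx' }
    [pscustomobject]@{ Time = 3; ProcessId = 5288; Process = 'WINWORD.EXE';  Op = 'Read';  Path = '\\fs01\hr\policy.docx' }
    [pscustomobject]@{ Time = 4; ProcessId = 5288; Process = 'WINWORD.EXE';  Op = 'Write'; Path = 'C:\Users\amy\AppData\Local\Temp\~WRD0001.tmp' }
    [pscustomobject]@{ Time = 5; ProcessId = 6004; Process = 'notepad.exe';  Op = 'Write'; Path = 'C:\Users\amy\notes.txt' }
    [pscustomobject]@{ Time = 6; ProcessId = 6004; Process = 'notepad.exe';  Op = 'Read';  Path = '\\fs01\hr\policy.docx' }
)

function Get-ProbableCopy {
    param([Parameter(Mandatory)] [object[]] $Records)

    $networkReads = @{}   # ProcessId -> network paths that process has read so far
    foreach ($r in ($Records | Sort-Object Time)) {
        # Only UNC paths are treated as "network" here; mapped drive letters would need resolving first.
        $isNetwork = $r.Path.StartsWith('\\')
        if ($r.Op -eq 'Read' -and $isNetwork) {
            if (-not $networkReads.ContainsKey($r.ProcessId)) {
                $networkReads[$r.ProcessId] = [System.Collections.Generic.List[string]]::new()
            }
            $networkReads[$r.ProcessId].Add($r.Path)
        }
        elseif ($r.Op -eq 'Write' -and -not $isNetwork -and $networkReads.ContainsKey($r.ProcessId)) {
            # A local write by a process that previously read from the network: probable copy.
            $sources  = $networkReads[$r.ProcessId]
            $leaf     = Split-Path -Path $r.Path -Leaf
            $sameName = @($sources | Where-Object { (Split-Path -Path $_ -Leaf) -eq $leaf })
            [pscustomobject]@{
                Process    = $r.Process
                WrittenTo  = $r.Path
                Sources    = $sources -join '; '
                Confidence = if ($sameName.Count -gt 0) { 'High (same file name)' } else { 'Low (name differs)' }
            }
        }
    }
}

Get-ProbableCopy -Records $records | Format-Table -AutoSize
```

The notepad.exe write is not tagged because it happens before that process reads anything from the network, while the Word temporary file shows why a read-then-write rule yields "probable" rather than confirmed copies.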

A: How to install the File Sight Endpoint. If you have installed the PA File Sight monitoring service and also the PA File Sight Satellite service, you will find the executable program in the following path.

C:\Program Files\PA File Sight\Install\pafsendp.exe

The File Sight Endpoint executable program (pafsendp.exe) just needs to be copied to a client computer and run with some command-line options to direct it to the server it should connect to. It does not require any additional files. The copy and execution steps can be done using any techniques or infrastructure that you already use, such as executing a script (command prompt), using a software distribution program, or Microsoft’s Group Policy. I will be using the typical install command for this as shown below. For more information, visit this link.

pafsendp.exe -s -i -host={central server IP}:{central port}
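One way to wrap the install command above for scripted rollout, as an added example that is not from the original post or from Power Admin. The parameter names, the default target folder, and the idea of pinning a SHA-256 recorded from the server's Install folder are assumptions; the switches are passed exactly as the post shows them.

```powershell
param(
    [Parameter(Mandatory)] [string] $Source,          # staged copy of pafsendp.exe (e.g. on a share)
    [Parameter(Mandatory)] [string] $ExpectedSha256,  # hash recorded from the server's Install folder
    [Parameter(Mandatory)] [string] $CentralHost,     # central (or Satellite) service address
    [Parameter(Mandatory)] [int]    $CentralPort,     # port configured on that service
    [string] $TargetDir = "$env:ProgramFiles\PA File Sight Endpoint"   # hypothetical location
)
$ErrorActionPreference = 'Stop'

# 1. Integrity: refuse to run a binary that differs from the one taken from the server.
$actual = (Get-FileHash -Path $Source -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "Hash mismatch for $Source (got $actual)"
}

# Signature status is reported for the operator only; the post does not say whether the file is signed.
$sig = Get-AuthenticodeSignature -FilePath $Source
Write-Host "Authenticode status: $($sig.Status)"

# 2. Reachability: fail early if a firewall blocks the client from the monitoring service.
$probe = Test-NetConnection -ComputerName $CentralHost -Port $CentralPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach ${CentralHost}:${CentralPort}; check firewall rules on both sides"
}

# 3. Copy the single executable and run it with the switches shown in the post.
New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null
$exe = Join-Path $TargetDir 'pafsendp.exe'
Copy-Item -Path $Source -Destination $exe -Force

$installArgs = @('-s', '-i', "-host=${CentralHost}:${CentralPort}")
$proc = Start-Process -FilePath $exe -ArgumentList $installArgs -Wait -PassThru
Write-Host "pafsendp.exe exited with code $($proc.ExitCode)"
```

Run it from an elevated session on the client, or hand it to whatever software distribution or Group Policy mechanism already executes scripts in your environment.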

Power Admin's PA File Sight settings are so enormous (feature-packed) that I cannot show you everything. If you wish to learn more about this amazing tool, kindly take a look at this official guide.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section. I welcome you to follow me on Twitter and Facebook.