
SysPatrol Server Monitor

Flexense Ltd.

User Manual

Version 1.4

Mar 2012

Flexense Ltd. www.flexense.com www.syspatrol.com

Product Overview

SysPatrol is a server monitoring solution allowing one to monitor one or more servers and detect unauthorized changes in the system files, kernel drivers, system services, installed software products and registry database. The user is provided with the ability to learn a reference server configuration, periodically monitor the server configuration, detect all unauthorized system changes, automatically save reports and send E-Mail notifications.

SysPatrol Server allows one to send E-Mail notifications, submit error messages to the system event log and/or automatically save HTML, ASCII text, Excel CSV, XML or PDF reports when one or more unauthorized system changes are detected in a server. In addition, the user is provided with the ability to keep a history of system changes in an SQL database.

Initially, SysPatrol scans the system configuration and saves a reference state of the system files (including SHA256 signatures), installed kernel drivers and system services, the state of the registry database and the installed software products and Windows updates. During the monitoring stage, SysPatrol periodically scans the current system configuration and compares it with the reference configuration detecting all newly created, modified and/or deleted system files, kernel drivers, system services, registry database entries or software products.

By default, SysPatrol applies the most rigorous set of settings, capable of detecting all types of changes. If required, the system configuration may be customized for less secure environments, thus minimizing the number of change alerts issued for minor or unimportant configuration changes.

SysPatrol is especially designed to run on production servers using a very small amount of the system memory (6MB-8MB) and intentionally slowing down monitoring operations in order to minimize the performance impact on running production applications. By default, SysPatrol Server is configured to use up to 1%-2% of a single CPU core during the system learning and verification stages, which typically take up to 5 minutes per day.

In order to simplify deployment and everyday use, SysPatrol Server provides a very simple web-based management interface allowing one to control, configure and manage the product locally or through the network using a regular web browser. The user is provided with a number of fully automatic configuration wizards allowing one to install SysPatrol Server and configure system monitors within a couple of minutes making it very easy to deploy the product even for novice computer users.

Product Installation Procedure

SysPatrol Server is especially designed to be as simple as possible. The product does not require any third-party software applications and may be installed and configured within a couple of minutes. A fully functional 30-day trial version of SysPatrol Server may be downloaded from the following page: http://www.syspatrol.com/downloads.html.

The installation package is very small, 1.5MB - 2MB depending on the target operating system, and the product requires just 10MB of the free disk space on the target server. In order to install SysPatrol Server, start the setup program, select a destination directory and press the 'Next' button.

Optionally, enter custom server control and/or web access ports. The server control port is used by the SysPatrol command line utility and the web access port is the port for the web-based management interface allowing one to control SysPatrol Server using a standard web browser. If SysPatrol Server should be controlled remotely through the network, make sure one or both of these ports are open in the server's firewall.

Initial Product Configuration

In order to simplify deployment and everyday use, SysPatrol provides a number of fully automated configuration wizards allowing one to set up and configure the product within a couple of minutes. First of all, log in to the SysPatrol Server web-based management console using a standard web browser (default user name and password: syspatrol/syspatrol).

After finishing the installation procedure, the product is fully functional, but no system monitors are defined in the product configuration. In the simplest case, in order to initialize the default product configuration, just press the 'Init Default Configuration' button. By default, SysPatrol Server applies the most rigorous set of configuration options making sure that all types of system changes are detected.

During the initialization process, SysPatrol will scan the current system configuration and save it as the reference system configuration. By default, SysPatrol Server will save the state of the system files (including SHA256 signatures), installed kernel drivers and system services, installed network protocols, the state of the registry database and installed software products and Windows updates. During the monitoring stage, the saved reference configuration will be used to detect unauthorized system changes.

The SysPatrol configuration wizard will create all the required system monitors and set up a daily periodic system test, which will verify the system configuration every 24 hours. If required, the automatically created system monitors and periodic system tests may be customized and tuned for user-specific needs and requirements.

Periodic Tests and Monitoring

In order to customize server monitors created by the SysPatrol Server configuration wizard, click the 'Settings' link located on the top menu bar and click the 'Configure System Tests' link on the settings page. Each system monitor provides a set of monitor-specific customization options allowing one to optimize and tune SysPatrol Server for user-specific needs.

By default, SysPatrol Server verifies the system configuration every 24 hours. In order to customize periodic tests, press the 'Periodic Tests' button. On the 'Periodic Tests' page click on the default daily periodic test or press the 'Add' button to add a new, custom periodic test.

On the periodic test page, set the time interval to execute the periodic test at, select the system monitors that should be verified and press the 'Save' button. SysPatrol Server will verify the selected system monitors periodically according to the specified time interval, detect all unauthorized system changes, save change reports and send E-Mail notifications if configured.

Reports and E-Mail Notifications

SysPatrol Server allows one to save HTML, ASCII text, Excel CSV, XML or PDF reports or send E-Mail notifications when one or more unauthorized system changes are detected. In order to set up reports and/or notifications, click the 'Settings' link located on the top menu bar and click the 'Reports and Notifications' link located on the settings page.

SysPatrol Server provides the ability to configure multiple report and/or notification actions allowing one to generate different types of reports and/or send notifications to multiple destination addresses. In order to add a new report or notification action, press the 'Add' button located on the reports and notifications page.

For report actions, the user is provided with the ability to specify an absolute file name or a directory name to save the report to. If an existing directory is specified, SysPatrol Server will automatically generate file names containing the date and time of the test and save reports to the directory. For notification actions, the user is provided with the ability to specify the destination E-Mail address to send notifications to. In addition, in order to enable E-Mail notifications, the user is required to configure an SMTP server to use to send notifications.

SQL Database Integration

SysPatrol Server provides the ability to save detected system changes to an SQL database allowing one to keep a history of all changes for future review and analysis. In order to enable SQL database export, click the 'Reports and Notifications' link located on the main settings page, press the 'Add' button to add a new report action, select the SQL database report format and press the 'Save' button.

SysPatrol Server exports SQL database reports through the ODBC database interface, which should be configured to operate properly. In order to configure the ODBC database interface, click on the 'Configure SQL Database' link located on the main settings page, enable the ODBC database interface, specify the ODBC data source, ODBC user name and password to use to save reports to the SQL database.

System Event Log Integration

Another option to send notifications about unauthorized system changes is to submit error messages or warnings to the system event log. In order to add a system event log notification action, click the 'Settings' link located on the top menu bar, click the 'Reports and Notifications' link located on the settings page and press the 'Add' button.

On the notification action page, select the 'Send Error to System Event Log' action type, enter an error message to submit to the system event log, enter the number of system changes to trigger the action and press the 'Save' button. During the monitoring stage SysPatrol Server will verify the system configuration and submit the error message to the system event log when the specified number of system changes is detected.

Managing System Tests and Monitors

In general, the default product configuration created by the SysPatrol Server configuration wizard should be good enough for most users, but sometimes it may be required to tune the SysPatrol Server configuration for user-specific needs and requirements. In order to customize the configuration of SysPatrol Server, click the 'Settings' link located on the top menu bar and click the 'Configure System Tests' link on the settings page.

The 'System Files' test monitors the integrity of the operating system files. By default, the 'System Files' test is configured to monitor executable programs, DLL libraries and configuration files located in the Windows system directory and the 'Program Files' directory. During the learning stage, SysPatrol Server saves the state of the system files (including SHA256 signatures) and during the monitoring stage verifies the integrity of all files by comparing file names, attributes, last modification dates and signatures with the reference system configuration.
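
The learn-then-verify cycle described above, as an added Python example; it is not SysPatrol's code or its storage format. The suffix list, the dictionary layout and the function names are assumptions made for illustration, and the sample files are constructed.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Assumption: stand-ins for "executable programs, DLL libraries and configuration files".
MONITORED_SUFFIXES = {".exe", ".dll", ".ini"}


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def learn(root):
    """Learning stage: record attributes, mtime and SHA256 per monitored file."""
    state = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in MONITORED_SUFFIXES:
            info = path.stat()
            state[str(path.relative_to(root))] = {
                "mode": stat.S_IMODE(info.st_mode),
                "mtime_ns": info.st_mtime_ns,
                "sha256": sha256_of(path),
            }
    return state


def verify(reference, current):
    """Monitoring stage: classify every difference from the reference state."""
    changes = []
    for name in sorted(reference.keys() | current.keys()):
        old, new = reference.get(name), current.get(name)
        if old is None:
            changes.append((name, "created", []))
        elif new is None:
            changes.append((name, "deleted", []))
        else:
            fields = [f for f in ("mode", "mtime_ns", "sha256") if old[f] != new[f]]
            if fields:
                changes.append((name, "modified", fields))
    return changes


def demo():
    """Constructed sample tree: learn it, change it, then verify it."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "app.exe").write_bytes(b"MZ original image")
        (base / "helper.dll").write_bytes(b"MZ helper")
        (base / "service.ini").write_text("port=9140\n")
        (base / "notes.txt").write_text("not monitored\n")
        reference = learn(base)

        # Content changes but the old timestamp is put back, so a date-only
        # comparison would pass; the SHA256 comparison still reports the file.
        before = (base / "app.exe").stat()
        (base / "app.exe").write_bytes(b"MZ replaced image")
        os.utime(base / "app.exe", ns=(before.st_atime_ns, before.st_mtime_ns))
        (base / "helper.dll").unlink()
        (base / "dropped.dll").write_bytes(b"MZ new")
        (base / "notes.txt").write_text("still ignored\n")
        return verify(reference, learn(base))


if __name__ == "__main__":
    for name, kind, fields in demo():
        print(f"{kind:9} {name} {','.join(fields)}")
```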

The 'Kernel Drivers' and 'System Services' tests monitor the configuration of Windows kernel drivers and system services. During the learning stage, SysPatrol Server saves the reference configuration of kernel drivers and system services and during the monitoring stage verifies the system configuration by comparing kernel driver and system service names, startup modes, statuses, attributes, registered executables, etc. In addition, SysPatrol Server detects newly created and deleted kernel drivers and system services.

The 'Network Protocols' test monitors and verifies the installed network protocols. SysPatrol Server is capable of monitoring and verifying all types of network protocols including hidden protocols, which are not visible in the Windows control panel. For each network protocol, SysPatrol Server verifies the protocol version, provider flags, service flags, security scheme, etc. In addition, SysPatrol Server detects all newly created and deleted network protocols.

The 'Registry Database' test monitors a number of important registry database keys, which control the execution of startup programs on the server. In order to add one or more custom registry keys to the SysPatrol configuration, click on the 'Add' link located beside the first registry key and select a root key and a sub key to monitor. By default, SysPatrol Server detects newly created, modified and deleted registry keys and values. In addition, SysPatrol Server detects unexpected changes in the registry keys' last modification dates and times.

The 'Installed Software' test monitors the installed software products and Windows updates. By default, SysPatrol Server detects newly installed, modified or uninstalled software packages and Windows updates. In order to disable detection of changing Windows updates, unselect the 'Detect Changes in Windows Software Updates' option.

Configuring SysPatrol Server

SysPatrol Server provides a variety of configuration options allowing one to easily integrate the product into a user-specific network environment. In order to open the main settings page, click on the 'Settings' link located on the top menu bar.

The SysPatrol Server web-based management console requires users to log in with a SysPatrol user name and password. The default user name and password is set to syspatrol/syspatrol. In addition, SysPatrol Server provides the ability to set a custom user name and/or password for the SysPatrol web-based management interface and the command line utility, which may be used to automate configuration and management tasks.

In order to set a custom user name and password, click on the 'Configure Server Login' link located on the main settings page, enter a new user name and password and press the 'Save' button.

SysPatrol Server uses the TCP/IP port 9140 as the default server control port and the TCP/IP port 80 as the default web access port. Sometimes, these ports may be in use by some other software products or system services. If one or both of these ports are in use, SysPatrol will be unable to operate properly and the user needs to change the SysPatrol server control port and/or web access port.

In order to set a custom server control port and/or web access port, click on the 'Setup Server Ports' link located on the main settings page, select the 'Use Custom Port' option and enter a custom port number to use. If the SysPatrol server should be controlled through the network, make sure the custom ports are open in the server's firewall.

SysPatrol Server provides the ability to send E-Mail notifications when a user-specified number of system changes is detected. In order to configure an SMTP E-Mail server to use to send E-Mail notifications, click on the 'Configure E-Mail Server' link located on the main settings page, enter the SMTP server host name, SMTP server port, SMTP user name, password and the source E-Mail address to use to send E-Mail notifications.

Web-Based Interface

SysPatrol Server provides a complete web-based management interface, which allows one to fully control, manage and configure one or more SysPatrol servers locally or through the network using a standard Web browser. By default, the web-based interface uses the TCP/IP port 80, which is the default HTTP port web browsers use to connect to a web server.

The SysPatrol web-based interface is a dynamic web application, which shows the current status of the server and the progress of performed operations without reloading the currently displayed web page. In order to operate properly, the web-based interface requires JavaScript to be enabled in the web browser.

Command Line Utility

In addition to the web-based management interface, SysPatrol Server provides a command line utility, which may be used to control, manage and configure one or more SysPatrol Servers locally or through the network. By default, the SysPatrol command line utility is located in the '<Product Dir>\bin' directory.

When executed without any command line parameters, the command line utility operates in the interactive mode showing available menus, accepting commands and executing selected operations. The interactive mode is very simple to use: all available commands are displayed in a self-explanatory way, making it very easy to set up and configure the product even for a novice computer user.

In addition to the interactive mode, the command line utility may be executed in the batch mode with a variety of command line parameters and options allowing one to automate control, configuration and management of one or more SysPatrol Servers using batch files or shell scripts. For detailed information about available command line options, execute the command line utility with the '-help' command line parameter.

Product Update Procedure

Flexense develops SysPatrol Server using a fast release cycle with minor product versions, updates and bug fixes released almost every month and major product versions released every year. New product versions and product updates are published on the product web site and may be downloaded from the following page: http://www.syspatrol.com/downloads.html.

Due to the fact that the product is especially designed for servers running in production environments where stability is a major decision factor, SysPatrol Server updates should be manually performed by the user. In order to update an existing product installation, download the latest product version and just start the setup program.

The SysPatrol Server setup program will properly shut down the running SysPatrol Server, update the product and restart the SysPatrol service after finishing the update procedure. All product configuration files, the saved reference system configuration and product registration will remain valid and there is nothing to reconfigure or manage after the update.

Product Registration Procedure

Within a couple of hours after purchasing a product license, the customer will receive two e-mail messages: the first one confirming the payment and the second one containing an unlock key, which should be used to register the product. If you do not receive your unlock key within 24 hours, please check your spam box and, if the unlock key is not in the spam box, contact our support team: support@flexense.com.

If the computer on which SysPatrol is installed is connected to the Internet, log in to the SysPatrol server (default user name and password: syspatrol/syspatrol) using a standard web browser, click on the 'About' link located on the top menu bar, press the 'Register' button, enter your name or your company name, enter the received unlock key and press the 'Register' button.

If the computer is not connected to the Internet, press the 'Manual Registration' button, export the product ID file and send the product ID file to register@syspatrol.com as an attachment. Within a couple of hours, you will receive an unlock file, which should be imported in order to finish the registration procedure.

Supported Operating Systems

32-Bit Operating Systems

Windows XP

Windows Vista

Windows 7

Windows Server 2003

Windows Server 2008

Windows Storage Server 2008

64-Bit Operating Systems

Windows XP 64-Bit

Windows Vista 64-Bit

Windows 7 64-Bit

Windows Server 2003 64-Bit

Windows Server 2008 64-Bit

Windows Storage Server 64-Bit

SysPatrol Server System Requirements

Minimal System Configuration

Supported Operating System

500 MHz or better CPU

256 MB of system memory

25 MB of free disk space

Recommended System Configuration

Supported Operating System

2 GHz or better CPU

512 MB of system memory

25 MB of free disk space
