The audit agent plug-in (Agent) is a plug-in installed on database systems or business systems. It is used to capture data packets accessing the database system and send the data packets to Database Audit. When the database system is deployed on a public cloud or private cloud or in actual scenarios where port mirroring is not possible, database traffic can be captured through a traffic proxy.
How Agent Works
Agent captures, on the database server's network interface, the database operation traffic that matches the IP address and port of the assets delivered by Database Audit.
Agent consists of two processes: dbagent.exe and dbMonitor.exe. DBAgent establishes a connection with port 13002 of Database Audit to forward traffic, and DBMonitor establishes a connection with port 13001 of Database Audit to control the system, including receiving assets and other configurations delivered by Database Audit.
Remotely Install Agent via SSH
You can use the SSH protocol to automatically install the Agent on the server that needs to be audited. Currently, only Linux systems are supported.
Enter the server IP address, SSH port number, root username, and password on the interface. Database Audit will transfer the Agent installation package to the host through the SCP protocol and automatically install it.
1. In the menu, select System Management > Manage Agent to enter the Manage Agent page and select the Install Agent tab.
2. Click Start Installation to enter the page for remote installation of Agent via SSH, edit the audit server IP address, add the server where Agent needs to be installed, and click Install. See the table below for how to enter the parameters.
Parameter | Parameter Description |
Audit Server IP | The default IP address is the current audit server IP address, which can be modified by the user as needed. |
Server for Agent Installation | Supports form format and text format. Enter the server IP address for Agent installation and the password of the server's root account. The default port is 22, which can be modified based on the actual situation. Supports IPv4 and IPv6, and a maximum of 20 servers can be entered. |
Description
Click Installation Status to enter the Installation Status viewing page and the following operations are available:
Click Uninstall to remotely uninstall Agent that has been successfully installed.
Click Reinstall to reinstall Agent on the server where it has not been successfully installed.
Hover the cursor over the icon next to Installation Failed to view the reason for the failure.
Manually Install Agent
You can download the Agent installation package and install it manually on the server that needs to be audited. Windows and some Linux systems are currently supported. For the supported operating systems, see the Limitations section.
Install Agent on a Linux OS
1. In the left menu, select System Management > Agent Management to enter the Agent Management page, select the Agent Installation tab, then select and download a suitable version of the Agent installation package.
Note:
The downloaded Agent will forward traffic to the current Database Audit instance by default. If you need to forward traffic to other Database Audit instances, find the serviceIp option in the agent.ini configuration file in the unzipped Agent path and change the address.
Whether it is the Linux version installation package, AIX version installation package or Windows version installation package, there is a ReadMe document in the folder, which contains instructions for use, file description, precautions, running environment description, and configuration file description. Please read this document carefully before installation and follow the requirements strictly.
2. After downloading the installation package, upload the Agent installation package to the specified directory of the Linux server.
Description
Do not execute binary files directly.
The decompression directory cannot contain spaces.
Each time you change the running or decompression directory, you need to re-run the installation script.
In a Linux environment, you need to run the script as the root user and specify Bash as the interpreter, or run the script directly without specifying an interpreter.
3. Use the tar -xf dbAgent_V2.28.tar.gz command to decompress the Agent installation package and enter the Agent installation directory.
4. In the installation directory, execute the ./install.sh command to install Agent.
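The manual Linux installation above, with the listed constraints checked before anything runs, as an added example that is not part of the vendor's package. The function names, the target directory, the layout of the unpacked package and the reachability probe of ports 13001 and 13002 (the Database Audit ports the Agent connects to) are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example: preflight checks for the manual Linux install described above.
# Function names are hypothetical; only tar -xf and ./install.sh come from the page.

# The decompression directory cannot contain spaces.
path_ok() {
    case "$1" in
        *[[:space:]]*) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;   # require an absolute path so the later cd is unambiguous
    esac
}

# DBMonitor connects to port 13001 (control), DBAgent to port 13002 (traffic).
port_reachable() {   # port_reachable <audit_ip> <port>
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

install_agent() {    # install_agent <package.tar.gz> <target_dir> <audit_ip>
    local pkg=$1 dir=$2 audit_ip=$3 port script
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    path_ok "$dir" || { echo "target directory must be absolute, without spaces" >&2; return 1; }
    [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 1; }
    for port in 13001 13002; do
        port_reachable "$audit_ip" "$port" || { echo "cannot reach $audit_ip:$port" >&2; return 1; }
    done
    mkdir -p "$dir" && tar -xf "$pkg" -C "$dir" || return 1
    # Locate the install script in the unpacked tree (layout is an assumption).
    script=$(find "$dir" -maxdepth 2 -name install.sh -type f | head -n 1)
    [ -n "$script" ] || { echo "install.sh not found under $dir" >&2; return 1; }
    # Run the script, never the binaries directly, with Bash as the interpreter.
    (cd "$(dirname "$script")" && bash ./install.sh)
}

# Usage (constructed paths and address):
#   install_agent /opt/upload/dbAgent_V2.28.tar.gz /opt/dbagent 198.51.100.10
```

If the directory is changed later, run install_agent again, since the page requires re-running the installation script after any change of running or decompression directory.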
Install Agent on a Windows OS
1. In the left menu, select System Management > Agent Management to enter the Agent Management page, select the Agent Installation tab, then select and download a suitable version of the Agent installation package.
Note:
The downloaded Agent will forward traffic to the current Database Audit instance by default. If you need to forward traffic to other Database Audit instances, find the serviceIp option in the agent.ini configuration file in the unzipped Agent path and change the address.
Whether it is the Linux version installation package, AIX version installation package or Windows version installation package, there is a ReadMe document in the folder, which contains instructions for use, file description, precautions, running environment description, and configuration file description. Please read this document carefully before installation and follow the requirements strictly.
2. After downloading the installation package, upload the Agent installation package to the Windows server.
3. Unzip the compressed package to the specified running directory. In the Agent installation directory, run dbAgent-setup.exe as the administrator to enter the installation wizard and click Next.
4. Then, two options, Install winpcap and Install npcap, are displayed. Select based on your actual needs and click Next.
Description
If there is no need for local audit, select Install winpcap;
If there is a need for local audit, select Install npcap.
The Install winpcap installation method is recommended by default, which is more compatible with Windows operating systems.
Check Data encrypted transmission only if you need to configure transmission encryption for Agent data.
5. Click Install.
6. Click I Agree to agree to the installation agreement, and then follow the instructions.
Description
Depending on the choice made in the fourth step, the installation options for WinPcap and Npcap differ slightly:
You can install the WinPcap plug-in based on the default selection.
For the Npcap plug-in, you need to select the two options: "Legacy loopback support for Nmap 7.80 and older. Not needed for Wireshark." and "Install Npcap in WinPcap API-compatible Mode."
7. After the installation is complete, click Finish to quit the installation wizard.
Monitor Agent Status
On the Agent Management page, click Monitor in the operation column of the installed Agent list to enter the Agent Monitoring Information page. You can set the monitoring period as needed, or select different monitoring metrics (e.g. CPU usage, memory usage, forwarding rate, packet loss, and disk read/write).
Modify Agent Configuration
1. On the Agent Management page, select the Agent for which you want to modify the configuration and click Configure in the Operation column in the list.
2. When the configuration modification dialog box pops up, you can modify the relevant parameters as needed. Then, click OK. See the table below for the parameters of each configuration item.
Parameter | Configuration Item Description |
CPU Affinity | When this is enabled, Agent will only run on a single CPU core. CPU affinity means that a process runs on a specified CPU for as long as possible without being migrated to other processors, also known as CPU correlation. On a multi-core machine, each CPU has a cache that caches process usage information. If the process is scheduled to another CPU, the CPU cache hit ratio will decrease, resulting in reduced processing performance. Once the configuration is modified, Agent will automatically restart and the new configuration will apply. |
CPU Usage Limit | The default value is 100%; the value range is: 0% to 100%, and 0 means no limit. |
Memory Usage Limit | The memory used by Agent to cache data packets. The default limit is 200 MB and the limit cannot exceed the maximum memory size of the device. |
System CPU Usage Threshold | The default value is 100%; the value range is: 0% to 100%, and 0 means no limit. |
System Memory Usage Threshold | The default value is 100%; the value range is: 0% to 100%, and 0 means no limit. |
System Disk Read I/O Threshold | The default value is 0, which means no limit. The threshold cannot exceed the maximum read rate of the system disk. |
System Disk Write I/O Threshold | The default value is 0, which means no limit. The threshold cannot exceed the maximum write rate of the system disk. |
Packet Capture Network Port | When this is configured, only traffic on the specified network port will be captured. If this is empty, traffic on all network ports will be captured. Separate multiple network ports with spaces. |
Packet Capture Filtering String | When this is configured, the packet capture network port will only capture traffic that matches the filtering string (usually set to the specified port traffic of the specified server, e.g. host 192.168.0.1 and port 3306). Once this is configured, packets will no longer be automatically captured based on the configured assets. |
Filter by Tool | After this is filled in, the traffic of the specified client tool will no longer be forwarded. You can fill in multiple values and separate them with commas. |
Filter by Account | After this is filled in, the traffic of the specified database account will no longer be forwarded. You can fill in multiple values and separate them with commas. |
Local Loopback Configuration | The system supports local loopback auditing, which can implement local database access auditing without TCP/IP connection. Local loopback auditing means that the Agent injects the .so program into the client tool. The client tool will send a copy of the communication traffic between the client tool and the server to Agent, which then forwards it to Database Audit. After Agent is successfully installed, you need to enable the Local Audit function in the web interface. |
Loopback Network Port | Name of the loopback network port. If this is empty, the port will be automatically identified. Configuring this item is not recommended. |
Loopback Packet Capture Filtering String | When this is configured, the loopback port will only capture traffic that matches the filtering string. Once this is configured, packets will no longer be automatically captured based on the configured assets. |
Loopback Port Replacement IPv4/IPv6 | Change the local loopback IPv4 or IPv6 address in the traffic to the set one. If this is empty, the address will not be replaced. |
Remote Login Audit | Disabled by default. When this is enabled, the IP port of the local traffic will be replaced by the IP port of the remote connection. You need to add the IP address of the server that is remotely connected to the asset interface. If there is no remote connection, no replacement will be made. Once this is enabled, the performance will degrade significantly. |
Local Audit | Supports auditing of non-network database communication data (e.g. inter-process communication). Currently, only specific versions of Oracle, PostgreSQL, MySQL, SQL Server, and DB2 are supported for this feature. |
Debugging Mode | Disabled by default. When this is enabled, more detailed debug logs will be recorded. |
Data Transmission Encryption | Disabled by default. When this is enabled, the data forwarded by Agent will be encrypted. |
CPU Anti-exception Protection Threshold | When the CPU usage of Agent exceeds this value, the Agent will automatically fix the exception. Under normal circumstances, the CPU usage of Agent will not exceed the configured limit. This configuration can serve as a bottom-line protection to prevent special situations. The default value is 100%; 0 means disabling this feature. |
Memory Anti-exception Protection Threshold | When the memory usage of Agent exceeds this value, the Agent will automatically fix the exception. This configuration can serve as a bottom-line protection to prevent special situations. The default value is 300 M; 0 means disabling this feature. |
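Because setting a Packet Capture Filtering String stops asset-based capture, the string has to cover every database endpoint that should still be audited. The following added example (not vendor code) builds such a string from an IP/port list in the page's "host ... and port ..." form and rejects anything that is not a plain address and port. The build_filter helper and the sample endpoints are constructed, and it assumes the field accepts standard pcap filter syntax combined with "or".

```bash
#!/usr/bin/env bash
# Added example: build a capture filter string that covers every audited endpoint.
# build_filter is a hypothetical helper; the sample endpoints are constructed.

# Reads "<ip> <port>" lines on stdin, prints one filter string on stdout.
build_filter() {
    local ip port extra filter="" clause
    while read -r ip port extra; do
        case "$ip" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        [ -z "$extra" ] || { echo "unexpected field: $extra" >&2; return 1; }
        # Allow only address characters so filter syntax cannot be smuggled in.
        case "$ip" in
            *[!0-9A-Fa-f:.]*) echo "bad address: $ip" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "bad port for $ip: $port" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
            { echo "port out of range: $port" >&2; return 1; }
        clause="(host $ip and port $port)"
        filter="${filter:+$filter or }$clause"
    done
    # An empty filter would silently capture nothing useful; refuse it.
    [ -n "$filter" ] || { echo "no endpoints given" >&2; return 1; }
    printf '%s\n' "$filter"
}

# Constructed sample: one IPv4 and one IPv6 database endpoint.
sample_endpoints() {
    printf '%s\n' '192.168.0.1 3306' '# reporting replica' '2001:db8::10 5432'
}

# Usage: sample_endpoints | build_filter
```

Compare the generated string against the asset list whenever an asset is added, since an endpoint missing from the string is no longer captured.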
Agent Tag Management
1. On the Agent Management page, click on an area of the tag-displaying column.
2. Select a tag or create a new tag and click "Read" to add the tag.
3. For an Agent that already has a tag, you can click X to remove the tag.
Other Operations
Operation | Description |
Suspend | Select an Agent in the Connected state and click Suspend to stop a normally running Agent from transmitting data while keeping it connected. |
Wake | Select an Agent in the Suspended state and click Wake to set the Agent running. |
Start | Select an Agent in the Stopped state and click Start to set the Agent running. For Agent versions older than V4.0.65, an Agent in the Stopped state has been disconnected and cannot be started remotely. It can only be started manually after you log in to the server where the Agent is located. |
Stop | Select an Agent in the Connected or Suspended state, and click Stop to stop the Agent. |
Upgrade | Select an Agent in the Connected state and click Upgrade to upgrade the Agent to the latest version of the built-in Agent. |
Rollback | Select an Agent in the Connected state and click Roll Back to roll back the Agent to the Agent version before an upgrade. |
Log | Click More > Logs in the Operation column to download the Agent's logs for the last day. |
Diagnose | Click More > Diagnose in the Operation column to check the Agent's running status. |
Unmount | Select an Agent in the Connected, Stopped or Suspended state, and click Unmount to remotely unmount the Agent. |
Delete | Select an Agent in the Abnormal state and click Delete to delete the Agent from the Agent list. |