Maintaining Activity Monitors (BAMs) in File Access Manager

About Activity Monitors (BAMs)

The Activity Monitor, which is also sometimes referred to as a Business Application Monitor or BAM, is a File Access Manager component that collects events from an endpoint it is configured to monitor, and sends event data to the Event Manager service. The Event Manager service applies the configured policies to the event; if the result of the action is to store the event, it converts the data into an Activity and stores the activity in Elasticsearch and the database (encrypted).

Installing the Service

Follow the instructions in the relevant Connector Installation Guide for your endpoint (for example, the Windows File Server Connector Installation Guide or the SharePoint Server Connector Installation Guide) to install the Activity Monitor for the individual application endpoints, using the File Access Manager Collector Manager.

Uninstalling the Service

  1. Open the File Access Manager Collector Manager on the server where the Activity Monitor is installed.
    Note: The File Access Manager Collector Manager is located in the installers folder, that is, the folder where you extracted the File Access Manager Installer zip file; it is under the Collectors folder (for example, C:\File Access Manager 8.0 Installers\Collectors).
  2. In the Server Name/IP field, enter the host name or IP address of the server on which the File Access Manager Collector Agent Configuration Manager service is running.
  3. Set the Port to the default, 8000.
  4. Enter a user name for a user that has admin privileges, in the format <domain name>\User Name. Alternatively, you can enter the user name wbxadmin.
  5. Enter the password for the user and click Next.
  6. In the next window, a list of installed products is shown. Select the Activity Monitor you want to uninstall and click on Uninstall Product.
  7. In the next window, you will see status information on the Activity Monitor being uninstalled.
  8. Click Finish to exit the server installer on the server.
  9. Check the logs folder, which is located in the same location as the Collector Manager install, for further information about the uninstallation of the Activity Monitor.
  10. If you encounter errors, try to troubleshoot the error, or contact SailPoint for further assistance. You will be required to send the install log so that the issue can be analyzed.

Uninstalling the Service Manually

If you are unable to uninstall an Activity Monitor from a server using the steps listed above, follow these steps to manually uninstall the collector from the server:

  1. Delete the Activity Monitor service manually:
    1. Open services.msc.
    2. Right-click on the Activity Monitor service and click on Properties.
    3. Copy the name value shown for Service name.
    4. Open a command prompt as an administrator and run this command:
      sc.exe delete "WBXBAM_<Application Name>"
      (For example, sc.exe delete "WBXBAM_File Server 1")
    5. Refresh the services.msc and verify that the Activity Monitor process does not appear.
  2. Delete the Registry entries for the Activity Monitor service.
    1. Open the registry editor (regedit).
    2. Browse to the locations listed below and delete any keys and subkeys related to the Activity Monitor.
      Note: Make a backup of the keys before deleting, by right-clicking on the key and clicking Export.
      Keys must be deleted entirely along with the subkeys.
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WBXBAM_<Application Name>
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WBXBAM_<Application Name>
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\File Access Manager Activity Monitor - <Application Name>
      • HKEY_LOCAL_MACHINE\SOFTWARE\whiteboxSecurity\whiteOPS\Components
        Note: Find the Key that has a subkey with the name “ProductType=BAM”
      • HKEY_CLASSES_ROOT\Installer\Products
        Note: Find the Key with appropriate “ProductType” and “Version”
  3. Uninstall the Activity Monitor service from the server.
    1. Go to the control panel and uninstall the File Access Manager Activity Monitor - <Application Name> program.
      Note: You can skip this step if the program is not found.
  4. Delete the Activity Monitor installation folder from the server.
    1. Make a backup of the installation folder C:\Program Files\SailPoint\File Access Manager\<Application Name>
      Note: This step assumes the installation is located in C:\Program Files\SailPoint. You can navigate to the appropriate installation folder in your environment.
    2. Delete the folder.
  5. Update the Activity Monitor entry in the database.
    1. Run this SQL query to retrieve the correct Activity Monitor (BAM) id from the table:
      Select * from whiteops.physical_bam
      Retrieve the id of the Activity Monitor that you wish to update.
    2. Run this SQL query to update the entry:
      update whiteops.physical_bam
      set installed=0, status_enum_id=5 where bam_id=<id>
      Note: Replace the id with the appropriate bam_id.
      installed = 0 will enable the application name to be shown in the Collector Manager so that the Activity Monitor can be re-installed.
  6. Open the Health Center and confirm that the Activity Monitor service does not appear under the Activity Monitoring tab.
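
The manual procedure above leaves several places where remnants can survive. The following read-only PowerShell check is an added example, not SailPoint's own tooling; it reports what is still present for one application name. The script parameters, the default install root, and the reading of "ProductType=BAM" as a registry value named ProductType are assumptions.

```powershell
# Added example: read-only remnant check after a manual Activity Monitor uninstall.
# It deletes nothing; run it from an elevated PowerShell session on the collector server.
param(
    [Parameter(Mandatory)][string]$ApplicationName,   # e.g. 'File Server 1'
    # Assumption: default install root named on the page; change for your environment.
    [string]$InstallRoot = 'C:\Program Files\SailPoint\File Access Manager'
)

$svcName  = "WBXBAM_$ApplicationName"
$findings = [System.Collections.Generic.List[string]]::new()

# Step 1: the Windows service should no longer be registered.
if (Get-Service -Name $svcName -ErrorAction SilentlyContinue) {
    $findings.Add("Service still registered: $svcName")
}

# Step 2: registry keys the page lists by exact path.
$exactKeys = @(
    "HKLM:\SYSTEM\ControlSet001\Services\$svcName",
    "HKLM:\SYSTEM\ControlSet002\Services\$svcName",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\File Access Manager Activity Monitor - $ApplicationName"
)
foreach ($key in $exactKeys) {
    if (Test-Path -LiteralPath $key) { $findings.Add("Registry key remains: $key") }
}

# Step 2 (Components): the page says to look for ProductType=BAM.
# Assumption: it is stored as a value named ProductType on each component key.
# Other Activity Monitors on the same server match too, so these are listed for review only.
$components = 'HKLM:\SOFTWARE\whiteboxSecurity\whiteOPS\Components'
if (Test-Path -LiteralPath $components) {
    Get-ChildItem -LiteralPath $components | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($props.ProductType -eq 'BAM') {
            $findings.Add("BAM component key to review: $($_.Name)")
        }
    }
}

# Step 4: the installation folder should be gone.
$folder = Join-Path $InstallRoot $ApplicationName
if (Test-Path -LiteralPath $folder) { $findings.Add("Install folder remains: $folder") }

if ($findings.Count -eq 0) { "No remnants found for $svcName" } else { $findings }
```

HKEY_CLASSES_ROOT\Installer\Products and the whiteops.physical_bam row are not covered by this check, because the page gives no exact key name or id for them; review those by hand.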

 

Comments

In addition, have a look at the link below for more details on troubleshooting:

  1. Activity Monitor Troubleshooting: https://community.sailpoint.com/t5/IdentityIQ-Wiki/Activities-Event-Data-Flow-and-Troubleshooting/ta...
  2. Activity Statistics: https://community.sailpoint.com/t5/IdentityIQ-Wiki/Activity-Event-Statistics-Logs-What-am-I-looking-...

Version history
Revision #: 4 of 4
Last update: Aug 23, 2019 05:04 PM