To deploy the MIM Auditor, the following high-level tasks must be performed:
- Download and compile the MIM Auditor source code
- Create the Log Analytics Workspace
- Install the service on each server with the MIM Service installed
- Ensure that .NET Framework 4.7.2 is installed on the server

- Download the latest version of the MIM Auditor (source code or compiled binaries)
- Compile the code to the latest version, or download the compiled version
The following steps can be used for a default configuration of the Log Analytics Workspace.
Note: Use the Location and SKU settings appropriate for your organization.
- Log in to the Azure Portal (https://portal.azure.com)
- Open a "Cloud Shell" (PowerShell) from the Portal
- Create a new Resource Group (MIMAuditor)
  - New-AzResourceGroup -Name 'RG-MIMAUDITOR' -Location 'East US'
- Create a new Log Analytics Workspace (MIMAuditor). Associate the workspace with the new Resource Group. Save the Customer ID and Workspace Key for later use; the shared key authorizes writes to the workspace, so handle it as a secret.
  - New-AzOperationalInsightsWorkspace -Location 'East US' -Name 'MIM-Auditor' -Sku standard -ResourceGroupName 'RG-MIMAUDITOR'
  - Get-AzOperationalInsightsWorkspace -Name MIM-AUDITOR -ResourceGroupName RG-MIMAuditor | Select CustomerID
  - Get-AzOperationalInsightsWorkspace -Name MIM-AUDITOR -ResourceGroupName RG-MIMAuditor | Get-AzOperationalInsightsWorkspaceSharedKeys
- Adjust the retention days (Log Analytics workspaces -> MIM-Auditor -> Usage and Estimated Costs). By default, Log Analytics workspace data is retained for only 30 days.
  - Set the Data Retention (Days) in the right pane of the console to the customer's retention requirement
- Log in to the MIM Service server as the MIM Installer account (Local Administrator)
- Enable Hybrid Reporting Request Logging
  - Launch a PowerShell window as an Administrator
  - Run the Enable_Hybrid_Reporting.ps1 script
- Run MIM Auditor's Setup.exe as an Administrator
  - Add the workspace ID (the Customer ID saved from the Log Analytics Workspace deployment)
- Run the Encrypt utility
  - Launch a PowerShell window as an Administrator
  - Switch to the root of C: by typing: CD \
  - Switch to the default MIM Auditor location by typing: CD 'C:\Program Files\Microsoft\MIM Auditor'
  - Encrypt the Workspace Key by typing: .\Encrypt.exe -certificate localhost -string <workspace key>
  Note: The utility encrypts the workspace key and updates the configuration files for the Auditor service and the Scavenger utility.
  Note: The Encrypt utility uses the certificate defined in the .config file. **If the certificate is refreshed or if the workspace key is refreshed, the utility should be run again.**
  Note: By default, the localhost certificate is used. However, the site's SSL certificate could be used instead, to standardize when the encrypted workspace key value must be refreshed.
- Configure the MIM Service to depend on the MIM Auditor service, so that the MIM Service cannot run while the MIM Auditor is not running.
  - Launch a PowerShell window as an Administrator
  - Set the dependency by typing: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\FIMService" -Name DependOnService -Value @("MIMAUDITOR")
  - Reboot the server
  Note: It is important to prevent the MIM Service from issuing requests while the MIM Auditor is not watching for the log events, to avoid coverage gaps. Set-ItemProperty replaces the whole DependOnService list, so if the value already lists other services, include them in the array as well.
- Start the MIMAuditor service
  - Log on to the server as an Administrator (if you rebooted in the previous step)
  - Launch a PowerShell window as an Administrator
  - Validate/start the service: Start-Service -Name "MIMAuditor"
- Create an event and validate that the event is sent to the Log Analytics Workspace
- Create a scheduled task to run the Scavenger utility, which processes any requests that were not written to the Log Analytics Workspace. Any request that fails to be written to the Log Analytics Workspace is captured in the C:\Program Files\Microsoft\MIM Auditor\Requests folder.

Repeat steps 1 to 8 on each of your MIM Service servers.
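Once the steps above are done on a server, the following PowerShell check (an added example, not part of the MIM Auditor project) verifies the prerequisites and settings the guide relies on: the .NET version, the MIMAuditor service state, the FIMService dependency, any stranded requests, and the Scavenger task. The service name "MIMAuditor", the install path and the scheduled task name "MIM Auditor Scavenger" are assumptions.

```powershell
# Post-deployment check for one MIM Service server.
# Added example, not part of the MIM Auditor project. Assumptions: the service is
# registered as "MIMAuditor", the install path is C:\Program Files\Microsoft\MIM Auditor,
# and the Scavenger scheduled task was named "MIM Auditor Scavenger" (assumed name).
$installDir = 'C:\Program Files\Microsoft\MIM Auditor'
$results    = [ordered]@{}

# 1. .NET Framework 4.7.2 or later: the Release DWORD for 4.7.2 is 461808.
$ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['DotNet472OrLater'] = ($null -ne $ndp -and $ndp.Release -ge 461808)

# 2. MIMAuditor service exists, is running, and starts automatically with the server.
$svc = Get-Service -Name 'MIMAuditor' -ErrorAction SilentlyContinue
$results['AuditorRunning']   = ($null -ne $svc -and $svc.Status -eq 'Running')
$results['AuditorAutoStart'] = ($null -ne $svc -and $svc.StartType -eq 'Automatic')

# 3. FIMService must list MIMAUDITOR in DependOnService; otherwise the MIM Service can
#    issue requests while nothing is watching the log (the coverage gap the guide warns about).
$fim = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMService' -ErrorAction SilentlyContinue
$results['FimDependsOnAuditor'] = ($null -ne $fim -and @($fim.DependOnService) -contains 'MIMAUDITOR')

# 4. Files left in the Requests folder are events that never reached Log Analytics;
#    a non-zero count means the Scavenger task still has work to do (or is not running).
$pending = @(Get-ChildItem -Path (Join-Path $installDir 'Requests') -File -ErrorAction SilentlyContinue)
$results['PendingRequests'] = $pending.Count
$results['OldestPending']   = if ($pending.Count) { ($pending | Sort-Object LastWriteTime)[0].LastWriteTime } else { $null }

# 5. Scavenger scheduled task is registered and not disabled.
$task = Get-ScheduledTask -TaskName 'MIM Auditor Scavenger' -ErrorAction SilentlyContinue
$results['ScavengerTaskEnabled'] = ($null -ne $task -and $task.State -ne 'Disabled')

# Overall verdict: every boolean check must pass.
$failed = @($results.Values | Where-Object { $_ -is [bool] -and -not $_ })
$results['AllChecksPassed'] = ($failed.Count -eq 0)
[pscustomobject]$results | Format-List
```

Run it from an elevated PowerShell window on each MIM Service server; a growing PendingRequests count with an old OldestPending timestamp is the signal that writes to the workspace are failing and the Scavenger task is not catching up.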