Unity Device Configuration for Activity Monitoring for Netwrix StealthAUDIT

Summary: Dell Unity Device Configuration for Activity Monitoring for Netwrix StealthAUDIT

Instructions

The Dell Common Event Enabler (CEE) Options tab provides options to configure settings for monitoring Dell devices. File activity monitoring leverages the Dell CEE to deliver activity events from Dell devices.

CEE supports two protocols to deliver events to Activity Monitor: Remote Procedure Call (RPC) and HTTP. An agent can receive activity from several CEEs simultaneously. These can include a local Windows CEE as well as remote Windows and Linux CEEs. Windows versions of CEE can use both the RPC and HTTP protocols. Linux versions support the HTTP protocol only.

Dell CEE can be installed on the same host as the Activity Agent, or on a different host. If it is installed on the same host, the Activity Agent can configure it automatically.

The options are:

  • Check CEE Status - Click the button to confirm the status of Dell CEE installed on the agent server.
  • Choose the CEE event delivery mode:
    • Synchronous real-time delivery - Events are delivered immediately as they occur, one by one.
    • Asynchronous bulk delivery (VCAPS) - Events are delivered in batches with a cadence based on a time period or a number of events. Because this mode provides better throughput, it is recommended for heavily loaded servers. If selected, specify how often Dell CEE delivers events using the following options:
      • Every [number] seconds (from 60 to 600) - Default is 60 seconds.
      • Or every [number] events (from 10 to 10000) - Default is 100 events.
        The number of events and number of seconds are used simultaneously, whichever is reached first.

Choose network protocols for event delivery:

  • Both - Delivers events by Microsoft-RPC and HTTP protocol.
  • Microsoft-RPC - Delivers events by the Microsoft-RPC protocol (Windows versions of CEE only).
  • HTTP - Delivers events by the HTTP protocol (Windows and Linux versions of CEE).
  • HTTP port - The port number to communicate with the agent. The default port number is 4492; modify it if needed. The agent adds the port to the firewall exclusions automatically.
  • IPv4 or IPv6 allowlist - Specify the IP addresses of the CEE instances that are allowed to connect to the agent by the HTTP protocol. Leave blank to accept connections from any host.

For a remote Windows CEE or a Linux CEE, manual configuration is needed.

Click OK to commit the modifications. Click Cancel to discard the modifications. The Agent Properties window closes.

Windows CEE Manual Configuration
Windows CEE is configured through the Windows registry, and the settings depend on the selected event delivery mode, AUDIT or VCAPS.
For the synchronous real-time delivery mode (AUDIT), use the following steps:

  1. Navigate to the following Windows registry key: HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\Audit\Configuration.
  2. Set the Enabled parameter to 1.
  3. If the EndPoint parameter is empty, set it to the string listed below. If it is not empty (for example, if a third-party application is also receiving activity events from CEE), append the following string to the existing EndPoint value, separating them with a semicolon:
    • For the RPC protocol, stealthAudit@ip-address-of-the-agent
    • For the HTTP protocol, StealthAUDIT@http://ip-address-of-the-agent:port
  4. Restart the CEE Monitor service.

For the asynchronous bulk delivery mode with a cadence based on a time period or a number of events (VCAPS), use the following steps:

  1. Navigate to the following Windows registry key: HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CEE\CEPP\VCAPS\Configuration.
  2. Set the Enabled parameter to 1.
  3. If the EndPoint parameter is empty, set it to the string listed below. If it is not empty (for example, a third-party application is also receiving activity events from CEE), append the following string to the existing EndPoint value, separating them with a semicolon:
    • For the RPC protocol, stealthVCAPS@ip-address-of-the-agent
    • For the HTTP protocol, StealthVCAPS@http://ip-address-of-the-agent:port

  4. Set FeedInterval to how often, in seconds, information is sent from CEE to the Activity Monitor. The default is 60 seconds. The range is from 60 seconds to 600 seconds.
  5. Set MaxEventsPerFeed to how many events must occur before information is sent from CEE to Activity Monitor. The default is 100 events. The range is from 10 events to 10,000 events.
  6. Restart the CEE Monitor service.

    The FeedInterval and MaxEventsPerFeed delivery cadences are used simultaneously.

All protocol strings are case-sensitive.
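
An added example, not taken from the original article or from Dell or Netwrix: a read-only PowerShell check of the registry settings from the two procedures above, including the case-sensitivity of the EndPoint entry. The parameter names, the helper function Merge-CeeEndPoint and the placeholder endpoint are assumptions for illustration, and the values are read without assuming their registry types.

```powershell
# Added example: read-only check of the CEE settings from the manual steps.
# Replace the placeholder endpoint with the string from step 3 for your agent.
param(
    [ValidateSet('Audit', 'VCAPS')][string]$Mode = 'VCAPS',
    [string]$AgentEndPoint = 'StealthVCAPS@http://ip-address-of-the-agent:port'
)

# Hypothetical helper: append $Entry to the semicolon-separated list unless an
# exact-case match is already present, and return the resulting EndPoint value.
function Merge-CeeEndPoint([string[]]$Items, [string]$Entry) {
    if ($Items -ccontains $Entry) { return ($Items -join ';') }
    return ((@($Items) + $Entry) -join ';')
}

$key = "HKLM:\SOFTWARE\EMC\CEE\CEPP\$Mode\Configuration"
$cfg = Get-ItemProperty -Path $key -ErrorAction Stop
$findings = @()

if ("$($cfg.Enabled)" -ne '1') {
    $findings += "Enabled is '$($cfg.Enabled)'; the steps call for 1."
}

# Split the existing EndPoint value into its individual receivers.
$items = @("$($cfg.EndPoint)" -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($items -ccontains $AgentEndPoint) {
    # Exact-case entry present: nothing to report.
} elseif ($items -contains $AgentEndPoint) {
    $findings += 'EndPoint has the agent entry in a different letter case; protocol strings are case-sensitive.'
} else {
    $findings += "EndPoint lacks the agent entry; expected value: $(Merge-CeeEndPoint $items $AgentEndPoint)"
}

# Any other receiver of activity events is worth knowing about, so list it.
$others = @($items | Where-Object { $_ -ne $AgentEndPoint })
if ($others) { "Other receivers in EndPoint: $($others -join ', ')" }

if ($Mode -eq 'VCAPS') {
    $limits = @{ FeedInterval = 60, 600; MaxEventsPerFeed = 10, 10000 }
    foreach ($name in $limits.Keys) {
        $value = $cfg.$name -as [int]          # $null when not numeric
        $min, $max = $limits[$name]
        if ($null -eq $value -or $value -lt $min -or $value -gt $max) {
            $findings += "$name is '$($cfg.$name)'; the allowed range is $min to $max."
        }
    }
}

if ($findings) { $findings } else { "CEE $Mode configuration matches the documented settings." }
```

Run it on the host where CEE is installed, once per delivery mode in use; it changes nothing, so the registry edits and the CEE Monitor service restart remain manual steps.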

Affected Products

Isilon
Article Properties
Article Number: 000305048
Article Type: How To
Last Modified: 15 Dec 2025
Version:  1