Configuring WinCollect Agent to Collect Event Logs from Centrify Server Suite
You can forward Windows events to JSA by using WinCollect.
To forward Windows events by using WinCollect, install the WinCollect agent on a Windows host.
Download the WinCollect agent setup file from Juniper Customer Support.
Add a Centrify Server Suite log source and assign it to the WinCollect agent. The following table describes the values that are required for the WinCollect log source parameters.
Table 1: WinCollect Log Source Parameters
Log Source type
Centrify Server Suite
Log Source Identifier
The IP address or host name of the Windows machine from which you want to collect Windows events. The log source identifier must be unique for the log source type.
Select the Local System check box to disable the remote collection of events for the log source. The log source uses local system credentials to collect and forward logs to JSA.
You will need to configure the Domain, Username and Password parameters if remote collection is required.
Event Rate Tuning Profile
For the default polling interval of 3000 ms, the approximate Events per second (EPS) rates attainable are as follows:
For a polling interval of 1000 ms, the approximate EPS rates are as follows:
Polling Interval (ms)
The interval, in milliseconds, between times when WinCollect polls for new events.
Application or Service Log Type
Select None for the Application or Service Log Type.
Standard Log Types
Do not enable the check box for any of the log types.
Select No Filtering as the log filter type for all of the log types. The log types are Security, System, Application, DNS Server, File Replication Service, and Directory Service.
You must select at least one event type.
To forward only Centrify Audit events, you must specify the XPath filter. The query is in XML format and can be created by using Custom View Properties of Microsoft Event Viewer.
For more information about creating an XPath query, go to the Creating a custom view documentation on the IBM Support website (https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.wincollect.doc/t_ug_wincollect_creating_customview.html).
Note: When you create the custom view, ensure that the By Source option is selected. From the Event sources list, select the application name of the Centrify Audit Events.
Example XPath query:
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='Centrify AuditTrail V2']]]</Select>
  </Query>
</QueryList>
Enable Active Directory Lookups
Do not select the check box.
Select your WinCollect agent from the list.
Target Internal Destination
Use any managed host with an event processor component as an internal destination.
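The XPath query parameter above can be checked on the Windows host before it is entered in the log source. The following PowerShell is an added example, not part of the original documentation or of WinCollect; the function name Test-WinCollectXPathQuery is hypothetical, and the script assumes it is run on the host whose Application log holds the Centrify audit events.

```powershell
# Added example: validate a WinCollect XPath filter and preview what it matches.
# The provider name is the one given in the example query on this page.
$queryXml = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='Centrify AuditTrail V2']]]</Select>
  </Query>
</QueryList>
'@

function Test-WinCollectXPathQuery {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $QueryXml,
        [int] $MaxEvents = 50
    )

    # 1. The query must be well-formed XML. The [xml] cast throws if it is not,
    #    for example when "Select" and "Path" have run together into one token.
    $doc = [xml]$QueryXml

    # 2. Structural checks: every <Query> and every <Select> needs a Path.
    $queries = @($doc.SelectNodes('/QueryList/Query'))
    if ($queries.Count -eq 0) { throw 'No <Query> element under <QueryList>.' }
    foreach ($q in $queries) {
        if (-not $q.GetAttribute('Path')) { throw 'A <Query> is missing its Path attribute.' }
        $selects = @($q.SelectNodes('Select'))
        if ($selects.Count -eq 0) { throw 'A <Query> has no <Select> element.' }
        foreach ($s in $selects) {
            if (-not $s.GetAttribute('Path')) { throw 'A <Select> is missing its Path attribute.' }
        }
    }

    # 3. Run the filter against the local event log. An empty result is reported
    #    as an error by Get-WinEvent, so treat that case as "zero events".
    try {
        $events = @(Get-WinEvent -FilterXml $doc -MaxEvents $MaxEvents -ErrorAction Stop)
    } catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
        else { throw }
    }

    # 4. Summarise by provider and event ID so unexpected sources stand out.
    $events | Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Test-WinCollectXPathQuery -QueryXml $queryXml
```

If the summary is empty, confirm the provider name in Event Viewer (the By Source list of the custom view) before concluding that no audit events exist.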