
Configuring WinCollect Agent to Collect Event Logs from Centrify Server Suite


You can forward Windows events to JSA by using WinCollect.

To forward Windows events by using WinCollect, install the WinCollect agent on a Windows host.

Download the WinCollect agent setup file from Juniper Customer Support.

Add a Centrify Server Suite log source and assign it to the WinCollect agent. The following table describes the values that are required for the WinCollect log source parameters.

Table 1: WinCollect Log Source Parameters (each parameter name is followed by the value to set)

Log Source type

Centrify Server Suite

Protocol Configuration

WinCollect

Log Source Identifier

The IP address or host name of the Windows machine from which you want to collect Windows events. The log source identifier must be unique for the log source type.

Local System

Select the Local System check box to disable remote collection for this log source. The agent then uses the local system account to read the event logs and forward them to JSA.

If you leave the check box cleared (remote collection), you must also configure the Domain, Username and Password parameters. Use a dedicated account that has only read access to the event logs on the target host (for example, membership in the built-in Event Log Readers group) rather than an administrator account.

Event Rate Tuning Profile

For the default polling interval of 3000 ms, the approximate events-per-second (EPS) rates that each profile can sustain are as follows:

  • Default (Endpoint): 33-50 EPS

  • Typical Server: 166-250 EPS

  • High Event Rate Server: 416-625 EPS

For a polling interval of 1000 ms, the approximate EPS rates for each profile are as follows:

  • Default (Endpoint): 100-150 EPS

  • Typical Server: 500-750 EPS

  • High Event Rate Server: 1250-1875 EPS

Polling Interval (ms)

The interval, in milliseconds, between times when WinCollect polls for new events.

Application or Service Log Type

Select None for the Application or Service Log Type.

Standard Log Types

Do not select the check box for any of the standard log types, and select No Filtering as the log filter type for each of them. The standard log types are Security, System, Application, DNS Server, File Replication Service, and Directory Service.

Event Types

You must select at least one event type.

XPath Query

To forward only Centrify audit events, specify an XPath filter. The query is XML and can be generated from the Custom View Properties dialog (XML tab) of Microsoft Event Viewer.

For more information about creating an XPath query, go to the Creating a custom view documentation on the IBM Support website (https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.wincollect.doc/t_ug_wincollect_creating_customview.html).

Note: When you create the custom view, ensure that the By Source option is selected. From the Event sources list, select the application name of the Centrify Audit Events.

Example XPath query (the Select element takes a Path attribute that names the same channel as the Query element):

    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*[System[Provider[@Name='Centrify AuditTrail V2']]]</Select>
      </Query>
    </QueryList>

Enable Active Directory Lookups

Do not select the check box.

WinCollect Agent

Select your WinCollect agent from the list.

Target Internal Destination

Use any managed host with an event processor component as an internal destination.
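Before saving the log source, it is worth confirming on the Windows host itself that the XPath filter from the XPath Query parameter actually matches events, and measuring how many it matches per second so that the Event Rate Tuning Profile and Polling Interval can be chosen from the rates in the table rather than guessed. The following PowerShell script is an added example; it is not code from this page, from Juniper, or from Centrify. It assumes the provider name used in the page's example query, a one-hour measurement window and the 3000 ms default polling interval; all three are illustrative and can be changed at the top of the script.

```powershell
# Added example, not code from the Juniper page or from Centrify/WinCollect.
# Run on the Windows host named by the log source identifier, before saving
# the log source. It checks that the XPath filter matches real events and
# measures the matching event rate so the Event Rate Tuning Profile can be
# chosen from the documented EPS ranges.
#
# Assumptions: the provider name is the one in the page's example query;
# the window length and polling interval are illustrative defaults.
$Provider      = 'Centrify AuditTrail V2'
$WindowMinutes = 60
$PollingMs     = 3000

# 1. The provider must be registered on this host. An unknown provider name
#    is not an error to Event Viewer or WinCollect; the filter just matches
#    nothing, which is the failure mode to catch here.
$registered = Get-WinEvent -ListProvider $Provider -ErrorAction SilentlyContinue
if (-not $registered) {
    Write-Warning "Provider '$Provider' is not registered on $env:COMPUTERNAME. Check the name under Event sources in Event Viewer."
}

# 2. The same structured query as the log source's XPath Query field, with a
#    time bound added so the count covers only the last $WindowMinutes.
#    timediff() is measured in milliseconds; '<=' must be escaped as &lt;= in XML.
$windowMs = $WindowMinutes * 60 * 1000
$Query = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
      *[System[Provider[@Name='$Provider'] and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]
    </Select>
  </Query>
</QueryList>
"@

# 3. Get-WinEvent raises a terminating error when no event matches, so treat
#    that case as an empty result instead of a script failure.
try {
    $events = @(Get-WinEvent -FilterXml ([xml]$Query) -ErrorAction Stop)
} catch [System.Exception] {
    if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
}

if ($events.Count -eq 0) {
    Write-Warning "The filter matched no events in the last $WindowMinutes minutes; WinCollect would forward nothing."
    return
}

# 4. Every event returned must come from the provider the filter names;
#    anything else means the query is broader than intended.
$foreign = @($events | Where-Object { $_.ProviderName -ne $Provider })
if ($foreign.Count -gt 0) {
    Write-Warning "$($foreign.Count) events came from other providers; the filter is too broad."
}

# 5. Average rate over the window, and the burst each poll must absorb.
#    Compare the EPS figure with the ranges documented for each tuning profile.
$eps     = [math]::Round($events.Count / ($WindowMinutes * 60), 2)
$perPoll = [math]::Round($eps * $PollingMs / 1000, 1)
"{0} matching events in {1} min: {2} EPS average, ~{3} events per {4} ms poll" -f `
    $events.Count, $WindowMinutes, $eps, $perPoll, $PollingMs

# Show a few events so the IDs and first message line can be eyeballed.
$events | Select-Object -First 5 TimeCreated, Id, ProviderName,
    @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Because the script uses the same QueryList XML as the log source, a query that returns events here but nothing in JSA points at the agent side (credentials, the Local System setting, or the agent's destination) rather than at the filter. The average EPS over an hour understates peaks during bulk operations, so if the measured rate sits near the top of a profile's range, pick the next profile up or shorten the polling interval.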