Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Communication Between WinCollect Agents and JSA

 

Open ports are required for data communication between WinCollect agents and the JSA host, and between WinCollect agents and the hosts that they remotely poll.

WinCollect Agent Communication to JSA Console and Event Collectors

All WinCollect agents communicate with the JSA Console and Event Collectors to forward events to JSA and request updated information. You must ensure firewalls that are between the JSA Event Collectors and your WinCollect agents allow traffic on the following ports:

  • Port 8413--This port is required for managing the WinCollect agents. Port 8413 is used for features such as configuration updates. Traffic is always initiated from the WinCollect agent. This traffic is sent over TCP and communication is encrypted.

  • Port 514--This port is used by the WinCollect agent to forward syslog events to JSA. You can configure WinCollect log sources to provide events by using TCP or UDP. You can decide which transmission protocol is required for each WinCollect log source. Port 514 traffic is always initiated from the WinCollect agent.

WinCollect Agents Remotely Polling Windows Event Sources

WinCollect agents that remotely poll other Windows operating systems for events that include extra port requirements. The following ports are used when WinCollect agents remotely poll for Windows-based events:

Table 1: Port Usage for WinCollect Remote Polling

Port

Protocol

Usage

135

TCP

Microsoft Endpoint Mapper

137

UDP

NetBIOS name service

138

UDP

NetBIOS datagram service

139

TCP

NetBIOS session service

445

TCP

Microsoft Directory Services for file transfers that use Windows share

Collecting events by polling remote Windows systems uses dynamic RPC. To use dynamic RPC, you must allow inbound traffic to the Windows system that WinCollect attempts to poll for events on port 135. Port 135 is used for Endpoint Mapping by Windows.

If you remotely poll any Windows operating system other than the Windows Vista operating system, you might need to allow ports in the range between 1024 and port 5000. You can configure Windows to restrict the communication to specific ports for the older versions of Windows Firewall. For more information, see your Windows documentation.

Note

To limit the number of events that are sent to JSA, administrators can use exclusion filters for an event based on the EventID or Process.