
Communication Between WinCollect Agents and JSA

 

Open ports are required for data communication between WinCollect agents and the JSA host, and between WinCollect agents and the hosts that they remotely poll.

WinCollect Agent Communication to JSA Console and Event Collectors

All WinCollect agents communicate with the JSA Console and Event Collectors to forward events to JSA and request updated information. You must ensure firewalls that are between the JSA Event Collectors and your WinCollect agents allow traffic on the following ports:

  • Port 8413--This port is required for managing the WinCollect agents. Port 8413 is used for features such as configuration updates. Traffic is always initiated from the WinCollect agent. This traffic is sent over TCP and communication is encrypted.

  • Port 514--This port is used by the WinCollect agent to forward syslog events to JSA. You can configure WinCollect log sources to provide events by using TCP or UDP. You can decide which transmission protocol is required for each WinCollect log source. Port 514 traffic is always initiated from the WinCollect agent.

WinCollect Agents Remotely Polling Windows Event Sources

WinCollect agents that remotely poll other Windows operating systems require extra ports. The following table describes the ports that WinCollect uses:

Table 1: Port Usage for WinCollect Remote Polling

Port          | Protocol | Usage
--------------|----------|----------------------------------------------------------------------
135           | TCP      | Microsoft Endpoint Mapper
137           | UDP      | NetBIOS name service
138           | UDP      | NetBIOS datagram service
139           | TCP      | NetBIOS session service
445           | TCP      | Microsoft Directory Services for file transfers that use Windows share
49152 – 65535 | TCP      | Default dynamic port range for TCP/IP

Note

Use Windows Server to perform remote polling whenever you are polling a large number of remote machines.

The MSEVEN protocol uses port 445. The NetBIOS ports (137 - 139) can be used for host name resolution. When the WinCollect agent polls a remote event log by using MSEVEN6, the initial communication with the remote machine occurs on port 135 (dynamic port mapper), which assigns the connection to a dynamic port. The default port range for dynamic ports is between port 49152 and port 65535. To allow traffic on these dynamic ports, enable and allow the following two inbound rules on the Windows server that is being polled:

  • Remote Event Log Management (RPC)

  • Remote Event Log Management (RPC-EPMAP)
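
One way to apply the two inbound rules above from PowerShell instead of the GUI (an added example, not from the original JSA documentation). It assumes the polled server runs Windows Server 2012 or later, where the NetSecurity cmdlets are available, and that 192.0.2.10 is a placeholder for the WinCollect agent's address; restricting the rules to that address is an optional hardening step that the page does not require.

```powershell
# Run in an elevated PowerShell session on the Windows server that is being polled.
# Assumption: 192.0.2.10 is a placeholder for the WinCollect agent's address.
$AgentAddress = '192.0.2.10'

# The two inbound rules named in the text above.
$RuleNames = @(
    'Remote Event Log Management (RPC)',
    'Remote Event Log Management (RPC-EPMAP)'
)

foreach ($name in $RuleNames) {
    $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rules) {
        Write-Warning "Firewall rule not found: $name"
        continue
    }
    # Enable the rule, allow the traffic, and accept it only from the agent.
    $rules | Set-NetFirewallRule -Enabled True -Action Allow -RemoteAddress $AgentAddress
}

# Review the result: profile, state, local port and permitted remote address.
# A rule can exist once per firewall profile, so check the Profile column
# and disable any copy that applies to a network type you do not need.
$RuleNames | ForEach-Object {
    Get-NetFirewallRule -DisplayName $_ -ErrorAction SilentlyContinue | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            Action        = $_.Action
            LocalPort     = $port.LocalPort -join ','
            RemoteAddress = $addr.RemoteAddress -join ','
        }
    }
} | Format-Table -AutoSize
```

From the WinCollect agent host, `Test-NetConnection -ComputerName <polled-server> -Port 135` confirms that the endpoint mapper is reachable once the rules are in place.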

Note

To limit the number of events that are sent to JSA, administrators can use exclusion filters for an event based on the EventID or Process.

Enabling Remote Log Management on Windows 7

You can enable remote log management only when your log source is configured to remotely poll other Windows operating systems. You can enable remote log management on Windows 7 for XPath queries.

  1. On your desktop, select Start > Control Panel.
  2. Click the System and Security icon.
  3. Click Allow a program through Windows Firewall.
  4. If prompted, click Continue.
  5. Click Change Settings.
  6. From the Allowed programs and features pane, select Remote Event Log Management.

    Depending on your network, you might need to correct or select more network types.

  7. Click OK.

Enabling Remote Log Management on Windows 2008

You can enable remote log management only when your log source is configured to remotely poll other Windows operating systems. You can enable remote log management on Windows Server 2008 for XPath queries.

  1. On your desktop, select Start > Control Panel.
  2. Click the Security icon.
  3. Click Allow a program through Windows Firewall.
  4. If prompted, click Continue.
  5. From the Exceptions tab, select Remote Event Log Management and click OK.

Enabling Remote Log Management on Windows 2008 R2 and Windows 2012 R2

You can enable remote log management only when your log source is configured to remotely poll other Windows operating systems. You can enable remote log management on Windows 2008 R2 and Windows 2012 R2 for XPath queries.

  1. On your desktop, select Start > Control Panel.
  2. Click the Windows Firewall icon.
  3. Click Allow a program through Windows Firewall.
  4. If prompted, click Continue.
  5. Click Change Settings.
  6. From the Allowed programs and features pane, select the Remote Event Log Management check box.

    Depending on your network, you might need to correct or select more network types.

  7. Click OK.