
Windows Log Source Parameters

 

Common parameters are used when you configure a log source for a WinCollect agent or a WinCollect plug-in. Each WinCollect plug-in also has a unique set of configuration options.

Table 1: Common WinCollect Log Source Parameters

Parameter

Description

Log Source Identifier

The IP address or host name of the remote Windows operating system from which you want to collect Windows-based events. WinCollect polls this host for events. The log source identifier must be unique for the log source type.

Local System

Disables remote collection of events for the log source.

The log source then uses the local system credentials of the agent host to collect events and forward them to JSA.

Domain

Optional.

The domain that includes the Windows-based log source.

Use a NetBIOS name or a fully qualified name, for example LAB1 or server1.mydomain.com. A UNC-style prefix, for example \\mydomain.com, is incorrect.

Event Rate Tuning Profile

For the default polling interval of 3000 ms, the approximate events per second (EPS) rates that are attainable are as follows:

  • Default (Endpoint): 33-50 EPS

  • Typical Server: 166-250 EPS

  • High Event Rate Server: 416-625 EPS

For a polling interval of 1000 ms the approximate EPS rates are as follows:

  • Default (Endpoint): 100-150 EPS

  • Typical Server: 500-750 EPS

  • High Event Rate Server: 1250-1875 EPS

Polling Interval (ms)

The interval, in milliseconds, between times when WinCollect polls for new events.
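The tuning profile and polling interval should be chosen from the host's measured event rate rather than guessed. The following script is an added example, not part of the JSA documentation: it counts Security, System and Application events written in a recent window, converts that to EPS, and maps the result onto the approximate profile ceilings from the table above, scaled by the polling interval. The ten-minute window, the choice of logs and the use of the table's upper figures as ceilings are assumptions; reading the Security log needs administrative rights or membership in Event Log Readers.

```powershell
# Added example (not from the JSA documentation): measure a host's actual event rate
# so that the Event Rate Tuning Profile and Polling Interval match it.
# Run on the host itself, or pass -ComputerName for a host that allows Remote Event
# Log Management. Window length and log selection are assumptions; adjust as needed.
param(
    [string]$ComputerName      = $env:COMPUTERNAME,
    [int]   $WindowMinutes     = 10,
    [int]   $PollingIntervalMs = 3000
)

$since = (Get-Date).AddMinutes(-$WindowMinutes)
$logs  = 'Security', 'System', 'Application'
$total = 0

foreach ($log in $logs) {
    # Get-WinEvent writes an error (not an empty result) when nothing matches,
    # so suppress it and treat that as zero events.
    $events = Get-WinEvent -ComputerName $ComputerName `
                           -FilterHashtable @{ LogName = $log; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $count  = @($events).Count
    Write-Host ("{0,-12} {1,8} events in the last {2} min" -f $log, $count, $WindowMinutes)
    $total += $count
}

$eps = [math]::Round($total / ($WindowMinutes * 60), 2)

# Ceilings taken from the documentation table: 50 / 250 / 625 EPS at 3000 ms and
# 150 / 750 / 1875 EPS at 1000 ms, i.e. they scale with 3000 / interval.
$scale = 3000 / $PollingIntervalMs
$bands = [ordered]@{
    'Default (Endpoint)'     = 50  * $scale
    'Typical Server'         = 250 * $scale
    'High Event Rate Server' = 625 * $scale
}

# First profile whose ceiling is at or above the observed rate.
$suggested = $bands.GetEnumerator() | Where-Object { $eps -le $_.Value } | Select-Object -First 1

if (-not $suggested) {
    Write-Warning ("Observed {0} EPS exceeds the High Event Rate Server ceiling at {1} ms; " +
                   "lower the polling interval or split the host across log sources.") -f $eps, $PollingIntervalMs
} else {
    Write-Host ("Observed {0} EPS -> suggested profile: {1} at {2} ms polling" -f $eps, $suggested.Key, $PollingIntervalMs)
}
```

Run it during a representative period (for example a business-hours logon peak on a domain controller), because a quiet window understates the rate you have to sustain. If the observed rate sits near a ceiling, rerun with -PollingIntervalMs 1000 to see whether the shorter interval gives enough headroom before changing the profile.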

Application or Service Log Type

Optional. Used together with XPath queries.

Provides a specialized XPath query for products that write their events to the Windows Application log, so that those events can be separated from the other Application log events and assigned to a log source for that product.

Event Log Poll Protocol

The protocol that JSA uses to communicate with the Windows device. The default is MSEVEN6.

Security

Select the check box to enable WinCollect to forward security logs to JSA.

Security Log Filter Type

To ignore specific event IDs that are collected from the Windows event log, select Exclusion Filter.

To collect only specific event IDs from the Windows event log, select Inclusion Filter.

The NSA Filter option populates the Security Log Filter field with a list of event IDs recommended by the National Security Agency.

The default is No Filtering.

Note: If you select a filter type from the list, the Security Log Filter field is displayed. You must provide the event IDs that you want to include or exclude.

System

Select the check box to enable WinCollect to forward system logs to JSA.

System Log Filter Type

To ignore specific event IDs that are collected from the Windows event log, select Exclusion Filter.

To collect only specific event IDs from the Windows event log, select Inclusion Filter.

The NSA Filter option populates the System Log Filter field with a list of event IDs recommended by the National Security Agency.

The default is No Filtering.

Note: If you select a filter type from the list, the System Log Filter field is displayed. You must provide the event IDs that you want to include or exclude.

Application

Select the check box to enable WinCollect to forward application logs to JSA.

Application Log Filter Type

To ignore specific event IDs that are collected from the Windows event log, select Exclusion Filter.

To collect only specific event IDs from the Windows event log, select Inclusion Filter.

The NSA Filter option populates the Application Log Filter field with a list of event IDs recommended by the National Security Agency.

The default is No Filtering.

Note: If you select a filter type from the list, the Application Log Filter field is displayed. You must provide the event IDs that you want to include or exclude.

DNS Server

Select the check box to enable WinCollect to forward DNS Server logs to JSA.

DNS Server Log Filter Type

To ignore specific event IDs that are collected from the Windows event log, select Exclusion Filter.

To collect only specific event IDs from the Windows event log, select Inclusion Filter.

The NSA Filter option populates the DNS Server Log Filter field with a list of event IDs recommended by the National Security Agency.

The default is No Filtering.

Note: If you select a filter type from the list, the DNS Server Log Filter field is displayed. You must provide the event IDs that you want to include or exclude.

File Replication Service

Select the check box to enable WinCollect to forward File Replication Service logs to JSA.

File Replication Service Log Filter Type

To ignore specific event IDs that are collected from the Windows event log, select Exclusion Filter.

To collect only specific event IDs from the Windows event log, select Inclusion Filter.

Note: If you select a filter type from the list, the File Replication Service Log Filter field is displayed. You must provide the event IDs that you want to include or exclude.

Directory Service

Select the check box to enable WinCollect to forward Directory Service logs to JSA.

Directory Service Log Filter Type

To ignore specific event IDs that are collected from the Windows event log, select Exclusion Filter.

To collect only specific event IDs from the Windows event log, select Inclusion Filter.

Note: If you select a filter type from the list, the Directory Service Log Filter field is displayed. You must provide the event IDs that you want to include or exclude.

Log Filter Type

Configures the WinCollect agent to ignore specific events from the Windows event log.

You can also configure WinCollect agents to ignore events globally, either by event ID code alone or by source and event ID together.

Exclusion filters for events are available for the following log source types: Security, System, Application, DNS Server, File Replication Service, and Directory Service.

Global exclusions match on the EventIDCode field of the event payload. Source and ID exclusions match on both the Source= field and the EventIDCode= field of the Windows event payload. Separate multiple sources with a semicolon.

Forwarded Events

Enables JSA to collect events that remote Windows event sources forward to the agent host through Windows Event Forwarding subscriptions.

Events that arrive through event subscriptions are discovered automatically by the WinCollect agent and forwarded as if they came from a syslog event source.

When you configure event forwarding on your Windows systems, enable event pre-rendering (the RenderedText content format) in the subscription, so that the forwarded events carry their rendered message text rather than only the raw event XML.
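A subscription that satisfies the pre-rendering requirement, as an added example that is not part of the JSA documentation or of WinCollect: it defines a source-initiated Windows Event Forwarding subscription on the collector (the host that runs the WinCollect agent) with ContentFormat set to RenderedText, and creates it with wecutil. The subscription name, the description, the three Security event IDs and the en-US locale are assumptions; the allowed-computers SDDL is the one Microsoft's sample subscription uses, which admits domain computers and should be narrowed to the source hosts you actually expect.

```powershell
# Added example (not from the JSA documentation): create a Windows Event Forwarding
# subscription on the collector with pre-rendered (RenderedText) events.
# Name, description, selected event IDs and locale are assumptions.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>JSA-Security-Events</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward selected Security events to the WinCollect host</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <!-- RenderedText is the "pre-rendering" the WinCollect documentation asks for:
       the collector receives the rendered message, level and task strings.
       With ContentFormat=Events only the raw event XML is delivered. -->
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <!-- Forwarded events land in the ForwardedEvents log, which WinCollect reads
       when the Forwarded Events check box is selected. -->
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL from Microsoft's sample subscription: allows domain computers.
       Narrow this to the specific source hosts in production. -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@

$path = Join-Path $env:TEMP 'jsa-security-subscription.xml'
Set-Content -Path $path -Value $subscriptionXml -Encoding UTF8

wecutil qc /q                       # configure and start the Windows Event Collector service
wecutil cs $path                    # create the subscription from the XML file
wecutil gs JSA-Security-Events      # show the subscription; confirm ContentFormat: RenderedText

# An existing subscription created with ContentFormat=Events can be switched in place:
# wecutil ss JSA-Security-Events /cf:RenderedText
```

Source-initiated subscriptions also need the forwarding hosts to be pointed at this collector through the SubscriptionManager policy and to have WinRM listening; that configuration is outside this page. After the first events arrive, open one in the ForwardedEvents log and confirm that the General tab shows rendered message text; if it shows only "The description for Event ID ... cannot be found", the subscription is still delivering raw events.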

Event Types

At least one event type must be selected.

Enable Active Directory Lookups

If the WinCollect agent is in the same domain as the domain controller that is responsible for the Active Directory lookup, you can select this check box and leave the override domain and DNS parameters blank.

Note: If the agent is not in that domain, you must enter values for the Domain Controller Name Lookup and DNS Domain Name Lookup parameters.

Override Domain Controller Name

Required when the domain controller that is responsible for Active Directory lookup is outside of the domain of the WinCollect agent.

The IP address or host name of the domain controller that is responsible for the Active Directory lookup.

XPath Query

Structured XML expressions that you use to retrieve customized events from Windows event logs.

If you specify an XPath query to filter events, the log types whose check boxes you selected under Standard Log Type or Event Type are still collected, in addition to the events that match the XPath query.

To collect events from a remote host by using an XPath query, you might need to enable the Remote Event Log Management firewall rule group on Windows 2008.
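An XPath query is best validated against the live log before it is pasted into the XPath Query field, since a query that matches nothing fails silently on the collection side. The following is an added example, not part of the JSA documentation: it builds an inclusion-style query (only listed event IDs from one provider) and an exclusion-style query (everything from that provider except listed IDs), which are the XPath equivalents of the Inclusion Filter and Exclusion Filter options above and of the Application or Service Log Type use case of separating one product's events out of the Application log. It runs each query locally with Get-WinEvent and then wraps the inclusion query in the QueryList form that Event Viewer's custom view XML tab produces. The provider name ExampleBackupService and the event IDs are assumptions; substitute the product that writes to your Application log.

```powershell
# Added example (not from the JSA documentation): build, test and package XPath
# queries for the Application log before putting them in a WinCollect log source.
# Provider name and event IDs are assumptions.
$provider   = 'ExampleBackupService'
$includeIds = 4000, 4001, 4002     # inclusion filter: collect only these IDs
$excludeIds = 4005                 # exclusion filter: collect everything except these IDs

# Inclusion: provider AND any of the listed IDs. EventID is numeric in XPath,
# so the comparison list is "EventID=4000 or EventID=4001 ...".
$inList         = (@($includeIds) | ForEach-Object { "EventID=$_" }) -join ' or '
$inclusionQuery = "*[System[Provider[@Name='$provider'] and ($inList)]]"

# Exclusion: provider AND NOT any of the listed IDs.
$exList         = (@($excludeIds) | ForEach-Object { "EventID=$_" }) -join ' or '
$exclusionQuery = "*[System[Provider[@Name='$provider'] and not($exList)]]"

foreach ($q in $inclusionQuery, $exclusionQuery) {
    Write-Host "`nQuery: $q"
    try {
        # -MaxEvents keeps the check cheap. Get-WinEvent reports "no events found"
        # as a non-terminating error; -ErrorAction Stop turns it into the catch below.
        $hits = Get-WinEvent -LogName Application -FilterXPath $q -MaxEvents 5 -ErrorAction Stop
        $hits | Select-Object TimeCreated, ProviderName, Id, LevelDisplayName | Format-Table -AutoSize
    } catch {
        Write-Warning "No events matched, or the query is malformed: $($_.Exception.Message)"
    }
}

# Structured form of the same inclusion query, as produced by the XML tab of an
# Event Viewer custom view. Path names the log the query runs against.
$queryList = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">$inclusionQuery</Select>
  </Query>
</QueryList>
"@
Write-Host "`nQueryList form:`n$queryList"

# Remote hosts: the same Get-WinEvent call accepts -ComputerName, but the remote
# host must allow Remote Event Log Management through its firewall, for example
# (Windows 2008 and later, run on the remote host):
#   netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
```

A query that returns rows here but nothing in JSA usually points at the account WinCollect runs as: it needs read access to the Application log on the target host, which the interactive account that ran this check may already have. Keep the provider name exactly as it appears in ProviderName in the output; the @Name comparison is an exact string match, not a prefix.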

Target Internal Destination

Use any managed host that has an event processor component as the internal destination.

Target External Destination

Forwards your events to one or more external destinations that you configured in your destination list.