Communication Between WinCollect Agents and JSA
Open ports are required for data communication between WinCollect agents and the JSA host, and between WinCollect agents and the hosts that they remotely poll.
WinCollect Agent Communication to JSA Console and Event Collectors
All WinCollect agents communicate with the JSA Console and Event Collectors to forward events to JSA and request updated information. Managed WinCollect agents also request and receive updated code and configuration changes. You must ensure firewalls that are between the JSA Event Collectors and your WinCollect agents allow traffic on the following ports:
Port 8413--This port is required for managing the WinCollect agents to request and receive code and configuration updates. Traffic is always initiated from the WinCollect agent, but the port must be open bidirectionally for the agent to receive updates. This traffic is sent over TCP and communication is encrypted using the Console's public key and the
ConfigurationServer.PEMfile on the agent.
Port 514--This port is used by the WinCollect agent to forward syslog events to JSA. You can configure WinCollect log sources to provide events by using TCP or UDP. You can decide which transmission protocol is required for each WinCollect log source. Port 514 traffic is always initiated from the WinCollect agent.
WinCollect Agents Remotely Polling Windows Event Sources
WinCollect agents that remotely poll other Windows operating systems require additional ports to be open. These ports only need to be open on the WinCollect agent computer and the computer(s) that are remotely polled, but not on your JSA appliances. The following table describes the ports that are used.
Table 1: Port Usage for WinCollect Remote Polling
Microsoft Endpoint Mapper
NetBIOS name service
NetBIOS datagram service
NetBIOS session service
Microsoft Directory Services for file transfers that use Windows share
49152 – 65535
Note: Exchange servers are configured for a port range of 6005 – 58321 by default.
Default dynamic port range for TCP/IP
The MSEVEN protocol uses port 445. The NETBIOS ports (137 - 139) can be used for host name resolution. When the WinCollect agent polls a remote event log by using MSEVEN6, the initial communication with the remote machine occurs on port 135 (dynamic port mapper), which assigns the connection to a dynamic port. The default port range for dynamic ports is between port 49152 and port 65535, but could be different dependent on the server type. For example, Exchange servers are configured for a port range of 6005 – 58321 by default.
To allow traffic on these dynamic ports, enable and allow the two following inbound rules on the Windows server that is being polled:
Remote Event Log Management (RPC)
Remote Event Log Management (RPC-EPMAP)
To limit the number of events that are sent to JSA, administrators can use exclusion filters for an event based on the EventID or Process.
Enabling Remote Log Management on Windows
You can enable remote log management only when your log source is configured to remotely poll other Windows operating systems. You can enable remote log management on Windows 7, Windows Server 2008, Windows 2008 R2, or Windows 2012 R2 for XPath queries.
- On your desktop, select Start >Control Panel.
- Click the System and Security icon.
- Click Allow a program through Windows Firewall.
- If prompted, click Continue.
- Click Change Settings.
- From the Allowed programs and features pane,
select Remote Event Log Management.
Depending on your network, you might need to correct or select more network types.
- Click OK.