Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

WinCollect Overview

 

WinCollect is a Syslog event forwarder that administrators can use to forward events from Windows logs to JSA. WinCollect can collect events from systems locally or be configured to remotely poll other Windows systems for events.

WinCollect is one of many solutions for Windows event collection. For more information about alternatives to WinCollect, see the Configuring DSMs Guide.

How Does WinCollect Work?

WinCollect uses the Windows Event Log API to gather events, and then WinCollect sends the events to JSA.

WinCollect Managed Deployment

A managed WinCollect deployment has a JSA appliance that shares information with the WinCollect agent installed on the Windows hosts that you want to monitor. The Windows host can either gather information from itself, the local host, and, or remote Windows hosts. Remote hosts don't have the WinCollect software installed. The Windows host with WinCollect software installed polls the remote hosts, and then sends event information to JSA.

Figure 1: WinCollect Managed Deployment Example
WinCollect
Managed Deployment Example
Note

In a managed deployment, the WinCollect agents that are installed on Windows hosts can be managed by any JSA console, Event Collector, or Event Processor.

In a managed deployment, WinCollect is designed to work with up to 500 Windows agents per Console and managed host. For example, if you have a deployment with a Console, an Event Processor, and an Event Collector, each can support up to 500 Windows agents, for a total of 1,500. If you want to monitor more than 500 Windows agents per Console or managed host, use the stand-alone WinCollect deployment.

For more information, see Stand-alone Deployments and WinCollect Configuration Console

The managed WinCollect deployment has the following capabilities:

  • Central management from the JSA Console or managed host.

  • Automatic local log source creation at the time of installation.

  • Event storage to ensure that no events are dropped.

  • Collects forwarded events from Microsoft Subscriptions.

  • Filters events by using XPath queries or exclusion filters.

  • Supports virtual machine installations.

  • Console can send software updates to remote WinCollect agents without you reinstalling agents in your network.

  • Forwards events on a set schedule (Store and Forward)

WinCollect Stand-alone Deployment

If you need to collect Windows events from more than 500 hosts, use the stand-alone WinCollect deployment. A stand-alone deployment is a Windows host in unmanaged mode with WinCollect software installed. The Windows host can either gather information from itself, the local host, and, or remote Windows hosts. Remote hosts don't have the WinCollect software installed. The Windows host with WinCollect software installed polls the remote hosts, and then sends event information to JSA. To save time when you configure more than 500 Windows hosts, you can use a solution such as Juniper Networks Endpoint Manager. Automation can help you manage stand-alone instances.

Figure 2: WinCollect Stand-alone Deployment Example
WinCollect Stand-alone Deployment
Example

You can also deploy stand-alone WinCollect to consolidate event data on one Windows host, where WinCollect collects events to send to JSA.

Stand-alone WinCollect mode has the following capabilities:

  • You can configure each WinCollect agent by using the WinCollect Configuration Console.

  • You can update WinCollect software with the software update installer.

  • Event storage to ensure that no events are dropped.

  • Collects forwarded events from Microsoft Subscriptions.

  • Filters events by using XPath queries or exclusion filters.

  • Supports virtual machine installations.

  • Sends events to JSA using TLS Syslog.

  • Automatically create a local log source at the time of agent installation.

Capabilities of managed and stand-alone WinCollect deployments

Review the following table to understand which capabilities are available when using managed or standalone WinCollect agents.

Table 1: Capabilities of managed WinCollect vs. stand-alone WinCollect

Capability

Managed WinCollect

Stand-alone WinCollect

Central management from the JSA Console or managed host.

Yes

No

Automatic local log source creation at the time of installation.

Yes

Yes

Event storage to ensure that no events are dropped.

Yes

Yes

Collects forwarded events from Microsoft Subscriptions.

Yes

Yes

Filters events by using XPath queries or exclusion filters.

Yes

Yes

Supports virtual machine installations

Yes

Yes

JSA Console can send software updates to WinCollect agents.

Yes

No

Forwards events on a set schedule (Store and Forward).

Yes

No

You can configure each WinCollect agent by using the WinCollect Configuration Console.

No

Yes

You can update WinCollect software with the software update installer

No

Yes

Available with on-prem JSA

Yes

Yes

Setting Up a Managed WinCollect Deployment

For a managed deployment, follow these steps:

  1. Understand the prerequisites for managed WinCollect, which ports to use, what hardware is required, how to upgrade. For more information, see Installation Prerequisites for WinCollect.

  2. Install the WinCollect application on the JSA console that is used to monitor your Windows hosts. For more information, see Installing and Upgrading the WinCollect Application on JSA Appliances.

  3. Create an authentication token so that the managed WinCollect agents can exchange data with JSA appliances. For more information, see Creating an Authentication Token for WinCollect Agents.

  4. Configure a forwarding destination host for the log source data.

  5. Install managed WinCollect agents on the Windows hosts. For more information, see one of the following options:

  6. If you want to configure forwarded event or event subscriptions, see Windows Event Subscriptions for WinCollect Agents..

  7. If you want to use the legacy Log Source UI to bulk add log sources that will be remotely polled by a single WinCollect agent, see Bulk Log Sources for Remote Event Collection.

  8. Tune your WinCollect log sources. For more information, see the Event Rate Tuning Profile parameter in Windows Log Source Parameters.

  9. If you want a managed WinCollect agent to send events to multiple JSA destinations in case one fails, see Adding Multiple Destinations to WinCollect Agents.

Setting Up a Stand-alone WinCollect Deployment

For a stand-alone deployment, follow these steps:

  1. Understand the prerequisites for stand-alone WinCollect, which ports to use, what hardware is required, how to upgrade. For more information, see Installation Prerequisites for WinCollect.

  2. Install stand-alone WinCollect agents on the Windows hosts. For more information, see Installing the WinCollect Agent on a Windows Host.

  3. If you want to add new log sources to your agent or modify existing log sources, install the WinCollect stand-alone configuration console. For more information, see Installing the Configuration Console or Silently Installing, Upgrading, and Uninstalling WinCollect Software.

  4. Configure the destination where the Windows hosts send Windows events. For more information, see Creating an Authentication Token for WinCollect Agents.

  5. If you want to use the stand-alone WinCollect agent to collect events from other devices using remote polling, create a credential in the WinCollect stand-alone configuration console, so that WinCollect can log in to the remote devices. See Creating a WinCollect Credential.

  6. If you want to add additional log sources to the stand-alone WinCollect agent, do so using the WinCollect stand-alone configuration console. For more information, see Adding a Device to the WinCollect Configuration Console.