Collecting Windows Events remotely
To collect Windows events you need to create the Monitor Remote Windows Events data collector.
Recommendation
This data collector can collect Windows events both locally and remotely, but BMC recommends using it for remote collection.
Local collection means that the Collection Agent collects events from the computer on which it resides; remote collection means that the Collection Station collects events from a computer other than the one on which it resides. To collect Windows events locally, see Collecting Windows Events locally. For more information about local and remote collection, see Agent types.
Note
You cannot collect Windows events remotely if the collection host and the target host are not operating in the same domain.
The following information describes the process of creating this data collector:
Before you begin
Before you create the data collector for collecting Windows events, certain configurations are required to enable the event collection. For more information, see Configuring for collecting Windows events remotely using a script.
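As an added pre-flight check (not part of the BMC documentation or of the product itself), the following PowerShell, run on the intended collection host, verifies the two preconditions this collector depends on: that the collection host and the target host are in the same domain, and that the account you will enter in the User Name, Password, and Domain fields can read the Application, Security, and System logs on the target. The $TargetHost parameter, the credential prompt, and the default log list are assumptions and placeholders; the script uses only standard cmdlets (New-CimSession, Get-CimInstance, Get-WinEvent).

```powershell
# Added pre-flight check; not BMC's code. Run on the intended collection host.
# Assumptions: $TargetHost is the server you will enter in Server Name, and the
# credential you supply is the one you will enter in the collector (constructed
# placeholders, not values from the documentation).
param(
    [Parameter(Mandatory = $true)][string]$TargetHost,
    [string[]]$LogNames = @('Application', 'Security', 'System')
)

$cred    = Get-Credential -Message "Account that will read event logs on $TargetHost"
$results = @()

# 1. Same-domain check: remote collection is not supported across domains.
$localDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
try {
    $session      = New-CimSession -ComputerName $TargetHost -Credential $cred -ErrorAction Stop
    $remoteDomain = (Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem).Domain
    Remove-CimSession $session
    $results += [pscustomobject]@{
        Check  = 'Same domain'
        Passed = ($localDomain -eq $remoteDomain)
        Detail = "collection host: $localDomain, target host: $remoteDomain"
    }
} catch {
    $results += [pscustomobject]@{ Check = 'Same domain'; Passed = $false; Detail = $_.Exception.Message }
}

# 2. Event log read check: reading one event per log proves read access with the
#    supplied credential (a rough equivalent of the collector's Test Connection).
foreach ($log in $LogNames) {
    try {
        $null = Get-WinEvent -ComputerName $TargetHost -Credential $cred -LogName $log -MaxEvents 1 -ErrorAction Stop
        $results += [pscustomobject]@{ Check = "Read $log log"; Passed = $true; Detail = 'readable' }
    } catch {
        # An empty log is still readable; only treat other errors as failures.
        # Typical causes: the account is not in the target's Event Log Readers group,
        # or the Remote Event Log Management firewall rule is disabled on the target.
        $emptyLog = $_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*'
        $results += [pscustomobject]@{
            Check  = "Read $log log"
            Passed = $emptyLog
            Detail = if ($emptyLog) { 'readable (no events yet)' } else { $_.Exception.Message }
        }
    }
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }   # non-zero exit when any precondition fails
```

Run it as `.\Check-RemoteEventAccess.ps1 -TargetHost <server>` (script name is a placeholder). A failed "Same domain" row means the collector cannot be used for this target; a failed "Read ... log" row means the Test Connection step in the collector will also fail until the account's log-read permission or the target's firewall rule is corrected.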
To collect Windows Events remotely
- Navigate to Administration > Data Collectors > Add Data Collector.
- In the Name box, provide a unique name to identify this data collector.
- From the Type list, select Monitor Remote Windows Events.
- Provide the following information, as appropriate:
Field descriptions

Target/Collection Host

Target Host (Optional)
Select from a list of hosts that you have already configured under Administration > Hosts.
The target host is the computer from which you want to retrieve the data. You can either select the target host and inherit the host-level tags and group access permissions already added to the host, or manually enter the host name in the Server Name field.

Collection Host (Agent)
Type or select the collection host, depending on whether you want to use the Collection Station or the Collection Agent to perform data collection.
The collection host is the computer on which the Collection Station or the Collection Agent is located.
By default, the Collection Station is already selected. You can either retain the default selection or select the Collection Agent.
Note: For this type of data collector, the target host and the collection host are expected to have different values.

Collector Inputs

Server Name
Enter the host name of the server from which you want to retrieve the data.
Note: If you selected a target host earlier, this field is automatically populated. The value of this field is necessary for generating the "HOST" field that enables effective data search.

Credentials (Optional)
Select one of the following options:
- Apply security credential to automatically populate the user name and password fields. Then select the appropriate credential (profile) from the Available Credential list that you already configured under Administration > Credentials.
- Provide Credential to manually add user name and password credentials. Then enter the credentials in the User Name, Password, and Domain fields.
You can also create a credential that uses the manually entered details by clicking Add Credential next to the Domain field.

User Name
Provide the user name for connecting to the server from which you want to retrieve the data.
Note: This field is disabled if you applied a security profile earlier.

Password
Provide the password for connecting to the server from which you want to retrieve the data.

Domain (Optional)
Provide the domain of the Windows user with which you want to connect for retrieving the data files.
Click Test Connection next to the Domain field to verify that the credentials for the server are correct and working.
Click Add Credential, provide a credential profile name, and click OK to create a new credential profile from the credentials that you provided in the User Name, Password, and Domain fields. Once this credential profile is created, it is displayed under Administration > Credentials.

Windows Event Log(s)
The product retrieves all the application logs configured on the collection host.
Enter the name of the log type that you want to collect and analyze; from the list of suggestions displayed, select the correct log type. You can select multiple log types.
If your TrueSight IT Data Analytics installation is in a Linux environment, the following event logs are supported for Remote Windows Events:
- Application
- Security
- System

Read from Past (#days)
Indicates the number of days for which past data must be collected and indexed.
The maximum amount of past data that can be collected into the system is defined by the maximum data retention period set at Administration > System Settings.
By default, this value is set to 0. You cannot search data with a custom time that is set to a duration exceeding the value specified in this field.
BMC recommends that you not use a very high value in this field (for example, 365), to avoid a very large amount of data being collected into the system in a short time.

Poll Interval (mins)
Enter a number to specify the poll interval (in minutes) for the log collection.
By default, this value is set to 1.

Start/Stop Collection (Optional)
Select this check box if you want to start the data collection immediately.
- Click Create to save your changes.