Collecting Windows Events remotely

To collect Windows events you need to create the Monitor Remote Windows Events data collector.

Recommendation

This data collector can collect Windows events both locally and remotely, but BMC recommends you to use it for remote collection.

Local collection implies collection of events by using the Collection Agent and from the computer where the Collection Agent resides, while remote collection implies collection of events by using the Collection Station and from the computer other than where the Collection Station resides. To collect Windows events locally, see Collecting Windows Events locally. For more information about local and remote collection, see Agent types.

Note

You cannot collect Windows events remotely if the collection host and the target host are not operating in the same domain.

The following information describes the process of creating this data collector:

Related topics

Setting up data collection

Collecting data by using a Windows Share connection

Before you begin

Before you create the data collector for collecting Windows events, certain configurations are required to enable the event collection. For more information, see Configuring for collecting Windows events remotely using a script

To collect Windows Events remotely

Navigate to Administration > Data Collectors > Add Data Collector .
In the Name box, provide a unique name to identify this data collector.
From the Type list, select Monitor Remote Windows Events.

Provide the following information, as appropriate:

Field	Description
Target/Collection Host
Target Host	(Optional) Select from a list of hosts that you have already configured under Administration > Hosts. The target host is the computer from which you want to retrieve the data. You can choose to select the target host and inherit the host-level tags and group access permissions already added to the host, or manually enter the host name in the Server Name field.
Collection Host (Agent)	Type or select the collection host depending on whether you want to use the Collection Station or the Collection Agent to perform data collection. The collection host is the computer on which the Collection Station or the Collection Agent is located. By default, the Collection Station is already selected. You can either retain the default selection or select the Collection Agent. Note: For this type of data collector, the target host and collection host are expected to have different values.
Collector Inputs
Server Name	Enter the host name of the server from which you want to retrieve the data. Note: If you selected a target host earlier, this field is automatically populated. The value of this field is necessary for generating the "HOST" field that enables effective data search.
Credentials	(Optional) Select one of the following options: Apply security credential to automatically populate the user name and password fields. Then select the appropriate credential (profile) from the Available Credential list that you already configured under Administration > Credentials. Provide Credential to manually add user name and password credentials. Then enter the credentials in the User Name, Password, and Domain fields. You can also create a credential that uses the manually entered details by clicking Add Credential next to the Domain field.
User Name	Provide the user name for connecting with the server from which you want to retrieve the data. Note: This field is disabled if you applied a security profile earlier.
Password	Provide the password for connecting with the server from which you want to retrieve the data.
Domain	(Optional) Provide the domain of the Windows user with which you want to connect for retrieving the data files. Click Test Connection next to the Domain field to verify that the credentials to the server are correct and are working. Click Add Credential, provide a credential profile name, and click OK to create a new credential profile from the credentials that you provided in the user name, password, and domain fields. Once this credential profile is created, it is displayed under Administration > Credentials.
Windows Event Log(s)	The product retrieves all the application logs configured on the collection host. Enter the name of the log type that you want to collect and analyze; from the list of suggestions displayed select the correct log type. You can select multiple log types. If your TrueSight IT Data Analytics installation is in a Linux environment, the following event logs are supported for Remote Windows Events: Application Security System
Read from Past (#days)	Indicates the number of days for which the past data must be collected and indexed. The maximum amount of past data that can be collected into the system is defined by the maximum data retention period set at Administration > System Settings. By default, this value is set to 0. You cannot search data with a custom time that is set to a duration exceeding the value specified in this field. BMC recommends you to not use a very high value in this field (for example, 365). This is necessary to avoid a very large amount of data collected into the system in a short time.
Poll Interval (mins)	Enter a number to specify the poll interval (in minutes) for the log collection. By default, this value is set to 1.
Start/Stop Collection	(Optional) Select this check box if you want to start the data collection immediately.

Advanced Options

Ignore Data Matching Input

(Optional) If you do not want to index certain lines in your data file, then you can ignore them by providing one of the following inputs:

Provide a line that consistently occurs in the event data that you want to ignore. This line will be used as the criterion to ignore data during indexing.
Provide a Java regular expression that will be used as the criterion for ignoring data matching the regular expression.

Example: While using the following sample data, you can provide the following input to ignore particular lines.

To ignore the line containing the string, "WARN", you can specify WARN in this field.
To ignore lines containing the words both "WARN" and "INFO", you can specify a regular expression .*(WARN|INFO).* in this field.

Sample data

Sep 25, 2014 10:26:47 AM net.sf.ehcache.config.
ConfigurationFactory parseConfiguration():134
WARN: No configuration found. Configuring ehcache from 
ehcache-failsafe.xml  found in the classpath:

Sep 25, 2014 10:26:53 AM com.bmc.ola.metadataserver.
MetadataServerHibernateImpl bootstrap():550
INFO: Executing Query to check init property: select * 
from CONFIGURATIONS where userName = 'admin' and 
propertyName ='init'

Sep 30, 2014 07:03:06 PM org.hibernate.engine.jdbc.spi.
SqlExceptionHelper logExceptions():144
ERROR: An SQLException was provoked by the following 
failure: java.lang.InterruptedException

Sep 30, 2014 04:39:27 PM com.bmc.ola.engine.query.
ElasticSearchClient indexCleanupOperations():206
INFO: IndexOptimizeTask: index: bw-2014-09-23-18-006 
optimized of type: data

Data Block

Indicates the index block with which you want to associate the data collector. You can associate a data collector to one of the various index blocks, each having a configurable retention period.

By default, this value is set to Small.

The maximum number of index blocks allowed are 5. Besides the three defined index blocks, Small, Medium and Large, you can create two more custom index blocks.

When you select an index block, the properties of that index block are displayed below it. The properties that are displayed are:

Archive: This indicates whether the data that you index using the selected index block will be archived.
Retention Days: This indicates the retention days associated with the index block.

Following are the retention days associated with the typical index blocks. The retention days displayed can be as configured by your Administrator.

Index Block	Retention
Small	7
Medium	14
Large	30
Metrics	7

Select the index block as per your needs of retention days and the Archive status. If the Archive status is Off and you need to archive your data, contact your administrator to set the Archive status for the index block to On. For more information on how to set the archive status of the index block, see Changing System Settings.

Note

If you select the ITDA Metrics data pattern while creating a data collector, the Index Block field is unavailable since the Metrics Index Block is automatically associated with the data collector.

Tags

Inherit Host Level Tags From Target Host

(Optional) Select this check box to inherit your tag selections associated with the target host that you selected earlier. This option is not applicable if you did not select a target host. Note: After selecting this check box, you can further manually select additional user groups. When you manually select additional user groups, both the inherited permissions as well as the manually assigned permissions are applied. To remove the inherited permissions, clear this check box.

Select Tag name and corresponding value

(Optional) Select a tag name and specify the corresponding value by which you want to categorize the data collected. Later while searching data, you can use these tags to narrow down your search results.

Example: If your are collecting data from hosts located at Houston, you can select a tag name for "Location" and in the value specify "Houston". While searching the data, you can use the tag, Location="Houston" to filter data and see results associated with the Houston location.

To be able to see tag names, you need to first add them by navigating to Administration > System Settings.

To specify tag names and corresponding values, in the left box select a tag name and then type the corresponding tag value in the right box. While you type the value, you might see type-ahead suggestions based on values specified in the past. If you want to use one of the suggestions, click the suggestion. Click Add

to add the tag name and corresponding value to the list of added tags that follow. Click Remove Tag

to remove a tag.

The tags saved while creating the data collector are displayed on the Search tab, under the Filters panel, and in the Tags section.

Note: At a time, you can specify only one value for a tag name. To specify multiple values for the same tag name, each time you need to select the tag name, specify the corresponding value, and click Add.

For more information about tags, see Understanding tags.

Group Access

Inherit Host Level Access Groups From Target Host

(Optional) Select this check box to inherit your group access configurations associated with the target host that you selected earlier. This option is not applicable if you did not select a target host.

Note: After selecting this check box, you can further manually select additional user groups. When you manually select additional user groups, both the inherited permissions as well as the manually assigned permissions are applied. To remove the inherited permissions, clear this check box.

Select All Groups

(Optional) Select this option if you want to select all user groups. You can also manually select multiple user groups.

Notes: You can access data retrieved by this data collector based on the following conditions.

If user groups are not selected and data access control is enabled: Only the creator of the data collector can access data retrieved by this data collector.
If user groups are not selected and if data access control is not enabled: All users can access data retrieved by this data collector. You can restrict access permissions by selecting the relevant user groups that must be given access permissions. To enable data access control, navigate to Administration > System Settings.

For more information, see Managing user groups in IT Data Analytics.

Click Create to save your changes.

Collecting Windows Events remotely

Before you begin

To collect Windows Events remotely

Comments