Enabling Windows event collection (Linux collection host)

This topic contains configuration steps required for enabling event collection in the following scenarios:

  • If you are using a Linux computer as your collection host.
  • While creating the data collector, if you plan to specify the credentials of a user that is a member of the Administrators group.

Before you create the data collector for collecting Windows events remotely from the target host, you need to perform a registry update on the target host. You can either manually perform the registry update or run a script (batch file) that automates the process of updating the registry. This action is required for Microsoft Windows 2008 R2 and later.


Running a script to enable event collection

To enable event collection, you can run a script (batch file) on the target host as an administrator.

Before you begin

Ensure that Windows PowerShell 2.0 or later is installed on the target host.

Tip

To find out whether the target host has PowerShell installed, open a command prompt and run the following command:

powershell -Command "&{$PSVersionTable.PSVersion}"

Alternatively, from a PowerShell prompt, run:

Write-Host $PSVersionTable.PSVersion.Major

Ensure that you have administrator privileges to run the script.

To enable the target host for Windows event collection by running a batch file

  1. Navigate to the %BMC_ITDA_HOME%\utilities directory.
  2. Copy the windows-eventlog-init.zip file to the target host from which you want to collect events.
  3. Unzip the windows-eventlog-init.zip file to locate the configure.bat file.
  4. Open the command prompt by navigating to Start > Run > cmd.
  5. Navigate to the windows-eventlog-init file location.
  6. Run the configure.bat file in the following format:
    configure.bat

    After the script execution completes successfully, a message indicates that the ownership privileges have been set.
    For example: Administrators Group ownership privileges set.

Manually performing a registry update to enable event collection

To enable event collection, you can manually perform a registry update on the target host as an administrator.

The following instructions pertain to the Windows 2008 R2 operating system. These steps might differ depending on the Windows operating system that you are using. For example, on the Windows 2012 R2 operating system, the steps are the same, except for these changes:

  • While changing the owner, you need to ensure that the location displays the machine name instead of the domain name (which is displayed by default).
  • After selecting the Administrators group, you need to click Edit and, under Basic permissions, select the Full Control check box.

Before you begin

Ensure that you have administrator privileges to manually perform the registry update.

To manually enable the target host for Windows event collection

  1. Launch regedit (as an Administrator).
  2. Search for the following registry key in HKEY_CLASSES_ROOT\CLSID:
    {76A64158-CB41-11D1-8B02-00600806D9B6}
  3. Right-click the key displayed and select Permissions.
  4. Click Advanced, displayed at the bottom right of the dialog box.
  5. Click Owner.
  6. Change the owner from TrustedInstaller to the Administrators group. To do this, select Administrators and click OK.
  7. Select the Administrators group, and then select the Allow check box to grant Full Control permissions.
  8. Click Apply, and then click OK.
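The following PowerShell script is an added example that performs the same registry change as the manual steps above and then verifies the result; it is not BMC's configure.bat and its contents are not taken from it. It assumes it is run from an elevated PowerShell prompt on the target host and that the local BUILTIN\Administrators group is the intended owner.

```powershell
# Added example (not BMC's configure.bat): take ownership of the CLSID key,
# grant Administrators Full Control, then verify. Run from an elevated prompt.
$clsid   = '{76A64158-CB41-11D1-8B02-00600806D9B6}'
$keyPath = "CLSID\$clsid"                       # relative to HKEY_CLASSES_ROOT
$admins  = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
# The key is owned by TrustedInstaller and its ACL gives Administrators no WRITE_OWNER,
# so SeTakeOwnershipPrivilege (held by admins, disabled by default) must be enabled first.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
  [DllImport("advapi32.dll", SetLastError = true)]
  static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr tok);
  [DllImport("advapi32.dll", SetLastError = true)]
  static extern bool LookupPrivilegeValue(string host, string name, ref long luid);
  [DllImport("advapi32.dll", SetLastError = true)]
  static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll,
      ref TokPriv1Luid newState, int len, IntPtr prev, IntPtr retLen);
  public static bool Enable(string privilege) {
    IntPtr tok = IntPtr.Zero; IntPtr proc = System.Diagnostics.Process.GetCurrentProcess().Handle;
    if (!OpenProcessToken(proc, 0x28, ref tok)) return false;   // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
    TokPriv1Luid tp; tp.Count = 1; tp.Luid = 0; tp.Attr = 0x2;    // SE_PRIVILEGE_ENABLED
    if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) return false;
    return AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
        && Marshal.GetLastWin32Error() == 0;   // 0 means the privilege was really enabled
  }
}
'@
if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) {
    throw 'Cannot enable SeTakeOwnershipPrivilege: run this from an elevated prompt.'
}
# Step 1: take ownership (the Owner step in regedit), opening with TakeOwnership only.
$key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($keyPath, 'ReadWriteSubTree', 'TakeOwnership')
$acl = $key.GetAccessControl('None')
$acl.SetOwner($admins); $key.SetAccessControl($acl); $key.Close()
# Step 2: as the new owner, grant Administrators Full Control (the Allow check box).
$key  = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($keyPath, 'ReadWriteSubTree', 'ChangePermissions')
$acl  = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $admins, 'FullControl', 'ContainerInherit', 'None', 'Allow'
$acl.SetAccessRule($rule); $key.SetAccessControl($acl); $key.Close()
# Verify: the owner should now be BUILTIN\Administrators with FullControl listed.
$final = Get-Acl -Path "Registry::HKEY_CLASSES_ROOT\$keyPath"
"Owner: $($final.Owner)"
$final.Access | Where-Object { $_.IdentityReference -eq $admins } |
    Select-Object IdentityReference, RegistryRights, AccessControlType
```

The verification block at the end can also be run on its own to check a host where the change was made through regedit or the batch file.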