• Spaces
  • Collections
  • Help
    • ×
     
     
    •  
    BMC TrueSight IT Data Analytics 1.1

    Page tree

    You can create a data collector to collect Windows event logs.

    This topic contains the following information:

    Related topics

    Managing data collectors

    Enabling the target host for Windows event collection

    Before you create the data collector for collecting Windows events from the target host (where the events reside), you need to perform a registry update to enable the event collection.These events are collected remotely by the data collector. This change is required for Microsoft Windows 2008 R2 and later.

    The following steps pertain to the Windows 2008 R2 operating system. These steps might change depending on the Windows operating system that you are using. For example, on the Windows 2012 R2 operating system, the steps are the same, except these changes:

    • While changing the owner, you need to ensure that the location displays the machine name instead of the domain name (that shows by default).
    • After selecting the Administrators group, you need to click Edit and under Basic permissions, select the Full Control check box.

    To enable the target host for Windows event collection

    1. Launch regedit (as an Administrator).
    2. Search for the following registry key in HKEY_CLASSES_ROOT\CLSID:
      {76A64158-CB41-11D1-8B02-00600806D9B6}
    3. Right-click the key displayed and select Permissions.
    4. Click Advanced tab displayed at the bottom right of the dialog box.
    5. Click Owner.
    6. Change owner from TrustedInstaller to the Administrators group. To do this, select Administrators and click OK.

    7. Select the Administrators group, and then select the Allow check box to provide Full Control permissions.

    8. Click Apply. Click OK.

    To configure the Windows event log as a data collector

    1. Navigate to Administration > Data Collectors > Add Data Collector .
    2. In the Name box, provide a unique name to identify this data collector.
    3. From the Type list, select Monitor Windows Events.

    4. Provide the following information, as appropriate:

       

      FieldDescription
      Target/Collection Host
      Target Host

      (Optional) Select from a list of hosts that you have already configured under Administration > Hosts.

      The target host is the computer from which you want to retrieve the data. You can choose to select the target host and inherit the host-level tags and group access permissions already added to the host, or manually enter the host name in the Server Name field.

      Collection Host (Agent)

      Type or select the collection host depending on whether you want to use the Collection Station or the Collection Agent to perform data collection.

      The collection host is the computer on which the Collection Station or the Collection Agent is located.

      By default, the Collection Station is already selected. You can either retain the default selection or select the Collection Agent.

      Note: For this type of data collector, the target host and collection host are expected to have different values.
      Collector Inputs
      Server Name

      Enter the host name of the server from which you want to retrieve the data.

      Note: If you selected a target host earlier, this field is automatically populated. The value of this field is necessary for generating the "HOST" field that enables effective data search.

      Credentials

      (Optional) Select Apply security credential to provide user name and password credentials automatically and not having to enter it manually and then select the appropriate credential profile from the Available Credential list, that must have already configured under Administration > Credentials.

      OR

      Select Provide Credential to manually add credentials, and then manually enter the credentials in the following User Name, Password, Domain fields. You can create a credential profile using the manually entered details by clicking Add Credential  next to the Domain field.

      User Name

      Provide the user name for connecting with the server from which you want to retrieve the data.

      Note: This field is disabled if you applied a security profile earlier.

      Password

      Provide the password for connecting with the server from which you want to retrieve the data.

      Domain

      Provide the domain of the Windows user with which you want to connect for retrieving the data files.

      Click Test Connection  next to the Domain field to verify that the credentials to the server are correct and are working.

      Click Add Credential , provide a credential profile name, and click OK to create a new credential profile from the credentials that you provided in the user name, password, and domain fields. Once this credential profile is created, it is displayed under Administration > Credentials.

      Windows LogsSelect the log type for which you want to create this data collector. You can select Application, Security, or System.
      Read from Past (#days)

      Indicates the number of days for which the past data must be collected and indexed. The maximum amount of past data that can be collected into the system is defined by the data retention period (default 7). You can change this value by navigating to Administration > System Settings.

      By default, this value is set to 0. You cannot search data with a custom time that is set to a duration exceeding the value specified in this field.

      BMC recommends you to not use a very high value in this field (for example, 365). This is necessary to avoid a very large amount of data collected into the system in a short time.

      Poll Interval (mins)

      Enter a number to specify the poll interval (in minutes) for the log collection (0 indicates that this is a one-time log collection).

      By default, this value is set to 1.

      Start/Stop Collection(Optional) Select this check box if you want to start the data collection immediately.

      Ignore Data Matching Input

      (Optional) If you do not want to index certain lines in your data file, then you can ignore them by providing one of the following inputs:

      • Provide a line that consistently occurs in the event data that you want to ignore. This line will be used as the criterion to ignore data during indexing.
      • Provide a Java regular expression that will be used as the criterion for ignoring data matching the regular expression.

      Example: While using the following sample data, you can provide the following input to ignore particular lines.

      • To ignore the line containing the string, "WARN", you can specify WARN in this field.
      • To ignore lines containing the words both "WARN" and "INFO", you can specify a regular expression .*(WARN|INFO).* in this field.
      Sample data
      Sep 25, 2014 10:26:47 AM net.sf.ehcache.config.ConfigurationFactory parseConfiguration():134
WARN: No configuration found. Configuring ehcache from ehcache-failsafe.xml  found in the classpath:

Sep 25, 2014 10:26:53 AM com.bmc.ola.metadataserver.MetadataServerHibernateImpl bootstrap():550
INFO: Executing Query to check init property: select * from CONFIGURATIONS where userName = 'admin' and propertyName ='init'

Sep 30, 2014 07:03:06 PM org.hibernate.engine.jdbc.spi.SqlExceptionHelper logExceptions():144
ERROR: An SQLException was provoked by the following failure: java.lang.InterruptedException

Sep 30, 2014 04:39:27 PM com.bmc.ola.engine.query.ElasticSearchClient indexCleanupOperations():206
INFO: IndexOptimizeTask: index: bw-2014-09-23-18-006 optimized of type: data

      Inherit Host Level Tags From Target HostSelect this check box to inherit your tag selections associated with the target host that you selected earlier. This option is not applicable if you did not select a target host.
      Select Tag nameYou can manually add tags by selecting one of the tags in the list, specifying a corresponding value, and clicking Add . The list of added tags is displayed in the Tags pane on the Search tab.
      Click Remove Tag to remove a tag.

      Inherit Host Level Access Groups From Target HostSelect this check box to inherit your group access configurations associated with the target host that you selected earlier. This option is not applicable if you did not select a target host.
      Select All Groups

      Select this option if you want to select all user groups. You can also manually select multiple user groups.

      If you do not select any user groups and data access control is not enabled, then by default all users can access data retrieved by this data collector. You can restrict access permissions by selecting the relevant user groups that must be given access permissions. To enable data access control, navigate to Administration > System Settings.

      If you do not select any user group and data access control is enabled, then only the creator of the data collector has access to data retrieved by this data collector.

      For more information, see Managing user groups.

    5. Click Create to save your changes.

    © Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.