Bulk Log Sources for Remote Event Collection
Bulk log sources are designed for systems that have multiple log sources with the same protocol configuration.
- Create a destination for Windows events on each JSA appliance that you want to use for Windows event collection. See Adding a Destination.
  Note: It is helpful to give the destination a name that includes the IP address, such as "Agent1_1.2.3.4". If you have to edit the log source and change its destination later, you can then determine the IP address of the destination. Also, set the throttle value to 5000 EPS, which is the maximum EPS rate for a WinCollect agent.
- Create bulk log sources. See Adding Log Sources in Bulk for Remote Collection.
- Wait for the configurations to be pushed to the remote agents.
- Verify in the Log Activity tab that events are being received.
Adding Log Sources in Bulk for Remote Collection
You can add multiple log sources at one time in bulk to JSA. The log sources must share a common configuration protocol and be associated with the same WinCollect agent.
You can upload a text file that contains a list of IP addresses or host names, run a query against a domain controller to get a list of hosts, or manually enter a list of IP addresses or host names by typing them in one at a time.
Depending on the number of WinCollect log sources that you add at one time, it can take time for the WinCollect agent to access and collect all Windows events from the log source list.
Ensure that you created destinations so that WinCollect agents can send Windows events to JSA appliances. Ensure that you created one destination for each JSA Event Collector 16xx or 18xx appliance.
Plan your bulk collection strategy with the WinCollect Event Log Report tool.
You can have a maximum of 500 log sources for each managed WinCollect agent. You must also remain under 5,000 EPS for local collection and 2,500 EPS for remote polling on the WinCollect agent. To find out how many EPS a Windows system generates, review its Event Viewer to determine how many events are generated in each hour and divide that value by 3600 seconds to get the EPS rate. This calculation helps you to plan how many agents you need to install. Alternatively, look at events over a 24-hour period to see how busy each Windows server is. This helps you decide how to tune agents and avoids tuning to the minimum or maximum EPS rates that appear only in an hour-by-hour review.
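To turn the hourly counts described above into an agent plan, here is an added example that is not part of the JSA documentation or of WinCollect: it converts per-host hourly event counts to EPS (count / 3600) and assigns hosts to agents so that no agent exceeds 500 log sources or 2,500 EPS of remote polling at the hosts' busiest hours. The host names and counts are constructed sample data, and the first-fit-decreasing assignment is a planning heuristic of my own, not a WinCollect feature.

```python
from dataclasses import dataclass, field

MAX_SOURCES_PER_AGENT = 500      # log sources per managed WinCollect agent
MAX_REMOTE_EPS_PER_AGENT = 2500  # remote polling cap per WinCollect agent
SECONDS_PER_HOUR = 3600


def host_eps(hourly_counts):
    """Return (peak_eps, average_eps) from a list of per-hour event counts."""
    if not hourly_counts:
        raise ValueError("need at least one hourly count")
    per_hour = [n / SECONDS_PER_HOUR for n in hourly_counts]
    return max(per_hour), sum(per_hour) / len(per_hour)


@dataclass
class AgentPlan:
    hosts: list = field(default_factory=list)
    peak_eps: float = 0.0


def plan_agents(hourly_counts_by_host):
    """First-fit-decreasing assignment of hosts to agents so that each agent
    polls at most MAX_SOURCES_PER_AGENT hosts and the sum of their busiest
    hours stays within MAX_REMOTE_EPS_PER_AGENT (heuristic, assumption)."""
    peaks = {h: host_eps(c)[0] for h, c in hourly_counts_by_host.items()}
    too_busy = [h for h, p in peaks.items() if p > MAX_REMOTE_EPS_PER_AGENT]
    if too_busy:
        raise ValueError(f"hosts exceed the remote polling cap alone: {too_busy}")
    agents = []
    for host in sorted(peaks, key=peaks.get, reverse=True):  # busiest first
        for agent in agents:
            if (len(agent.hosts) < MAX_SOURCES_PER_AGENT
                    and agent.peak_eps + peaks[host] <= MAX_REMOTE_EPS_PER_AGENT):
                agent.hosts.append(host)
                agent.peak_eps += peaks[host]
                break
        else:  # no existing agent has room: plan another agent
            agents.append(AgentPlan([host], peaks[host]))
    return agents


# Constructed sample input (not real data): events per hour over 24 hours
SAMPLE = {
    "dc01": [3_600_000] * 8 + [7_200_000] * 8 + [3_600_000] * 8,  # 1000-2000 EPS
    "fs01": [1_800_000] * 24,                                     # 500 EPS flat
    "web01": [900_000] * 12 + [5_400_000] * 12,                    # 250-1500 EPS
    "app01": [360_000] * 24,                                      # 100 EPS flat
}
```

Running `plan_agents(SAMPLE)` yields two agents: one polling dc01 and fs01 at a combined peak of 2500 EPS, the other polling web01 and app01 at 1600 EPS.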
- On the Admin tab navigation menu, click Data Sources, and then click the WinCollect icon.
- Select the WinCollect agent that you want to assign log sources to, and click Log Sources.
- Click Bulk Actions > Bulk Add.
- Provide a name for the bulk log source. To make it easy to locate, use the name of the WinCollect agent that does the remote collection.
- From the Log Source Type list box, select Microsoft Windows Security Event Log.
- From the Protocol Configuration list box, select WinCollect.
- Use the tuning value specified by the WinCollect Event Log Report tool to tune your log sources appropriately.
- Select all of the Standard Log Types check boxes. The WinCollect agent reads these remote logs and forwards them to JSA.
  Note: Do not select the Forwarded Events check box. Forwarded Events is a special use case, and selecting it does not add multiple log sources correctly.
- Select all of the Event Types check boxes.
- Select the Enable Active Directory Lookups check box. This option identifies user names that appear in hexadecimal form in Windows events and resolves them to human-readable user names.
- From the WinCollect Agent list, select the Windows host that manages the log source.
- From the Target Internal Destination list, select the JSA appliance that receives and processes the Windows events.
- Add the IP addresses of the Windows systems that you want to poll remotely for events. You can upload a text file that contains a list of IP addresses or host names, run a query against a domain controller to get a list of hosts, or type the IP addresses or host names in one at a time.
- Click Save, and then click Continue.
- Wait for the configurations to be pushed to the remote agents. Verify in the Log Activity tab that events are received.