Communication Between WinCollect Agents and JSA
Open ports are required for data communication between WinCollect agents and the JSA host, and between WinCollect agents and the hosts that they remotely poll.
WinCollect Agent Communication to JSA Console and Event Collectors
All WinCollect agents communicate with the JSA Console and Event Collectors to forward events to JSA and request updated information. Managed WinCollect agents also request and receive updated code and configuration changes. You must ensure firewalls that are between the JSA Event Collectors and your WinCollect agents allow traffic on the following ports:
Port 8413--This port is used for managing the WinCollect agents to request and receive code and configuration updates. Traffic is always initiated from the WinCollect agent, and is sent over TCP. Communication is encrypted by using the JSA Console public key and the
ConfigurationServer.PEM
file on the agent.Create a bidirectional rule to allow communication from the WinCollect agent to JSA on port 8413. If the rule is not bidirectional, traffic is blocked. JSA does not send updates to the WinCollect agent on port 8413.
Port 514--This port is used by the WinCollect agent to forward syslog events to JSA. You can configure WinCollect log sources to provide events by using TCP or UDP. You can decide which transmission protocol to use for each WinCollect log source. Port 514 traffic is always initiated from the WinCollect agent.
WinCollect Agents Remotely Polling Windows Event Sources
WinCollect agents that remotely poll other Windows operating systems require extra ports to be open. These ports need to be open on the WinCollect agent computer and the computer(s) that are remotely polled, but not on your JSA appliances. The following table describes the ports that are used.
Port |
Protocol |
Usage |
---|---|---|
135 |
TCP |
Microsoft Endpoint Mapper |
137 |
UDP |
NetBIOS name service |
138 |
UDP |
NetBIOS datagram service |
139 |
TCP |
NetBIOS session service |
445 |
TCP |
Microsoft Directory Services for file transfers that use Windows share |
49152 – 65535 Note:
Exchange servers are configured for a port range of 6005 – 58321 by default. |
TCP |
Default dynamic port range for TCP/IP |
The MSEVEN protocol uses port 445. The NETBIOS ports (137 - 139) can be used for host name resolution. When the WinCollect agent polls a remote event log by using MSEVEN6, the initial communication with the remote machine occurs on port 135 (dynamic port mapper), which assigns the connection to a dynamic port. The default port range for dynamic ports is between port 49152 and port 65535, but might be different dependent on the server type. For example, Exchange servers are configured for a port range of 6005 – 58321 by default.
To allow traffic on these dynamic ports, enable and allow the two following inbound rules on the Windows server that is being polled:
Remote Event Log Management (RPC)
Remote Event Log Management (RPC-EPMAP)
To limit the number of events that are sent to JSA, administrators can use exclusion filters for an event based on the EventID or Process.
Enabling Remote Log Management on Windows
You can enable remote log management only when your log source is configured to remotely poll other Windows operating systems. You can enable remote log management on Windows 2012 R2 for XPath queries.
WinCollect does not support reverting Citrix Virtual Machines that are polled remotely.
-
On your desktop, select Start >Control Panel.
-
Click the System and Security icon.
-
Click Allow a program through Windows Firewall.
-
If prompted, click Continue.
-
Click Change Settings.
-
From the Allowed programs and features pane, select Remote Event Log Management.
Depending on your network, you might need to correct or select more network types.
-
Click OK.