WinCollect Log File
The WinCollect log file provides information about your deployment. Logs provide valuable information for troubleshooting issues.
WinCollect Log Overview
WinCollect generates Log Event Extended Format (LEEF) messages during installation and configuration and writes them to a single log file. The server in the Status Server field receives the LEEF messages through syslog. These messages report on the status of the WinCollect service, authorization token, configuration, and more.
Example:
The following example displays a LEEF message that alerts administrators that the WinCollect agent is generating more events than the log source is tuned for.
<13>Sep 22 09:07:56 IPADDRESS LEEF:1.0|IBM|WinCollect|7.2|3|src=MyHost.example.com dst=10.10.10.10 sev=4 log=Device.WindowsLog.EventLog.MyHost.example.com.System.Read msg=Reopening event log due to falling too far behind (approx 165 logs skipped). Incoming EPS r.avg/max = 150.50/200.00. Approx EPS possible with current tuning = 40.00
You can search for these syslog messages by using the IP address of the WinCollect agent. JSA tracks information from the audit log to determine when log sources are created, when searches are run, and so on.
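A skipped-log message like the one above marks a gap in event collection, so it is worth extracting automatically from the status syslog feed. The following Python sketch is an added example, not code from WinCollect or JSA: it parses the LEEF header and attributes and pulls the tuning figures out of the msg field. It assumes attributes are separated by spaces or tabs and that msg is the last attribute; the function names are hypothetical.

```python
import re

# Constructed input: the status message quoted above (IPADDRESS placeholder kept).
SAMPLE = ("<13>Sep 22 09:07:56 IPADDRESS LEEF:1.0|IBM|WinCollect|7.2|3|"
          "src=MyHost.example.com dst=10.10.10.10 sev=4 "
          "log=Device.WindowsLog.EventLog.MyHost.example.com.System.Read "
          "msg=Reopening event log due to falling too far behind "
          "(approx 165 logs skipped). Incoming EPS r.avg/max = 150.50/200.00. "
          "Approx EPS possible with current tuning = 40.00")

NUM = r"(\d+(?:\.\d+)?)"
KEY = re.compile(r"(?:^|[ \t])([A-Za-z]\w*)=")  # attribute name at a delimiter
TUNING = re.compile(r"approx (\d+) logs skipped.*?r\.avg/max = " + NUM + "/" + NUM
                    + r".*?current tuning = " + NUM, re.S)


def parse_leef(line):
    """Split a syslog-wrapped LEEF 1.0 line into header fields and attributes."""
    start = line.find("LEEF:")
    if start < 0:
        return None
    parts = line[start:].split("|", 5)
    if len(parts) != 6:
        return None  # truncated or malformed header
    event = dict(zip(("leef", "vendor", "product", "version", "event_id"), parts))
    event["leef"] = event["leef"][len("LEEF:"):]
    body, attrs = parts[5], {}
    keys = list(KEY.finditer(body))
    for i, m in enumerate(keys):
        if m.group(1) == "msg":  # free text: runs to end of line, may contain '='
            attrs["msg"] = body[m.end():].strip()
            break
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        attrs[m.group(1)] = body[m.end():end].strip()
    event["attrs"] = attrs
    return event


def tuning_alert(event):
    """Return the tuning figures if this is a 'falling too far behind' message."""
    m = TUNING.search(event["attrs"].get("msg", ""))
    if not m:
        return None
    skipped, avg, peak, possible = m.groups()
    return {"host": event["attrs"].get("src"), "log": event["attrs"].get("log"),
            "skipped": int(skipped), "eps_avg": float(avg), "eps_max": float(peak),
            "eps_possible": float(possible),
            "shortfall": float(avg) - float(possible)}  # EPS over tuned capacity
```

A positive shortfall means the log source is receiving more events per second than its current tuning can read, so events from that host and log are being dropped until the tuning is raised.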
WinCollect Log Types
The default log directory is C:\Program Files\IBM\WinCollect\logs\. The log file is named WinCollect.log.
Each log entry is tagged with an identifier that indicates the entry type:
- System
- Code
- Device
The following table describes the types of log entries in the WinCollect log file.
Subfolder | Description |
---|---|
System | Indicates system information, such as the operating system that the agent is installed on, RAM and CPU information from the operating system, service start-up information, and WinCollect version information. |
Code | Indicates information about spillover and cache messages, file reader messages, authorization token messages, IP address or host name information for the local host, issues with destinations, log source auto-creation, stand-alone mode messages, and thread or process start-up and shutdown messages. Use these entries to investigate the WinCollect configuration. This log does not provide information about event collection. |
Device | Created when WinCollect collects events, and by the protocols that run event log collection. The following issues are logged as device entries: loading plug-in; connection issues; permission or authentication; Windows error codes (hex value codes provided by the operating system, such as 0x000005 access denied); file path or location; event log is overdue to be polled; event log transactions; RPC is unavailable (unable to find the location that you specified); reopening due to falling too far behind (tuning messages). |
Disk Space Management for Log Files
WinCollect manages disk space for logs by generating a ".1" version when the log size exceeds 20 MB. After a ".5" version is created, WinCollect deletes the oldest version of the log.
WinCollect also manages disk space by archiving checkpoint folders. When JSA updates WinCollect with new code, the checkpoint folders store a backup of the replaced code. WinCollect archives the oldest patch checkpoint folder after 10 are created. WinCollect creates an archive folder that contains a list of files in the patch checkpoint folder, and a compressed file of the AgentConfig.xml file. WinCollect then deletes the patch checkpoint folder that it archived.
InfoX Debug Logs
InfoX debug logs make debugging WinCollect easier, without interfering with performance.
By default, InfoX is enabled and logs events for the first five minutes that the agent runs, for a maximum of 5,000 log entries. After that, InfoX logs events for one minute every 15 minutes, for a maximum of 200 log entries. InfoX generates debug logs even if your log level is set to info.
You can edit the InfoX configuration by adding any of these parameters to the install_config.txt file.
Parameter | Description |
---|---|
InfoX.enabled | Used to enable or disable InfoX. Example: InfoX.enabled=true |
InfoX.startLen | The number of seconds that InfoX logs events when the agent starts. To disable this feature, set this value to 0. Example: InfoX.startLen=300 |
InfoX.startMax | The maximum number of events that can be logged at startup. Example: InfoX.startMax=5000 |
InfoX.nextWait | The number of seconds to wait for the next logging period. Example: InfoX.nextWait=900 |
InfoX.nextLen | The number of seconds that InfoX logs events at each interval. To disable this feature, set this value to 0. Example: InfoX.nextLen=60 |
InfoX.nextMax | The maximum number of events that can be logged at each interval. Example: InfoX.nextMax=200 |