This topic describes the user interface for Configuring Windows Legacy Collection.
The Windows Legacy/Windows or Windows Legacy/NetApp options on the Log Collector service Config View > Event Sources tab displays the parameters that you specify to configure Windows Legacy event sources.
To access the Windows Legacy and NetApp Collection Configuration Parameters:
- In the Security Analytics menu, select Administration > Services.
- In the Services grid, select a Log Collector service.
- In the Actions column, select > View > Config, then click the Event Sources tab.
- In the Event Sources tab, select one of the following options from the drop-down menu
- Windows Legacy/Windows
- Windows Legacy/NetApp
The Event Sources tab for Windows Legacy/Windows and Windows Legacy/NetApp has two panels: Event Categories and Sources.
Event Categories Panel
The Event Categories panel lists existing Windows Legacy event source aliases. Use this section to add or delete Windows Legacy event source aliases.
The windows domain, referred to as alias, is the configuration parameter that the Log Collector uses to group event sources. Most often, the alias defines a single domain because credentials (that is username, and password), and event log name are domain‐wide. Occasionally, you need to define multiple alias entries for the same domain if you need to customize the settings for different groups of event sources.
The Sources panel displays a list of existing Windows Legacy event sources. Use this section to add or delete Windows Legacy event sources (that is the windows event source address and associated communication parameters).
The following table provides descriptions of the toolbar options.
Add Source Dialog
In this dialog, you define parameters for a new Windows Legacy event source.
|Name*||The name of the event source. Valid value is a name in the [_a-zA-Z] [_a-zA-Z0-9]* range. You can use a dash "-" as part of the name.|
|Event Source Address*||IP address of the event source. Valid value is an IPv4 address, IPv6 address, or a hostname including a fully qualified domain name. Security Analytics defaults to 127.0.0.1.|
Log Collector converts the hostname to lower-case letters to prevent duplicate entries.
|Event Log Name|| |
The name of the event log from which to collect event data (for example, System, Application, or Security).
|Enabled||Select this checkbox to collect from this event source. If you do not check this checkbox, the Log Collector does not collect events from this event source.|
|Event Directory Path|| |
NetApp .evt files directory path. This must be the UNC path.
In each polling cycle, Log Collector browses the configured NetApp shared path for the .evt files that you identified with the Event Directory Path and Event File Prefix parameters. Log Collector:
|Event File Prefix||Prefix of the .evt files (for example, adtlog.) saved in the Event Directory Path.|
|Event Buffer Size|| |
Maximum size of the data the Log Collector pulls from the event source for each request.
Valid value is a number in 0 to 511 Kilobytes range. You specify this value in Kilobytes.
|Event Too Large Result||Tells Log Collector what to do if an event is too large for the event buffer.|
|Maximum Event Data|| |
Maximum size of event data to include in the output. Valid value is a number in 0 to 511Kilobytes range. You specify this value in Kilobytes or Megabytes.
|Max Events Per Cycle||The maximum number of events per polling cycle (how many events collected per polling cycle).|
|Polling Interval|| |
Interval (amount of time in seconds) between each poll. The default value is 180.
For example, if you specify 180, the collector schedules a polling of the event source every 180 seconds. If the previous polling cycle is still underway, it will wait for it to finish that cycle. If you have a large number of event sources that you are polling, it may take longer than 180 seconds for the polling to start because the threads are busy.
Caution: Only enable debugging (set this parameter to On or Verbose) if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector.
Enables or disables debug logging for the event source. Valid values are:
This parameter is designed to debug and monitor isolated event source collection issues. If you change this value, the change takes effect immediately (no restart required). Limit the number of event sources for which you use Verbose debugging to minimize performance impact.
|Cancel||Closes the dialog without adding the Windows Legacy event source.|
|OK||Adds the current parameter values as a new event source|