Unable to Extract winevent_nic Logs using lsdata utility
Recently we integrated a few Windows 2008 servers using the "Windows Eventing Collector service". I am able to see the logs in the Analysis tab and in query, but I am unable to extract the logs using lsdata when specifying the IP address of the device in the command.
Could you please share the screenshot of the events that you can see using the Analysis tab?
Also, could you please share the complete lsdata command you are using to extract the logs along with the output or any error message you get when you run lsdata?
What kind of enVision setup do you have? ES? LS? EA? Where are you running the lsdata command?
On which system are you running the lsdata command? LC? DSRV? ASRV? The lsdata command is supposed to be run on DSRV only.
Also, could you please provide the other information I requested in my previous comment?
By the way, I am "Susam". It ends with "m", not "n".
The command you have specified is:
lsdata -d -0 -time c:\output.text
This is not a valid lsdata command. This won't return results.
A valid lsdata command would look somewhat like this:
lsdata -d 0 -time start end -devices 10.0.0.1
You may also use a device type instead of device address, so something like this would also work:
lsdata -d 0 -time start end -devices winevent_nic
Of course, you'll have to replace 10.0.0.1 with the IP address of the device from which the Windows events are being collected.
Could you please share the complete and exact lsdata command you are using to extract the logs along with the output or any error message you get when you run lsdata?
I'll need the lsdata command as well as any error messages you are getting while trying to get winevent_nic logs.
I am not receiving any error. Please find below the command where I am specifying the device IP address at -devices "device ip"; the result contains only application logs but not any security logs.
E:\nic\4100\.....\bin>lsdata -d 0 -time 201411140200 201411140400 -devices "10.164.2.127" >C:\output.txt
When I run the command below, specifying the device type and the device IP, I am able to see the security logs in the output file.
E:\nic\4100\.....\bin>lsdata -d 0 -time 201411140200 201411140400 -devices "winevent_nic:10.164.2.127" >C:\output.txt
I usually use the following command in D-SRV:
lsdata -events Syslog -time 20140901000000 20140930000000 -devices winevent_nic:192.168.0.1 > data_file.txt
NOTE: The IP address is just an example.
If with this you only get Application logs data, please check in your [Monitored] Windows server the configuration of Local Security Settings ---> Local Policies ----> Audit Policy to check what kind of information you are logging.
And please, please, please, if you want to get help, please provide evidence.
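As an added example that is not part of this thread, the following PowerShell check covers the audit-policy advice above: run it in an elevated session on the monitored Windows server to confirm the Security log is actually being written before suspecting the lsdata device filter. The time window is an assumption copied from the thread's lsdata example; adjust it to the window you are extracting.

```powershell
# Added example (not from the thread): verify that the monitored Windows
# server is producing Security-log events for the window queried with lsdata.
# Requires an elevated PowerShell session on the monitored server.

# 1. Dump the effective audit policy as CSV (auditpol's /r switch) and list
#    subcategories that will never write Security events.
$policy = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
$silent = @($policy | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' })
"{0} of {1} audit subcategories are set to 'No Auditing':" -f $silent.Count, @($policy).Count
$silent | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# 2. Count Security-log events in the same window the lsdata query covered.
#    Assumed window: 2014-11-14 02:00-04:00 local time, as in the thread.
$start  = Get-Date '2014-11-14 02:00'
$end    = Get-Date '2014-11-14 04:00'
$filter = @{ LogName = 'Security'; StartTime = $start; EndTime = $end }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    "No Security events between $start and $end. Enable the relevant categories " +
    "under Local Policies -> Audit Policy, wait for activity, then re-run lsdata."
} else {
    "{0} Security events in the window; lsdata -devices winevent_nic:<device ip> should return them." -f $events.Count
    # Breakdown by event ID shows which audit categories are actually active.
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object Count, Name -First 10 | Format-Table -AutoSize
}
```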