Can you please let me know the difference between legacy agentless collection and Windows Eventing collection (WMI)?
When should I use Windows Eventing?
Legacy Windows agentless collection uses a Windows API for collection of logs. With Windows 2008, Microsoft changed logging to now include event channels. Developers can now specify various event channels to write logs to. Windows Eventing is necessary to collect logs from these channels. Windows Eventing is more difficult to set up, but does allow for secure log collection utilizing SSL/TLS.
Even though it has been out for a while, it's not really ready for prime time yet, and is entirely command line driven. No UI like you have for agentless collection. I have only set up two servers for Windows Eventing so far, as I needed the PrintService\Operational logs. You need to make sure the permissions are set up correctly on the event source. Of the two servers, one stopped working completely one night for no apparent reason. We had to remove the operational channel from the configuration to get it to work again so we could collect the Security, Application and System event logs. There are at least a couple of known issues for which I am still waiting for a fix from RSA.
Unless you need any logs from any of the new event channels, I would stay with agentless collection.
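As an added example that is not part of this thread and not RSA's tooling: a PowerShell check, run on the event source, of whether the channels an Eventing collector will read are enabled and whether the channel ACL names the Event Log Readers group (the channel list and the "Directory Service" log name are assumptions; adjust to what you actually collect).

```powershell
# Added example: audit the event channels a collector depends on.
# Assumes the collector account is a member of BUILTIN\Event Log Readers
# (well-known SID S-1-5-32-573), which is the usual least-privilege choice.
function Test-CollectorChannel {
    param(
        [string[]]$Channel = @(
            'Security',
            'Application',
            'System',
            'Microsoft-Windows-PrintService/Operational',   # assumed: the channel discussed above
            'Directory Service'                              # assumed: present on domain controllers only
        )
    )
    $readersSid = 'S-1-5-32-573'
    # Matches an allow ACE whose trustee is Event Log Readers; the rights mask is not decoded.
    $allowAce = "\(A;[^;]*;[^;]*;[^;]*;[^;]*;$readersSid\)"

    foreach ($name in $Channel) {
        $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $cfg) {
            Write-Warning "$name : channel not present on this host"
            continue
        }
        [pscustomobject]@{
            Channel        = $name
            Enabled        = $cfg.IsEnabled            # disabled channels (e.g. PrintService/Operational by default) collect nothing
            Mode           = $cfg.LogMode              # Circular logs overwrite; note the size if retention matters
            MaxBytes       = $cfg.MaximumSizeInBytes
            Records        = $cfg.RecordCount
            ReadersAllowed = [bool]($cfg.SecurityDescriptor -match $allowAce)
        }
    }
}

Test-CollectorChannel | Format-Table -AutoSize

# To enable a disabled channel on the source (built-in tool, run as an administrator):
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
```

A channel that shows Enabled=False or ReadersAllowed=False is the first thing to check when collection from it silently stops.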
Thanks for the valuable information, spnorton.
Can you advise me whether the legacy collection can collect user permission changes and GPO logs?
It will collect the logs you have enabled on the event source and configured for collection in the Windows Service on enVision. You will need to enable Directory Services auditing on the event source, and collection of Directory Services logs on enVision for the event source(s) which will be your domain controllers. You might also want to research the event IDs that you need to look for. Hope that helps.