Hello there -
I wanted to understand how polling of logs takes place. How does it happen? Are all the logs sent to enVision continuously or at periodic intervals? Are the logs normalized?
Hi cbeierle -
Thanks for your reply.
We have LS series implemented with one LC, RC A-srv and D-srv. Currently there are 180+ devices reporting to enVision which includes Windows servers (agentless), UNIX servers (agentless + syslog) and Cisco ACS servers using sftp.
Please let me know if you need more info.
The Agentless windows service has a sliding or adaptive poll. You can see the default by going to Overview->System Configuration->Services->Device Services->Windows Service->Manage Windows Logs. You can also modify it per client and log by going to Overview->System Configuration->Services->Device Services->Windows Service->Manage Windows Service and clicking on the IP of the node in question.
Syslog is near real-time (events have to go through the 'digestion' process).
File uploads are checked every minute, if I remember correctly.
Note: In terms of EPS, the combined non-syslog EPS is throttled to no more than 75% of your license. This setting is not configurable. You have license + 30% before you get into trouble with possibly losing events. There is a small additional buffer beyond that, but don't count on it to save you. Be aware too that when adding a new device, enVision may go into a discovery mode lasting minutes. When it does this, event processing is put on hold until the new device's type can be declared or marked unknown (or the timeout is reached); this may cause EPS to rocket when the parsing picks up again to process the backlog. A patch was available but was recently pulled... I am eagerly waiting for its return.
Does this help?
cbeierle - Thanks again for your reply.
I have one more question which isn't related to EPS, but I hope you can help.
We have the Ping Identity application (SSO) hosted on a JBoss server which generates logs in text files. For the interim, we wish to store the logs in enVision. Parsing is something we'll do later, perhaps when the ESI is released.
Do you know how to do this? I know we need to follow a procedure similar to that of the Cisco ACS integration, as the logs are in text files. The first step is to install the sftp agent, configure the agent file, winssh & the file reader service. The reality is we don't have the agent file. Considering we wish to just store the logs for the interim, do you know how to accomplish this?
Thanks for your help in advance,
Tera