AnsweredAssumed Answered

Interrogation about Winrm collection

Question asked by Dujardin on Feb 12, 2014

Hello everyone,

 

I have a customer wich have a windows log concentrator. It's based on a Windows 2008.

All other windows send their logs to the channel "ForwardedEvents" of this windows.

 

So I configure SA to pull events from this channel.

It's working almost correctly but I'm facing some interrogation/problem.

 

1) I think I'm not retreiving all events :

In /var/log/messages I can see my log collector this message :

"[WindowsCollection] [info] [xxxxxxxxxx] Got 200 events" every 2 seconds.

Is it possible to retreive more than 200 events ?

 

2) I would like to filter some logs based on the original source of logs :

In SA you can filter the event you want to pull by the EventID. Does there is a way to filter by the tag <Computer> ?

 

3) Here what I understand about the winrm collection :

The log collector send a http request some XML in input. Can it be possible to modify this xml ?

 

4) If there is no way to change all of this, events are then store by computer name, date ect ...

So the idear would be to retrieve these files by the nicsftp agent. Can SA integrate .evtx file ?

 

If someone have some feedback regarding these question I'm interested.

Outcomes