Use Collectors
About Collectors
You can create collectors to gather information about Windows log entries. You can create as many collectors as you like and then organize the gathered information by the collectors you create. You can also choose to use the Auditor service for collection instead of deploying collectors to local machines. This provides an agent-less solution for gathering event logs.
The type of data that you are collecting will determine the most suitable scheduling requirements. We suggest scheduling collections during non-peak hours for your network.
Packages I Need to Use This Feature

| Module | Description | License Required? |
|---|---|---|
| Server/Console | The Server/Console module provides fundamental setup features such as deploying agents; configuring e-mail accounts; and creating schedules to associate with collectors, policies, and auditing. | ✓ |
| Event Vault for Windows | Event Vault for Windows provides centralized collection and management of all event log data. It also provides customizable views, filtering, sorting, exporting, and reporting options for all captured event logs. | ✓ |
Requirements for Agent-based Collection
Overview
Log collection can be done with an agent or without one (agent-less). Using the agent is recommended because it performs significantly better than the alternative.
Agent Deployment Requirements
The credentials of the Management Server service account are used to deploy the agents. The account will need:
- Administrator access to the target host and dbo access on the Auditor database
- Remote registry services and DNS name resolution
Agent Service Account
Local admin access is needed to access the event logs, and read/write access to the SQL Server database is needed to store the log data.
Requirements for Central Collection
To configure central collection, the following requirements must be met.
- The target computers must be running the Remote Registry service.
- The target computers must have the Remote Event Log Management firewall rule enabled.
- The Auditor Management Server must be installed on Windows Server 2008, Windows Vista, or later if the target computers are running those operating systems.
- The target computers’ administration shares must be accessible by the Auditor Server service account.
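
The requirements above can be checked before central collection is configured. The following PowerShell pre-flight check is an added example, not part of the Auditor product; the function name and output property names are hypothetical. It assumes it is run under the Auditor Server service account, that the target has an English-language OS (the firewall group is matched by display name), and that the target exposes the NetSecurity firewall CIM classes.

```powershell
# Added example; the function and property names are hypothetical, not Auditor's.
function Test-CentralCollectionPrereq {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))  # default: local machine
    # DCOM keeps the check off WinRM, which the page does not list as a requirement.
    $dcom = New-CimSessionOption -Protocol Dcom
    foreach ($c in $ComputerName) {
        $r = [ordered]@{ Computer = $c; DnsResolves = $false; RemoteRegistry = 'Unknown'
                         FirewallRules = 'Unknown'; EventLogReadable = $false
                         AdminShare = $false }
        # DNS name resolution (listed under the agent deployment requirements).
        try { [void][System.Net.Dns]::GetHostEntry($c); $r.DnsResolves = $true } catch { }
        $s = $null
        try {
            $s = New-CimSession -ComputerName $c -SessionOption $dcom -ErrorAction Stop
            # The Remote Registry service must be running on the target.
            $svc = Get-CimInstance -CimSession $s -ClassName Win32_Service `
                       -Filter "Name='RemoteRegistry'" -ErrorAction Stop
            if ($svc) { $r.RemoteRegistry = $svc.State }
            # The "Remote Event Log Management" firewall rule group must be enabled.
            # Assumes an English display name and a target with the NetSecurity CIM classes.
            $rules = @(Get-NetFirewallRule -CimSession $s -ErrorAction Stop `
                           -DisplayGroup 'Remote Event Log Management')
            $on = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
            $r.FirewallRules = "$on of $($rules.Count) enabled"
        } catch {
            Write-Warning "${c}: $($_.Exception.Message)"
        } finally {
            if ($s) { Remove-CimSession -CimSession $s }
        }
        # Functional test of the firewall requirement: read one event remotely.
        try {
            [void](Get-WinEvent -ComputerName $c -LogName System -MaxEvents 1 -ErrorAction Stop)
            $r.EventLogReadable = $true
        } catch { }
        # The administration share must be reachable by the calling account.
        $r.AdminShare = Test-Path -LiteralPath "\\$c\ADMIN`$"
        [pscustomobject]$r
    }
}

Test-CentralCollectionPrereq | Format-Table -AutoSize
```

Pass target names with -ComputerName to check remote hosts; a row showing RemoteRegistry other than Running, fewer firewall rules enabled than present, or AdminShare False points to the requirement that still has to be met on that host.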