Implementation GuideConfiguring Event Collection › Example: Enable Direct Collection Using the WinRMLinuxLogSensor

Previous Topic: Example: Enable Direct Collection Using the ODBCLogSensor

Next Topic: View and Control Agent or Connector Status

Example: Enable Direct Collection Using the WinRMLinuxLogSensor

You can enable direct collection of events generated by Windows applications or the Windows Server 2008 operating system with the WinRMLinuxLogSensor. To do this, you create a connector on the default agent that is based on an integration that uses the WinRMLinuxLogSensor. Many integrations use this sensor, for example, Active_Directory_Certificate_Services, Forefront_Security_for_Exchange_Server, Hyper-V, MS_OCS, and WinRM. The Microsoft Windows application and operating system that generate events that can be retrieved by the WinRMLinuxLogSensor are those for which Windows Remote Management is enabled.

Following is a partial list of products that generate events that can be collected directly by the default agent on a CA Enterprise Log Manager server. For each product, a unique connector is used; each connector uses the WinRMLinuxLogSensor.

For a complete list, see the Product Integration Matrix on Support Online.

This example shows how to enable direct collection of events using a connector based on the WinRM integration. When such a connector is deployed, it collects events from a Windows Server 2008 operating system event source. Collection begins after you configure the event sources to log events in the Windows Event Viewer and enable Windows Remote Management on the server as specified in the Connector Guide associated with this integration.

To learn how to configure the Windows Server 2008 event source

  1. Select the Administration tab and the Library subtab.
  2. Expand Event Refinement Library, expand Integrations, expand Subscription, and select WinRM.

    The View Integrations Details displays the sensor name, WinRMLinuxLogSensor. Supported platforms include both Windows and Linux.

  3. Click the Help link on the WinRM View Integration Details.

    The Connector Guide for Microsoft Windows Server 2008--WinRM appears.

To configure the event source and verify logging

  1. Log on to the target host with a Windows Server 2008 operating system.
  2. Follow the directions in the CA Connector Guide for Microsoft Windows Server 2008 to ensure events are displayed in the Windows Event Viewer and to ensure Windows Remote Management is enabled on the target server.

    Note: Part of this process is creating the user name and password that you must enter when you configure the connector. These credentials enable authentication required to establish connectivity between the event source and CA Enterprise Log Manager.

  3. Verify logging.
    1. Open eventvwr from the Run dialog.

      The Event Viewer appears.

    2. Expand Windows Logs and click Security.

      A display similar to the following indicates that logging is occurring.

    Event Viewer shows events.

To enable direct collection of events from Windows event sources

  1. Select the Administration tab and the Log Collection subtab.
  2. On the Log Collection Explorer, expand Agent Explorer, and expand the agent group containing the CA Enterprise Log Manager default agent.
  3. Select a default agent, that is, an agent with the name of a CA Enterprise Log Manager server.

    The default agent may have other connectors deployed to it.

  4. Click Create New Connector

    select the agent and click create new connector.

    The New Connector Creation wizard opens with the Connector Details step selected.

  5. Select an integration that uses the WinRM log sensor from the Integration drop-down list.

    For example, choose WinRM.

    Selecting WinRM integration creates WinRM_Connector.

    This selection populates the Connector Name field with WinRM_Connector

  6. (Optional) Click Apply Suppression Rules and select rules associated with the supported events.
  7. Click the Connector Configuration step and click the Help link.

    Instructions include CA Enterprise Log Manager Sensor Configuration--WinRM.

    Click the link, CA Enterprise Log Manager Sensor Configuration--WinRM.

  8. Follow the instructions in this Connector Guide to configure the sensor. Enter the IP address, rather than the hostname, of the host on which you configured Windows Remote Management. The Username and Password entries reflect credentials you added during configuration of Windows Remote Management.

    An example follows:

    Follow the instructions in the connector guide for sensor configuration.

  9. Click Save and Close.
  10. The new connector name displays under the agent in the Agent Explorer.

    WinRM_Connector appears under the default agent in Agent Explorer.

  11. Click WinRM_Connector to view the status details.

    Initially, the status shows Configuration pending. Wait until that status shows Running.

    WinRM_Connector shows status Running.

  12. Click Running to get summary data such as the EPS (events per second).

    The status shows average EPS among other metrics.

To verify that the default agent is collecting events from the target event source

  1. Select the Queries and Reports tab. The Queries subtab is displayed.
  2. Expand Prompts in the Query List and select Connector.
  3. Enter the connector name and click Go.
  4. View the collected events.

More information:

Event Sources for Direct Log Collection