Release Notes › Features › Log Collection

Log Collection

The CA User Activity Reporting Module server can be set up to collect logs using one or more supported techniques. The techniques differ in the type and location of the component that listens for and collects the logs. These components are configured on agents.

The following illustration depicts a single-server system, where agent locations are indicated with a dark (green) circle.

The numbers on the illustration refer to these steps:

1. Configure the default agent on the CA User Activity Reporting Module to fetch events directly from the syslog sources you specify.
2. Configure the agent installed on a Windows collection point to collect events from the Windows servers you specify and transmit them to the CA User Activity Reporting Module.
3. Configure agents installed on hosts where event sources are running to collect the configured type of events and perform suppression.

Note: Traffic from the agent to the destination CA User Activity Reporting Module server is always encrypted.

Consider the following advantages of each log collection technique:

• Direct log collection

  With direct log collection, you configure the syslog listener on the default agent to receive events from the trusted sources you specify. You can also configure other connectors to collect events from any event source that is compatible with the soft appliance operating environment.

  Advantage: You do not need to install an agent to collect logs from event sources that are in close network proximity to the CA User Activity Reporting Module server.

• Agentless collection

  With agentless collection, there is no local agent on the event sources. Rather, an agent is installed on a dedicated collection point. Connectors for each target event source are configured on that agent.

  Advantage: You can collect logs from event sources running on servers where you cannot install agents, such as severs where corporate policy prohibits agents. Delivery is guaranteed, for example, when ODBC log collection is configured properly.

• Agent-based collection

  With agent-based collection, an agent is installed where one or more event sources are running and a connector is configured for each event source.

  Advantage: You can gather logs from a source where the network bandwidth between that source and the CA User Activity Reporting Module is not good enough to support direct log collection. You can use the agent to filter the events and reduce the traffic sent across the network. Event delivery is guaranteed.

Note: See the Administration Guide for details on agent configuration.

More information:

Planning Direct Log Collection

Planning Agentless Log Collection

Planning Agent-Based Log Collection