Experiences with Unified Windows Event Log Connector
We are currently using a third-party tool to send Windows Event Logs via syslog to our central log servers. A syslog SmartConnector picks up the logs there and inserts them into our ESM installation.
We are questioning whether the Unified Windows Event Log Connector might be a solution that makes us independent of the third-party syslog client.
Do you have experience with the Unified Windows Event Log Connector? Especially, we'd be interested in the following topics.
What number of Windows hosts does this agent scale to (while still showing good performance)?
Does the Connector support Kerberos authentication? (The documentation only talks about NTLMv2 which has known weaknesses.)
Does the Connector automatically detect hosts added to or deleted from a domain? If not, how do you handle this in a large dynamic environment?
Thanks and best regards,
I can't answer the scaling questions, since I am only running it on maybe 30 machines, but based on current performance I don't see a problem with it scaling to a few hundred. It all depends on the volume of events. You may only be able to support a dozen busy domain controllers, but 500 member servers with minimal activity. You have to test it out.
I believe the connector itself defaults to NTLMv2 to establish a connection to the event log on the target machine. I do not believe Kerberos is currently supported as an authentication method for the connector, but obviously Kerberos authentication messages in the event log are processed correctly.
And finally, unfortunately there is no way to dynamically/automagically add to the device list from which the logs get pulled. This list is something you define during the connector setup (it can also be modified by editing agent.properties file directly), but unfortunately it's not capable of detecting new hosts in the domain and automatically pulling logs from them. Though it's probably not too difficult to script something like that.
Also keep in mind that there is no way to filter events on device level when you use the "unified" connector. That's not an issue if you're already forwarding all events today, of course. In our environment it would require quite a few connectors for Windows (instead of one with Snare) and probably cause network issues near the connectors if we got all the useless/redundant OS and application debug messages as well.
When the Unified connector works, I love it - I'm trying to reduce our reliance on Windows machines, so being able to use the connector on a Linux server is a wonderful thing.
To answer your questions:
Number of hosts: I have a connector pulling in data from 590 hosts. We have been experiencing a memory leak issue that causes the connector to crash every 30 seconds, however I discovered some info on Friday that may resolve this issue since it looks like a bug. In theory, the connector should be able to handle up to 2,000 hosts (from their presentation last year, IIRC). As with everything though, YMMV. I'll update this once I find out more info today if you'd like.
Regarding hosts - I personally get a list of the hosts in our environment monthly and just import that into the connector. Unfortunately we have a very flat AD structure so separating servers from PCs is difficult. I don't think the connector automatically detects new hosts, but rather you have to import and restart the connector.
Unfortunately I don't know the answer to the Kerberos question.
Hope this helps!
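Both replies above describe the same manual step: the connector's device list does not track the domain, so someone periodically exports the hosts and reimports them. The script below is an added example written for this thread, not code from ArcSight or from either poster. It enumerates domain computers with the ActiveDirectory PowerShell module, keeps only enabled servers (the OperatingSystem attribute separates servers from PCs even in a flat OU layout) that have logged on recently, and diffs the result against the list the connector was last configured with, so you can review what to add or remove before touching the connector. The file paths and the one-hostname-per-line list format are assumptions; the real agent.properties syntax is not shown in the thread, so check the connector documentation before applying the output.

```powershell
# Added example for this thread; not the connector's own tooling.
# Assumptions: one hostname per line in the list files, paths below are placeholders.
param(
    [string]$CurrentListPath = 'C:\arcsight\hosts-current.txt',  # assumed: list the connector was last built from
    [string]$NewListPath     = 'C:\arcsight\hosts-new.txt',      # assumed: where the refreshed list is written
    [int]$StaleDays          = 30                                # ignore accounts with no logon in N days
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$StaleDays)

# Servers only: filter on the OperatingSystem attribute instead of OU membership.
# LastLogonDate drops decommissioned machines whose accounts were never deleted,
# which would otherwise show up as connector pull failures.
$servers = Get-ADComputer -Filter { OperatingSystem -like 'Windows Server*' -and Enabled -eq $true } `
              -Properties OperatingSystem, LastLogonDate, DNSHostName |
           Where-Object { $_.DNSHostName -and $_.LastLogonDate -and $_.LastLogonDate -gt $cutoff } |
           ForEach-Object { $_.DNSHostName.ToLower() } |
           Sort-Object -Unique

# Previously configured hosts (empty if this is the first run)
$current = @()
if (Test-Path $CurrentListPath) {
    $current = Get-Content $CurrentListPath |
               Where-Object { $_ -match '\S' } |
               ForEach-Object { $_.Trim().ToLower() } |
               Sort-Object -Unique
}

# Diff: '=>' means present in AD but not yet configured, '<=' means configured but gone from AD
$diff    = Compare-Object -ReferenceObject @($current) -DifferenceObject @($servers)
$added   = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)
$removed = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)

Write-Host ("Servers in AD now: {0}; previously configured: {1}" -f @($servers).Count, @($current).Count)
Write-Host ("To add ({0}):" -f $added.Count)
$added   | ForEach-Object { Write-Host "  + $_" }
Write-Host ("To remove ({0}):" -f $removed.Count)
$removed | ForEach-Object { Write-Host "  - $_" }

# Write the refreshed list. Importing it into the connector and restarting the connector
# is still a manual step, as both replies in the thread note.
$servers | Set-Content -Path $NewListPath -Encoding ASCII
```

Run it from a scheduled task on a machine with RSAT installed and a read-only domain account; review the add/remove output before the connector restart, since a host that left the domain but is still in the device list will generate pull errors, and a newly built server is missing from the connector until the list is reimported.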