Experiences with Unified Windows Event Log Connector

We are currently using a third-party tool to send Windows Event Logs via syslog to our central log servers. A syslog SmartConnector picks up the logs there and inserts them into our ESM installation.

We are questioning whether the Unified Windows Event Log Connector might be a solution that makes us independent of the third-party syslog client.

Do you have experience with the Unified Windows Event Log Connector? Especially, we'd be interested in the following topics.

What number of Windows hosts does this agent scale to (while still showing good performance)?

Does the Connector support Kerberos authentication? (The documentation only talks about NTLMv2 which has known weaknesses.)

Does the Connector automatically detect hosts added to or deleted from a domain? If not, how do you handle this in a large dynamic environment?

Thanks and best regards,

Rainer

7 Replies
I can't answer the scaling questions, since I am only running it on maybe 30 machines, but based on current performance I don't see a problem with it scaling to a few hundred. It all depends on the volume of events. You may only be able to support a dozen busy domain controllers, but 500 member servers with minimal activity. You have to test it out.

I believe the connector itself defaults to NTLMv2 to establish a connection to the event log on the target machine. I do not believe Kerberos is currently supported as an authentication method for the connector, but obviously Kerberos authentication messages in the event log are processed correctly.

And finally, unfortunately there is no way to dynamically/automagically add to the device list from which the logs get pulled. This list is something you define during the connector setup (it can also be modified by editing the agent.properties file directly), but unfortunately it's not capable of detecting new hosts in the domain and automatically pulling logs from them. Though it's probably not too difficult to script something like that.


Hello Rainer,

Also keep in mind that there is no way to filter events on device level when you use the "unified" connector. That's not an issue if you're already forwarding all events today, of course. In our environment it would require quite a few connectors for Windows (instead of one with Snare) and probably cause network issues near the connectors if we got all the useless/redundant OS and application debug messages as well.

Tobias


When the Unified connector works, I love it - I'm trying to reduce our reliance on Windows machines, so being able to use the connector on a Linux server is a wonderful thing.

To answer your questions:

Number of hosts: I have a connector pulling in data from 590 hosts. We have been experiencing a memory leak issue that causes the connector to crash every 30 seconds, however I discovered some info on Friday that may resolve this issue since it looks like a bug. In theory, the connector should be able to handle up to 2,000 hosts (from their presentation last year, IIRC). As with everything though, YMMV. I'll update this once I find out more info today if you'd like.

Regarding hosts - I personally get a list of the hosts in our environment monthly and just import that into the connector. Unfortunately we have a very flat AD structure so separating servers from PCs is difficult. I don't think the connector automatically detects new hosts, but rather you have to import and restart the connector.

Unfortunately I don't know the answer to the Kerberos question.

Hope this helps!

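The two replies above both say the same thing: the device list is static, so the "monthly list import" has to be reconciled by hand against what the domain actually contains. The script below is an added example (not from this thread and not part of the ArcSight product) of that reconciliation step. It assumes a constructed CSV export of computer objects with three columns (name, operatingSystem, lastLogon) and a constructed list of the hosts the connector currently polls; it filters the export down to recently active servers and reports which hosts to add and which to drop. Writing the result into agent.properties is deliberately left out, because that file's device-list format is product-version specific and is not described in the thread.

```python
"""Reconcile a connector's static Windows host list with a fresh directory export.

Added example (not from this thread or from the product). The connector's own
device-list format is not modelled here; the script only computes which hosts
to add and which to drop, which is the part the replies say must be done by hand.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample: a CSV export of computer objects from the domain.
SAMPLE_EXPORT = """name,operatingSystem,lastLogon
DC01,Windows Server 2008 R2 Standard,2012-03-01
FILE01,Windows Server 2008 Standard,2012-03-02
OLDSRV,Windows Server 2003,2011-06-30
PC-1234,Windows 7 Professional,2012-03-02
APP02,Windows Server 2008 R2 Enterprise,2012-03-03
"""

# Constructed sample: hosts the connector polls today. WEB01 no longer exists in
# the domain, so the connector keeps trying to reach a machine that is gone.
CURRENT_HOSTS = ["DC01", "OLDSRV", "WEB01"]

# Constructed "as of" date for the sample export (hypothetical value).
REPORT_DATE = date(2012, 3, 5)


def parse_export(text):
    """Parse the CSV export into dicts with a normalised host name and a real date."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "name": row["name"].strip().upper(),
            "os": row["operatingSystem"].strip(),
            "last_logon": date.fromisoformat(row["lastLogon"].strip()),
        })
    return records


def select_targets(records, as_of, max_age_days=60, servers_only=True):
    """Pick the hosts worth polling: recently active and, by default, server OS only.

    Filtering on the operatingSystem attribute is one way to separate servers
    from workstations in a flat directory. The age cut-off drops stale computer
    objects whose event logs the connector would otherwise keep trying to reach
    with an account that holds event-log read rights.
    """
    cutoff = as_of - timedelta(days=max_age_days)
    chosen = set()
    for rec in records:
        if rec["last_logon"] < cutoff:
            continue
        if servers_only and "server" not in rec["os"].lower():
            continue
        chosen.add(rec["name"])
    return chosen


def reconcile(current, desired):
    """Return (hosts to add, hosts to remove) as sorted lists."""
    current_set = {h.strip().upper() for h in current}
    return sorted(desired - current_set), sorted(current_set - desired)


if __name__ == "__main__":
    targets = select_targets(parse_export(SAMPLE_EXPORT), REPORT_DATE)
    to_add, to_remove = reconcile(CURRENT_HOSTS, targets)
    print("add to connector:", to_add)
    print("remove from connector:", to_remove)
```

Run it monthly against the real export and the connector's current list, review the two short lists, then apply them and restart the connector as the reply describes; reviewing the "remove" list is the useful part, since a retired host that stays in the device list is one the connector keeps authenticating to.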

Were you able to resolve the connector reset issue?

Yes and no. I was able to isolate the issue down to a corrupted event log on a single host. For some reason, there is a corrupted event in the event log that kills the connector. I've sent the event log to support and they're working on a fix, but in the meantime I just pulled that one system out and now one connector is pulling from about 600 hosts. So it appears it can support the large number of hosts, provided you don't stumble upon a bug.

How were you able to locate the host with the corrupted event log?

Split 1 connector up into 2 connectors, and then repeat for whichever connector keeps crashing.  I ended up rolling 10 connectors, and then just removing hosts one by one from the final connector until I found the one causing the problems.  The corrupted event is so bad in a connector by itself, the connector will die in 15 seconds.
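The isolation procedure in the reply above is a group test: a connector configured with a subset of hosts either dies or keeps running, and that single bit tells you which subset holds the bad event log. The code below is an added example, not from this thread, that carries the idea through to its general form: halve the candidate list recursively instead of splitting into ten connectors and then removing hosts one at a time. The crash oracle is a constructed simulation; in practice `crashes(hosts)` would mean starting a connector with only those hosts in its device list and watching whether it dies in the 15 seconds the reply mentions. The search also copes with more than one bad host and with the case where no single host reproduces the crash.

```python
"""Locate the host whose event log crashes the connector by halving the host list.

Added example, not from this thread. The crash oracle is simulated: in the real
procedure, crashes(hosts) means running a connector configured with only those
hosts and observing whether it dies.
"""


class CrashOracle:
    """Constructed stand-in for a connector: it crashes if any corrupt host is polled."""

    def __init__(self, corrupt_hosts):
        self.corrupt = set(corrupt_hosts)
        self.probes = 0  # number of connector runs the search has cost so far

    def __call__(self, hosts):
        self.probes += 1
        return any(h in self.corrupt for h in hosts)


def find_bad_hosts(hosts, crashes):
    """Return every host that reproduces the crash on its own, in input order.

    Each level tests both halves of a crashing list and only recurses into the
    halves that crash, so one bad host among 600 costs about 1 + 2*log2(600)
    connector runs instead of up to 600. An empty result means the full list
    does not crash, i.e. the problem is not a single host's event log.
    """
    hosts = list(hosts)
    if not hosts or not crashes(hosts):
        return []
    if len(hosts) == 1:
        return hosts
    mid = len(hosts) // 2
    return find_bad_hosts(hosts[:mid], crashes) + find_bad_hosts(hosts[mid:], crashes)


def demo():
    """Constructed run: 600 hosts, one of them (host-0412) with a corrupt event log."""
    hosts = [f"host-{i:04d}" for i in range(600)]
    oracle = CrashOracle({"host-0412"})
    found = find_bad_hosts(hosts, oracle)
    return found, oracle.probes


if __name__ == "__main__":
    found, probes = demo()
    print(f"culprit(s): {found} after {probes} connector runs")
```

Each probe is a real connector restart, so the count matters: the halving search above needs around twenty runs for 600 hosts, which is the same order of effort as the ten-connector split in the reply but does not depend on the fault being in the last connector you look at.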