We are planning to log all AD specific events from the Domain Controllers in our network. There are 4 DCs running in the network. All Domain Controllers are running on Windows Server 2008 in Native mode.
What is the best practice to do this?
Which SmartConnector is best suited and how many SmartConnector instances do we have to install?
Is this one per DC or one that can connect to multiple DC?
I did some test with the new Windows Unified Connector. It looks quite good and performs really well.
You have the possibility to add several DCs manually or to specify a Domain-User which is collecting logs from the expected hosts in this domain.
Bear in mind, Windows events are one of the "hardest" events for parsing (categorisation and normalisation); after a few tests you will see how many events one instance of a connector may be parsing. This is very hard to say. A cool feature is also that this WUC is querying the Domain for new attached hosts and adds them automatically.
I've never tested this in a huge production environment - it was just a test. But I hope it gives you some more ideas.
BR from Switzerland, Silvan
I believe the automatic adding of hosts in the domain part only works if you configured auto host detection in the connector.
It is not configured with a user by default and therefore wouldn't work.
I haven't activated it either, but we just tested it on a smaller container and it was pretty good.
It ID'd the host OSes for us, which in the GUI is a massive pain to do manually.
At my former job I used the WUC for 6 domain controllers. It worked very well, but will probably require some additional configuration. The connector version we used had very aggressive default settings. The connector would send events as fast as they were written to the event log and this utilized a lot of bandwidth (50-75% of a gigabit connection). Obviously, this would vary depending on your environment.
Some settings you may want to modify are polling time (maybe start with 1000 ms) and the number of events sent per interval. You'll need to make sure that you have your settings high enough to cover the average number of events plus a little extra. So if each DC sends 100 EPS and you have 4 DCs, you'll need to account for at least 400 EPS.
You may also want to filter or aggregate certain types of events before turning on the connector in production. For example, Windows 2008 introduced the Windows Filtering Service events which are probably unnecessary to log.
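As an added example (not from this thread or from the connector vendor), the PowerShell below measures the Security-log event rate on one DC so the polling interval and events-per-poll can be sized the way the previous answer suggests, and lists the noisiest event IDs so you can see what is worth filtering before going live. It assumes an account that can read the remote Security log and that the flagged IDs (5152, 5156, 5157, 5158) are the standard Windows Filtering Platform audit events, which are my assumption rather than something stated above.

```powershell
# Added example: size connector polling from measured EPS and surface noisy event IDs.
# Assumptions: the account can read the Security log on $ComputerName; the WFP audit
# IDs below (5152, 5156, 5157, 5158) are the standard Windows Filtering Platform events.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Minutes = 15,          # measurement window
    [int]$PollIntervalMs = 1000  # candidate connector polling interval
)

$start  = (Get-Date).AddMinutes(-$Minutes)
$filter = @{ LogName = 'Security'; StartTime = $start }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$count   = if ($events) { @($events).Count } else { 0 }
$seconds = $Minutes * 60
$eps     = [math]::Round($count / $seconds, 2)

# Events the connector must pull per poll to keep up at this rate, with 25% headroom.
$perPoll = [math]::Ceiling($eps * ($PollIntervalMs / 1000) * 1.25)

"{0}: {1} events in {2} min = {3} EPS; pull >= {4} events/poll at {5} ms" -f `
    $ComputerName, $count, $Minutes, $eps, $perPoll, $PollIntervalMs

# Top event IDs by volume; WFP audit IDs are marked as candidates for filtering.
$wfpIds = 5152, 5156, 5157, 5158
@($events) | Group-Object Id | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object {
        $flag = if ($wfpIds -contains [int]$_.Name) { ' (WFP - candidate to filter)' } else { '' }
        "  ID {0,-6} {1,8} events{2}" -f $_.Name, $_.Count, $flag
    }
```

Run it once per DC and add the per-DC EPS figures together to get the total the connector instance has to handle.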