
Windows Domain Event Log

We are planning to log all AD-specific events from the Domain Controllers in our network. There are 4 DCs running in the network. All Domain Controllers are running on Windows Server 2008 in Native mode.

What is the best practice to do this?

Which SmartConnector is best suited, and how many SmartConnector instances do we have to install?

Is this one per DC, or one that can connect to multiple DCs?

Accepted Solution
We are using Unified Connectors in production environments. It works very well. Performance is better than the Domain Connector, and configuration of the Unified Connector is much easier.

6 Replies
I did some tests with the new Windows Unified Connector. It looks quite good and performs really well.

You have the possibility to add several DCs manually, or to specify a domain user which is collecting logs from the expected hosts in this domain.

Bear in mind that Windows events are one of the "hardest" events for parsing (categorisation and normalisation); after a few tests you will see how many events one instance of a connector may be parsing. This is very hard to say. A cool feature is also that this WUC is querying the domain for newly attached hosts and adds them automatically.

I've never tested this in a huge production environment - it was just a test. But I hope it gives you some more ideas.

BR from Switzerland, Silvan

I believe the automatic adding of hosts in the domain only works if you configured auto host detection in the connector.

It is not configured with a user by default and therefore wouldn't work.

I haven't activated it either, but we just tested it on a smaller container and it was pretty good.

It ID'd the host OSes for us, which in the GUI is a massive pain to do manually.

At my former job I used the WUC for 6 domain controllers. It worked very well, but will probably require some additional configuration. The connector version we used had very aggressive default settings. The connector would send events as fast as they were written to the event log, and this utilized a lot of bandwidth (50-75% of a gigabit connection). Obviously, this would vary depending on your environment.

Some settings you may want to modify are the polling time (maybe start with 1000 ms) and the number of events sent per interval. You'll need to make sure that you have your settings high enough to cover the average number of events plus a little extra. So if each DC sends 100 EPS and you have 4 DCs, you'll need to account for at least 400 EPS.

You may also want to filter or aggregate certain types of events before turning on the connector in production. For example, Windows 2008 introduced the Windows Filtering Service events, which are probably unnecessary to log.

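The sizing and filtering advice in the reply above needs real numbers from your own DCs before you pick a polling interval or a filter list. The following PowerShell script is an added example, not code from any poster in this thread and not an ArcSight or WUC feature: it measures the Security-log event rate on each DC over a window, applies a headroom factor to get a planning EPS, and lists the event IDs that dominate volume so you can decide what to filter at the connector. The DC names are placeholders, the 25% headroom is an assumption standing in for the reply's "plus a little extra", and the Windows Filtering Platform event IDs named in the comment (5156/5158) are from my own knowledge, not from the thread.

```powershell
# Added example, not from the thread or from ArcSight: estimate per-DC Security-log
# EPS and list the event IDs that dominate volume, to size collector throughput
# and pick filter candidates before switching a connector on in production.
function Measure-SecurityLogRate {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # assumption: a DC whose Security log you can read
        [int]$Minutes = 60,                          # measurement window
        [double]$Headroom = 1.25                     # assumption: 25% extra on top of the measured average
    )
    $start  = (Get-Date).AddMinutes(-$Minutes)
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; StartTime = $start
    } -ErrorAction SilentlyContinue)

    $total = $events.Count
    $eps   = if ($total -gt 0) { $total / ($Minutes * 60) } else { 0 }

    # Top event IDs by share of volume. IDs such as 5156/5158 (Windows Filtering
    # Platform connection/bind audits; my numbers, not the thread's) are typical
    # high-volume, low-value candidates for filtering at the connector.
    $top = $events | Group-Object -Property Id | Sort-Object -Property Count -Descending |
        Select-Object -First 10 | ForEach-Object {
            [pscustomobject]@{
                Id      = [int]$_.Name
                Count   = $_.Count
                Percent = [math]::Round(100 * $_.Count / $total, 1)
                Task    = $_.Group[0].TaskDisplayName
            }
        }

    [pscustomobject]@{
        ComputerName = $ComputerName
        WindowMin    = $Minutes
        Events       = $total
        EPS          = [math]::Round($eps, 2)
        PlanEPS      = [math]::Ceiling($eps * $Headroom)
        TopEventIds  = $top
    }
}

# Run against each DC (placeholder names; replace with your own) and sum PlanEPS
# to get the throughput the connector instance(s) must sustain.
$dcs = 'DC1', 'DC2', 'DC3', 'DC4'
$results = foreach ($dc in $dcs) { Measure-SecurityLogRate -ComputerName $dc -Minutes 60 }
$results | Format-Table ComputerName, Events, EPS, PlanEPS -AutoSize
"Total connector budget: {0} EPS" -f ($results | Measure-Object -Property PlanEPS -Sum).Sum
$results | ForEach-Object {
    Write-Host "== $($_.ComputerName) top event IDs"
    $_.TopEventIds | Format-Table -AutoSize | Out-String | Write-Host
}
```

Run it at a representative time of day (logon storms in the morning will look nothing like a quiet afternoon), and compare the per-ID table against what your detection content actually uses before dropping anything: an ID that is 40% of volume but feeds no rule is a filter candidate, while an ID that is rare but security-relevant (account changes, privilege use) should never be filtered for volume reasons.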
Thanks a lot. We are now successfully running the WUC.
