Per Bejder (Super Contributor)

Windows Native Connector - WINC - startatend not working

Hi all 

Just started using the Native connector (WINC) instead of the unified connector (WUC).

One thing I just saw was the connector started to collect old events and not just new ones?
I can see this line: agents[0].startatend=true.

Doesn't that mean that it should just pick up new events and not any old stuff?

Am I missing something?

 

Best regards from Denmark

Per Bejder

pbrettle (Acclaimed Contributor)

Re: Windows Native Connector - WINC - startatend not working

It's a confusing setting, but the logic is as follows:

startatend=true

This means that the connector will look for the last date, time or ID number for the log data and store this information. When NEW data is received after this time, date or ID number, process this as normal. 

startatend=false

This means you should, where possible, ignore any date, time or ID number for the log data and start from the earliest possible date that is identified. 

 

It's not quite as logical as it might seem, but there is logic. A great example of this is when you have a database type log source (like McAfee ePO). Set to true, it will run the query, get the most recent log entry and store the date and time as well as ID number for the data. It will not process this, but will then back off until the next query run and then check if anything has changed. If so, it will process NEW data only.

In the case of set to false and a database type, it will simply identify the first record in the database and process from there - usually in batches and ultimately through what you have. Of course, if you set this to false and restart the connector though, IT WILL START AGAIN. That means you will get duplicate log messages - not great, but just keep on top of this if you have it enabled.

One thing to note though - it is utterly dependent on the log source. I used an illustration with a database for a reason - the data is there until purged! It's different with Windows. WINC and WUC will operate this way, but only if the Windows subsystem that is looking after the data has it present - not backed up or offline. In the case of Windows, that might not always be obvious. In the case of WINC, it might not actually have the data locally anyway, so the startatend might not actually get the data anyway.

Just be careful, monitor what it does and check that you have the data ready to be read. 

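The behaviour described in the reply above, as a small model of a database-type source (an added example, not part of the original post and not ArcSight code). The class and method names are hypothetical, the record IDs are constructed, and the model assumes that with startatend=true the stored position is kept across a restart, which the reply does not state.

```python
class Source:
    """Database-style log source: records stay available until purged."""
    def __init__(self, ids):
        self.ids = sorted(ids)            # constructed sample record IDs

    def add(self, *ids):
        self.ids.extend(ids)

    def purge_up_to(self, last_id):
        self.ids = [i for i in self.ids if i > last_id]


class Connector:
    """Hypothetical reader that models only the startatend logic."""
    def __init__(self, source, startatend):
        self.source, self.startatend = source, startatend
        self.position = None
        self.start()

    def start(self):
        """Called at first start and again at every restart."""
        if self.startatend:
            # true: store the newest ID without processing it.
            # Assumption: the stored position survives a restart.
            if self.position is None:
                self.position = max(self.source.ids, default=0)
        else:
            # false: ignore any stored position, begin at the earliest record.
            self.position = 0

    def poll(self):
        """Return the IDs processed in this query run."""
        new = [i for i in self.source.ids if i > self.position]
        if new:
            self.position = max(new)
        return new


def demo():
    src = Source(range(1, 6))                       # records 1..5 already exist
    tail, full = Connector(src, True), Connector(src, False)
    first = (tail.poll(), full.poll())              # backlog skipped vs. processed
    src.add(6, 7)
    second = (tail.poll(), full.poll())             # both see the new records
    src.purge_up_to(3)                              # source no longer holds 1..3
    tail.start(); full.start()                      # connector restart
    third = (tail.poll(), full.poll())              # false replays what is left
    return first, second, third


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The third step shows both points from the reply: with startatend=false a restart re-sends records 4 to 7 as duplicates, and records 1 to 3 are not re-sent only because the source no longer has them.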
Per Bejder (Super Contributor)

Re: Windows Native Connector - WINC - startatend not working

Hi Paul 

It was as I thought. But what I saw was that some of the added servers collected everything and not just the new events.

The default setting is true and I didn't change it. Well, it has caught up by now.

/Per 
