Overview
In some cases, Sensage customers need to retrieve the Forwarded Events log from their Windows log sources, in addition to configuring the registry keys as indicated on page 1 of the Collector Guide.
However, following the process described in the Collector Guide does not retrieve the log correctly.
Environment
Sensage AP all versions
Requirement
Access to the Sensage AP environment and to the Windows servers (for configuring the registry keys).
Root Cause
When the readers pull information from both custom and standard sources at the same time (i.e. fwd and sec), the collector pulls information from the custom log source incorrectly.
Resolution
Consider the following steps performed by an agent to retrieve the Forwarded Events log from one of the configured servers, where the registry keys had been set correctly as documented in the Collector Guide on pages 106-107.
- The agent was able to retrieve the logs correctly from the Forwarded Events source on the Windows machine after identifying that
logmap.fwd=ForwardedEvents
in the agentless2k8.prop configuration file does not require a space between the words "Forwarded" and "Events". This contradicts the documentation under Setup Instructions for Forwarded Logs in the Collector Guide, which says the following:
IMPORTANT: Be sure to separate the two words of the key name Forwarded Events with a space.
- Additionally, on the reader line, the agent left only the fwd logs to make sure the collector was gathering from the correct log file.
- After reviewing all the configurations, the agent restarted the collector and was able to gather the Forwarded Events log from the configured Windows server.
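The two pitfalls above (a space in the logmap.fwd value, and a reader line that mixes fwd with other sources) can be caught before restarting the collector with a small check over the agentless2k8.prop file. This is an added example, not Sensage code; only the logmap.fwd key comes from this article, while the readers key name and its comma-separated format are assumptions.

```python
"""Check an agentless2k8.prop file for the Forwarded Events pitfalls
described in this article. Added example, not part of Sensage AP.
The 'readers' key name and comma-separated value are assumptions."""
import re

READER_KEY = "readers"  # assumed (hypothetical) name of the reader line key


def parse_prop(text):
    """Parse Java-style key=value properties; skips blank and comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line; ignore it
        props[key.strip()] = value.strip()
    return props


def check_forwarded_events(text):
    """Return a list of findings; an empty list means the file looks correct."""
    props = parse_prop(text)
    findings = []
    fwd = props.get("logmap.fwd")
    if fwd is None:
        findings.append("logmap.fwd is missing")
    elif re.search(r"\s", fwd):
        # The Collector Guide says to separate the two words with a space,
        # but in practice the value must be written as ForwardedEvents.
        findings.append(f"logmap.fwd contains whitespace: {fwd!r}; use ForwardedEvents")
    readers = [r.strip() for r in props.get(READER_KEY, "").split(",") if r.strip()]
    if "fwd" in readers and len(readers) > 1:
        # Mixing fwd with standard sources makes the collector read the
        # custom source incorrectly; leave only fwd on the reader line.
        findings.append(f"reader line mixes fwd with other sources: {readers}; leave only fwd")
    return findings


# Constructed sample: the configuration as the guide describes it (fails)
BROKEN = "logmap.fwd=Forwarded Events\nreaders=fwd,sec\n"
# Constructed sample: the configuration that worked for the agent
FIXED = "logmap.fwd=ForwardedEvents\nreaders=fwd\n"

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_forwarded_events(text) or "OK")
```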
Confirmation
The Forwarded Events log should be retrieved and loaded normally.