Microsoft Windows Event Management Guide
- Updated on 06 Jun 2022
Overview
The Microsoft Windows Event Management module is used to configure, view, and manage the Windows Event logs collected from a remote server or device.
Leveraging the power of the Unified Communications Management Platform (UCMP), Nectar is able to deliver real-time visibility, map system interdependencies, and zero in on failed links, services, and components to minimize business interruption.
About this Guide
This guide provides the instructions to configure, view, and manage Windows Event logs using the Nectar Microsoft Windows Event Management module, a component of Nectar Foundation.
This guide explains how to:
Create a Domain Account and Configure Permissions
Configure Windows Event Management Module
Configure Windows Events for Collection
Audience
This guide is intended for Nectar partners and engineers who have system administration access and technical knowledge of the Windows Event Management module along with a familiarity with deploying Nectar Foundation.
Supported Software Versions
- Nectar UCMP v8.7
Create a Domain Account and Configure Permissions
Creating a domain account and configuring permissions includes the following tasks:
Create a New Domain Account in Active Directory
Add Local Administrator Permissions to Domain Account
Create a New Domain Account in Active Directory
Follow these steps to create a new user in Active Directory (AD):
- Login to your Domain Controller.
- Open Active Directory Users and Computers with an account that has permissions to create new user accounts and assign permissions.
- Right-click on your domain and select New > User.
Figure 2-1 Add New User
The New Object - User window appears.
Figure 2-2 New Object - User
- Enter the following information about the new user:
Parameter | Enter ... |
--- | --- |
First Name | First name of the new user. |
Initial | Middle initial of the new user, if applicable. |
Last Name | Last name of the new user. |
Full Name | This field automatically populates when you enter First Name, Initial, and Last Name. |
User Logon Name | Logon name for the new user; the Full Name value is used to complete it. |
Table 2-1 New User
- Click Next.
Figure 2-3 Add Password
- Enter your Password; then confirm your password.
- Click Password Never Expires.
- Uncheck any other boxes, if applicable.
- Click Next; then click Finish.
A new user is added for the on-boarding process.
Figure 2-4 New User
Add Local Administrator Permissions to Domain Account
You must have local administrator permissions on all servers.
Follow these steps to add local administrator permissions to the newly created domain account on each Windows Event Management server:
- Log on to a Windows server.
- Navigate to Local Users and Groups (Local) > Groups > Administrators.
Figure 2-5 Local Users and Groups (Local) > Groups > Administrators
The Administrators Properties window appears.
- Click Add.
Figure 2-6 Administrators Properties
The Select Users, Computers, Service Accounts, or Groups window appears.
Figure 2-7 Select Users, Computers, Service Accounts, or Groups
- Enter the domain user previously added, such as plano; then click Check Names to search and complete the user name.
- Click OK.
- Repeat this process for each Windows Event Management server.
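The two procedures above (creating the account, then granting it local Administrators membership on every server) can be carried out in one pass with PowerShell. The script below is an added example, not Nectar's code; the account name, OU path, UPN suffix and server list are placeholders, and the servers need the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 or later). The membership is read back after the change so the result on each server is confirmed rather than assumed.

```powershell
# Added example (not Nectar's code): create the collection account in AD and
# grant it local Administrators membership on each Windows Event Management server.
# Assumed values: account name, OU path, UPN suffix and server names are placeholders.
#Requires -Modules ActiveDirectory

$AccountName = 'nectar-wevt'                                # assumed sAMAccountName
$OuPath      = 'OU=Service Accounts,DC=example,DC=com'      # assumed OU
$UpnSuffix   = 'example.com'                                # assumed UPN suffix
$Servers     = @('WEVT-SRV01', 'WEVT-SRV02')                # assumed server names

# Prompt for the password instead of embedding it in the script.
$Password = Read-Host -Prompt "Password for $AccountName" -AsSecureString

# Step 1: create the user. PasswordNeverExpires mirrors the checkbox in Figure 2-3;
# the account is enabled so the RIG can authenticate with it.
New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -UserPrincipalName "$AccountName@$UpnSuffix" `
    -Path $OuPath -AccountPassword $Password `
    -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
    -Enabled $true -Description 'Nectar Windows Event collection'

$DomainNetBios = (Get-ADDomain).NetBIOSName
$Member = "$DomainNetBios\$AccountName"

# Step 2: add the account to local Administrators on every server, then read the
# membership back so the output shows what each server actually has.
$Results = Invoke-Command -ComputerName $Servers -ArgumentList $Member -ScriptBlock {
    param($Member)
    $group = 'Administrators'
    $already = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $Member }
    if (-not $already) {
        Add-LocalGroupMember -Group $group -Member $Member
    }
    [pscustomobject]@{
        Server   = $env:COMPUTERNAME
        IsMember = [bool](Get-LocalGroupMember -Group $group |
                          Where-Object { $_.Name -eq $Member })
    }
}

$Results | Format-Table Server, IsMember
```

Run it from a host with the RSAT Active Directory module, using an account that can create users in the target OU and that has remoting access to the servers. Any server reporting IsMember = False has not received the permission and should be revisited before the agent is configured.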
Configure Windows Event Management Module
Configuring the Windows Event Management module includes the following tasks:
Enable the Windows Event Management Module
Add an Agent
Configure the Agent
Enable the Windows Event Management Module
Follow these steps to enable the Windows Event Management module:
- Navigate to RIG > Module Configuration. The Module Configuration window appears.
- Select Microsoft Windows Event.
- Click Apply.
Figure 3-1 Enable Windows Event Management Module
- To restart the RIG and apply the changes:
- Navigate to RIG > Admin > Restart.
- When the following message appears, click Yes.
Figure 3-2 Restart
Note
After you enable this module, Windows Events appears as a module under the Configure and Tools menus.
Add an Agent
Before you can deploy the Microsoft Events Management module, you must add an agent for each remote Windows server or device from which you want to collect events.
Follow these steps to add an agent:
- Navigate to Health > Elements. The Elements window appears.
- Click Agents to view a list of agents.
- Right-click in the All Agents pane and select Add. The Add Agent window appears.
Figure 3-3 Add Agent
- Enter the Name, IP address, and Community for the new agent; then click OK. The new agent is added to the list of agents in the All Agents pane.
Note
You can also enter the following optional information for the new agent.
Parameter | Description |
--- | --- |
Create Agent dependency tree | Select to create a dependency tree for the new agent. |
SNMP Version | Select one of the listed SNMP versions. |
Port | Enter the SNMP port, such as 161. |
Community | Enter the community string previously configured. |
Authentication | Select one of the listed authentication methods. |
User ID | Enter the user ID set up for the SNMP read-only community string. |
Password | Enter the password set up for the SNMP read-only community string. |
Privacy Protocol | Select one of the listed protocols. Note: Enabled for SNMP V3 only. |
Privacy Password | Enter the password for the Privacy Protocol. Note: Enabled for SNMP V3 only. |
Table 3-1 Add an Agent
Configure the Agent
After adding a new agent, you must edit the properties for the agent to add the PowerShell properties and user data.
Follow these steps to edit an agent:
- Navigate to Health > Elements. The Elements window appears.
- Click Agents to view a list of agents.
- Right-click on the new agent and select Edit.
Figure 3-4 Edit
The Edit Agent window appears.
Figure 3-5 Edit Agent
- Click the Properties tab; then click Add to open the Add Property dialog box.
Figure 3-6 Add Property
- Enter a PowerShell property and value for the associated domain user data; then click Add.
The PowerShell properties to be added include:
powershell.domain
powershell.host
powershell.password
powershell.user
Refer to the following example.
Figure 3-7 Add PowerShell Properties
For more information on adding a domain user, see Create a Domain Account and Configure Permissions.
- When all properties have been added, click OK.
Configure Windows Events for Collection
Configuring Windows events for collection includes the following tasks:
Configure Windows Events
View Collection Configuration and Events
Customize Windows Event Alert Levels (Optional)
Configure Windows Events
Follow these steps to configure the events to be collected from the agent (remote server or device):
- Navigate to Configure > Windows Events.
Figure 4-1 Configure > Events
The Windows Events - Agents window appears.
- Click Add.
Figure 4-2 Windows Events - Agents
The Add Agent window appears.
- Enter the following information:
Figure 4-3 Add Agent
Parameter | Description |
--- | --- |
Name | Select an agent name using the drop-down. This is the remote server or device from which you want to collect events. |
Event Log | Select the event log(s) to be collected from the event logs that are listed. The logs that appear are based on the selected agent name. |
Event Type | Select the event type(s) to be collected. |
Event Time Range | Select the time range for the event collection, such as Last 15 Mins or Last 1 Day, using the drop-down. This specifies the length of time that the events are collected or monitored for the first collection run. |
Event Source Filter | To filter the event data further, enter a specific source for the event in this field. Note: This field also supports regular expressions, which provides additional filtering flexibility. |
Event Message Filter | To filter the event data further, as needed, enter an event message in this field. Note: This field also supports regular expressions, which provides additional filtering flexibility. The Source and Message fields can be found in the Event log. View the following example of an Event log: |
Table 4-1 Configure Events
- Click OK.
An entry is generated for the agent and event log combination in the Agents window.
Note
You can also select an entry; then click Edit or Remove on the Agents tab to edit or remove the agent and event log combination.
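Because the Event Source Filter and Event Message Filter are regular expressions, it is worth previewing what a filter matches on the live log before saving the configuration. The script below is an added example, not part of the Nectar module: it issues a Get-WinEvent query against the agent host with the same log, event type (Level), time range and two regex filters, and summarises the result the way the Current Events tab does (first/last time and count per source and event ID). The server name, log name and the two regex values are placeholders.

```powershell
# Added example (not Nectar's code): preview a Windows Events collection filter.
# Assumed values: the agent host, log name and both regex filters are placeholders.
param(
    [string]$ComputerName = 'WEVT-SRV01',                     # assumed agent host
    [string]$LogName      = 'System',                         # Event Log from Table 4-1
    [int[]] $Levels       = @(2, 3),                          # 2 = Error, 3 = Warning (Event Type)
    [int]   $LastMinutes  = 15,                               # Event Time Range, e.g. Last 15 Mins
    [string]$SourceRegex  = '^Service Control Manager$',      # Event Source Filter (regex, assumed)
    [string]$MessageRegex = 'terminated unexpectedly'         # Event Message Filter (regex, assumed)
)

# Use the same domain account that goes into powershell.user / powershell.password.
$Credential = Get-Credential -Message "Collection account for $ComputerName"

# Log, level and start time are applied server-side by the event log service.
# For Security-log audit failures, use Keywords = 0x10000000000000 instead of Level.
$filter = @{
    LogName   = $LogName
    Level     = $Levels
    StartTime = (Get-Date).AddMinutes(-$LastMinutes)
}

# The Source and Message regexes are applied client-side, matching the guide's
# description of those two filter fields.
$events = Get-WinEvent -ComputerName $ComputerName -Credential $Credential `
              -FilterHashtable $filter -ErrorAction SilentlyContinue |
          Where-Object { $_.ProviderName -match $SourceRegex -and $_.Message -match $MessageRegex }

# Summarise like the Current Events tab: one row per source and event ID,
# with first/last generation time and the number of occurrences.
$events |
    Group-Object ProviderName, Id |
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object TimeCreated)
        [pscustomobject]@{
            EventHostName      = $ComputerName
            EventLog           = $LogName
            EventSource        = $sorted[0].ProviderName
            EventId            = $sorted[0].Id
            TimeGeneratedFirst = $sorted[0].TimeCreated
            TimeGeneratedLast  = $sorted[-1].TimeCreated
            NumberOfEvents     = $sorted.Count
            EventMessage       = ($sorted[0].Message -split "`n")[0]
        }
    } | Format-Table -AutoSize
```

An empty result means either that no matching events occurred in the time range or that one of the regexes is too narrow; loosen the Message regex first, since that field varies most between events. When the output matches what you expect, copy the same regex strings into the Add Agent window.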
View Collection Configuration and Events
Follow these steps to view the collection configuration and event data:
- Navigate to Configure > Windows Events.
The Windows Events - Agents window appears.
Figure 4-4 View Collections
- Select an agent; then click View Collections. The Collections window appears.
- Notice the Status of the collection is still executing/processing (see Figure 4-5).
- Notice the Schedule is a Cron expression schedule, such as 0 0/5 * * * ?, and shows how often events are collected. The default is every five minutes.
- The first collection run was scheduled using Event Time Range on the Add Agent window. However, for subsequent collections, the Cron expression schedule is used.
For more information on how to change the Cron expression schedule, see Change a Collection Schedule.
- When the collection process completes, navigate to Configure > Windows Events. The Windows Events window appears.
Figure 4-6 Current Events
- Click the Current Events tab to view the events collected from the Windows event logs.
Figure 4-7 Collected Current Events
Note
You can only view the events here. However, these events are mapped to our Event System where they can be acknowledged and managed.
- View the following information:
Field | Identifies ... |
--- | --- |
Event Host Name | Host name from which the events were retrieved. |
Event Log | Event log that was previously selected for collection during configuration. |
Event Source | Source from which the event was retrieved. |
Event Type | Event type that was previously selected for collection during configuration. |
Time Generated First | Date that the event was first generated. |
Time Generated Last | Date that the event was last generated. |
Number of Events | Number of times the event has been generated. |
Event Message | Message associated with the event; used for monitoring issues on a remote Windows server or device. |
- To manage the events, navigate to Tools > Windows Events.
Figure 4-8 Tools > Windows Events
The Windows Events window appears.
Figure 4-9 Windows Events
Note
For more information on how to change the display of the events in the Windows Events pane, see Enter the new expression; then click OK.
View Event Data
Follow these steps to view data for a specific collected event.
- Right-click on an event and select View Event.
Figure 4-10 View Event
The View Event window appears.
Figure 4-11 View Event Data
- View specific data associated with the collected event.
Note
If you right-click on an event and select Acknowledge, the event is acknowledged and removed from the list.
For more information, see the Remote Intelligence Gateway (RIG) Administration Guide.
Change a Collection Schedule
Follow these steps to change the Cron expression collection schedule:
- Right-click on the current schedule entry and select Change Cron String. The Update Cron String dialog appears.
Figure 4-12 Update Cron String
- Enter the new expression; then click OK.
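A Cron string that is accepted by the dialog but fires at the wrong times is easy to miss, so it helps to expand a candidate expression into its next fire times before entering it. The functions below are an added example, not Nectar's code: they interpret the six- or seven-field Quartz-style format the guide shows (seconds first, day-of-week 1 = Sunday through 7 = Saturday, one of day-of-month or day-of-week set to ?) and support the tokens *, ?, single values, ranges, steps and comma lists; the Quartz extras L, W and # are rejected rather than silently misread.

```powershell
# Added example (not Nectar's code): expand a Quartz-style cron expression into its
# next fire times. Supports * ? n a-b a/b and comma lists; L, W and # are rejected.

function Expand-CronField {
    param([string]$Field, [int]$Min, [int]$Max)
    $values = New-Object 'System.Collections.Generic.HashSet[int]'
    foreach ($part in $Field -split ',') {
        if ($part -match '[LW#]') { throw "Unsupported token in '$part'" }
        $step = 1
        if ($part -match '^(.+)/(\d+)$') { $part = $Matches[1]; $step = [int]$Matches[2] }
        if ($part -eq '*' -or $part -eq '?')   { $lo = $Min; $hi = $Max }
        elseif ($part -match '^(\d+)-(\d+)$')  { $lo = [int]$Matches[1]; $hi = [int]$Matches[2] }
        elseif ($part -match '^\d+$')          { $lo = [int]$part; $hi = if ($step -gt 1) { $Max } else { $lo } }
        else { throw "Cannot parse '$part'" }
        if ($lo -lt $Min -or $hi -gt $Max -or $lo -gt $hi) { throw "'$part' is outside $Min-$Max" }
        for ($v = $lo; $v -le $hi; $v += $step) { [void]$values.Add($v) }
    }
    return $values
}

function Get-CronNextRuns {
    param([string]$Expression, [datetime]$From = (Get-Date), [int]$Count = 5)
    $f = $Expression.Trim() -split '\s+'
    if ($f.Count -lt 6 -or $f.Count -gt 7) { throw "Quartz cron needs 6 or 7 fields, got $($f.Count)" }
    if ($f[3] -ne '?' -and $f[5] -ne '?')   { throw "One of day-of-month or day-of-week must be '?'" }
    $sec  = Expand-CronField $f[0] 0 59
    $min  = Expand-CronField $f[1] 0 59
    $hour = Expand-CronField $f[2] 0 23
    $dom  = Expand-CronField $f[3] 1 31
    $mon  = Expand-CronField $f[4] 1 12
    $dow  = Expand-CronField $f[5] 1 7        # Quartz: 1 = Sunday ... 7 = Saturday

    # Walk forward one minute at a time (a year at most) and emit matching seconds.
    $runs   = New-Object 'System.Collections.Generic.List[datetime]'
    $minute = $From.AddMilliseconds(-$From.Millisecond).AddSeconds(-$From.Second)
    $limit  = $From.AddDays(366)
    while ($runs.Count -lt $Count -and $minute -lt $limit) {
        $quartzDow = [int]$minute.DayOfWeek + 1   # .NET Sunday = 0 -> Quartz 1
        if ($min.Contains($minute.Minute) -and $hour.Contains($minute.Hour) -and
            $mon.Contains($minute.Month) -and $dom.Contains($minute.Day) -and
            $dow.Contains($quartzDow)) {
            foreach ($s in ($sec | Sort-Object)) {
                $candidate = $minute.AddSeconds($s)
                if ($candidate -gt $From -and $runs.Count -lt $Count) { $runs.Add($candidate) }
            }
        }
        $minute = $minute.AddMinutes(1)
    }
    return $runs
}

# The guide's default schedule: every five minutes.
Get-CronNextRuns -Expression '0 0/5 * * * ?' -Count 3
```

Try the replacement schedule with a larger Count and a fixed -From date to see exactly when collections would run; a throw from Expand-CronField means the string uses a token this example does not model, not necessarily that the RIG rejects it.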
Customize Windows Event Alert Levels (Optional)
Nectar Foundation can trigger alerts when warnings or errors occur in the Windows Event Log. By default, a Windows error event triggers a Level 4 (Major) alarm, and a warning or audit failure event triggers a Level 2 (Warning) alarm.
The alert levels can be modified from the default values using the following steps:
- Navigate to RIG > File Manager. The File Manager window appears.
- Look for the Remote File System pane on the right; then navigate to one of the following properties files in the RIG installation directory:
- etc\sfbModule-module.properties
- etc\lyncModule-module.properties (for Legacy)
- Right-click on the file and select Download.
- Save the file to the local destination.
- Navigate to the file.
- Right-click on the file and select Open With. Use Notepad.
- Add the following values to the file:
windows.event.error=4
windows.event.failureaudit=2
windows.event.warning=2
You can change the values, as needed.
View the following example.
Figure 4-13 properties File
- Navigate to File > Save to save the changes to the file.
- Navigate to RIG > File Manager. The File Manager window appears.
- Navigate to the correct properties file in the RIG installation directory.
- Right-click on the properties file and select Upload.
- Browse to the updated properties file, select it, and click Open. The Upload File window appears.
- To restart the RIG and apply the changes:
- Navigate to RIG > Admin > Restart.
- When the Restart message appears, click Yes.
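Editing the downloaded properties file by hand works, but it is easy to leave a duplicate key or clobber another setting. The function below is an added example, not Nectar's code: it updates or appends the three windows.event.* keys in a Java-style .properties file while leaving comments and unrelated keys untouched, and checks that each level is a non-negative integer before writing. The local download path is a placeholder.

```powershell
# Added example (not Nectar's code): set windows.event.* alert levels in a downloaded
# properties file without disturbing other settings. The file path is assumed.

function Set-PropertiesValues {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Values
    )
    $lines = if (Test-Path $Path) { [System.IO.File]::ReadAllLines($Path) } else { @() }
    $seen  = @{}
    # Java .properties: key=value; lines starting with '#' or '!' are comments.
    $out = @(foreach ($line in $lines) {
        if ($line -match '^\s*([^#!=\s][^=]*?)\s*=' -and $Values.ContainsKey($Matches[1])) {
            $key = $Matches[1]
            $seen[$key] = $true
            "$key=$($Values[$key])"          # replace the existing value in place
        } else {
            $line                            # keep everything else verbatim
        }
    })
    # Append any key that was not already present.
    $out += @(foreach ($key in $Values.Keys) {
        if (-not $seen[$key]) { "$key=$($Values[$key])" }
    })
    [System.IO.File]::WriteAllLines($Path, [string[]]$out)
}

# Alert levels from the guide: error = 4 (Major), failure audit and warning = 2 (Warning).
$levels = @{
    'windows.event.error'        = 4
    'windows.event.failureaudit' = 2
    'windows.event.warning'      = 2
}
foreach ($v in $levels.Values) {
    if ($v -isnot [int] -or $v -lt 0) { throw "Alert level must be a non-negative integer, got '$v'" }
}

# Assumed local path of the file downloaded through RIG > File Manager.
$file = Join-Path $env:USERPROFILE 'Downloads\sfbModule-module.properties'
Set-PropertiesValues -Path $file -Values $levels
Get-Content $file | Select-String '^windows\.event\.'
```

Run it against the downloaded copy, confirm the three printed lines, then upload the file and restart the RIG as described above. Running the function a second time with different values rewrites the same three lines rather than adding duplicates.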