Enterprise SIEM, Centralized Log Management, Security, Compliance, Server Monitoring and Uptime Monitoring Software
Table of Contents

Event Log Consolidation Template

Event Log consolidation is the process of downloading Event Log entries and saving them to a Data Provider, also known as a Log Database.

There are two methods which Event Log entries can be saved to the Log Database.

  • Microsoft's WMI
  • Corner Bowl's Server Manager Agent

WMI is Microsoft's premier technology for remote management often plagued with errors such as RPC_E_DISCONNECTED, RPC_E_CALL_CANCELED, The remote procedure call failed, Quota violation and many others. The upside to using WMI is it works, well mostly, out-of-the-box. The Corner Bowl Server Manager Agent resolves these issues by providing reliable Event Log entry transfers that complete approximately 12x faster than WMI. The downside to using the agent is that is must be installed on each managed server.

Using WMI

Server Manager comes pre-installed with a Event Log Consolidation template that downloads the Application, Security and System Event Logs. You have the option of extending this template or creating your own.

How to Configure WMI-Based Event Log Consolidation

  • From the Explorer View, expand Templates | Sample Templates | Log Consolidation then right click on Event Log Consolidation and select Template Properties.
  • The Template Properties view contains 7 tabs.
By default this template downloads entries every hour and evenly distributes each download over the hour among the assigned hosts. For example, if you assign 60 hosts to this template the software will download entries form a single and different server every minute. After 60 minutes the first server will be downloaded again.

The Options Tab

  • Optionally assign a Consolidation filter to dump entries you do not want saved to the Log Database. When assigned, only entries that pass the assigned consolidation filter are saved to the Log Database.
  • Use the Initial number of days to download to configure the initial download. Subsequent downloads always pull from the last saved entry forward.
    If you have a heavily loaded domain controller you may need to limit the initial download of the Security Event Log to one day then build the database from that point on, otherwise you may receive a Quota Violation. You also have the option of specifying 0 days. When set to 0, Server Manager downloads the last hour of entries which should resolve any Quote Violation errors.
  • Use the Download in batches of option to minimize WMI results sizes. This option is yet another attempt to work around Quota Violation errors.
    If you are unable to resolve Quota Violation errors using the hourly batch method increase the Windows host's WMI Quota. For more information see: WMI Properties.
  • Use the Clear the remote Event Log after each download to clear the actual Event Log from managed hosts once the download is complete.
  • Use the Log Entry Retention Policy drop-down to select the retention policy. The retention policy is another template that defines the number of days to retain in the Primary and Archive Log Databases, for example, archive entries older than 30 days and retain entries for 150 days for a total of 180 days. Assign multiple retention policies to remove entries that match filter criteria defined in each retention policy. For more information see: Log Entry Retention Policy Template

Using the Agent

Server Manager comes pre-installed with an Agent-Based Event Log Consolidation template that requests managed servers to upload their Application, Security and System Event Logs. You have the option of extending this template or creating your own.

How to Configure Agent-Based Event Log Consolidation

For more information see: Agent Server

Related Topics

Log Consolidation Templates

Log Entry Retention Policy Template

Data Providers

Agent Server

WMI Properties

Log Monitor