Table of Contents
- System Requirements
- Assign Service Logon As Credentials
- Server Configuration
- Agent-Based Monitoring
- Azure Relay Hybrid Connection
- Account Lockout Monitoring and Reporting
- Data Providers
- Directory Services
- Template Properties
- Batch Update Templates
- Log Management Templates
- File and Directory Monitor Templates
- Windows Monitor Templates
- Account Lockout Monitor Template
- Logon Monitor Template
- CPU Monitor Template
- Memory Monitor Template
- Disk Space Monitor Template
- SMART Monitor Template
- Process Monitor Template
- Service Monitor Template
- Performance Counter Monitor Template
- Active Directory User Monitor Template
- Active Directory User Integrity Monitor Template
- Clock Synchronization Template
- Defragment NTFS Disks Template
- Network and Application Monitor Templates
- SSL Certificate Monitor Templates
- Email Monitor Templates
- SNMP Monitor Templates
- Monitor Hierarchy
- Report Properties
- Security Reports
- Generic Log Reports
- File and Permission Reports
- Summary Reports
- Shared Views
- General Executable Properties
- Assign Actions
- Assign Directories
- Assign Disks
- Assign Shares
- Assign Files
- Assign Consolidated Logs
- Assign Event Logs
- Assign Active Directory Audit Logs
- Target Files and Sub-Directories
- Define Log Entry Columns
- Define CSV and W3C Log Entry Columns
- Active Directory User and Group Filters
- Explicitly Assigned Logs
- Report Columns
- Report Date/Time Ranges
- Report Security Event Log Filters
- SNMP Browser
- SSH Shell
- Exporting and Importing Configuration Objects
- Command Line Interface
Event Log Consolidation Template
Event Log consolidation is the process of downloading Event Log entries and saving them to a Data Provider, also known as a Log Database.
There are two methods which Event Log entries can be saved to the Log Database.
- Microsoft's WMI
- Corner Bowl's Server Manager Agent
WMI is Microsoft's premier technology for remote management often plagued with errors such as RPC_E_DISCONNECTED, RPC_E_CALL_CANCELED, The remote procedure call failed, Quota violation and many others. The upside to using WMI is it works, well mostly, out-of-the-box. The Corner Bowl Server Manager Agent resolves these issues by providing reliable Event Log entry transfers that complete approximately 12x faster than WMI. The downside to using the agent is that is must be installed on each managed server.
Server Manager comes pre-installed with a Event Log Consolidation template that downloads the Application, Security and System Event Logs. You have the option of extending this template or creating your own.
How to Configure WMI-Based Event Log Consolidation
- From the Explorer View, expand Templates | Sample Templates | Log Consolidation then right click on Event Log Consolidation and select Template Properties.
- The Template Properties view contains 7 tabs.
|By default this template downloads entries every hour and evenly distributes each download over the hour among the assigned hosts. For example, if you assign 60 hosts to this template the software will download entries form a single and different server every minute. After 60 minutes the first server will be downloaded again.|
The Options Tab
- Optionally assign a Consolidation filter to dump entries you do not want saved to the Log Database. When assigned, only entries that pass the assigned consolidation filter are saved to the Log Database.
Use the Initial number of days to download to configure the initial download. Subsequent downloads always pull from the last saved entry forward.
If you have a heavily loaded domain controller you may need to limit the initial download of the Security Event Log to one day then build the database from that point on, otherwise you may receive a Quota Violation. You also have the option of specifying 0 days. When set to 0, Server Manager downloads the last hour of entries which should resolve any Quote Violation errors.
Use the Download in batches of option to minimize WMI results sizes. This option is yet another attempt to work around Quota Violation errors.
If you are unable to resolve Quota Violation errors using the hourly batch method increase the Windows host's WMI Quota. For more information see: WMI Properties.
- Use the Clear the remote Event Log after each download to clear the actual Event Log from managed hosts once the download is complete.
- Use the Log Entry Retention Policy drop-down to select the retention policy. The retention policy is another template that defines the number of days to retain in the Primary and Archive Log Databases, for example, archive entries older than 30 days and retain entries for 150 days for a total of 180 days. Assign multiple retention policies to remove entries that match filter criteria defined in each retention policy. For more information see: Log Entry Retention Policy Template
Using the Agent
Server Manager comes pre-installed with an Agent-Based Event Log Consolidation template that requests managed servers to upload their Application, Security and System Event Logs. You have the option of extending this template or creating your own.
How to Configure Agent-Based Event Log Consolidation
For more information see: Agent Server