In a Windows AD environment, we plan to employ an existing Sentinel Log
Manager instance for Windows event log collection. Sentinel plugins are
available for log collection via WMI and have been installed on our test
Log Manager instance. The Windows event collector architecture involves
a component called "Windows Event Collection Service", which is a service
installed on a Windows host that queries the event logs via WMI and
forwards them to Sentinel's connector plugin.

My question is thus:
- would I set up just one host running the Windows Event Collection
Service and let it query the event logs of other hosts via WMI remotely, or
- would I install the WECS on every host I want to collect logs from
and configure it to only get local events?

As apparently both configurations are possible, I would like to hear
what is "being done" in mid-sized AD environments. Are there limitations or
other specifics in manageability or searchability of events to consider
with either approach?
kind regards,

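The post describes the collector as a service that queries event logs "via WMI" and contrasts a single central collector with a per-host install. The following PowerShell script is an added example (not from the original post, nor part of Sentinel or its WECS component) showing what that WMI query looks like in both layouts: run with the default `-Targets localhost` it is the local-only variant, and run with a list of hostnames it is the central-collector variant pulling the same events over RPC/DCOM. It assumes Windows PowerShell 5.1 on a domain-joined host and an account that already holds remote WMI rights on the targets; the hostnames and the event IDs chosen are placeholders for illustration.

```powershell
# Added example: pull Security log events through WMI (Win32_NTLogEvent),
# either from the local host or from a list of remote hosts over DCOM.
# Assumptions (not from the original post): Windows PowerShell 5.1, an account
# with remote WMI/DCOM rights on the targets, placeholder hostnames.
param(
    [string[]]$Targets = @('localhost'),   # 'localhost' = per-host (local-only) layout
    [int]$MinutesBack = 15                 # how far back to query on each run
)

# WQL compares TimeGenerated against a DMTF-formatted datetime string.
$sinceDmtf = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime(
    (Get-Date).AddMinutes(-$MinutesBack))

# Events a defender typically forwards first: logon success/failure and
# audit-log clearing (IDs chosen for illustration).
$filter = "Logfile='Security' AND (EventCode=4624 OR EventCode=4625 OR EventCode=1102) " +
          "AND TimeGenerated>='$sinceDmtf'"

# DCOM is the same transport classic WMI collectors use (RPC 135 + dynamic ports).
$dcomOption = New-CimSessionOption -Protocol Dcom

$results = foreach ($h in $Targets) {
    try {
        $session = New-CimSession -ComputerName $h -SessionOption $dcomOption -ErrorAction Stop
        Get-CimInstance -CimSession $session -ClassName Win32_NTLogEvent -Filter $filter |
            Select-Object @{Name = 'SourceHost'; Expression = { $h }},
                          TimeGenerated, EventCode, User, Message
        Remove-CimSession -CimSession $session
    }
    catch {
        # In the central layout a host that cannot be reached over DCOM (firewall,
        # RPC denied, host down) is a silent coverage gap; surface it explicitly.
        Write-Warning ("Collection from {0} failed: {1}" -f $h, $_.Exception.Message)
    }
}

$results | Sort-Object TimeGenerated | Format-Table -AutoSize

# Usage (placeholders):
#   .\Collect-WmiEvents.ps1                          # local-only layout
#   .\Collect-WmiEvents.ps1 -Targets 'HOST1','HOST2' # one collector querying remote hosts
```

The script makes the trade-off in the question concrete: in the central layout the collector account's credentials and the DCOM/RPC port exposure extend to every target, and any unreachable host drops out of the feed without an event of its own, so the warnings above are what a central collector would need to monitor. In the per-host layout the query never leaves the machine, but each host then needs its own forwarding path to the Sentinel connector.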