Configuring Event Log Collection and Analytics - PAS ICS Integrity - 7.3 - Administration & Configuration - Intergraph

ICS Integrity Administration Guide


Integrity can collect Windows event log data from your PAS Recon assets. The fields on the Configure Windows Event Log Collection window in the Admin Utility allow you to configure this event log collection.

The PAS Recon asset model writes collected Windows event log files to a folder on the Integrity server or data collector. Integrity then processes those files and stores the Windows event log data in a database. This topic describes the Integrity configuration parameters for Windows event log collection. For more information about loading and configuring the PAS Recon asset model, see the PAS Recon Implementation Guide.

Integrity caches Windows event log data to provide better performance. This cached data is refreshed each hour. Therefore, it can take up to an hour for newly processed Windows event log data to be displayed in Integrity.

To configure event log collection:

  1. Follow the instructions in the PAS Recon Implementation Guide.

  2. In the Admin Utility, click the Windows Event Log link.

  3. If you have not created the database to store the collected Windows event log data, select the Estimated # of Computers to collect data from, and then click Create Database.

    The Create Database button is disabled if a database with the reserved name exists.

  4. Complete the following fields, and then click Save Collection.

    • Parent Path: Specify the folder where the Windows event log data files and folders should be stored. Integrity processes the files and folders stored in this location. If there are multiple levels of folders in the specified location, Integrity uses the folder structure to identify the assets and their associated event log data. If you choose to archive files, Integrity creates an Archive subfolder in this location and stores archived data in that folder.

    • Text Escape Characters: Specify the characters used to enclose values in the Windows event log files. The default is the double quote ("). These characters can enclose values that include commas or line breaks.

    • Process Security Event Details: Specify whether to extract security information from the Windows event log. Select this option for computers configured for non-English language regions.

    • Groom Files On Success: Specify whether to delete a file once the Windows event data is successfully written to the database.

    • Groom Data From Database: Specify whether to remove data from the database to limit database size. If you check this check box, you need to specify the number of months of data to keep.

    • Keep X months of data: Specifies the number of months of data to keep in the database. This field is available only if you checked the Groom Data From Database check box. For example, if it is March 9th and this field is set to 1, Integrity keeps the Windows event log data since March 1. If this field is set to 3, Integrity keeps the Windows event log data since January 1.

  5. If you want to archive event log data, complete the following steps:

    1. Check the Enable Daily Archive check box. Integrity creates an Archive subfolder in the Parent Path location. Each day, Integrity uses the specified Filter Criteria to select data to save as a CSV file. In the Archive folder, each data owner has its own folder and in its folder is a set of monthly .zip files. Each .zip file has the CSV files for that data owner and month.

    2. If you want to filter the type of events included in the archived data, specify the criteria in the Filter Criteria field. By default, all events are included in the archive. The format of the Filter Criteria field is a T-SQL WHERE clause. For more information about this field and example criteria, click the Filter Criteria Help link.

    3. Click Save Archive.

  6. Manually start the pasWindowsEventLog service on each Integrity server and data collector where Windows event logs are processed. For more information, see Defining Your Service Accounts.

You should also configure this service to start automatically on these computers.
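The following PowerShell script is an added example for checking the result of the procedure above on an Integrity server or data collector; it is not part of the PAS documentation or product. It assumes the service is named pasWindowsEventLog as stated above, that $ParentPath is the folder you entered in the Parent Path field (the value shown is a placeholder), and that $MonthsToKeep is your Keep X months of data value. The Get-GroomCutoffDate function reproduces the grooming rule described for that field (keep data from the first day of the month that is X - 1 months back) and checks it against the page's own March 9 / 3 months / January 1 example; the folder check treats files under the Parent Path but outside the Archive subfolder as a processing backlog, which is a heuristic of this example, not a product counter.

```powershell
# Added example: post-configuration checks for Windows event log collection.
# Run in an elevated PowerShell session on each server that processes event logs.
param(
    [string]$ParentPath   = 'D:\PASRecon\EventLogs',  # placeholder; use your configured Parent Path
    [int]   $MonthsToKeep = 3,                        # your "Keep X months of data" value
    [string]$ServiceName  = 'pasWindowsEventLog'      # service name as given in the procedure
)

function Get-GroomCutoffDate {
    # Grooming rule from the page: data is kept from the first day of the month
    # that is ($MonthsToKeep - 1) months before today. March 9 with 1 month
    # keeps from March 1; with 3 months keeps from January 1.
    param([datetime]$Today, [int]$MonthsToKeep)
    if ($MonthsToKeep -lt 1) { throw 'Keep X months of data must be at least 1' }
    $firstOfMonth = [datetime]::new($Today.Year, $Today.Month, 1)
    return $firstOfMonth.AddMonths(-($MonthsToKeep - 1))
}

function Test-CollectionFolders {
    # Confirms the Parent Path and its Archive subfolder exist and counts files
    # still waiting outside Archive (heuristic: with Groom Files On Success
    # enabled, a growing count suggests the collector is not processing them).
    param([string]$ParentPath)
    $archive = Join-Path $ParentPath 'Archive'
    $pending = 0
    if (Test-Path -LiteralPath $ParentPath -PathType Container) {
        $pending = @(Get-ChildItem -LiteralPath $ParentPath -File -Recurse |
                     Where-Object { $_.FullName -notlike "$archive\*" }).Count
    }
    [pscustomobject]@{
        ParentPathExists = Test-Path -LiteralPath $ParentPath -PathType Container
        ArchiveExists    = Test-Path -LiteralPath $archive -PathType Container
        PendingFiles     = $pending
    }
}

function Set-CollectorServiceAutomatic {
    # Step 6 plus the closing recommendation: start the service now and make
    # sure it starts automatically after a reboot.
    param([string]$ServiceName)
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    if ($svc.StartType -ne 'Automatic') {
        Set-Service -Name $ServiceName -StartupType Automatic
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name $ServiceName
    }
    Get-Service -Name $ServiceName | Select-Object Name, Status, StartType
}

# Sanity check of the grooming rule against the example given on the page.
$pageExample = Get-GroomCutoffDate -Today ([datetime]::new(2024, 3, 9)) -MonthsToKeep 3
if ($pageExample -ne [datetime]::new(2024, 1, 1)) {
    Write-Warning 'Grooming cutoff calculation does not match the documented example'
}

$cutoff = Get-GroomCutoffDate -Today (Get-Date) -MonthsToKeep $MonthsToKeep
Write-Host ("Groom Data From Database will keep event data since {0:yyyy-MM-dd}" -f $cutoff)

Test-CollectionFolders -ParentPath $ParentPath | Format-List
Set-CollectorServiceAutomatic -ServiceName $ServiceName
```

Run it once on every Integrity server and data collector listed in step 6; a missing Archive subfolder is expected until the first daily archive has run, but a missing Parent Path or a stopped service means collection is silently not happening, which matters because the cached data refresh described above can hide the gap for up to an hour.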