KBI 310245 Backup Event Log To Directory Before Archiving

Version

Argent Data Consolidator 8.0A-1101-A

Date

22 Jun 2011

Summary

When archiving or alerting on Windows Event Logs that roll over constantly (e.g. Security Logs), enable “Backup Event Log To Directory Before Archiving“.

This option archives the target server’s .EVT file to the local Argent Transfer Engine so the information can be consolidated without contending with active event log ‘rollover‘.

Technical Background

Many users will find that if their GPO enables Object Access auditing and sets the event log to “overwrite events as needed“, their Domain Controller Security Logs will soon roll over many times within an hour.

Depending on how often the Argent Data Consolidator is set to read the target event log, some events may already have been overwritten by the time the Argent Transfer Engine reads to the end of the log file.

Resolution

The option “Backup Event Log to Directory Before Archiving” is found within the Argent Data Consolidator (Data Security tab), Rules, Windows Event Logs.

This option uses the Argent Transfer Engine set in the relator (Basic tab) to connect to the target machines in the monitoring group the rule is run against.

The target server’s .EVT file is archived to the Argent Transfer Engine UNC path specified in the rule, named with the target server name, log type, and date/time stamp (e.g. Server2_security_21_JUN_2011_153022.evt).

Once the file has been successfully archived, the Argent Transfer Engine reads the file locally and archives/alerts on any relevant events specified in the Filter and/or Alert tabs of the rule.

NOTE:
Once successfully consolidated, the archived .EVT file is moved to the “COMPLETED” directory within the same Argent Transfer Engine UNC path.

To avoid filling the disk with .EVT files in “COMPLETED”, use the rule option “Purge Event Log After Successful Consolidation“.

This option does NOT affect the TARGET SERVER .EVT files. It ONLY purges the archived .EVT files under the UNC path of the Argent Transfer Engine to which they were saved.
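The backup, COMPLETED and purge steps above, reproduced as an added PowerShell example so the behaviour can be verified outside the product. This is not Argent’s code; it uses the WMI Win32_NTEventLogFile.BackupEventLog method in place of the Transfer Engine, and the server, share and log names (SERVER2, \\SERVER1\ARGENT_ARCHIVE, Security) are hypothetical.

```powershell
# Added example, not Argent's code: backup -> consolidate -> COMPLETED -> purge flow
# from the KB, using WMI instead of the Transfer Engine. Hypothetical names:
# target SERVER2, share \\SERVER1\ARGENT_ARCHIVE, log 'Security'.

function Backup-TargetEventLog {
    param(
        [Parameter(Mandatory=$true)][string]$TargetServer,
        [Parameter(Mandatory=$true)][string]$LogName,
        [Parameter(Mandatory=$true)][string]$ArchiveRoot
    )
    # File name pattern from the KB: Server2_security_21_JUN_2011_153022.evt
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $stamp   = (Get-Date).ToString('dd_MMM_yyyy_HHmmss', $culture).ToUpper()
    $dest    = Join-Path $ArchiveRoot ('{0}_{1}_{2}.evt' -f $TargetServer, $LogName.ToLower(), $stamp)

    # BackupEventLog executes ON the target server, so the account the target uses
    # (not only the Transfer Engine's service account) must be able to write to the share.
    $log = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $TargetServer `
               -Filter "LogFileName='$LogName'"
    if (-not $log) { throw "Log '$LogName' not found on $TargetServer" }

    # Documented return values: 0 = success, 8 = privilege missing,
    # 21 = invalid parameter, 183 = archive file already exists.
    $rc = $log.BackupEventLog($dest).ReturnValue
    if ($rc -ne 0) { throw "BackupEventLog($dest) on $TargetServer failed, return value $rc" }
    return $dest
}

function Complete-ArchivedEventLog {
    param([Parameter(Mandatory=$true)][string]$ArchivedFile)
    # Once the file has been consumed it is moved into COMPLETED under the same UNC root.
    $completed = Join-Path (Split-Path $ArchivedFile -Parent) 'COMPLETED'
    if (-not (Test-Path $completed)) { New-Item -ItemType Directory -Path $completed | Out-Null }
    Move-Item -Path $ArchivedFile -Destination $completed
    return (Join-Path $completed (Split-Path $ArchivedFile -Leaf))
}

function Clear-CompletedEventLogs {
    param([Parameter(Mandatory=$true)][string]$ArchiveRoot, [int]$KeepDays = 7)
    # Equivalent of "Purge Event Log After Successful Consolidation": only the archived
    # copies under the Transfer Engine's UNC path are deleted; the live logs on the
    # target server are never touched.
    $cutoff = (Get-Date).AddDays(-$KeepDays)
    Get-ChildItem -Path (Join-Path $ArchiveRoot 'COMPLETED') -Filter '*.evt' |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        Remove-Item -Force
}

# Usage with the hypothetical names above
$file = Backup-TargetEventLog -TargetServer 'SERVER2' -LogName 'Security' -ArchiveRoot '\\SERVER1\ARGENT_ARCHIVE'
# ... the Transfer Engine would read $file locally and archive/alert here ...
Complete-ArchivedEventLog -ArchivedFile $file
Clear-CompletedEventLogs -ArchiveRoot '\\SERVER1\ARGENT_ARCHIVE' -KeepDays 7
```

Note that on a W2008 target the backup is written in the newer event log format even though the file carries an .evt extension, which is the reason for the same-OS-version rule in the planning list.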

Things to keep in mind when planning to archive the .EVT file:

  1. The path MUST be a UNC path to a named share, not an administrative share
    1. WRONG: \\SERVER1\D$\ARGENT_ARCHIVE
    2. RIGHT: \\SERVER1\ARGENT_ARCHIVE
  2. The Argent Transfer Engine service account must be granted Read/Write permissions on the SHARE (and on the NTFS folder behind it). If you are using a remote Transfer Engine in a different domain or DMZ, be sure the Argent service accounts for that domain, the DMZ, and the Main Engine all have access to save to the share.
  3. Be sure the Transfer Engine to which you are saving the archived .EVT runs the same OS version as the target server.
    1. If archiving W2003 event logs, use a W2003 or XP Transfer Engine.
    2. W2008 will error when attempting to read W2003 .EVT files.
  4. When setting up the Transfer Engine archive properties, DIRECT ARCHIVE to the SQL database whenever possible.
    1. Within ADMINISTRATION, Transfer Engines, DATABASE tab at the bottom, there are three options for archiving events; the SQL Archiving Option is optimal.
    2. Use “Database Engine” only when saving from a remote location (DMZ, separate domain or site, etc.).
  5. Ensure the target SQL database your remote Transfer Engine saves to has both TCP/IP and Named Pipes ENABLED in the SQL Server network configuration. Otherwise, no data will be archived.
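Pre-flight checks for points 1, 2, 3 and 5 above, as an added PowerShell example to run on the Transfer Engine under its service account before enabling the rule. This is not Argent’s code. The share, target and SQL host names (\\SERVER1\ARGENT_ARCHIVE, SERVER2, SQL01) are hypothetical, and the SQL Server WMI namespace is assumed to be the SQL Server 2008 one (ComputerManagement10).

```powershell
# Added example, not Argent's code: checks the planning points before the rule runs.
# Hypothetical names: share \\SERVER1\ARGENT_ARCHIVE, target SERVER2, SQL host SQL01.

function Test-ArchiveSharePath {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Must be a UNC path to a named share; \\SERVER1\D$\... is an administrative share.
    if ($Path -notmatch '^\\\\[^\\]+\\[^\\]+') { Write-Warning "Not a UNC path: $Path"; return $false }
    $share = ($Path -split '\\')[3]          # '', '', 'SERVER1', 'ARGENT_ARCHIVE', ...
    if ($share -match '\$$') { Write-Warning "Administrative share not allowed: $Path"; return $false }
    return $true
}

function Test-ShareWritable {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Read/Write on the share (and the NTFS folder behind it) for the service account:
    # prove it by writing and deleting a probe file as the current account.
    $probe = Join-Path $Path ('argent_probe_{0}.tmp' -f [guid]::NewGuid().ToString('N'))
    try {
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "Cannot write to $Path as $env:USERDOMAIN\$env:USERNAME : $_"
        return $false
    }
}

function Test-SameOsFamily {
    param([Parameter(Mandatory=$true)][string]$TargetServer)
    # W2003 and XP are version 5.x; W2008 is 6.x. A 6.x Transfer Engine cannot read a 5.x .EVT.
    $local  = (Get-WmiObject Win32_OperatingSystem).Version
    $remote = (Get-WmiObject Win32_OperatingSystem -ComputerName $TargetServer).Version
    $same = ($local.Split('.')[0] -eq $remote.Split('.')[0])
    if (-not $same) { Write-Warning "OS family mismatch: Transfer Engine $local, $TargetServer $remote" }
    return $same
}

function Test-SqlNetworkProtocols {
    param(
        [Parameter(Mandatory=$true)][string]$SqlHost,
        [string]$Instance  = 'MSSQLSERVER',
        # Assumed SQL Server 2008 provider namespace; SQL 2005 uses ...\ComputerManagement
        [string]$Namespace = 'root\Microsoft\SqlServer\ComputerManagement10'
    )
    # Both TCP/IP ('Tcp') and Named Pipes ('Np') must be enabled or nothing is archived.
    $protocols = Get-WmiObject -ComputerName $SqlHost -Namespace $Namespace `
                     -Class ServerNetworkProtocol -Filter "InstanceName='$Instance'"
    $ok = $true
    foreach ($name in 'Tcp', 'Np') {
        $p = $protocols | Where-Object { $_.ProtocolName -eq $name }
        if (-not $p -or -not $p.Enabled) { Write-Warning "$name is not enabled on $SqlHost\$Instance"; $ok = $false }
    }
    return $ok
}

$share = '\\SERVER1\ARGENT_ARCHIVE'
$ready = (Test-ArchiveSharePath $share) -and (Test-ShareWritable $share) -and
         (Test-SameOsFamily 'SERVER2') -and (Test-SqlNetworkProtocols 'SQL01')
"Ready to archive: $ready"
```

Run it once as the Transfer Engine service account on each Transfer Engine (Main Engine, DMZ, separate domain) that will save to the share; a write probe that succeeds for an interactive administrator proves nothing about the service account.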