
WINDOWS 7 COLLECTOR SSIM

Created: 19 Aug 2012 • Updated: 02 Oct 2012 | 15 comments
sviridov wrote:
This issue has been solved. See the solution.

when there will be official support?


Laurent_c wrote:

Do you mean supporting collection from a Windows 7 machine? (If so, this is included in the WinRM collector for Windows Vista/7/Win2k8.)

OR installing an Agent and Collector on a Windows 7 machine ?

sviridov wrote:

With the help of what collector can I collect logs from Windows 7 (if the agent is installed on Windows 2003)?

All my posts are made by google translator!

KathyV wrote:

You can use Windows Vista collector to collect logs from Windows 7 machine. Make sure the WinRM is configured properly and the collection box and Windows 7 machine have to be in the same domain.

sviridov wrote:

I did not succeed in using the Windows Vista collector:

if you use the collector "Microsoft_Windows_Event_Collector_4.3.30_AllWin_EN", there is no description of the events

All my posts are made by google translator!

Laurent_c wrote:

The Microsoft Windows collector 4.3 is to collect events from Windows 2003 or earlier.

It is recommended to use the:

Microsoft Windows Vista & Microsoft Windows Server 2008 Event Collector v4.4.x

As previously said, the requirement is to use WinRM.

Laurent

Avkash K wrote:

Hi,

Refer to the links below, which will help you configure the Windows Vista collector for log collection from Windows 2008 as well as Windows 7.

Windows 2008 & 2008 R2 SSIM Integration Consolidated - (Graphical).:

https://www-secure.symantec.com/connect/articles/windows-2008-2008-r2-ssim-integration-consolidated-graphical

Installation & Troubleshooting Articles for Windows 2008 vista collector - SSIM:

https://www-secure.symantec.com/connect/articles/installation-troubleshooting-articles-windows-2008-vista-collector-ssim

Regards,

Avkash K

sviridov wrote:

I have a PC with Windows 7 (not in a domain), the agent is installed on it.

All done as in the first article:

1. firewall is off:

2. Add user ssimtest01 id and NT Authority\Network Service into members of “Event Log Readers” group:

3. winrm get winrm/config:

4. winrm enumerate winrm/config/Listener

Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.168.12.203, ::1, fe80::5efe:192.168.12.203%12

5. wevtutil gl security

C:\Windows\system32>wevtutil gl security
name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)(A;;0x1;;;NS)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1

6. SSIM Sensor Configuration for OFF BOX Collection

error in the logs:

ERROR    2012-09-21 11:46:50,888    Collectors.3301.wGroup.[workinggroup0].Sensor.[armwin7]    Thread-16    Subscription error. Details: java.io.IOException: Unauthorized access. Status: 401. It is possible you provided incorrect Kerberos configuration.
ERROR    2012-09-21 11:46:50,888    Collectors.3301.wGroup.[workinggroup0].SensorThread    Thread-16    [Sensor: armwin7]    Sensor thread failed to open device. Trying to reopen...
 

All my posts are made by google translator!

Laurent_c wrote:

Hi,

your Kerberos settings are:

Basic = False

Kerberos =True

If, as you say, the machine is in a workgroup, you need to change this.

You need:

Basic = True

Kerberos = False

Solution
sviridov wrote:

Can I install the Microsoft_Vista_and_Win_2008_Svr_v4.4.11 Collector on a Windows 2003 computer to remotely collect logs from Windows 7?
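The two checks the thread turns on, the WinRM listener from sviridov's step 4 and the Basic/Kerberos auth mode from Laurent_c's reply, can be verified from the text that `winrm get winrm/config` and `winrm enumerate winrm/config/Listener` print. The script below is an added example, not part of the thread or of Symantec's collector: it parses that indented listing into nested dicts and reports whether the Service/Auth block matches the host's membership (Kerberos for a domain-joined host, Basic for a workgroup host). Both samples are constructed; the listener one mirrors the output sviridov posted.

```python
"""Check WinRM settings against the thread's guidance.

Added example; not part of the original thread or of Symantec's collector.
It parses the indented listings printed by `winrm get winrm/config` and
`winrm enumerate winrm/config/Listener` (both samples below are constructed)
and reports whether Service/Auth matches the host's membership: Kerberos
for a domain-joined host, Basic for a workgroup host, as Laurent_c states.
"""

# Constructed sample: a workgroup host still on the defaults (Kerberos on,
# Basic off). Only the keys this check looks at need to be present.
SAMPLE_CONFIG = """\
Config
    MaxEnvelopeSizekb = 150
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
"""

SAMPLE_LISTENER = """\
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.168.12.203, ::1
"""


def parse_winrm_output(text):
    """Turn winrm's indented 'key = value' listing into nested dicts.

    Indentation (4 spaces per level) defines nesting. A line without '='
    opens a section; when nothing deeper follows it (e.g. 'Hostname',
    'CertificateThumbprint') it simply stays an empty dict.
    """
    root = {}
    stack = [(-1, root)]              # (indent, container) pairs
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        while stack[-1][0] >= indent:   # climb back out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        if "=" in line:
            key, _, value = line.strip().partition("=")
            parent[key.strip()] = value.strip()
        else:
            child = {}
            parent[line.strip()] = child
            stack.append((indent, child))
    return root


def winrm_value(tree, *path):
    """Walk nested keys; return None if any step is missing."""
    node = tree
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def check_auth(config_text, domain_joined):
    """Return findings for Service/Auth; an empty list means it matches."""
    auth = winrm_value(parse_winrm_output(config_text),
                       "Config", "Service", "Auth") or {}
    basic = str(auth.get("Basic", "")).lower() == "true"
    kerberos = str(auth.get("Kerberos", "")).lower() == "true"
    findings = []
    if domain_joined and not kerberos:
        findings.append("domain host: Service/Auth Kerberos should be true")
    if not domain_joined and not basic:
        findings.append("workgroup host: Service/Auth Basic must be true "
                        "(no domain controller to issue Kerberos tickets)")
    if not domain_joined and kerberos:
        findings.append("workgroup host: Service/Auth Kerberos should be false")
    return findings


def check_listener(listener_text, port=5985):
    """True when an enabled HTTP listener exists on the expected port."""
    lst = winrm_value(parse_winrm_output(listener_text), "Listener") or {}
    return (str(lst.get("Enabled", "")).lower() == "true"
            and lst.get("Transport") == "HTTP"
            and lst.get("Port") == str(port))


if __name__ == "__main__":
    for finding in check_auth(SAMPLE_CONFIG, domain_joined=False):
        print("finding:", finding)
    print("listener ok:", check_listener(SAMPLE_LISTENER))
```

Feed it the real output by saving `winrm get winrm/config > config.txt` on the monitored host and passing the file contents to `check_auth`. One point worth keeping in mind when following the workgroup advice: Basic authentication on the HTTP listener carries the account password base64-encoded only, so the collector-to-host path should be a trusted segment or moved to the HTTPS listener (port 5986 in the DefaultPorts block).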

All my posts are made by google translator!

olaf wrote:

Yes, that should work and is supported.

sviridov wrote:

I installed the collector on windows 2003 server:

in file msvista.log the following error:

ERROR 2012-10-02 10:52:54,898 Collectors.3301.wGroup.[workinggroup0].SensorThread Thread-1540 [Sensor: 2003-armwin7_2] Number of authentication errors in sensor exceeded maximum specified for this collector.
INFO 2012-10-02 10:52:54,898 Collectors.3301.wGroup.[workinggroup0].SensorThread Thread-1540 [Sensor: 2003-armwin7_2] >>> Close sensor thread...
 

All my posts are made by google translator!
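Both error excerpts sviridov posted (the 401 "Unauthorized access" in the first attempt and the "authentication errors exceeded" in the Windows 2003 attempt) share the msvista.log layout of level, timestamp, logger, thread and message. The script below is an added example, not Symantec's code: it parses those lines, pulls the sensor name from either the logger or the `[Sensor: ...]` prefix, and maps each message to the check the thread eventually needed. The sample lines are the ones quoted above.

```python
"""Triage collector log lines of the kind quoted in this thread.

Added example; not Symantec's code. The sample lines below are the ones
sviridov posted (msvista.log format: LEVEL, timestamp, logger, thread,
message). The parser pulls the sensor name out of either the logger
('...Sensor.[name]') or the message prefix ('[Sensor: name]'), then a small
rule table maps the message to a category and the check the thread ended
up needing (auth mode, account name, retry/stop state).
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
ERROR    2012-09-21 11:46:50,888    Collectors.3301.wGroup.[workinggroup0].Sensor.[armwin7]    Thread-16    Subscription error. Details: java.io.IOException: Unauthorized access. Status: 401. It is possible you provided incorrect Kerberos configuration.
ERROR    2012-09-21 11:46:50,888    Collectors.3301.wGroup.[workinggroup0].SensorThread    Thread-16    [Sensor: armwin7]    Sensor thread failed to open device. Trying to reopen...
ERROR 2012-10-02 10:52:54,898 Collectors.3301.wGroup.[workinggroup0].SensorThread Thread-1540 [Sensor: 2003-armwin7_2] Number of authentication errors in sensor exceeded maximum specified for this collector.
INFO 2012-10-02 10:52:54,898 Collectors.3301.wGroup.[workinggroup0].SensorThread Thread-1540 [Sensor: 2003-armwin7_2] >>> Close sensor thread...
"""

LINE_RE = re.compile(
    r"^(?P<level>[A-Z]+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<logger>\S+)\s+"
    r"(?P<thread>Thread-\d+)\s+"
    r"(?P<msg>.*)$"
)
SENSOR_IN_LOGGER = re.compile(r"\.Sensor\.\[([^\]]+)\]")
SENSOR_IN_MSG = re.compile(r"^\[Sensor: ([^\]]+)\]\s*")

# (pattern, category, what to check) - first match wins
RULES = [
    (re.compile(r"Status: 401"), "auth",
     "WinRM refused the credentials: match Basic/Kerberos to the host's domain membership"),
    (re.compile(r"Number of authentication errors .* exceeded"), "auth",
     "repeated credential failures: verify the monitored host account name and password"),
    (re.compile(r"failed to open device"), "retry",
     "collector is retrying the sensor; fix the cause above"),
    (re.compile(r"Close sensor thread"), "stopped",
     "sensor gave up; restart the sensor after fixing authentication"),
]


def parse_line(line):
    """Return a dict with level/ts/logger/thread/msg/sensor, or None if not a log line."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    sensor = None
    in_logger = SENSOR_IN_LOGGER.search(rec["logger"])
    if in_logger:
        sensor = in_logger.group(1)
    in_msg = SENSOR_IN_MSG.match(rec["msg"])
    if in_msg:
        sensor = in_msg.group(1)
        rec["msg"] = rec["msg"][in_msg.end():]
    rec["sensor"] = sensor
    return rec


def classify(msg):
    """Map a message to (category, hint); ('other', '') when no rule matches."""
    for pattern, category, hint in RULES:
        if pattern.search(msg):
            return category, hint
    return "other", ""


def triage(log_text):
    """Return {sensor: [(category, hint), ...]} in log order, skipping 'other'."""
    per_sensor = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        category, hint = classify(rec["msg"])
        if category != "other":
            per_sensor[rec["sensor"]].append((category, hint))
    return dict(per_sensor)


if __name__ == "__main__":
    for sensor, findings in triage(SAMPLE_LOG).items():
        for category, hint in findings:
            print(f"{sensor}: [{category}] {hint}")
```

Run it over a whole msvista.log (`triage(open(path).read())`) to see per sensor whether a failure is still a retry loop or has reached the "Close sensor thread" state, which needs a sensor restart after the credential fix.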

olaf wrote:

Are you sure about the Monitored Host Account Name?

In last screenshot it is ssimtwst01, in earlier screenshot it is ssimtest01.

sviridov wrote:
Oops, thanks.
The new errors are in the attachment.
Attachment: msvista.zip (2.05 KB)

All my posts are made by google translator!

olaf wrote:

Can you try the following?

Add a switch to the ses_work.properties to force the collector to see System Encoding as UTF-8.

The switch is -Dfile.encoding\=UTF-8 and you add it to the end of the System.AgentParams line.

For example:

System.AgentParams=-server -XX\:NewRatio\=3 -Xmx512m -Dnetworkaddress.cache.ttl\=300  -Dfile.encoding\=UTF-8
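The edit olaf describes is a one-line change to a Java .properties file, where `=` and `:` inside a value are backslash-escaped (hence `-Dfile.encoding\=UTF-8` rather than a bare `=`). The script below is an added example, not Symantec's code: it appends the switch to `System.AgentParams` exactly once, leaves every other line alone, and decodes the escaping so the resulting JVM arguments can be read back and checked. The properties text is a constructed sample with only the lines that matter.

```python
"""Add the -Dfile.encoding=UTF-8 switch to System.AgentParams.

Added example, not Symantec's code. It edits the line in ses_work.properties
the way olaf's reply shows. Java .properties files escape '=' and ':' inside
values with a backslash, so the switch is stored as -Dfile.encoding\\=UTF-8
(the backslash is literal in the file). The edit is idempotent: a second
run reports no change, and every other line is left untouched.
"""
import re
from pathlib import Path

KEY = "System.AgentParams"
ENCODING_SWITCH = r"-Dfile.encoding\=UTF-8"    # escaped form, as stored on disk

# Constructed sample of the relevant lines; a real file carries many more keys.
SAMPLE_PROPERTIES = (
    "# SES collector runtime settings (constructed sample)\n"
    "System.AgentParams=-server -XX\\:NewRatio\\=3 -Xmx512m -Dnetworkaddress.cache.ttl\\=300\n"
    "System.SomethingElse=unchanged\n"
)


def unescape_property_value(raw):
    """Undo .properties escaping of '=', ':' and '\\' so tokens read naturally."""
    return re.sub(r"\\([=:\\])", r"\1", raw)


def add_agent_param(text, switch=ENCODING_SWITCH, key=KEY):
    """Return (new_text, changed). Appends `switch` to the key's value once."""
    out, changed, found = [], False, False
    for line in text.splitlines(keepends=True):
        if not found and line.lstrip().startswith(key + "="):
            found = True
            head, _, value = line.partition("=")      # key never contains '='
            body = value.rstrip("\r\n")
            newline = value[len(body):]
            if switch not in body.split():            # already present: no-op
                body = body.rstrip() + " " + switch
                changed = True
            line = head + "=" + body + newline
        out.append(line)
    if not found:                                     # key missing entirely
        out.append(key + "=" + switch + "\n")
        changed = True
    return "".join(out), changed


def agent_params(text, key=KEY):
    """Return the JVM switches currently configured for `key`, unescaped."""
    for line in text.splitlines():
        if line.lstrip().startswith(key + "="):
            return unescape_property_value(line.split("=", 1)[1]).split()
    return []


def apply_to_file(path):
    """Rewrite `path` in place; return True if the file was modified."""
    p = Path(path)
    new_text, changed = add_agent_param(p.read_text(encoding="utf-8"))
    if changed:
        p.write_text(new_text, encoding="utf-8")
    return changed


if __name__ == "__main__":
    updated, changed = add_agent_param(SAMPLE_PROPERTIES)
    print("changed:", changed)
    print(agent_params(updated))
```

Take a copy of ses_work.properties before calling `apply_to_file` on it, and restart the collector afterwards; `agent_params` on the saved file is a quick way to confirm the switch landed on the right line rather than on a second `System.AgentParams` entry.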

sviridov wrote:

Yes, it works!!!!

Could it affect the performance of other collectors?

All my posts are made by google translator!