Configuring Event Log Collection and Analytics - Honeywell DOC4000 - 7.3 - Administration & Configuration - Intergraph

DOC4000 Administration Guide

Language: English | Product: Honeywell DOC4000 | Subproduct: Cyber | Category: Administration & Configuration | PAS Version: 7.3

DOC4000 can collect Windows event log data from your PAS Recon assets. The fields on the Configure Windows Event Log Collection window in the Admin Utility allow you to configure this event log collection.

The PAS Recon asset model writes collected Windows event log files to a folder on the DOC4000 server or data collector. DOC4000 then processes those files and stores the Windows event log data in a database. This topic describes the DOC4000 configuration parameters for Windows event log collection. For more information about loading and configuring the PAS Recon asset model, see the PAS Recon Implementation Guide.

DOC4000 caches Windows event log data to provide better performance. This cached data is refreshed each hour. Therefore, it can take up to an hour for newly processed Windows event log data to be displayed in DOC4000.

To configure event log collection:

  1. Follow the instructions in the PAS Recon Implementation Guide.

  2. In the Admin Utility, click the Windows Event Log link.

  3. If you have not created the database to store the collected Windows event log data, select the Estimated # of Computers to collect data from, and then click Create Database.

    The Create Database button is disabled if a database with the reserved name exists.

  4. Complete the following fields, and then click Save Collection.

    • Parent Path: Specify the folder where the Windows event log data files and folders should be stored. DOC4000 processes the files and folders stored in this location. If there are multiple levels of folders in the specified location, DOC4000 uses the folder structure to identify the assets and their associated event log data. If you choose to archive files, DOC4000 creates an Archive subfolder in this location and stores archived data in that folder.

    • Text Escape Characters: Specify the characters used to enclose values in the Windows event log files. The default is the double quote ("). These characters can enclose values that include commas or line breaks.

    • Process Security Event Details: Specify whether to extract security information from the Windows event log. Select this option for computers configured for non-English language regions.

    • Groom Files On Success: Specify whether to delete a file once the Windows event data is successfully written to the database.

    • Groom Data From Database: Specify whether to remove data from the database to limit database size. If you check this check box, you need to specify the number of months of data to keep.

    • Keep X months of data: Specifies the number of months of data to keep in the database. This field is available only if you checked the Groom Data From Database check box. For example, if it is March 9th and this field is set to 1, DOC4000 keeps the Windows event log data since March 1. If this field is set to 3, DOC4000 keeps the Windows event log data since January 1.

  5. If you want to archive event log data, complete the following steps:

    1. Check the Enable Daily Archive check box. DOC4000 creates an Archive subfolder in the Parent Path location. Each day, DOC4000 uses the specified Filter Criteria to select data to save as a CSV file. In the Archive folder, each data owner has its own folder, and that folder contains a set of monthly .zip files. Each .zip file holds the CSV files for that data owner and month.

    2. If you want to filter the type of events included in the archived data, specify the criteria in the Filter Criteria field. By default, all events are included in the archive. The format of the Filter Criteria field is a T-SQL WHERE clause. For more information about this field and example criteria, click the Filter Criteria Help link.

    3. Click Save Archive.

  6. Manually start the pasWindowsEventLog service on each DOC4000 server and data collector where Windows event logs are processed. For more information, see Defining Your Service Accounts.

You should also configure this service to start automatically on these computers.
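The retention rule behind the Keep X months of data field (data is kept from the first day of the oldest retained calendar month, counting the current month as one of the X months) is easy to misjudge when sizing the window against incident-investigation needs. The following Python model is an added example, not DOC4000 code: it reproduces the guide's March 9 cases, handles the year wrap, and applies the cutoff to a constructed set of event records.

```python
from datetime import date, datetime

# Constructed sample of processed event log rows (not real DOC4000 data).
# Each tuple is (event time, computer name, Windows event ID).
SAMPLE_EVENTS = [
    (datetime(2023, 12, 31, 23, 59), "HMI-01", 4624),
    (datetime(2024, 1, 1, 0, 0), "HMI-01", 4624),
    (datetime(2024, 2, 15, 8, 30), "ENG-02", 4625),
    (datetime(2024, 3, 1, 0, 0), "ENG-02", 4672),
    (datetime(2024, 3, 8, 12, 0), "HMI-01", 1102),
]


def retention_cutoff(today: date, keep_months: int) -> date:
    """First day of the oldest calendar month that is retained.

    Mirrors the guide's description: with keep_months=1 on March 9 the
    cutoff is March 1; with keep_months=3 it is January 1. The current,
    partial month counts as one of the X months.
    """
    if keep_months < 1:
        raise ValueError("keep_months must be at least 1")
    # Work in absolute month numbers so stepping back across a year
    # boundary needs no special case.
    index = today.year * 12 + (today.month - 1) - (keep_months - 1)
    return date(index // 12, index % 12 + 1, 1)


def groom(events, today: date, keep_months: int):
    """Split events into (kept, groomed) by the retention cutoff.

    Anything older than the cutoff would be deleted from the database,
    so 'groomed' is the evidence that is no longer available after grooming.
    """
    cutoff = retention_cutoff(today, keep_months)
    kept = [e for e in events if e[0].date() >= cutoff]
    groomed = [e for e in events if e[0].date() < cutoff]
    return kept, groomed


if __name__ == "__main__":
    for months in (1, 3):
        kept, groomed = groom(SAMPLE_EVENTS, date(2024, 3, 9), months)
        print(f"keep {months} month(s): cutoff {retention_cutoff(date(2024, 3, 9), months)}, "
              f"{len(kept)} kept, {len(groomed)} groomed")
```

Run it with a date in January to see that a 3-month window reaches back into the previous year rather than clamping at January 1.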