CONSOLEWORKS WINDOWS EVENT FORWARDER
START-UP GUIDE
BEFORE YOU BEGIN
This document assumes some things:
• You are using ConsoleWorks 4.6 or later (required), it’s currently running, and a browser displaying the ConsoleWorks GUI is open in front of you.
• You want to use the secure ConsoleWorks Windows Event Forwarder (WEF) on a Microsoft® Windows® Vista, Windows 7, Windows Server® 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 system (required).
• You have administrative access to the target Windows system (required).
• An SSL certificate is installed on the ConsoleWorks server (required). For instructions on generating and installing a certificate, see the installation guide for your site's operating system. Installation guides are available from the Help Central page in ConsoleWorks.
• You have installed the Microsoft Windows Intelligent Event Module (IEM). This IEM helps jump-start your monitoring of and responding to Windows events. It is not required, though, especially if you are forwarding log files (from an application or database, say) rather than Event logs. For more information about the IEM, including installation and operating instructions, refer to the ConsoleWorks Help.
To access ConsoleWorks Help, press the F1 key or click the question mark on the title bar, which is near the top-right corner of the ConsoleWorks window.
PREVIEW
Configuring the WEF for use with ConsoleWorks involves the following steps:
1. Download the WEF (see “Step 1: Download the WEF” on page 2).
2. Install the WEF (see “Step 2: Install the WEF” on page 2).
3. Configure the WEF (see “Step 3: Configure the WEF” on page 3).
4. Start the WEF (see “Step 4: Start the ConsoleWorks WEF Server Service” on page 5).
5. Create a WEF Console (see “Step 5: Add a Windows Event Forwarder Console” on page 7).
STEP 1: DOWNLOAD THE WEF
1. In ConsoleWorks, on the main menu, click TOOLS > Windows Event Forwarder.
The Windows Event Forwarder page appears.
2. Click the link for downloading the WEF that corresponds to your target Windows platform.
3. When prompted to Run or Save the file, choose to run it. In fact, for any messages or prompts that appear, choose the response that confirms that you want to run the WEF.
The ConsoleWorks Windows Event Forwarder installation wizard appears.
4. Install the WEF.
STEP 2: INSTALL THE WEF
1. On the ConsoleWorks Windows Event Forwarder installation wizard, follow the prompts and answer the questions.
Note
Microsoft® .NET Framework 4.0 Full is required for WEF operations. If prompted, please install .NET.
2. On the wizard’s Setup Type page, choose one of the following options:
• To install the WEF in the default directory, click Next.
• To install the WEF in a directory different from the default, select Custom, click Next, click Change, and then specify the directory.
3. On the Ready to Install the Program page, click Install.
The WEF installs.
4. To configure the WEF (that is, add the path from the WEF to the ConsoleWorks server) on the target systems, on the Installation Completed page, select the Launch the configuration program check box, and then click Finish.
Tip
If the WEF installation wizard closes without launching the ConsoleWorks WEF Configuration box, click the Start icon on the target Windows system, and then search for WEF.
5. Configure the WEF.
STEP 3: CONFIGURE THE WEF
On the ConsoleWorks WEF Configuration box, configure the WEF by completing one or more of the following tasks:
Tip
Ensure that the ConsoleWorks WEF Service status displays Stopped. If it does not, click Stop.
• Choose when and how the WEF starts.
• Enable or stop confirmation that messages arrived when expected.
• Create or modify the Shared Secret used to establish a secure connection between the WEF and the ConsoleWorks server.
• Add, edit, or remove host or port data.
• Accept defaults and/or changes: Click OK.
• Click Start.
• You might need to reopen the ConsoleWorks WEF Configuration box first.
To specify when and how the WEF starts
1. On the ConsoleWorks WEF Service Startup drop-down list, select one of the following settings:
• Automatic — The WEF starts automatically when the target system starts (or restarts).
• Manual — The WEF requires an operator to start it (see “Step 4: Start the ConsoleWorks WEF Server Service” on page 5).
To confirm that messages arrived when expected
You can have the WEF check whether the connection request that arrived from ConsoleWorks (supposedly) is within the specified time-frame—and thus is more likely legitimate—by completing the following steps:
1. On the ConsoleWorks WEF Configuration box, select the Verify time stamp check box (or accept the default).
2. Specify the interval that the time stamp can be behind or ahead of current WEF time.
• Interval can be 1 to 44640 minutes (31 days).
• WEF time is the server time on the machine that houses the WEF.
3. Click OK or complete another task.
Tip
To not be alerted that connection requests took too long, clear the Verify time stamp check box, and click OK.
To create a Shared Secret
1. On the ConsoleWorks WEF Configuration box, in the Shared Secret box, enter the text string that the WEF and the ConsoleWorks server use to verify each other's identity.
This string contains:
• Maximum of 44 characters
• English letters and numbers
• Hyphens and underscores
• No spaces or non-printing characters
Tip
Remember or copy the Shared Secret. You have to use it later when you configure a WEF Console (see “Step 5: Add a Windows Event Forwarder Console” on page 7).
2. Click OK or complete another task.
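A Shared Secret that satisfies the rules above can be generated rather than typed by hand. The following PowerShell is an added example, not part of the ConsoleWorks product or the original guide; the function names New-WefSharedSecret and Test-WefSharedSecret are hypothetical, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: the character rules are taken from this guide;
# the function and variable names are hypothetical.
# Allowed symbols: English letters, numbers, hyphen, underscore (64 in total).
$WefSecretAlphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'

function New-WefSharedSecret {
    param([ValidateRange(1, 44)][int]$Length = 44)

    # Draw the random bytes from the operating system's cryptographic RNG.
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }

    # The alphabet has exactly 64 symbols, so keeping the low 6 bits of
    # each byte selects every symbol with equal probability.
    $chars = foreach ($b in $bytes) { $WefSecretAlphabet[$b -band 63] }
    -join $chars
}

function Test-WefSharedSecret {
    param([Parameter(Mandatory = $true)][string]$Secret)

    # -cmatch is case-sensitive; \A and \z anchor the whole string, so a
    # trailing newline, a space, or a 45th character makes the test fail.
    $Secret -cmatch '\A[A-Za-z0-9_-]{1,44}\z'
}

# Generate a maximum-length secret and confirm it passes the guide's rules
# before entering it in the WEF Configuration box and on the WEF Console.
$secret = New-WefSharedSecret
if (-not (Test-WefSharedSecret -Secret $secret)) {
    throw 'Generated secret does not meet the Shared Secret rules.'
}
$secret
```

Test-WefSharedSecret can also be run against a secret chosen by hand to catch a stray space or an unsupported character before it is entered on both sides.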
Manage the hosts and ports that the WEF monitors
2. Either accept the default values (recommended) and click OK, or go to Step 3.
3. To add a host or port, or to change the current configuration, click Add.
The Add Listening Address and Port box appears.
4. Add or edit the address or port. Port is required.
• 0.0.0.0 = listen to every IPv4 address
• 5178 = default port
• This port must match the Windows Event Forwarder Console's port (see “Step 5: Add a Windows Event Forwarder Console” on page 7). That port’s default value is 5178.
• The port here cannot match the port (usually 5177) displayed in the Server Communication (WEF) section on the ADMIN: Server Management: Configuration page in ConsoleWorks.
• To have the WEF listen on a specific address—and not any others (a typical configuration for multiple-NIC servers)—select Custom Address, and enter the host name and port of that address. Host name and port are required.
5. Click Add.
The ConsoleWorks WEF Configuration box appears, displaying the changes.
Tip
To remove a host name and port, select the configuration of interest and click Delete.
STEP 4: START THE CONSOLEWORKS WEF SERVER SERVICE
Start the WEF by completing one of the following tasks:
• Start the WEF from the ConsoleWorks WEF Configuration box.
• Start the WEF from the Windows Start menu.
• Start the WEF from the Windows Services window.
To start the WEF from the ConsoleWorks WEF Configuration box
To start the WEF from the Windows Start menu
1. On the Windows taskbar, click the Start icon, and then, on the Windows Start menu, click ConsoleWorks WEF.
The ConsoleWorks WEF Configuration box appears.
2. If the message, ConsoleWorks WEF Service: Running, does not appear, click Start.
The ConsoleWorks WEF Service starts.
Tip
If ConsoleWorks WEF does not appear on the Windows Start menu, enter WEF in the search box, and click ConsoleWorks WEF in the results list.
To start the WEF from the Windows Services window
1. On the Windows taskbar, click the Start icon, and then click Control Panel > Administrative Tools > Services.
The Services window appears.
2. In the Name column, right-click ConsoleWorks WEF Server and click Start.
The ConsoleWorks WEF Service starts.
Automating WEF Starts
To have the WEF start when the target system starts (or restarts), complete one of the following tasks:
To automate WEF starts from the ConsoleWorks WEF Configuration box
1. Open the ConsoleWorks WEF Configuration box, if not already open.
2. On the ConsoleWorks WEF Service Startup drop-down list, select Automatic.
3. Click OK.
4. Restart the WEF.
To automate WEF starts from the Windows Services window
1. If the Services window is already open, go to Step 2; otherwise, on the Windows taskbar, click the Start icon, and then click Control Panel > Administrative Tools > Services.
The Services window appears.
2. In the Name column, right-click ConsoleWorks WEF Server and click Properties.
The ConsoleWorks WEF Server Properties box appears.
3. On the General tab, on the Startup type drop-down list, click Automatic (Delayed Start).
4. Click OK.
5. Close the Services window.
STEP 5: ADD A WINDOWS EVENT FORWARDER CONSOLE
1. In ConsoleWorks, on the main menu, click CONSOLES > Add.
The CONSOLES: Add page appears.
2. Configure a Console with a Windows Event Forwarder connector type.
Tip
For more detailed information about creating and configuring a WEF Console, see the Help.
a. Name the Console.
b. On the Connector drop-down list, click Windows Event Forwarder.
c. In the Connection Details section, complete the following tasks:
• In the Host IP box, type the IP address or DNS name of the target of the connection.
• In the Port box, either accept the default value of 5178 (recommended) or type the port number of the target of the connection. This value must match the port value for the WEF (see “Step 3: Configure the WEF” on page 3).
• In the Retype Shared Secret box, enter the shared secret again.
• Click Save.
• Click Configure WEF.
The WEF Configuration box opens.
• Click the Event Logs tab and specify the Event logs you want monitored.
• Click the Files tab and specify the Log files you want monitored.
• Click OK.
The selected files appear in the corresponding Event Log or Directory/Log File box on the connector's Edit page.
Note
Depending on the amount of data requested, a new WEF might take a few minutes to gather and forward the requested logs and files. The files begin forwarding from the end of the file at the time you clicked OK.
IS IT WORKING?
When you have set up the WEF correctly, you can observe the following things:
• The View Consoles page displays a Windows Event Forwarder Console. The Console’s status should be NORMAL.
• Other possible statuses:
• STARTING COMMUNICATION - Should only appear briefly. If this status stays, then look in the WEF logs for the reason.
• GETTING LOGS - ConsoleWorks is receiving the logs and readying them for display. Please be patient.
• The Windows Event Forwarder Console’s Edit page displays the selected Event Logs and Log Files with a status of Forwarding.
• Other possible statuses:
• Adding - The item will be added but has not yet been sent to the WEF server.
• Requested - The item has been sent to the WEF server but the WEF server has not yet responded.
• Forwarding - The item has been sent to the WEF server and the WEF server responded that it will forward that item.
• Stopped - The item is not being forwarded by the WEF server. The Console might be disabled, the WEF server might not be running, or the WEF server cannot send the item requested.
• If Events have been loaded from the Microsoft Windows IEM or have been
• The Log Data page displays the Event Log’s data.
WHAT IF IT ISN’T WORKING?
• Review the ConsoleWorks WEF Configuration box.
• Ensure that the message ConsoleWorks WEF Service: Running appears. If not, then click Start.
• If Start is not available, complete the following step.
• Ensure that the ConsoleWorks WEF Service Startup drop-down list displays Automatic or Manual.
• If it does not, select one of those choices, click OK, reopen the ConsoleWorks WEF Configuration box, if necessary, and then click Start.
• Review the View Consoles page for the status of the Windows Event Forwarder Console. The Console’s status should be NORMAL.
• If it is not, then remediate the issue.
• Contact TDi Support
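The service and port checks in this guide can also be run from a PowerShell prompt on the target Windows system. The following is an added example, not part of the ConsoleWorks product or the original guide; the function name Test-WefListener and its output shape are hypothetical, it assumes Windows PowerShell 3.0 or later, and the display name and port numbers are the ones this guide gives.

```powershell
# Added example: display name and default ports come from this guide;
# the function name and the output object are hypothetical.
function Test-WefListener {
    param(
        [string]$DisplayName = 'ConsoleWorks WEF Server',
        [ValidateRange(1, 65535)][int]$WefPort = 5178,
        [ValidateRange(1, 65535)][int]$ServerCommPort = 5177
    )

    $findings = @()

    # The WEF listening port cannot match the Server Communication (WEF) port.
    if ($WefPort -eq $ServerCommPort) {
        $findings += "WEF port $WefPort matches the Server Communication (WEF) port."
    }

    # Look the service up by the name shown in the Services window.
    $status = $null
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings += "Service '$DisplayName' was not found."
    } else {
        $status = $svc.Status
        if ($status -ne 'Running') {
            $findings += "Service '$DisplayName' is $status, not Running."
        }
    }

    # List the local TCP endpoints listening on the WEF port. This shows the
    # bound address (0.0.0.0 or a specific NIC) but not the owning process.
    $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $bound = @($ipProps.GetActiveTcpListeners() | Where-Object { $_.Port -eq $WefPort })
    if ($bound.Count -eq 0) {
        $findings += "Nothing is listening on TCP port $WefPort."
    }

    [pscustomobject]@{
        ServiceStatus = $status
        Listeners     = @($bound | ForEach-Object { $_.ToString() })
        Findings      = $findings
    }
}

Test-WefListener | Format-List
```

An empty Findings list with a listener on the expected address means the WEF side is ready; pass -WefPort if the port was changed from the default in Step 3.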