Unable to collect events from remote logfiles with Logfile Sensors

Article ID: 177431

Products

Security Information Manager

Issue/Introduction

Unable to collect events from remote logfiles with Logfile Sensors

Symptoms
You have an event collector that is trying to collect logs from a remote (network) location. Your collector logs may reflect an error such as:

"LogFilePath parameter is required and has to point to an existing directory."

and

"Error while init <Sensor name>. no valid LogFilePath parameter in sensor configuration file." and "No valid sensors in working group !"

Resolution

Note: This is an unsupported solution. If it works in the customer's environment, the customer is responsible for maintaining the permissions, rights and active connections to the UNC path. If the connection fails sporadically, the Event Agent may not be able to reconnect automatically.

It is possible for a Symantec Event Collector running on one Windows computer to read log files stored on another Windows computer. However, for this to work you must change the user account under which the Symantec Event Agent service runs, because the default LocalSystem account used by the Agent service has no access to network resources.

The service must run as a regular Windows user account, and this account must have access rights to the Windows network share on the other computer that contains the log file(s).

Set up the Symantec Event Agent Service with a Windows User

    1. On the computer with the collector installed, right-click My Computer, and click Manage.
    2. In the Computer Management console, under Services and Applications, click Services.
    3. Right-click the Symantec Event Agent Service and click Properties.
    4. Click the Log On tab.
    5. Click the This account radio button, enter the username and password for the account you wish to use, then confirm the password.
    6. Click OK.

Set up the sensor to point to the shared logfile location

On the Symantec Security Information Manager appliance, in the collector’s logfile sensor configuration, type the UNC path to the network share containing the logfiles, in the format \\<IP address or DNS-resolvable hostname>\<share name>, e.g. \\10.0.12.114\sqllog.
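The service-account change above can be scripted, and the share access can be verified before the service is restarted. The following PowerShell is an added example written for this article, not Symantec's own tooling. It assumes the service display name is 'Symantec Event Agent' and reuses the share \\10.0.12.114\sqllog from the example above; both values should be adjusted to the environment. The sensor's UNC path itself is still entered on the Security Information Manager appliance and is not scripted here.

```powershell
# Added example (not from the KB article): script the Log On change from the steps
# above and verify that the chosen account can actually reach the sensor's UNC path.
# Assumptions: service display name 'Symantec Event Agent' and the share
# \\10.0.12.114\sqllog from the article; adjust both to your environment.

$ServiceDisplayName = 'Symantec Event Agent'
$LogShare           = '\\10.0.12.114\sqllog'

# Prompt for a dedicated, least-privilege account: it only needs Read on the share
# and the local "Log on as a service" right. Do not reuse an administrative account.
$cred = Get-Credential -Message "Account that will run $ServiceDisplayName"

# 1. Prove the account can read the share BEFORE touching the service. New-PSDrive
#    authenticates to the share with the supplied credential, so this is the same
#    access the reconfigured service will have.
$null = New-PSDrive -Name 'SsimLog' -PSProvider FileSystem -Root $LogShare -Credential $cred -ErrorAction Stop
try {
    $sample = Get-ChildItem -Path 'SsimLog:\' -File -ErrorAction Stop |
              Select-Object -First 5 Name, Length, LastWriteTime
    if (-not $sample) { throw "Share $LogShare is reachable but contains no files." }
    $sample | Format-Table -AutoSize
} finally {
    Remove-PSDrive -Name 'SsimLog'
}

# 2. Reconfigure the service logon (equivalent of the Log On tab). The Win32_Service
#    Change method takes the account and password; ReturnValue 0 means success.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName = '$ServiceDisplayName'"
if (-not $svc) { throw "Service '$ServiceDisplayName' not found on this host." }
"Before: {0} runs as {1}" -f $svc.Name, $svc.StartName

$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $cred.UserName
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)."
}

# 3. Restart so the service runs under the new account, then confirm.
Restart-Service -Name $svc.Name -ErrorAction Stop
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = '$($svc.Name)'"
"After:  {0} runs as {1} ({2})" -f $svc.Name, $svc.StartName, $svc.State
```

Unlike the Services console, the WMI Change method does not grant the account the "Log on as a service" right; if the restart fails with a logon failure (service error 1069), grant that right in Local Security Policy first. Checking the share first also separates a share-permission problem from a service-configuration problem, which are otherwise indistinguishable from the "no valid LogFilePath parameter" message in the collector log.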
Note: On a Windows 2003 Server machine, there is a special account named Network Service which can access network resources.