Centralized log file archival
EventLog Analyzer's distributed edition supports centralized archival of the event logs received by each host. When the centralized archival option is enabled in the log archival configuration, every managed server sends its archived log files to the admin server, which then acts as a single repository from which all the logs in your network can be viewed.
The steps EventLog Analyzer follows for log archival in a distributed setup are:
- At periodic intervals, each managed server zips its logs and transfers the resulting archive file to the admin server over Secure Shell (SSH).
- The admin server receives the file and sends a confirmation of receipt back to the managed server that sent it.
- Only after receiving that confirmation does the managed server delete its local copy of the archive file, so a transfer that is never confirmed does not cause the archive to be lost.
Note: An SSH server is started on the admin server when centralized archiving is enabled. Because this opens a listening port on the admin server, restrict access to that port to the managed servers' addresses and use a strong password for the configured account.
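The following script models the managed-server side of the three steps above: zip, ship, wait for the receipt, and delete only once the receipt has arrived. It is an added example and not EventLog Analyzer's own code; the `transport` callable stands in for SCP over SSH, the SHA-256 digest carried in the confirmation is an assumption about what a receipt might contain, and the two log files are constructed sample data. The second scenario shows the failure mode the handshake exists for: when the transfer is dropped, no confirmation arrives and the local archive stays put.

```python
"""Managed-server side of centralized archival, modelled end to end:
zip the logs, ship the archive, wait for the admin server's receipt
confirmation, and delete the local copy only once it arrives.
Added example; not EventLog Analyzer code. The transport callable stands
in for SCP-over-SSH and the SHA-256 receipt is an assumption about what a
confirmation might carry."""
import hashlib
import tempfile
import zipfile
from pathlib import Path
from typing import Callable, Optional


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def zip_logs(log_dir: Path, archive_path: Path) -> Path:
    """The periodic 'zip' step: bundle every log file in log_dir."""
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in sorted(log_dir.iterdir()):
            if p.is_file():
                zf.write(p, arcname=p.name)
    return archive_path


class AdminServer:
    """Receiving side: stores the file under <home>/archive/<collector id>/
    (the default layout described in the settings) and answers with the
    digest of what it actually wrote to disk."""

    def __init__(self, home: Path):
        self.home = home

    def receive(self, collector_id: str, name: str, data: bytes) -> str:
        dest_dir = self.home / "archive" / collector_id
        dest_dir.mkdir(parents=True, exist_ok=True)
        dest = dest_dir / name
        dest.write_bytes(data)
        return sha256_file(dest)


# (collector id, file name, file bytes) -> confirmation, or None if nothing arrived
Transport = Callable[[str, str, bytes], Optional[str]]


def archive_and_ship(log_dir: Path, spool_dir: Path, collector_id: str,
                     transport: Transport) -> dict:
    archive = zip_logs(log_dir, spool_dir / "archive.zip")
    local_digest = sha256_file(archive)
    confirmation = transport(collector_id, archive.name, archive.read_bytes())
    confirmed = confirmation == local_digest
    if confirmed:
        archive.unlink()  # the admin server has the file; the local copy can go
    return {"confirmed": confirmed, "local_copy_kept": archive.exists()}


def run_demo(drop_transfer: bool) -> dict:
    """Constructed scenario: two sample log files from collector 'collector-7'.
    drop_transfer=True models the SCP step failing before the file is stored."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        log_dir = root / "logs"
        log_dir.mkdir()
        # constructed sample log lines, not real data
        (log_dir / "syslog-1.log").write_text(
            "Jan 10 12:00:01 host1 sshd[412]: Accepted password for ops from 10.0.0.5\n")
        (log_dir / "syslog-2.log").write_text(
            "Jan 10 12:00:02 host2 sudo: ops : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow\n")
        spool = root / "spool"
        spool.mkdir()
        admin = AdminServer(root / "admin_home")
        collector = "collector-7"

        def transport(cid: str, name: str, data: bytes) -> Optional[str]:
            if drop_transfer:
                return None  # nothing reached the admin server, so no receipt
            return admin.receive(cid, name, data)

        result = archive_and_ship(log_dir, spool, collector, transport)
        stored = admin.home / "archive" / collector / "archive.zip"
        result["stored_on_admin"] = stored.exists()
        if stored.exists():
            with zipfile.ZipFile(stored) as zf:
                result["stored_members"] = sorted(zf.namelist())
        return result


if __name__ == "__main__":
    print("transfer ok:     ", run_demo(drop_transfer=False))
    print("transfer dropped:", run_demo(drop_transfer=True))
```

The important ordering is in `archive_and_ship`: the local `unlink()` is reachable only on a confirmation that matches the digest of what was sent, which is what keeps a dropped or truncated transfer from silently losing an archive.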
Configuring centralized archival in the admin server:
- In the admin server, go to Configurations > Archive and open Archived Files.
- Click Centralized Archive Settings in the Archive Files screen. The File Archive Settings dialog opens.
- To enable centralized archival in the distributed setup, select the Enable Centralized Archive check box. Once enabled, EventLog Analyzer transfers the archive files from each managed server to the admin server using Secure Copy (SCP), which runs over SSH.
- Enabling the option also starts the SSH server with the settings below:

| Setting | Description |
| --- | --- |
| Archive Location | The admin server's centralized archive location. By default it is <EventLog Analyzer Admin Server Home>/archive/<Individual Managed Server's CollectorID>/, so each managed server's files land in their own directory. |
| Server IP/Name | The IP address (or host name) on which the SSH server listens. This is the admin server by default; on a machine with more than one NIC, choose the address the managed servers can reach. |
| User Name | The user name that managed servers use to authenticate to this SSH server. |
| Password | The password for that user name. |
| Port | The default SSH port is 22. You can configure any other port from 1024 to 65535. Click the Availability link to check whether the port is free or already taken by another application. On Linux, ports below 1024 (including 22) can only be bound by a process running as root or with the CAP_NET_BIND_SERVICE capability. |
- Centralized Archive Settings in EventLog Analyzer:
- Notification Email Address: The e-mail addresses entered here receive notification e-mails about the log archival process.
- Archive Retention Period: How long archive files are kept on the admin server. Once the period elapses, the files are deleted from the EventLog Analyzer server.
- Loaded Retention Period: How long archive files remain loaded in EventLog Analyzer after they are archived.
Troubleshooting tips:
When Centralized Archive is enabled, the SSH server starts with the configured values. If it fails to start, the Centralized Archive Settings screen in EventLog Analyzer shows a Failed status.
If the SSH server does not start, the cause is usually one of the following:
- The SSH server cannot bind to the configured IP address. This is most likely on a machine with two NICs. Check the address and configure the IP of the correct NIC.
- The configured port is already in use by another application, or is a privileged port (below 1024) that the EventLog Analyzer process is not permitted to bind. Use the Availability link to check the port, or pick one in the 1024 to 65535 range.
- The configured archive location is invalid. Configure a valid, writable location to archive the files.
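The following script, run on the admin server host, checks each of those causes before the SSH server is enabled: whether the configured IP is actually assigned to a local NIC, whether the port can be bound (distinguishing an in-use port from a privileged one), and whether the archive location can be created and written. It is an added example and not part of EventLog Analyzer; the product's own Availability link is a separate, built-in check. The `demo()` scenario is constructed on loopback, using a port held by a real listener, a free port, the documentation-range address 192.0.2.1 (which no NIC carries) and an archive path nested under a regular file.

```python
"""Pre-flight checks for the admin server's built-in SSH listener, covering
the failure causes listed above: the configured IP is not on any local NIC,
the port is taken (or is a privileged port the process may not bind), and the
archive location cannot be created or written. Added example, not part of
EventLog Analyzer; the product's own Availability link is a separate check."""
import errno
import os
import socket
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def ip_is_local(ip: str) -> bool:
    """A bind to (ip, 0) succeeds only if the OS owns that address."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((ip, 0))
            return True
        except OSError as e:
            if e.errno in (errno.EADDRNOTAVAIL, errno.EINVAL):
                return False
            raise


def port_is_free(ip: str, port: int) -> bool:
    """Bind without SO_REUSEADDR so an active listener shows as busy;
    EACCES means a privileged port (< 1024) without root/CAP_NET_BIND_SERVICE."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((ip, port))
            return True
        except OSError as e:
            if e.errno in (errno.EADDRINUSE, errno.EACCES):
                return False
            raise


def archive_location_ok(location: str) -> Tuple[bool, str]:
    """The location must be creatable as a directory and writable."""
    p = Path(location)
    try:
        p.mkdir(parents=True, exist_ok=True)
    except OSError as e:
        return False, f"cannot create {p}: {e.strerror}"
    if not os.access(p, os.W_OK):
        return False, f"{p} is not writable"
    return True, "ok"


def check_ssh_settings(ip: str, port: int, archive_location: str) -> List[str]:
    """Return a list of problems; an empty list means the listener should start."""
    problems = []
    if not ip_is_local(ip):
        problems.append(f"{ip} is not assigned to any local NIC")
    elif not port_is_free(ip, port):
        problems.append(f"port {port} on {ip} is in use or not permitted for this user")
    ok, why = archive_location_ok(archive_location)
    if not ok:
        problems.append(f"archive location invalid: {why}")
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed scenario on loopback: a port held by a listener, a free
    port, a documentation-range address (192.0.2.1) that no NIC carries, and
    an archive location nested under a regular file."""
    findings = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as busy:
        busy.bind(("127.0.0.1", 0))
        busy.listen(1)
        busy_port = busy.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
            probe.bind(("127.0.0.1", 0))
            free_port = probe.getsockname()[1]  # released when probe closes
        with tempfile.TemporaryDirectory() as tmp:
            good = os.path.join(tmp, "archive")
            Path(tmp, "file.txt").write_text("")
            bad = os.path.join(tmp, "file.txt", "archive")
            findings["healthy"] = check_ssh_settings("127.0.0.1", free_port, good)
            findings["busy_port"] = check_ssh_settings("127.0.0.1", busy_port, good)
            findings["wrong_nic"] = check_ssh_settings("192.0.2.1", free_port, good)
            findings["bad_location"] = check_ssh_settings("127.0.0.1", free_port, bad)
    return findings


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```

Run it as the same OS user that EventLog Analyzer runs under, since the privileged-port result depends on that user's capabilities; a port that looks free when probed as root may still be refused to the service account.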