User guide

LCE WMI Monitor Agent
The LCE WMI Monitor Agent is used to automate the collection of Windows Event Logs from remote Windows systems by
using WMIC calls from the Linux system running the agent.
This facilitates the collection of Windows logs from many hosts for the purpose of event normalization/searches and
performance analysis.
Host network connections occur in parallel, and though very quick, they may cause a temporary spike in
network traffic and WMIC processes from the WMI Monitor Agent host while collection is occurring.
For performance reasons, Tenable recommends configuring no more than 100 Windows hosts per WMI
Monitor Agent.
All that needs to be done for configuration here is to specify the LCE server’s IP address, and if needed, change the
server port. A default wmi_monitor.conf configuration file is shown below:
# If using an LCE 4.x server, configure this file with the appropriate
# server information. After the first run, the client will be configured
# strictly from the Client Manager.
# If using an LCE 3.x server, replace this file with the
# wmi_monitor.conf.v3_server file, which contains full configuration
# information.
options {
    # WMI Monitor log messages are written to a file named according to
    # the date in the directory specified below.
    log-directory /opt/wmi_monitor/
    # The following section defines the IP at which the LCE server is
    # located, as well as the authentication required to log in. Only
    # one LCE server is currently supported. For example, use the
    # following to configure an LCE server at 192.168.1.2
    lce-server 192.168.1.2 {
    }
    # The LCE server can be configured to listen on a user-specified port.
    # The setting below should match the server setting, which is 31300 by
    # default.
    server-port 31300
}
After the WMI Monitor Agent is installed, log into SecurityCenter or LCE Manager to download a copy of the default
wmi_monitor LCP policy file. Open the downloaded file in a text editor to configure the wmi_monitor LCP policy file, and
add the list of Windows hosts (one per WMI-host keyword) to be monitored. An example wmi_monitor LCP policy file is
shown below; it should not be used in production networks without customization.
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<options xmlns:xi="http://www.w3.org/2003/XInclude">
<!-- WMI Monitor log messages are written to a file named according to
the date in the directory specified below. -->
<log-directory>/opt/wmi_monitor/</log-directory>
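The two files above are small, but the mistakes that keep an agent from reporting are just as small: the example address 192.168.1.2 left in wmi_monitor.conf, a port that does not match the LCE server, a relative log directory, or a policy that lists the same host twice or more hosts than the 100 per agent that Tenable recommends. The following pre-deployment checker is an added example written for this guide, not Tenable's code. It parses the brace-delimited options format shown above and an LCP policy document. Both sample inputs are constructed, and the per-host element name `<WMI-host>` is an assumption taken from the guide's "WMI-host keyword" wording, so adjust `host_tag` to match the element name in the policy file you download.

```python
"""Pre-deployment checks for WMI Monitor Agent configuration.

Added example (not Tenable's code). It parses the brace-delimited
wmi_monitor.conf format shown in the guide and an LCP policy file,
and reports the mistakes an operator most commonly ships: the example
address 192.168.1.2 left in place, a malformed port, a relative log
directory, duplicate monitored hosts, and more than the 100 hosts per
agent that Tenable recommends.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

PLACEHOLDER_SERVER = "192.168.1.2"  # example address in the shipped default file
MAX_HOSTS_PER_AGENT = 100           # Tenable's per-agent recommendation

# Constructed sample: the default wmi_monitor.conf as reproduced in the guide.
SAMPLE_CONF = """\
# If using an LCE 4.x server, configure this file with the appropriate
# server information.
options {
    # WMI Monitor log messages are written to the directory below.
    log-directory /opt/wmi_monitor/
    lce-server 192.168.1.2 {
    }
    # Must match the server setting, which is 31300 by default.
    server-port 31300
}
"""

# Constructed sample policy. The guide calls the per-host entry the
# "WMI-host keyword"; the element name <WMI-host> is an ASSUMPTION.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<options xmlns:xi="http://www.w3.org/2003/XInclude">
  <log-directory>/opt/wmi_monitor/</log-directory>
  <WMI-host>10.0.0.11</WMI-host>
  <WMI-host>10.0.0.12</WMI-host>
  <WMI-host>10.0.0.11</WMI-host>
</options>
"""


def parse_conf(text):
    """Return the key/value settings found inside the options { ... } block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line or line in ("{", "}") or line.startswith("options"):
            continue
        # A setting is 'key value', optionally followed by '{' (lce-server).
        match = re.match(r"^([\w-]+)\s+([^\s{]+)", line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def check_conf(settings):
    """Return a list of findings; an empty list means the file looks deployable."""
    findings = []
    server = settings.get("lce-server")
    if server is None:
        findings.append("lce-server is missing")
    else:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"lce-server {server!r} is not an IP address")
        if server == PLACEHOLDER_SERVER:
            findings.append(f"lce-server still set to the example address {PLACEHOLDER_SERVER}")
    port = settings.get("server-port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"server-port {port!r} is not a valid TCP port")
    if not settings.get("log-directory", "").startswith("/"):
        findings.append("log-directory must be an absolute path")
    return findings


def check_policy(xml_text, host_tag="WMI-host"):
    """Return (hosts, findings) for an LCP policy; host_tag is an assumed name."""
    root = ET.fromstring(xml_text)
    hosts = [el.text.strip() for el in root.iter(host_tag) if el.text and el.text.strip()]
    findings = []
    duplicates = sorted({h for h in hosts if hosts.count(h) > 1})
    if duplicates:
        findings.append("duplicate hosts: " + ", ".join(duplicates))
    if len(hosts) > MAX_HOSTS_PER_AGENT:
        findings.append(f"{len(hosts)} hosts exceed the recommended {MAX_HOSTS_PER_AGENT} per agent")
    return hosts, findings


if __name__ == "__main__":
    for finding in check_conf(parse_conf(SAMPLE_CONF)):
        print("wmi_monitor.conf:", finding)
    hosts, findings = check_policy(SAMPLE_POLICY)
    print(f"policy lists {len(hosts)} host(s)")
    for finding in findings:
        print("policy:", finding)
```

Run against the guide's default file, the checker reports only that lce-server is still the example address, which is exactly the one change the text says is required. Pointing it at a real policy file before copying it to the agent host catches the host-count problem before it shows up as a spike in WMIC processes and network traffic at collection time.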