JonG
Engaged Sweeper III
Have installed the trial version of Lansweeper on our network and just trying to get the event viewer functionality working. Only testing it against a handful of internal machines for now using the manual IP scanning facility, which is working fine for WMI data. However, the event logs are getting pulled through for all of these machines regardless of the OU specified in the ADSI path in the event scanning tab. I eventually only want to import the event logs of servers and certainly will not be looking at filling the database with event data for all of my standard PCs.

Is this by design?

Jon
9 REPLIES
JonG
Engaged Sweeper III
Thanks for this, I will give it a try. Expect a combination of revisiting my audit policy to reduce what we are collecting and this update may be a way forward.

Do you have a list of any other changes with this beta version? Assume I should avoid deploying it in my production environment for now. Any idea of timescales for its release?

Many thanks

Jon
Hemoco
Lansweeper Alumni
JonG wrote:
Do you have a list of any other changes with this beta version?

The change in number of scanned events is the only one included in this beta installer. We created this installer by request for one specific customer.

JonG wrote:
Assume I should avoid deploying it in my production environment for now.

Updates in general should not pose any issue. We always recommend performing a database backup though before applying any updates. If you already have a test environment set up, it might be more convenient to test the update there.

JonG wrote:
Any idea of timescales for its release?

We are waiting to hear back from the customer whom we originally created this beta installer for. If feedback from this customer (and you) is positive, this update could be released fairly quickly, within a few weeks. (We tend to wait to release updates until more changes have accumulated.)
JonG
Engaged Sweeper III
Done a few more tests and it does appear as though every security event scan is limited to pulling in exactly 100 entries, which only equates to around 3-4 minutes of logs in my case. Not sure if use of the ignore event feature would help with this figure or if the value is based on what the scanner is processing (regardless of how many are recorded in the database).

Is there any way of increasing this parameter, since I do not really want to be polling for events every minute, which I guess may work?

Many thanks

Jon
Hemoco
Lansweeper Alumni
JonG wrote:
Done a few more tests and it does appear as though every security event scan is limited to pulling in exactly 100 entries, which only equates to around 3-4 minutes of logs in my case.

Lansweeper does only pull 100 events at a time.

A logical solution would be to increase your Eventlog Scanning interval for the machine, but we are actually testing a beta installer that pulls 500 events at a time. If you would like to try this update, you can download it here. Instructions on upgrading your Lansweeper installation can be found on page 103 of our online documentation.
JonG
Engaged Sweeper III
Thanks for the prompt reply, that sounds great.

Done some further tests today and have enabled security log scanning (successful and unsuccessful audits). I have a report to pull out all event ID 540 security logs, which are successful logons. It appears as though every time Lansweeper is connecting it only pulls around 30 security events at a time and then stops, not pulling any more until the next polling interval (which I have set to every 30 mins through the event log scanning options). We have quite busy domain controllers and most AD audit events are recorded, so as you can imagine hundreds of events are created but only a handful come through to Lansweeper. Also checked the event log section of the domain controller and that appears to be the same as the reports. I intend on ignoring most events but want to collect data such as logons/logoffs/lockouts/AD changes etc. and cannot really run the risk that it is only collecting a section of the data.

Is this a known limitation of the eventlog scanning feature? I am getting no errors in the errorlog.txt file in relation to this, so unsure if these results are to be expected. I do not appear to miss any system log data but this is obviously at a much lower volume.

Many thanks

Jon
Hemoco
Lansweeper Alumni
Correction: you can achieve your goal of only scanning eventlog information for certain computers by:
- Setting the item wait time for "EVENTLOG" to -1 (disabled) in your configuration console. You can find item wait times under Scanning Options\Item Wait Time.
- Only submitting specific computers for Eventlog Scanning. Your Eventlog Scanning settings can be found in the configuration console under Scanning Servers\Your Server\Eventlog Scanning.

Eventlog Scanning, unlike all the other scanning methods, does not obey item wait times and will continue scanning logs for the computers submitted. (Our apologies, the representative who answered your original post was unaware of this.) So you can achieve your goal with a single Lansweeper installation.
JonG
Engaged Sweeper III
Thanks, but from what I can tell I have the following workaround:

- Set up Lansweeper server (and possible secondary scanners linked to the same database) for my whole estate (PCs and servers). Setting the 'item wait time' to -1 for eventlog will stop event logs being pulled through for any of these systems and try and keep the database sizes/scanning time down.

- Set up a separate Lansweeper server (DB, scanner and web front end) just for servers with event log wait time left as defaults and setting the ADSI path in event scanning options to my server OU (every 30 mins or so). This will pull through all event log info just for my servers and any others that I want to target.

Shame the item wait time cannot be set at the scanner server level as well, since it would have meant I could have had it all going back to the same database.

Do you know if the above would be covered by one Enterprise license?

Thanks

Jon
JonG
Engaged Sweeper III
A bit gutted by this to be honest, was beginning to think the product had very little missing from my wishlist. I have over 4000 PCs and do not really want to enable event log scanning on all of them, only domain controllers and servers to pull out account lockouts, server errors for audit/reporting purposes. Even with event log ignore rules in place the database table is going to be massive if I do every PC along with the extra polling effort I imagine the scanning server is doing on every machine. I intend to enable the success/failure audit records which I imagine also compounds the issue.

I still intend on scanning the whole network for asset purposes to collect inventory info for PC, servers, switches, IP Phones etc.

Therefore, am I right in thinking I could set up a secondary Lansweeper server instance (database, scanner and web front end) just to collect the event log data by manually adding the servers to scan via active scan OU filtering? Would these two servers still fall within the terms of the enterprise license which I intend to buy or would I need another premium licence (may have a couple of scanners for the PC scanning process, hence the enterprise license for one)?

Thanks

Jon
Hemoco
Lansweeper Alumni
All of the Lansweeper scanning methods (Active Scanning, Workgroup Scanning, IP Range Scanning, Scheduled Scanning, LsClient, LsPush) scan eventlog information. Eventlog Scanning is just a way to pull eventlog data more quickly, since the other scanning methods only scan periodically. Customers often enable Eventlog Scanning when they wish to send out real-time email alerts for specific events.

It is not currently possible to disable scanning of eventlog information for only certain computers. You can disable it altogether, but not for specific machines.