Microsoft System Center (MSSC) helps customers gain a unified data center management experience with out-of-the-box monitoring, provisioning, configuration, automation, protection and self-service capabilities. The System Monitor Agent can import Microsoft System Center logs into LogRhythm for analysis. This document explains how to configure the collection of Microsoft System Center logs via the LogRhythm System Monitor Agent.
Before attempting these instructions, have the following available:
- Access to the LogRhythm System Monitor Agent collecting Microsoft System Center log files
- The MSSC SQL Server database address
The recommended collection method is to use an Agent installed on the MSSC server. Using a different ODBC connection string, however, you can configure the Microsoft System Center 2012 Endpoint Protection log source for remote collection.
Configure the ODBC Driver for MSSC 2012 Endpoint Protection
LogRhythm accesses Microsoft System Center logs via an ODBC driver. Before configuring the UDLA log source in LogRhythm, the recommended driver must already be installed on the System Monitor host and configured according to the information in Configure UDLA Log Collection.
- Name. SQL Server
- Company Name. Microsoft Corporation
- Version. 2000.85.1132.00
- Date. 4/13/2008
- Download Location. Pre-installed
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. You must use a LogRhythm System Monitor to collect the logs. The agent does not need to reside on the Microsoft server, but does need to be able to establish a network ODBC connection. In addition, the host where the agent is installed needs the Microsoft SQL client drivers installed.
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
Before you begin, download the Microsoft System Center 2012 Endpoint Protection XML configuration file. You will import this file later to populate the UDLA configuration fields for the Log Source.
The name of the log message source is UDLA – Microsoft System Center 2012 Endpoint Protection. In addition, when configuring this log source:
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the UDLA Settings tab, enter the following:
Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.
In the Connection String box, update the values for Server and Database with the SQL Server database name\instance and database name to which you want to connect.
If you are configuring remote collection, you will need to change the connection string to: DSN=<MSSC data source name>;trusted_connection=true;
- If you want to validate the current settings, click Test.
If the test fails, verify the connection settings and that all values were entered correctly.
- When the test passes, close the Test dialog box.
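The remote-collection connection string above can be checked from the Agent host before you click Test. The following Windows PowerShell 5.1 script is an added example, not LogRhythm tooling; the function name and the DSN name you pass in are placeholders, and the query uses only the built-in T-SQL functions SUSER_SNAME() and DB_NAME().

```powershell
# Added example: pre-flight check of the DSN-based connection string.
# -DsnName is a placeholder: pass the data source name configured on the Agent host.
param(
    [Parameter(Mandatory = $true)] [string] $DsnName
)

Add-Type -AssemblyName System.Data   # provides System.Data.Odbc in Windows PowerShell 5.1

function Test-MsscOdbcDsn {          # hypothetical helper name
    param([string] $Name)

    # Same form as the remote-collection string given in this guide.
    $connString = "DSN=$Name;trusted_connection=true;"

    $result = [ordered]@{
        Dsn       = $Name
        # Windows account this process runs as; trusted_connection authenticates as it.
        RunningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Connected = $false
        SqlLogin  = $null
        Database  = $null
        Error     = $null
    }

    $conn = New-Object System.Data.Odbc.OdbcConnection($connString)
    try {
        $conn.Open()
        $result.Connected = $true

        # Confirm which SQL login and database the DSN actually resolves to.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT SUSER_SNAME(), DB_NAME()'
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            $result.SqlLogin = $reader.GetString(0)
            $result.Database = $reader.GetString(1)
        }
        $reader.Close()
    }
    catch {
        # Driver and login failures surface here with the ODBC error text.
        $result.Error = $_.Exception.Message
    }
    finally {
        $conn.Dispose()
    }
    [pscustomobject] $result
}

Test-MsscOdbcDsn -Name $DsnName
```

Because trusted_connection uses Windows authentication, run the script under the account the System Monitor Agent service runs as; otherwise a success only shows that your own account can connect.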