LogRhythm requires the Windows Server service to be enabled to collect Event logs. However, some deployments have a site-specific requirement to disable the service. To collect local Event logs when the Windows Server service is disabled, the [hostname] or localhost must be specified.
Remote Event log collection is NOT possible unless the Windows Server service is running.
1. On the main toolbar, click Deployment Manager.
2. Click the Log Sources tab.
3. In the lower grid, select the Action check box of the Log Entity you want, right-click it, and click Properties.
4. Click the Flat File Settings tab.
5. Fill in the File Path field. The Client Console assigns the machine name portion of the File Path based on the Log Message Source Host.
   - If the Windows host is known, the host name is used. Example: LR-0870EW-MS:System.
   - If the host name is unknown, the IP address is used. Example: 10.1.1.164:System. In this case, you must change the machine name to local or localhost because you cannot use an IP address. Example: Change 10.1.1.164:System to localhost:System. The only IP address exception is 127.0.0.1, which is mapped to localhost by the Agent. These File Path names and examples are acceptable:
     - localhost:[Event Log Name]
     - [Hostname]:[Event Log Name]
     - 127.0.0.1:[Event Log Name]
     - ::1:[Event Log Name]
   - This File Path would not be valid: [IP Address]:[Event Log Name]
6. Click OK.
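The File Path rules above are easy to get wrong when many log sources are configured by hand, so the following added example (not LogRhythm's own code; the Agent's actual validation logic is not documented here) checks a `[Machine]:[Event Log Name]` string against them and proposes the localhost form where a bare IP address was used. Note that the IPv6 loopback `::1` itself contains colons, so the machine name must be split off at the last colon rather than the first.

```python
import ipaddress

# Machine names the page states are acceptable in place of an IP address.
LOOPBACK_NAMES = {"localhost", "local"}


def check_file_path(file_path: str) -> dict:
    """Validate a Flat File 'File Path' of the form [Machine]:[Event Log Name].

    Hypothetical helper mirroring the rules stated on this page:
      - a host name, localhost, 127.0.0.1 or ::1 is acceptable;
      - any other IP address is invalid and must become localhost.
    Returns valid, machine, log, a suggested corrected path and a reason.
    """
    # Split on the LAST colon: '::1:System' must yield machine '::1', log 'System'.
    machine, sep, log_name = file_path.rpartition(":")
    if not sep or not machine or not log_name:
        return {"valid": False, "machine": machine, "log": log_name,
                "suggested": None, "reason": "expected [Machine]:[Event Log Name]"}

    if machine.lower() in LOOPBACK_NAMES:
        return {"valid": True, "machine": machine, "log": log_name,
                "suggested": file_path, "reason": "local collection name"}

    try:
        addr = ipaddress.ip_address(machine)
    except ValueError:
        # Not an IP literal, so treat it as a host name (e.g. LR-0870EW-MS).
        return {"valid": True, "machine": machine, "log": log_name,
                "suggested": file_path, "reason": "host name"}

    # 127.0.0.1 and ::1 are accepted; normalise them to localhost for consistency.
    if addr.is_loopback:
        return {"valid": True, "machine": machine, "log": log_name,
                "suggested": f"localhost:{log_name}", "reason": "loopback address"}

    # Any other IP address is rejected by the Agent; localhost is the required fix.
    return {"valid": False, "machine": machine, "log": log_name,
            "suggested": f"localhost:{log_name}",
            "reason": "IP address not allowed; use localhost or the host name"}
```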