Is there a doc showing how to monitor a Windows/AD system?

I see there are many different collectors available for different items in AD or Windows.

I see there is the Agent Manager for Windows Agents, but I cannot quite nail down what Agents can collect vs what a Collector can collect?

I am at a point where I do not yet know WHAT I want to collect, since I do not know what I CAN collect. So first, what is available to collect (from what format? agent or collector), then I can pick and choose the elements I need, I suppose.

Or start more simply:  How are the Agents different than Collectors, specifically in the context of Windows and Active Directory?


  • 0  

    SAM will essentially collect anything that's in the Windows Event logs (and possibly other logs as well).  You install an agent (managed or unmanaged), configure a policy telling the agent what to collect.  The agent then sends these events on to a "Central Computer", which then forwards to Sentinel itself.

    Sentinel Collectors tend to be agentless whereas SAM is an agent-based solution.  Windows doesn't have a native syslog client so SAM was the solution to that.


  • 0   in reply to   

    That is a helpful distinction.  So the SAM is mostly for Event log stuff.

    What if you want to watch file system operations?  Delete/move of files, say.  Which would be the better way?  Is there a way?

    There was a WMI collector; is that still around, or is that part of the SAM?