Skip to content

Infrastructure Integration ¶

Configuration¶

Configure the agent by editing /etc/nutanix/epoch-dd-agent/conf.d/win32_event_log.yamlin the collectors. Example:

init_config:
    # The (optional) `tag_event_id` setting will add an event id tag to each
    # event sent from this check. Defaults to false.
    # tag_event_id: false

instances:
  # Each Event Log instance lets you define the type of events you want to
  # match and how to tag those events.

  -
    # By default, the local machine's event logs are captured. To capture a remote
    # machine's event logs, specify the machine name (DCOM has to be enabled on
    # the remote machine). If authentication is needed, specify a `username` and a
    # `password`.
    # host: remote_machine_name
    # username: user
    # password: pass

    # The (optional) `log_file` filter will instruct the check to only capture events
    # that belong to one of the specified LogFiles (Application, System, Setup, Security,
    # or application-specific LogFile).
    # log_file:
    #   - Security

    # The (optional) `source_name` filter will instruct the check to only capture events
    # that come from one of the specified SourceNames.
    # source_name:
    #   - Microsoft-Windows-Security-Auditing

    # The (optional) `type` filter will instruct the check to only capture events
    # that have one of the specified Types.
    # Standard values are: Critical, Error, Warning, Information, Audit Success, Audit Failure.
    # type:
    #   - Audit Failure

    # The (optional) `event_id` filter will instruct the check to only capture events
    # that have one of the specified EventCodes.
    # The event ID can be found through http://www.eventid.net/ and viewed in the
    # Windows Event Viewer.
    # event_id:
    #   - 4776
    #   - 4672

    # The (optional) `message_filters` filter will instruct the check to only capture
    # events which Message field matches all of the specified filters.
    # Use % as a wildcard. See http://msdn.microsoft.com/en-us/library/aa392263(v=vs.85).aspx
    # for more on the format for LIKE queries.
    # NOTE: Any filter that starts with "-" will be a NOT query, e.g.: '-%success%'
    # will search for events without 'success' in the message.
    # message_filters:
    #   - "-%success%"
    #   - "%SYSTEM%"

    # The (optional) `tags` parameter will instruct the check to tag the captured
    # events with the specified tags.
    # tags:
    #   - security

    # The (optional) `event_format` parameter will instruct the check to generate
    # Datadog's event bodies with the specified list of event properties.
    # If unspecified, the EventLog's `Message` or `InsertionStrings` are used by default.
    # event_format:
    #   - Logfile
    #   - SourceName
    #   - EventCode
    #   - Message
    #   - InsertionStrings
    #   - TimeGenerated
    #   - Type

  # Here are a couple basic examples:

  # The following instance will capture errors and warnings from SQL Server which
  # puts all events under the MSSQLSERVER source and tag them with #sqlserver.

  # - log_file:
  #     - Application
  #   source_name:
  #     - MSSQLSERVER
  #   type:
  #     - Warning
  #     - Error
  #   message_filters:
  #     - "%error%"
  #   tags:
  #     - sqlserver

  # This instance will capture all system errors and tag them with #system.

  # - log_file:
  #     - System
  #   type:
  #     - Error
  #   tags:
  #     - system

Check and make sure that all yaml files are valid with following command:
```
/etc/init.d/epoch-collectors configcheck
```
Restart the Agent using the following command:
```
/etc/init.d/epoch-collectors restart
```
Execute the info command to verify that the integration check has passed:
```
/etc/init.d/epoch-collectors info
```