We have a serverclass set up to ingest WinEventLog:Security logs for multiple servers (contains a blacklist for account names and ID's). The consumer is looking to add the WinEventLog:Directory Service logs for only (1) of the servers.
Would we be able to accomplish this by having (2) server classes assigned to the one server? Or, is there a best practice solution for this type of scenario?
Thank you in advance for any guidance.
I would create a new serverClass for WinEvenLog:Directory monitoring app/server, to reduce the complexity. One server can be part of multiple serverClass.
I would create a new serverClass for WinEvenLog:Directory monitoring app/server, to reduce the complexity. One server can be part of multiple serverClass.
Agreed. Bottom line: yes, you can have servers mapped to various serverclasses. In fact, you SHOULD do it this way to more easily manage.
Okay, that is what I was doing. I created a secondary serverclass just for WinEventLog: Directory Service and was going to add that only to the client that they want additional logs from. I believe we're saying the same thing, correct?.
I would create a new serverclass just for WInEventLog:Directory, add just that single client as it's member. Than I will create an data input app to just monitor WInEventLog:Directory and assign that app to this server class.
We've three elements here
serverClass----Member servers
|__Apps to be deployed
Okay, that;s what I was thinking...thank you for confirming.