Configure Windows Forwarder
----------------------------

Overview
...........

The VOSS Insights Windows Forwarder configuration application provides a graphical user interface (GUI) for configuring the Forwarder. All settings are saved to and retrieved from the Windows registry.

The current version of the Forwarder has multiple sources of data, including Windows event logs, files and disk space, the Windows Registry, performance counters, Windows services, database queries, as well as the output of various commands.

The configuration application design reflects these data sources. For example, parameters for configuring the Forwarder are found in the **Forwarder** tab.

The main pane of the application displays the VOSS logo.

.. image:: /src/images/windows-forwarder-image10.png

You can click an icon in the menu tree to edit any of the settings.

.. image:: /src/images/windows-forwarder-image9.png

.. note::

   The GUI toolbar is activated when any screen displays a list of items (files, commands, queries). You can either use the toolbar buttons or right-click in the list to display a drop-down menu.

Event Logs
.............

The Event logs tab displays all the event logs available on the current system. Logs that are selected for monitoring are checked.

.. image:: /src/images/windows-forwarder-image5.png

Click a specific event log in the **Check logs to monitor** list to view the selection for that log:

.. image:: /src/images/windows-forwarder-image4.png

For each log, one or more of the five event types can be selected by checking the appropriate box in the **Event types to monitor** list.

By default, events of the checked types are monitored for all the applications in the system. To monitor only specific applications, check the appropriate boxes in the **Select applications** list.

To summarize, the Forwarder has three levels of configuration for event logs:

1. Select only those event logs that are of interest.
2. Select only specific event types for each log.
3. Select applications for each log.

This granularity is intended to reduce traffic between the Forwarder and the local Arbitrator/Dashboard appliance, and to make troubleshooting easier.

Files
........

The Forwarder can monitor both flat files and named pipes. Each monitored file has to be added using the configuration program by clicking the **Add** button.

Files already in the system can be reconfigured by right-clicking on a specific line. The pop-up menu that displays after right-clicking on a line allows you to remove the file altogether or change its settings. To stop monitoring a specific file, you don't need to remove it; just uncheck the relevant checkbox.

.. image:: /src/images/windows-forwarder-image7.png

The same dialog box displays for both *new* and *updated* files.

.. image:: /src/images/windows-forwarder-image6.png

* **Logical name** - Should describe the origin of the file. Its contents are completely up to the person configuring the application.
* **Monitor file with static name** - Click the Browse button adjacent to the field to select the file (the file name can also be typed in). The Browse button automatically populates the field with the file name and the directory name.
* **Monitor files with name pattern** - Applies to a situation where the program creates a series of traces (files) in a specific directory, with a specific naming pattern. To configure monitoring of these files, click the Browse button adjacent to the field and select one of the files (it doesn't matter which one). The system tries to find all of the instances of the files with a similar name. The resulting string should be fine-tuned by the user: the permanent part of the name should be left intact and the variable part replaced by ``*``.

On this screen you can also choose which lines from the file will be processed.
The selection can be applied based on sequential line numbers (all lines, odd lines, even lines), and based on specific keywords found in the line. The first option handles traces in which each line of text description is followed by a line with a hexadecimal representation of the data. With keyword selection, a line is selected if any of the keywords in the list is found.

To update the File settings, right-click on a file and select **Update File**:

.. image:: /src/images/windows-forwarder-image2.png

Disk Space
..............

The Disk Space tab displays information about all the logical drives, along with their maximum capacity and current utilization. It allows you to set an acceptable free space limit for each device. The Forwarder raises an alarm once the limit is reached. The free space may be set as either a percent of total capacity or an explicit amount of space in megabytes.

.. image:: /src/images/windows-forwarder-image1.png

The last option on this screen relates to reporting absence of activity in the current file to the local monitoring appliance. There are situations when we can presume that a specific application is malfunctioning if it is not writing anything to the trace. This option allows us to raise a red flag under these circumstances.

Performance Monitoring
........................

The Performance Monitoring tab displays all performance counters currently monitored by the Forwarder. When the configuration application is first launched, the list includes all predefined counters.

.. image:: /src/images/windows-forwarder-image3.png

The Performance Monitoring program collects the list of all the counters available and saves them in a list that serves as a basis for adding new counters:

.. image:: /src/images/windows-forwarder-image11.png

Click the right-pointing arrow (**>**) to add a selected counter to the list. Click the left-pointing arrow (**<**) to remove it from the list.

Commands
.........

.. image:: /src/images/windows-forwarder-image12.png

The image shows the dialog that displays when adding a new command or when modifying an existing command:

.. image:: /src/images/windows-forwarder-image14.png

Special features have been added to handle the output from commands that produce CSV file types. It is strongly recommended that you select **Send command output one line at a time** for CSV formatted files, since data sent to the Arbitrator server will then closely resemble the result of a SQL query.

Each command must be tested before it is added to the configuration. To do this, click the **Test** button:

.. image:: /src/images/windows-forwarder-image15.png

Database Queries
...................

.. image:: /src/images/windows-forwarder-image13.png

The Forwarder is able to run queries against any ODBC-compliant database at defined intervals, and to stream the results of the query to the Arbitrator server.

To configure a query, the local system must have an ODBC driver installed and a system DSN configured. The Forwarder has been tested against multiple databases, including Microsoft SQL Server, Postgres, and InterSystems Cache.

Since the Forwarder is a 32-bit application, it uses 32-bit drivers and the related DSNs, which can be checked by executing:

::

   C:\Windows\SysWOW64\odbcad32.exe

.. image:: /src/images/windows-forwarder-image16.png

To configure a new query, select **Add Query**, which displays a list of all existing ODBC data sources:

.. image:: /src/images/windows-forwarder-image17.png

Choose a data source and click **OK**.

.. image:: /src/images/windows-forwarder-image18.png

The system attempts to connect to the database to retrieve information about its tables and views, which is displayed on the following screen in the leftmost window.

.. image:: /src/images/windows-forwarder-image19.png

You can expand tables and views to see the database architecture. The tree structure will depend on the database layout and schemas (when applicable).
Clicking on a table or view displays all the fields and their types:

.. image:: /src/images/windows-forwarder-image20.png

The SQL statement should be typed in the third window. Clicking **Run** triggers an execution of the statement and displays the result of the query.

There are three options for executing the SQL query:

1) every "xxx" seconds, as defined on the configuration screen above
2) only once (which may be used to import a large amount of data)
3) based on a schedule that can be configured by pressing the "Schedule" button

The first screen allows you to choose the schedule mode:

.. image:: /src/images/windows-forwarder-image21-a.png

When using a daily schedule, the query is executed starting at the date and time selected, and repeated at the same time every *n* days, based on the configuration:

.. image:: /src/images/windows-forwarder-image21-b.png

When using a weekly schedule, the query executes on the days of the week selected:

.. image:: /src/images/windows-forwarder-image22.png

When using a monthly schedule, you can select months and dates of the month:

.. image:: /src/images/windows-forwarder-image23.png

.. image:: /src/images/windows-forwarder-image24.png

.. rubric:: Modifying the query with a new database connection

You may need to modify the database connection for an existing query after importing the resulting data on a machine different from the one where the query was originally configured. Since the database connection is embedded in the overall query information, a special mode was added to handle this situation:

.. image:: /src/images/windows-forwarder-image25.png

Selecting **Modify database connection** displays a list of available DSNs. These are presented in the same way as if the query were being created from scratch:

.. image:: /src/images/windows-forwarder-image26.png

Once a DSN is selected, the application shifts to a single query view that combines the SQL and scheduling data from the previously existing query with the new database connection:

.. image:: /src/images/windows-forwarder-image27.png

When the modified query is saved, the list of queries reflects the new database information:

.. image:: /src/images/windows-forwarder-image28.png

Registry
...........

A separate service, which runs in tandem with the Forwarder, performs registry monitoring. Registry monitoring can be enabled or disabled, and you can specify which hives should be included.

.. image:: /src/images/windows-forwarder-image29.png

Network
............

The Forwarder can monitor all network connections, providing the same information as the netstat command, including process information. Monitoring is performed based on the configuration and will include TCP and UDP connections depending on the options you select:

.. image:: /src/images/windows-forwarder-image30.png

Windows Services
....................

The Forwarder can monitor the status of any Windows service and report it to the Arbitrator server.

.. image:: /src/images/windows-forwarder-image31.png

For each monitored service, you can specify the following options:

.. image:: /src/images/windows-forwarder-image32.png

.. image:: /src/images/windows-forwarder-image33.png

Forwarder Configuration
.........................

This page allows you to define connection information between the Forwarder and the local Arbitrator server.

.. image:: /src/images/windows-forwarder-image34.png

Although the configuration screen explicitly mentions Arbitrator (Correlation Server), the Forwarder can work with both the Arbitrator and the Dashboard server. The ports depend on which system the Forwarder will be connected to. In the case of Dashboard, it is preferable to send the data in JSON format.

The latest version of the Forwarder can save data directly into the Dashboard server database, if it is configured to communicate directly with the Dashboard server. Even though the configuration dialog mentions Arbitrator (Correlation Server), you can use the Dashboard IP address.
The Forwarder service sends a request to the server upon startup and, upon receiving the type of the server, changes its behavior.

To be able to write data into the Dashboard/Reporting database, the Forwarder needs a locally configured system DSN pointing at the Dashboard/Reporting database. This DSN will be created by the configuration program when it is first launched after the installation.

If the DSN has been configured and tested, a **Connection established** checkbox is selected, and the service will be set to create several "static" tables that will hold performance, eventlog, network, and process data. These tables are created by calling the REST APIs executed by the Dashboard/Reporting server.

Each of these tables will be named following the same pattern, ``__``, for example, ``evtlog_avaya_north building``.

Tables collecting the results of database queries will be named: ``Wbquery\_``

This screen also provides a way to configure traces of the Forwarder service.
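Both the Database Queries section and the Dashboard/Reporting connection above depend on a system DSN that a 32-bit application can see. The following PowerShell script is an added example, not part of the VOSS product or documentation: it compares the 32-bit and 64-bit views of system DSNs and warns about any DSN that exists only in the 64-bit view. It assumes the ``Get-OdbcDsn`` cmdlet from the Windows ``Wdac`` module is available; the ``-ExpectedDsn`` parameter is hypothetical and takes whatever DSN name you configured.

```powershell
# Added example (not VOSS code): compare the 32-bit and 64-bit views of system DSNs.
# A 32-bit process sees only the 32-bit view, which is the view that
# C:\Windows\SysWOW64\odbcad32.exe displays.
param(
    # Hypothetical parameter: name of the DSN to verify; the page does not give one.
    [string]$ExpectedDsn = ''
)

function Get-SystemDsn {
    param([ValidateSet('32-bit', '64-bit')][string]$Platform)
    # System DSNs only, because the Forwarder requires a system DSN.
    Get-OdbcDsn -DsnType System -Platform $Platform -ErrorAction SilentlyContinue
}

# Wrap in @() so an empty result is an empty array rather than $null.
$dsn32 = @(Get-SystemDsn -Platform '32-bit')
$dsn64 = @(Get-SystemDsn -Platform '64-bit')
$names = @(($dsn32 + $dsn64) | ForEach-Object Name | Sort-Object -Unique)

$report = foreach ($name in $names) {
    $d32 = $dsn32 | Where-Object Name -eq $name
    $d64 = $dsn64 | Where-Object Name -eq $name
    [pscustomobject]@{
        Name           = $name
        Driver32       = $d32.DriverName
        Driver64       = $d64.DriverName
        VisibleTo32Bit = [bool]$d32
    }
}
$report | Format-Table -AutoSize

# A DSN defined only in the 64-bit view cannot be opened by a 32-bit process.
$report | Where-Object { -not $_.VisibleTo32Bit } | ForEach-Object {
    Write-Warning "System DSN '$($_.Name)' exists only in the 64-bit view."
}

# Optional check for one specific DSN name.
if ($ExpectedDsn) {
    $hit = $report | Where-Object { $_.Name -eq $ExpectedDsn -and $_.VisibleTo32Bit }
    if (-not $hit) {
        Write-Warning "System DSN '$ExpectedDsn' is not available to 32-bit applications."
    }
}
```

User DSNs are deliberately excluded, since they belong to the logged-on user's profile rather than to the machine.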