
3.3. Forwarder Analysis

In Supercharger, Forwarders are the computers sending (or should be sending) events to a Windows Event Collector as part of a subscription. In WEC, forwarders are referred to as “source computers”.

The most complex aspect of Windows Event Collection is ensuring that all computers that should be sending events are really doing so. Many things can go wrong and result in events not being forwarded:

  • Group policy
  • Group membership
  • WinRM status on forwarders
  • Security log permissions on forwarders
  • WinRM status on collectors
  • WEC service status on collectors
  • DNS
  • Domain controller replication
  • Network
  • Kerberos tickets
  • Forwarder’s power status and physical location

This creates security, compliance and operational risks and drives up the care and feeding costs of Windows Event Collection. To help you eliminate these risks and efficiently manage WEC we’ve put a lot of work into forwarder analysis which is the foundation of WEC health monitoring in Supercharger.

Forwarder Analysis compares the current status of each source computer reported by WEC to what we expect based on the

  • relevant Subscription Policy
  • computer’s status in Active Directory
  • groups included/excluded on the subscription

Supercharger determines how many computers should actively be sending events and uses that number to compute the percentage of “healthy” forwarders. If that percentage is lower than the minimum defined in the relevant Subscription Policy, the subscription is classified as unhealthy; this is reflected in the subscription’s status color on the dashboard and rolled up into the Collector’s and Domain’s health status as well. Optionally, Supercharger can alert you via events logged on the manager or by email.

Supercharger provides 3 different ways to analyze forwarders, selected by the Health Assessment Basis. For the most value and greatest accuracy we usually recommend Deterministic, but your situation may require one of the alternatives.

Deterministic

Expected Forwarder Quantity

Supercharger queries AD and enumerates each computer or computer account in the groups included/excluded on the subscription (or a subset of them using an LDAP filter).

Supercharger considers the computer’s account status and LastLogonTimeStamp to identify dormant or disabled computers which do not count.

When to Use

You use AD groups or individual computers included/excluded on the subscription’s Allowed Forwarders to define which computers should be sending events to this subscription. This is the recommended approach since it provides a quantitative way to control and measure Windows Event Collection.

Do not use this method if

  • This subscription has forwarders from other domains
  • You use group policy objects instead of group membership to control which computers should be sending events to this subscription. Deterministic health analysis will not work in this case, since it will list all the other computers in the group as problem forwarders. See “When to Use” under Empirical.
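
The Deterministic basis described above enumerates the included/excluded groups in AD and discounts dormant or disabled computers. The following PowerShell is an added example, not Supercharger’s own code, that approximates that enumeration with the ActiveDirectory (RSAT) module. The group names, the Days Till Dormant value and the optional LDAP clause are illustrative assumptions; the matching rule OID used to walk nested group membership is a standard AD feature.

```powershell
# Added example (not Supercharger code): approximate the Deterministic
# "expected forwarder" enumeration with the ActiveDirectory module.
# Requires RSAT and a domain-joined session; group names are assumed.
Import-Module ActiveDirectory

function Get-ExpectedForwarders {
    param(
        [Parameter(Mandatory)][string[]]$IncludedGroups,  # Allowed Forwarders: included groups
        [string[]]$ExcludedGroups = @(),                  # Allowed Forwarders: excluded groups
        [int]$DaysTillDormant = 30,                       # Subscription Policy "Days Till Dormant" (assumed value)
        [string]$LdapFilter = ''                          # optional extra LDAP clause, e.g. '(operatingSystem=Windows 1*)'
    )

    # Resolve the computers that are transitive members of a group in one LDAP query.
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) expands nested groups server-side.
    # Assumes the group DN contains no characters that need LDAP filter escaping.
    function Get-GroupComputers([string]$GroupName) {
        $groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
        Get-ADComputer -LDAPFilter "(&(memberOf:1.2.840.113556.1.4.1941:=$groupDn)$LdapFilter)" `
                       -Properties lastLogonTimestamp
    }

    # Included members minus excluded members, keyed by DN so duplicates collapse.
    $candidates = @{}
    foreach ($g in $IncludedGroups) {
        foreach ($c in Get-GroupComputers $g) { $candidates[$c.DistinguishedName] = $c }
    }
    foreach ($g in $ExcludedGroups) {
        foreach ($c in Get-GroupComputers $g) { $candidates.Remove($c.DistinguishedName) }
    }

    $cutoff = (Get-Date).AddDays(-$DaysTillDormant)
    foreach ($c in $candidates.Values) {
        # lastLogonTimestamp is a FILETIME that DCs replicate only every 9-14 days,
        # so a "recent" logon must be judged with that slack in mind.
        $lastLogon = if ($c.lastLogonTimestamp) { [DateTime]::FromFileTime($c.lastLogonTimestamp) } else { $null }
        $adStatus =
            if (-not $c.Enabled)                                 { 'Disabled' }
            elseif (-not $lastLogon -or $lastLogon -lt $cutoff)  { 'Dormant' }
            else                                                 { 'Active' }
        [pscustomobject]@{
            Computer  = $c.DNSHostName
            AdStatus  = $adStatus
            LastLogon = $lastLogon
            Expected  = ($adStatus -eq 'Active')   # only Active computers count toward the expected quantity
        }
    }
}

# Usage: the Expected Forwarder Quantity is the number of rows marked Expected.
$forwarders    = Get-ExpectedForwarders -IncludedGroups 'WEC-Workstations' -ExcludedGroups 'WEC-Exempt' -DaysTillDormant 30
$expectedCount = @($forwarders | Where-Object Expected).Count
"{0} computers expected to forward; {1} dormant or disabled computers ignored" -f $expectedCount, ($forwarders.Count - $expectedCount)
```

Running this beside the subscription’s Current Forwarders tab is a quick way to check whether a Problem forwarder is really missing or has simply gone dormant in AD and should drop out of the expected count.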

Empirical

Expected Forwarder Quantity

Supercharger queries WEC for all the computers which have ever targeted the subscription as a source, and counts those computers that are reasonably expected to still be sending events:

  • For any WEC sources that are not active sending events, Supercharger queries AD for the computer’s account status and LastLogonTimeStamp. Dormant, disabled or missing computers are factored out.
  • If the Subscription Policy has “Prune WEC Sources” enabled, Supercharger also factors out any WEC sources whose last heartbeat is too old.

Supercharger ignores the AD groups included/excluded on the subscription.

When to Use

You don’t want to base expected forwarders on the AD groups included/excluded on the subscription.

You use group policy to control which computers forward events to this collector. We don’t recommend this approach, but we’ve seen implementations where Domain Computers is added as an included group on a subscription but only a subset of computers is configured via Group Policy with this Collector as the “target subscription manager”.

This subscription has forwarders from other domains.


Arbitrary

Expected Forwarder Quantity

An arbitrary number you specify

When to Use

For smaller subscriptions where you know the exact number of computers that should be sending events.

For large subscriptions managed on a “best effort” basis where you know roughly how many source computers exist and just want to know if active forwarders fall significantly below that number.

The number of forwarders is stable or you are willing to update it as necessary.

This subscription has forwarders from other domains.


Supercharger performs all of this in the ForwarderAnalysisCommand, which each controller (agent) runs by default every 15 minutes. (If you want to get an update without waiting, you can submit a ForwarderAnalysisCommand on demand from the Collector viewer dialog.)

Forwarder analysis determines up to 3 different statuses for each forwarder explained below. You can view Forwarder status on the Current Forwarders tab of a subscription’s viewer dialog.

Health Status

Supercharger’s own assessment, taking into account the forwarder’s status in WEC and Active Directory according to the Health Assessment Basis. This is the determining factor for computing the subscription’s health percentage.

Possible values

  • Healthy – the computer is actively sending events and, if Deterministic, expected based on the included AD groups of that subscription
  • Problem – the computer is expected to be a forwarder but is not reported by WEC as active
  • Ignore – the computer is not expected as a forwarder. The only time an active source in WEC is classified as ignore is on Deterministic subscriptions for a computer which is not expected based on the included/excluded groups.

WEC Status

“Runtime status” as reported by WEC for the source

  • Active – WEC reports the source computer as actively sending events: the source’s last heartbeat is more recent than the subscription’s Heartbeat Interval. (For workstations that are shut down outside of working hours, the Ignore No Heartbeat (Hrs) option has to be set so that they are not considered inactive.)
  • Inactive – WEC reports the source computer as not sending events: the last heartbeat is older than the subscription’s Heartbeat Interval. See the Last Heartbeat column on the Current Forwarders tab of the subscription.
  • Absent or None – This is not a status reported by WEC. Supercharger reports this status for expected forwarders that WEC has no record of ever being a source.
  • WecDisabled – The source is disabled in WEC. Only configurable by script or API.
  • Trying – This is only reported by WEC on collector initiated subscriptions.

AD Status

Status of the computer’s account and LastLogonTimeStamp in Active Directory.

  • Active or Enabled – The computer is found in Active Directory, account is enabled and computer has recently authenticated to AD.
  • NotFound – No computer account is found in Active Directory.
  • Dormant – The computer’s LastLogonTimeStamp is null or older than Subscription Policy’s “Days Till Dormant” setting.
  • Disabled – The computer account was found in AD but it is disabled.
  • NonDomain – The computer is not in the collector’s domain. This probably refers to a DNS name added to the subscription’s “Non-domain computers”.
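
The three statuses above combine into a per-forwarder Health Status and then into the subscription’s health percentage. The PowerShell below is an added example, not Supercharger’s code, that reads the per-source block of `wecutil gr <subscription>` (the layout is assumed from that command’s text output; the sample is constructed), takes AD statuses from a constructed table (in practice they would come from a Get-ADComputer lookup), and applies the Healthy/Problem/Ignore rules for both the Deterministic and the Empirical basis. Host names, the policy minimum and the 90% threshold are assumptions.

```powershell
# Added example, not Supercharger's own code. Field names follow the text
# layout of `wecutil gr`; the sample output and AD statuses are constructed.

function ConvertFrom-WecutilRuntime {
    param([Parameter(Mandatory)][string]$Text)
    $sources = @{}; $current = $null; $inSources = $false
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -eq 'EventSources:') { $inSources = $true; continue }
        if (-not $inSources) { continue }                     # skip the subscription-level header
        if ($line -notmatch ':') {                            # a bare line is a source computer name
            $current = $line
            $sources[$current] = [ordered]@{ RunTimeStatus = $null; LastHeartbeatTime = $null }
        } elseif ($current -and $line -match '^(RunTimeStatus|LastHeartbeatTime):\s*(.*)$') {
            $sources[$current][$Matches[1]] = $Matches[2]
        }
    }
    return $sources
}

function Get-ForwarderHealth {
    param(
        [hashtable]$WecSources,                               # output of ConvertFrom-WecutilRuntime
        [hashtable]$AdStatus,                                 # host -> Active / Dormant / Disabled / NotFound
        [ValidateSet('Deterministic','Empirical')][string]$Basis,
        [string[]]$ExpectedFromGroups = @(),                  # Deterministic only: hosts in included minus excluded groups
        [int]$MinimumHealthyPercent = 90                      # Subscription Policy minimum (assumed value)
    )
    # Deterministic also evaluates group members WEC has never seen; Empirical only looks at WEC sources.
    $hosts = if ($Basis -eq 'Deterministic') { @($ExpectedFromGroups + @($WecSources.Keys)) | Select-Object -Unique }
             else { @($WecSources.Keys) }
    $rows = foreach ($h in $hosts) {
        $wec = if ($WecSources.ContainsKey($h)) { $WecSources[$h].RunTimeStatus } else { 'Absent' }
        $ad  = if ($AdStatus.ContainsKey($h))   { $AdStatus[$h] } else { 'NotFound' }
        $expected = if ($Basis -eq 'Deterministic') { ($ExpectedFromGroups -contains $h) -and $ad -eq 'Active' }
                    else { $wec -eq 'Active' -or $ad -eq 'Active' }   # inactive + dormant/disabled/missing is factored out
        $health = if (-not $expected) { 'Ignore' } elseif ($wec -eq 'Active') { 'Healthy' } else { 'Problem' }
        [pscustomobject]@{ Computer = $h; WecStatus = $wec; AdStatus = $ad; HealthStatus = $health }
    }
    $healthy = @($rows | Where-Object HealthStatus -eq 'Healthy').Count
    $problem = @($rows | Where-Object HealthStatus -eq 'Problem').Count
    $pct = if (($healthy + $problem) -eq 0) { 100 } else { [math]::Round(100 * $healthy / ($healthy + $problem), 1) }
    [pscustomobject]@{ Forwarders = $rows; HealthyPercent = $pct; Unhealthy = ($pct -lt $MinimumHealthyPercent) }
}

# Constructed sample in the shape of `wecutil gr Workstations` output.
$sampleRuntime = @"
Subscription: Workstations
    RunTimeStatus: Active
    LastError: 0
    EventSources:
        WS01.corp.example
            RunTimeStatus: Active
            LastError: 0
            LastHeartbeatTime: 2024-03-04T09:58:12.000
        WS02.corp.example
            RunTimeStatus: Inactive
            LastError: 0
            LastHeartbeatTime: 2024-02-01T17:04:40.000
        WS03.corp.example
            RunTimeStatus: Active
            LastError: 0
            LastHeartbeatTime: 2024-03-04T09:57:50.000
"@

# Constructed AD statuses following the AD Status rules above.
$adStatus = @{
    'WS01.corp.example' = 'Active'
    'WS02.corp.example' = 'Dormant'   # inactive in WEC and dormant in AD
    'WS03.corp.example' = 'Active'    # active in WEC but not in an included group
    'WS04.corp.example' = 'Active'    # in the group but never seen by WEC
}
$wec      = ConvertFrom-WecutilRuntime -Text $sampleRuntime
$inGroups = 'WS01.corp.example', 'WS02.corp.example', 'WS04.corp.example'

$det = Get-ForwarderHealth -WecSources $wec -AdStatus $adStatus -Basis Deterministic -ExpectedFromGroups $inGroups
$emp = Get-ForwarderHealth -WecSources $wec -AdStatus $adStatus -Basis Empirical
$det.Forwarders | Format-Table
"Deterministic: {0}% (unhealthy={1}); Empirical: {2}% (unhealthy={3})" -f $det.HealthyPercent, $det.Unhealthy, $emp.HealthyPercent, $emp.Unhealthy
```

The sample is built so the two bases disagree: under Deterministic, the computer the groups expect but WEC has never seen shows up as Absent and counts as a Problem, while the active source outside the groups is Ignored; under Empirical, every active WEC source is Healthy and the group membership plays no role. That is exactly the difference to keep in mind when choosing the Health Assessment Basis.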