I found this configuration option in the agent menu, but I can't make it work properly. In theory this reads logs directly from the .evt file, not from the Windows eventing API, but I get this message in debug mode:
<131>1 febr. 18 14:43:43 10.35.176.155 McAfeeEventCollector: ERROR 1 GetData Failed to load bookmark: Could not find a part of the path 'C:\Windows\System32\winevt\Logs'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.Directory.InternalGetFileDirectoryNames(String path, String userPathOriginal, String searchPattern, Boolean includeFiles, Boolean includeDirs, SearchOption searchOption)
at System.IO.Directory.GetFiles(String path, String searchPattern, SearchOption searchOption)
at McAfee.EventCollector.WindowsEVTPlugin.Plugin.GetData(Nullable`1& eventData)
I'm using domain admin credentials. Thank you,
What do you mean? It's a Windows data source. The problem is, I need to monitor a specific RDP session event that is logged to this specific .evt file. This message is not included in the Security, System or Application logs.
I tried local admin, same error. As a test I copied the event file to another directory - everything works fine.
Event files are locked by a process.
You can copy them, then take the logs (((
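The copy-then-read workaround from the last two replies, as an added PowerShell example (not from the thread or from McAfee); the log file name, event ID 21 and the staging folder are assumptions for the RDP session case and should be replaced with the log you actually need:

```powershell
# Added example, not code from the thread or from the McAfee collector:
# copy the locked .evtx out of winevt\Logs and query the copy instead.
function Get-EventsFromLogCopy {
    param(
        # Assumed: the RDP session log; event 21 is "Session logon succeeded"
        [string]$LogFile = 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx',
        [int]$EventId    = 21,
        [string]$Dest    = 'C:\EventCopies'   # assumed staging folder
    )
    $src = Join-Path "$env:SystemRoot\System32\winevt\Logs" $LogFile
    if (-not (Test-Path -LiteralPath $src)) {
        throw "Log file not found: $src (check the name, and that this runs on the host that owns the log)"
    }
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null

    # Timestamped copy so repeated runs do not overwrite each other
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $copy  = Join-Path $Dest ("{0}-{1}" -f $stamp, $LogFile)

    # The live file is held open by the Event Log service, so parsing it in place
    # fails, but a plain file copy succeeds (as the thread reports).
    Copy-Item -LiteralPath $src -Destination $copy
    if ((Get-Item -LiteralPath $copy).Length -eq 0) {
        throw "Copy of $LogFile is empty"
    }

    # Query the copy through the normal Get-WinEvent API; a copy with no
    # matching events is not an error here, so suppress that message
    Get-WinEvent -FilterHashtable @{ Path = $copy; Id = $EventId } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-EventsFromLogCopy | Format-Table -AutoSize
```

If copying the live file is undesirable, `wevtutil epl <channel> <file>` exports the same channel through the event log API into a fresh .evtx that Get-WinEvent can read the same way.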