Dell PowerStore 1200T Using the Common Event Enabler 8.x on Windows Platforms - Page 49

Managing Indexing

The Index sub-facility of CEPA is a mechanism for delivering bulk events in asynchronous mode to partner applications. The

delivery cadence is based on either a time period or a number of events. You can use this Index facility to deliver bulk events to

Splunk Enterprise or Splunk Cloud.

Topics:

•

Set up access for Splunk

Set up access for Splunk

About this task

Use the Index facility to deliver events to Splunk Enterprise or Splunk Cloud by performing the following steps.

You must add Index entries to the Microsoft Windows Registry.

NOTE:

Any time you modify the CEE section of the Registry, except for Verbose and Debug, you need to restart the EMC

CAVA service.

Steps

1.

Open a command window on the machine where CEE and the Index application are installed and type

regedit

.

2.

On the Windows Registry Editor window, navigate to:

HKEY_LOCAL_MACHINE

>

SOFTWARE

>

EMC

>

CEE

>

CEPP

>

Index

>

Configuration

a.

Double-click

Enabled

. Specify

1

to enable Index, or

0

to disable it.

b.

Double-click

Endpoint

and specify the host and port, or hosts and ports, of the instances where the Splunk consumer

application is installed, in the following format:

SplunkHEC@https://<host>:<port>

where

<host>

is the URI, IP address, or FQDN of Splunk Enterprise or Splunk Cloud. For example,

SplunkHEC@https://10.1.2.1:8088

.

When setting multiple entries, you must use a ; (semicolon) to separate the individual entries. For example,

SplunkHEC@https://10.3.4.20:8088;SplunkHEC@https://10.3.4.40:8088

.

c.

(Optional)

FeedInterval

specifies how often, in seconds, information is sent from the Index application to the Splunk

consumer application. The default is 60 seconds. The range is from 60 seconds to 600 seconds. Update this value only if

necessary.

d.

(Optional)

MaxEventsPerFeed

specifies how many events are accumulated before information is sent from the Index

application to the Splunk consumer application. The default is 100 events. The range is from 10 events to 10,000 events.

Update this value only if necessary.

3.

Navigate to

HKEY_LOCAL_MACHINE

>

SOFTWARE

>

EMC

>

CEE

>

CEPP

>

Index

>

Configuration

>

SplunkHEC

.

a.

Add a value for

Index

, which is a user-defined name for the index being used on Splunk Enterprise or Splunk Cloud. Only

one index value is allowed.

b.

Under

SplunkHEC

, create a key for the

Host server

using the URI, FQDN, or IP address of the instance (used as

<host>

in the EndPoint above) where the Splunk consumer application is installed.

c.

Under that key, create a REG_SZ value called

Token

. Copy the token value that is defined in the HTTP Event Collector

in Splunk Enterprise or Splunk Cloud to here.

NOTE:

To use multiple instances of the Splunk consumer application, you must create multiple sub keys under

SplunkHEC in the registry - one for each location - and specify a token for each instance.

4.

Restart the EMC CAVA service by using the Windows Service Control Manager.

9

Managing Indexing

49

Section	Page
Dell CEE Using the Common Event Enabler on Windows Platforms	1
Contents	3
Preface	7
Introduction	8
About CEE	8
System requirements	9
AntiVirus partners	9
Support for third-party applications	10
Restrictions	10
Related information	11
Installing Third-Party Application Antivirus Engines	12
Installation overview	12
Computer Associates eTrust	13
F-Secure AntiVirus	14
Kaspersky Anti-Virus	15
McAfee VirusScan	18
McAfee Endpoint Security Threat Prevention	19
Microsoft Forefront Endpoint Protection 2010	19
Microsoft System Center 2012 Endpoint Protection	20
Sophos Anti-Virus	20
Symantec Endpoint Protection	22
Set Symantec Endpoint Protection options	22
Set Windows Service Control Manager options	23
Symantec Protection Engine	23
Setting exclusions	23
Setting container handling policies	24
Modifying LimitChoiceStop settings	24
Trend Micro ServerProtect	24
Install Trend Micro ServerProtect	25
Installing the Common Event Enabler Framework	27
Install CEE	27
Verifying the CEE installation package	28
Complete the CEE installation for Windows Server	28
Uninstall CEE	29
Configuring the Domain User Account	30
Domain user account overview	30
Determine the interface name on the Data Mover	31
Create a domain user account	32
Create with Active Directory on a Windows Server	32
Create from User Manager for Domains	32
Create a local group on each Data Mover or NAS server	33
Assign the EMC virus-checking right to the group	33
Assign local administrative rights to the AV user	34
Managing CAVA	36
(Optional) Install EMC Unity/VNX/VNXe NAS Management snap-in	36
Display virus-checking information	36
Audit virus-checking information	37
Start, stop, and restart CAVA	38
Perform a full file system scan	38
Verify the status of a file system scan	39
Stop a file system scan	39
Enable scan-on-first-read	39
Update virus definition files	40
Turn off the AV engine	40
Turn on the AV engine	40
Manage CAVA thread usage	41
Adjust the maxVCThreads parameter	41
View the application log file from a Windows Server	42
Enable automatic virus detection notification	42
Customize virus-checking notification	42
Customize notification messages	43
Managing the Registry and AV Drivers	45
EMC CAVA configuration Registry entries	45
EMC AV driver Registry entry	45
Manage the EMC AV driver	45
Managing VCAPS	47
Set up access	47
Managing CEE for RabbitMQ	48
Set up CEE for RabbitMQ	48
Managing Indexing	49
Set up access for Splunk	49
Monitoring and Sizing the Antivirus Agent	51
Install the CAVA Calculator	51
Start the CAVA Calculator	52
Uninstall the CAVA Calculator	52
Configure the sizing tool	52
Enable the sizing tool	53
Manually compile the cava.mof file	53
Create the cavamon.dat file	53
Start the sizing tool	54
Size the antivirus agent	54
(Optional) Gather AV statistics with cavamon.vbs	54
Third-Party Consumer Applications	55
Overview	55
Set up consumer application access	55
Troubleshooting	57
Dell E-Lab Interoperability Navigator	57
Error messages	57
Known problems	57
Training and Professional Services	58
Unity and VNX CAVA Information	59
CAVA concepts	59
CAVA restrictions and limitations	59
CAVA and Data Mover or NAS server	60
User interface choices	60
CAVA features	60
Load balancing and fault tolerance	61
Updating virus definition files	61
Scan-on-first-read	61
Scan on write	61
Scanning after definition file update (manual process)	61
Virus-checking continuation	61
CAVA sizing tool	62
CAVA Calculator	63
Virus-checking client	63
Configuring viruschecker.conf	64
Create and edit viruschecker.conf	64
Define AV machine IP addresses in viruschecker.conf	65
Send viruschecker.conf to the Data Mover	65
(Optional) Define VC scanning criteria	66
viruschecker.conf parameters	66
Managing the VC Client	70
Start the VC client	70
Stop the VC client	71
Update the viruschecker.conf file	71
Verify the installation	72
Unity and VNX CEPA Information	73
CEPA concepts	73
CEPA restrictions and limitations	73
Overview of the cepp.conf file	74
Create the cepp.conf file	75
Edit the cepp.conf file	78
Assign rights in Windows Server	78
Assign rights for third-party applications	79
Start the CEPA facility	79
Verify the CEPA status	79
Stop the CEPA facility	80
Display the CEPA facility properties	80
Display the CEPA facility statistics	81
Display detailed information for a CEPA pool	81
Index	82
A	82
B	82
C	82
D	82
E	82
F	82
H	83
I	83
K	83
L	83
M	83
N	83
P	83
R	83
S	83
T	84
U	84
V	84

Dell PowerStore 1200T Using the Common Event Enabler 8.x on Windows Platforms - Page 49

Managing Indexing, Set up access for Splunk

Page 49 highlights