User guide
24
<!-- Each WMI-host block specifies a Windows system to be monitored.
It is no longer possible to specify username/password in this host
specification - run ./wmi_config_credentials to add/modify hosts and
manage host credentials. Run ./wmi_config_credentials -h for help. -->
<!-- WMI-host -->
<!-- address>192.168.0.2</address -->
<!-- domain>HEADQUARTERS</domain -->
<!-- The "monitor" option below is used to specify which Win32_NTLogEvent
log files will be tracked. If "All" is specified, the WMI agent will
automatically query the host to determine which files are available,
and those files will be tracked. -->
<!-- monitor>All</monitor -->
<!-- monitor>System</monitor -->
<!-- monitor>Windows Powershell</monitor -->
<!-- monitor>Application</monitor -->
<!-- monitor>Security</monitor -->
<!-- /WMI-host -->
<WMI-host>
<address>192.168.1.65</address>
<monitor>All</monitor>
</WMI-host>
<WMI-host>
<address>192.168.1.67</address>
<monitor>All</monitor>
</WMI-host>
<WMI-host>
<address>192.168.1.70</address>
<monitor>All</monitor>
</WMI-host>
<WMI-host>
<address>192.168.1.71</address>
<monitor>All</monitor>
</WMI-host>
<WMI-host>
<address>192.168.1.72</address>
<monitor>All</monitor>
</WMI-host>
<WMI-host>
<address>192.168.1.75</address>
<monitor>All</monitor>
</WMI-host>
<!-- In addition to the Log Correlation Engine, events downloaded from the
security device can also be forwarded to one or more syslog servers.
The syslog-server keyword defines the address at which each is located. -->
<!-- syslog-server>192.168.1.20</syslog-server -->
<!-- syslog-server>192.168.1.21</syslog-server -->
<!-- When the following line is uncommented, extra debugging information
is logged. This option should be enabled only temporarily, as it may
cause the application log file to grow extremely large. Debug mode
can be toggled during runtime by sending the SIGUSR1 signal to the
lce_wmid process. -->
<!-- debug>1</debug -->