Forum Discussion
Cole_McDonald
6 years ago
Professor
This could be run as a data source using Powershell to grab and parse new events from a documented starting index/time. I don't have time to write it just now as I'm still implementing our environment and getting it tuned up... but here's some quick pseudo code for it:
DataSource every 3 minutes:
- read state file (txt on collector - named by resource ID or name)
- - last line is time stamp + last event index number retrieved
- get-eventlog from recovered index forward (filter this on the host side)
- filter by Event ID on the collector (in the script)
- return the appropriate data to LM
- write last sampled event index to the state file
lather, rinse, repeat...
The dataSource gives you the ability to schedule a script; appliesTo a collector for the environment you're targeting allows you to access that Powershell remote environment, and it has a \\Collector\C$\Temp you can write to for the state files.
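One way to turn the pseudo code above into a script, as an added example that is not the poster's code or LogicMonitor's. It assumes Windows PowerShell on the collector (Get-EventLog), that LogicMonitor substitutes the `##SYSTEM.HOSTNAME##` token, and that the DataSource reads key=value lines from the script output; the parameter names, sample Event IDs, state-file name and datapoint names are hypothetical.

```powershell
# Added example, not the poster's code. Parameter names and defaults are hypothetical.
param(
    [string]$HostName = '##SYSTEM.HOSTNAME##',  # assumption: LogicMonitor replaces this token
    [string]$LogName  = 'System',
    [int[]] $EventIds = @(6008, 7034),          # constructed sample Event IDs
    [string]$StateDir = 'C:\Temp'               # collector-local side of \\Collector\C$\Temp
)
# State file named by resource; strip anything that is not safe in a file name.
$safeName  = $HostName -replace '[^A-Za-z0-9._-]', '_'
$stateFile = Join-Path $StateDir "eventstate-$safeName-$LogName.txt"

# Defaults for the first run: look back one polling interval.
$lastTime  = (Get-Date).AddMinutes(-3)
$lastIndex = -1
if (Test-Path $stateFile) {
    # Last line is "<round-trip timestamp>|<index>"; ignore it unless it matches strictly.
    $last = Get-Content $stateFile -Tail 1
    if ($last -match '^(?<t>[0-9T:.+\-Z]+)\|(?<i>\d+)$') {
        $lastTime  = [datetime]::Parse($Matches['t'], [cultureinfo]::InvariantCulture, 'RoundtripKind')
        $lastIndex = [int]$Matches['i']
    }
}

# Host-side filter by time, with 1 s of overlap because several events can share a second.
try {
    $events = @(Get-EventLog -LogName $LogName -ComputerName $HostName `
                -After $lastTime.AddSeconds(-1) -ErrorAction Stop)
} catch {
    # Assumption: an empty result can surface as "No matches found"; anything else is real.
    if ($_.Exception.Message -notmatch 'No matches found') { throw }
    $events = @()
}

# Drop what was already sampled. The time test keeps events written after a log clear,
# when Index restarts below the saved value.
$new = @($events | Where-Object { $_.Index -gt $lastIndex -or $_.TimeGenerated -gt $lastTime })

# Collector-side filter by Event ID.
$hits = @($new | Where-Object { $EventIds -contains $_.EventID })

# Return data to LM as key=value lines (datapoint names are hypothetical).
"MatchedEvents=$($hits.Count)"
foreach ($id in $EventIds) { "EventId_$id=$(@($hits | Where-Object EventID -eq $id).Count)" }

# Persist the newest sampled event, matched or not, so the next poll starts after it.
if ($new.Count -gt 0) {
    $newest = $new | Sort-Object TimeGenerated, Index | Select-Object -Last 1
    Add-Content -Path $stateFile -Value ('{0:o}|{1}' -f $newest.TimeGenerated, $newest.Index)
}
```

The state file is appended to on every poll that sees new events, so it needs occasional truncation, and the directory holding it should be writable only by the collector service account since its last line controls where sampling resumes.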