EventLogCentral is a management platform rather than a monitoring interface; day-to-day monitoring of collected events happens in LT Auditor MP. Day-to-day administration in EventLogCentral focuses on keeping agents healthy, configurations current, and forwarding targets active. This article covers the routine tasks administrators should perform regularly to keep EventLogCentral running smoothly.
Checking agent status:
The Clients page is the primary health dashboard for EventLogCentral. Check it regularly to confirm all expected agents are online and reporting.
- Navigate to Clients in the left navigation menu
- Review the Status column for each client:
  - Online: the agent is running and checking in normally
  - Offline: the agent has not checked in recently
- Review the Last Heartbeat column to identify agents that have not reported recently even if they show as Online
- Use the search bar to filter by group name or machine name when managing large environments
If any agent shows as Offline:
- Confirm the EventLogAgent service is running on that machine:

      sc query LTA_EventLogAgent

- Confirm network connectivity between the agent and the EventLogCentral server
- Review the agent logs for errors:

      C:\Program Files\Blue Lance 2-0\LTA_EventLogAgent\logs
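The three checks above can be combined into one PowerShell triage script run on the affected machine. This is an added example, not Blue Lance tooling; the server name, port, `*.log` file filter and error keywords are assumptions to replace with values from your environment.

```powershell
# Added example: triage for an agent shown as Offline. Run on the agent machine.
# Assumptions (not from the product documentation): server name and port are
# placeholders; agent logs are assumed to be text files matching *.log.
param(
    [string]$CentralServer = 'eventlogcentral.example.internal',  # placeholder
    [int]$CentralPort      = 443,                                  # placeholder
    [string]$LogDir        = 'C:\Program Files\Blue Lance 2-0\LTA_EventLogAgent\logs',
    [int]$LookbackHours    = 24
)

$findings = [ordered]@{}
$hits     = @()

# 1. Service state (same check as: sc query LTA_EventLogAgent)
$svc = Get-Service -Name 'LTA_EventLogAgent' -ErrorAction SilentlyContinue
$findings.Service = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }

# 2. TCP reachability from this agent to the EventLogCentral server
$tcp = Test-NetConnection -ComputerName $CentralServer -Port $CentralPort `
    -WarningAction SilentlyContinue
$findings.ServerReachable = $tcp.TcpTestSucceeded

# 3. Error lines in agent log files written during the lookback window
if (Test-Path -LiteralPath $LogDir) {
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $recent = @(Get-ChildItem -LiteralPath $LogDir -Filter '*.log' -File |
        Where-Object { $_.LastWriteTime -ge $since })
    # Zero recent files means the agent has stopped logging, which is a finding too
    $findings.RecentLogFiles = $recent.Count
    $hits = @($recent |
        Select-String -Pattern 'error|exception|fail' |
        Select-Object -Last 20)
    $findings.ErrorLines = $hits.Count
} else {
    $findings.RecentLogFiles = 'LogDirMissing'
}

# Summary first, then the matching log lines for the ticket or change record
[pscustomobject]$findings | Format-List
$hits | ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line.Trim() }
```

A Running service with `ServerReachable` False points to the network path; a Stopped service with recent error lines points to the agent itself.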
Verifying effective configuration:
After making configuration changes to a group, verify that the correct configuration has been applied to individual clients:
- Navigate to Clients
- Click on the client name
- Click View Effective Configuration
- Confirm the following are correctly reflected:
  - Applied audit policies
  - Event log collection settings
  - File audit rules
  - Assigned forwarding target
Forcing a configuration sync:
Agents retrieve configuration updates from EventLogCentral on their next heartbeat cycle (default: every 5 minutes). If a configuration change needs to be applied immediately:
- Navigate to Clients
- Locate the relevant client
- Click the ⋮ menu
- Select Force Configuration Sync
The agent will retrieve and apply the latest configuration immediately rather than waiting for the next scheduled heartbeat.
Reassigning a client to a different group:
If a machine’s role changes and it needs to be moved to a different group:
- Navigate to Clients
- Locate the client to reassign
- Click the ⋮ menu
- Select Reassign Group
- Select the new group from the available list
- Confirm the reassignment
The client will receive the new group’s configuration, including audit policies, event log settings, file audit rules, and sender assignment, on its next heartbeat cycle.
Testing target connectivity:
Periodically confirm that all configured syslog targets are reachable to ensure event forwarding is not silently failing:
- Navigate to Targets
- For each configured target, click the ⋮ menu
- Select Test Connection
- Review the test result and confirm the target is reachable
- If a target test fails:
  - Confirm the syslog server is running and accepting connections
  - Confirm no firewall is blocking outbound traffic on the configured port
  - Confirm the server address and port are correct in the target configuration
Reviewing configuration change history:
EventLogCentral maintains an audit log of configuration changes made to each client. Use this to review what changes have been made and when:
- Navigate to Clients
- Click the ⋮ menu next to the relevant client
- Select View Audit Log
- Review the history of configuration changes with timestamps
Routine administration checklist:
| Frequency | Task |
| --- | --- |
| Daily | Check the Clients page: confirm all expected agents are Online and Last Heartbeat timestamps are current |
| Daily | Review LT Auditor MP View for expected event flow from EventLogCentral sources |
| Weekly | Test connectivity to all configured targets |
| Weekly | Review any clients that have been Offline and investigate if unresolved |
| Monthly | Review group configurations: confirm audit policies, event log settings, and file audit rules are still appropriate |
| Monthly | Review user accounts in Admin: confirm access is appropriate and no stale accounts exist |
| As needed | Force Configuration Sync after urgent policy changes |
| As needed | Reassign clients to correct groups after machine role changes |
[Your administrator should assign ownership of routine administration tasks to specific team members and document the results of regular checks so the administration history is auditable.]