The Sender configuration within a group assigns a syslog target to all clients in that group. This determines where EventLogAgent clients in the group forward their collected Windows Event Log and file audit data. Each group can be assigned one target, and all clients in the group forward their events to that target.
Understanding sender configuration:
Targets are created and managed centrally in the Targets section of EventLogCentral. The Sender configuration within a group simply assigns one of those pre-configured targets to the group. If no sender is assigned to a group, clients in that group use their default local configuration for forwarding.
Changes to a group’s sender assignment are applied to all clients in the group immediately; clients receive the updated forwarding configuration on their next heartbeat cycle.
Accessing sender configuration for a group:
- In the left navigation menu, click Groups
- Locate the group you want to configure
- Click the ⋮ menu next to the group
- Select Sender
Assigning a target to a group:
- From the Sender configuration screen, select a configured target from the dropdown list
- Click Update
All clients in the group will begin forwarding events to the selected target on their next heartbeat cycle (default: 5 minutes). Use Force Configuration Sync on individual clients from the Clients page if the change needs to be applied immediately.
Changing a group’s sender assignment:
To change the forwarding target for a group:
- Navigate to the group’s Sender configuration
- Select the new target from the dropdown list
- Click Update
Changing a sender assignment redirects all future event forwarding from the group to the new target. Events already forwarded to the previous target are not affected.
Groups without a sender assigned:
If no sender is assigned to a group, clients in that group use their default local forwarding configuration. This may result in events being forwarded to an unintended destination or not forwarded at all, depending on the agent’s local configuration.
It is recommended to assign an explicit sender to every group to ensure consistent and predictable event forwarding across all clients.
Verifying sender configuration:
After assigning a sender to a group, verify that clients are forwarding events to the correct target:
- Navigate to Clients in the left navigation menu
- Select a client in the group
- Click View Effective Configuration
- Confirm the configured target matches the sender assigned to the group
- In the LT Auditor MP Web UI, navigate to View and confirm events from clients in the group are appearing under the correct environment and category
Best practices:
- Assign an explicit sender to every group; do not rely on default local agent configuration for forwarding in production environments
- Use Force Configuration Sync on clients after changing a sender assignment if the change needs to take effect immediately rather than waiting for the next heartbeat
- Create a dedicated LT Auditor MP target in the Targets section and assign it as the sender for all groups that should forward to LT Auditor MP
- Verify event forwarding in the LT Auditor MP View module after any sender assignment change to confirm events are arriving at the correct destination
- If different groups need to forward to different destinations (for example, Domain Controllers to LT Auditor MP and workstations to a separate SIEM), create separate targets for each destination and assign them to the relevant groups
[Your administrator should document the sender assignment for each group and review it whenever targets are added, modified, or removed to ensure all groups are forwarding to the correct destination.]