Event Collector

Hi Gurus,
I have two events in Event Collector scheduled using one of the user IDs. Now that ID is blocked and I need to reschedule the same with my ID. How do I proceed? Please suggest some ways.
Regards,
Harish

Hi, log off from the locked user session and use your ID; the trigger should work. If not, take Basis help to unlock from the previous session and then start as usual.
Good luck.

Similar Messages

  • Implement custom.js in Generic Event Collector

    Sentinel Log Manager 1.2
    Collector: Generic Event Collector
    Hello,
    Sorry for this low-end question, but I'm going crazy. I am trying to
    implement a custom.js to get some data into CustomerVar fields.
    My problem: I start with simple code and implement the file as
    described here http://tinyurl.com/cgvtaab, but when I check my Sentinel Log
    Manager, no additional data was written to the event record. I stripped my
    code down to a really simple example, to exclude errors here:
    Collector.prototype.customInit = function() {
        // protoEvt is the template that every new Event is based on
        this.protoEvt.CustomerVar21 = "test log";
        return true;
    };
    Record.prototype.customPreparse = function(e) {
        return true;
    };
    Record.prototype.customParse = function(e) {
        return true;
    };
    The collector runs in "custom" execution mode.
    Thanks for help
    Michael
    michaelkuerschner

    Hi folks,
    Couple quick things:
    1) You were absolutely correct to put your code in customInit() as you
    originally did - commenters are correct that the init code is only run
    on startup, but in this case what you're doing is modifying the static
    global protoEvt, which is the template on which all subsequent Events
    are based. If you do run through this in the debugger, then what you
    should see is that immediately after the 'curEvt = new
    Event(instance.protoEvt)' line in main.js (which should be at the bottom
    of your assembled Collector), your 'curEvt' global variable should have
    that CustomerVar21 set in it. Further, when you get to the Event.send()
    bit, the Event you are constructing should have that pre-set. You can of
    course look at the protoEvt object in the debugger as well to make sure
    that it actually was modified by your customInit().
    2) I saw that you actually did call out that you set Custom execution
    mode, but you did not mention AFAIK that you did the 'Add Auxiliary
    File' step to upload your edited custom.js into the Collector. Can we
    assume you did that?
    BTW, just a tip on the debugger: read through:
    http://www.novell.com/developer/plug...tor_debug.html
    Note the bit about scrolling to the bottom of your file to find the main
    loop - this is where all the action happens, so put your breakpoints
    there (typically).
    DCorlette

  • Event Collector in SAP BW 7.0?

    Hi All,
    I want to know where I can set up the event collector in SAP BW 7.0. In BI 3.5 we can find it in Tool -> event collector in RSA1, but in BI 7.0 it is not there. Can somebody point me in the right direction?
    thanks in advance,
    ALden

    Thanks, I already use the rsa1old transaction and implemented the event collector. But is there a way in BI 7.0 without going to the old GUI? I mean, is there a new transaction or new link to it?
    thanks
    ALden

  • Network Policy Server Event ID 6272 not being forwarded to Event Collector.

    Hi there
    I have configured an Event Subscription to collect events from 2 DCs that run RADIUS for network switches. It appears the events are being forwarded okay; I am getting the Security events (Logon and Logoff) on the event collector PC. However, I am not getting any of the Network Policy Server security events (specifically Event ID 6272), to centrally audit RADIUS logins to switches.
    The subscription is collector initiated, and I have added Network Service to the Event Log Readers Group. Is there something I am missing in the setup requirements for these events to be forwarded?
    Thank you,
    Kind regards
    Hylton

    Hi Gabriel101,
    Could you offer us more information about your environment, such as which server edition you are using, whether your AD and NPS roles are on the same server, whether your NPS is working properly now, and whether you can receive other security auditing?
    The related KB:
    NPS Local Log File Status
    http://technet.microsoft.com/en-us/library/cc735386(v=ws.10).aspx
    Event ID 6272 — NPS Authentication Status
    http://technet.microsoft.com/en-us/library/cc735388(v=ws.10).aspx
    I’m glad to be of help to you!

  • Event Collector versus process chains

    In a BW upgrade project from BW 3.1 to BI 7, we have all data load processes in BW managed with the old "event collector" feature.
    A very important question: will this old feature continue to manage our data loads in BI 7, or are we obliged to create process chains?
    Thanks in advance
    Andreas

    Hello,
    The event collector will work, but you should migrate all to the process chains.
    Regards,
    Jorge Diogo

  • Difference between process chain and event collector

    What is the difference between a process chain and an event collector? Please also explain the metachain. In what scenarios are they used?
    Many Thanks,

    hi,
    have a look at these help docs
    Process Chain:
    http://help.sap.com/saphelp_nw04/helpdata/en/8f/c08b3baaa59649e10000000a11402f/content.htm
    Event Collector:
    http://help.sap.com/saphelp_bw30b/helpdata/en/c1/6c0538c7cb583ae10000009b38f8cf/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/6e/192756029db54192427cf6853c77a7/content.htm
    Creating an event collector:
    http://help.sap.com/saphelp_bw30b/helpdata/en/45/253d3873130057e10000009b38f842/content.htm
    regards
    sham'm

  • Process chains and event collectors

    Hi All,
    I need help with process chains and event collectors. I joined a new project, and this client is using process chains and event collectors and asked me to work on these areas. I have not worked on this so far, so please send any docs on this area and explain the procedure and technology methods behind this concept. I would really appreciate it if someone could send me the full documentation on this concept, as I couldn't find any docs on it.
    Thanks,
    Ras

    Hi Ras,
    Process chains are a sequence of processes to be performed. They are put together in a chain with the necessary dependencies (process A needs to finish before B can start) and conditions (if A and B are successful then C, else send an email), and then scheduled. They usually revolve around processes related to data loading: load, activate, roll up, compress, etc.
    Please take a look at this links/threads for more info:
    http://help.sap.com/saphelp_nw04/helpdata/en/8f/c08b3baaa59649e10000000a11402f/content.htm
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/8da0cd90-0201-0010-2d9a-abab69f10045
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/19683495-0501-0010-4381-b31db6ece1e9
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/36693695-0501-0010-698a-a015c6aac9e1
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/9936e790-0201-0010-f185-89d0377639db
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/3507aa90-0201-0010-6891-d7df8c4722f7
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/263de690-0201-0010-bc9f-b65b3e7ba11c
    http://help.sap.com/saphelp_nw2004s/helpdata/en/8f/c08b3baaa59649e10000000a11402f/frameset.htm
    There are a lot of threads available in the SDN... go through them... hope it really helps you understand what process chains are and the events included in them.
    Assign points if it helps you.
    Regards,
    Sreedhar

  • Windows Event Collector - Built-in options for load balancing and high availability ?

    Hello,
    I have a working collector. The config is source-initiated and pushed by GPO.
    I would like to deploy a second collector for high availability and load balancing. What are the available options? I have not found any guidance in TechNet articles.
    As a low-cost option, is it fine to simply start using DNS round-robin with a common alias for both servers pushed as a collector name through GPO?
    In my GPO Policy, if I individually declare both servers, events are forwarded twice, once for each server. Indeed it does cover high availability, but not really optimized.
    Thanks for your help.

    Hi,
    >>As a low cost option, is it fine to simply start using DNS round-robin with a common alias for both servers pushed as a collector name through GPO ?
    Based on the description, we can utilize DNS round robin to distribute workloads and increase fault tolerance. By default, DNS uses round robin to rotate the order of RR data returned in query answers where multiple RRs of the same type exist for a queried DNS domain name. This feature provides a simple method for load balancing client use of Web servers and other frequently queried multihomed computers. Besides, by default, DNS will perform round-robin rotation for all RR types.
    Regarding DNS round robin, the following article can be referred to for more information.
    Configuring round robin
    http://technet.microsoft.com/en-us/library/cc787484(v=ws.10).aspx
    Best regards,
    Frank Shen

  • Cisco IPS Events Collector?

    I use CiscoWorks VMS / Security Monitor for my cisco ips sensors. I'm very familiar with the idsalarms utility for exporting event data to an xml file. But I would like to find a solution to pulling the events off the sensors without VMS or idsalarms. Is there another command line utility or standalone software that will connect to the sensors just for saving the events to a file?

    Hi NItesh,
    I'm suggesting deploying another log server
    and configuring a remote log target to that server.
    Alternatively,
    you can configure monitoring log recovery in Monitoring Configuration > System Operations > Log Message Recovery.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/viewer_sys_ops.html#pgfId-1083029

  • Using events in Process chain

    Hi All,
    I have below scenario:
    Now we are using the event collector and a subsequent event in the event collector.
    I am going to convert my loads into a process chain from InfoPackage groups. My problem is that I can use event1 directly in the start of the process chain, but how do I trigger event2 using this chain? I need to trigger event2 once my PC has completed successfully. Event2 will trigger a background job to execute one ABAP program. This ABAP program triggers event1 again if it meets a certain requirement.
    Hope you understood my problem.
    Thanks in advance
    Vani

    Hi,
    If I have understood properly,
    Event1(Start) --> Sequence of PC steps --> ABAP Program Process Type (To trigger Event2)  --> Event2 triggers again Event1( If meets requirement)
    What is your End of the Process Chain if it triggers again Event1?
    Why do you want to trigger events in a cyclic way?
    Regards,
    Suman

  • How do we raise an event into R/3 from a BW info-package ?

    Hi friends,
    Is there a way to raise an event from a BW stand-alone info-package into the R/3 system, without using Event Collector?
    I cannot use the subsequent event option in the package itself since that will raise the event only into BW. I want it into R/3. I can probably raise an event from the package to start a process-chain and then add a step in the PC to run a pgm to raise an event into R/3.
    But I am trying to see if there is a better and simpler way without having to create a extra PC.
    I am on the BW 3.1 system.
    Any suggestions/solutions will be greatly appreciated.
    Thanks
    lz70d71

    Hi, here is what you do. This addition is with respect to the previous reply.
    You need an event from BW to R/3.
    Step 1: Create a custom FM as a copy of BP_EVENT_RAISE and make it RFC-enabled. To make an FM RFC-enabled you just need to tick the radio button in the attributes of the FM.
    Step 2: Create a custom Z program in BW and call the FM z_bp_event_raise created in ECC.
    Step 3: Call that program in the process chain.
    Hope this helps. If you need more, let me know.
    thanks
    syed

  • Trouble viewing events generated by AIM-SSM-10 on SDEE Server

    Hi,
    Is there a tip that can help me view the xml file produced by the sdee-server in a more convenient fashion. See attached file for more details.
    The events are interlaced with html tags.
    thanks,
    Julie

    Julie -
    If you don't want to read XML, then you would need a script that will parse it into something that is readable.
    I would suggest installing the free IPS Manager Express and pulling events from the sensor you want to see into it.
    Then you can browse events in IME or export them in HTML or CSV format.
    Each sensor can send events traffic to up to 5 event collectors (although it will cost some processing power on the sensor to maintain additional sessions).
    - Bob

  • How to verify that an event is triggered

    Hi Experts,
    I am running a BW job that is based on an event (or basically a group of events using the event collector). Sometimes I need to debug it to find out why the job is not triggered, and it is very difficult to find out which event was not there.
    Here is my question:
    Is it possible to see, somewhere in the system, if an event is waiting for a job? Or in other words, if an event has been fired?
    Also, there is one other question: if an event is fired and this event is being collected by an event collector, can we see somewhere if the event collector already got one event and only 2 more are left (suppose the event collector needs 3 events to fire the next-level event that triggers a job)?
    Thank you,
    Praveen

    Hi Sidhartha, Dinesh and Ravi,
    SM37 can give me only those jobs that have either finished, been cancelled or are waiting for an event. The question was how to see those events that are not triggered from the event collector because one of the source events is not there.
    Here is one example: EV3 is triggered by the event collector only if EV1 and EV2 are there. Suppose EV2 did not come; how do I know if EV1 is there without executing any job?
    Thank you,
    Praveen
    Toronto

  • RSA ACE server SYSLOG collector, Parsing help!

    Hi Board.
    I am in a very big hurry for developing a RSA ACE collector script. The
    already released RSA ACE Collector script is file based and the RSA ACE
    server can dump a CSV log report with an interval of an hour as the
    fastest possible interval. This is not at all satisfying for the
    customer which - due to the latest issue with hacking attacks on EMC's
    network both announced in the press and by letter from EMC and to their
    customers - is not at all acceptable. They need to have logic for
    pattern searches and correlation rules that can respond as close to real
    time as possible.
    We have with success and without any troubles or big efforts installed
    the SNARE agent on the RSA ACE Appliance box. We are receiving the
    events from the RSA server correctly (or we are receiving the events as
    unsupported events because the events are not parsed correctly, but all
    the needed information is there) and I have started development of a new
    Collector script based on the Generic Event Collector (Just
    double-clicked on New Collector script in the Ant menu).
    So far I have tried some different approaches. I know that I can totally
    manipulate the events received from the Source because I can
    pre-set values via the protoEvt.map file. Furthermore, I have been able
    to set some other values in the Parse function by using the rec2Evt.map
    and then hardcoding a value to the desired field by using
    rec.-input_record_field-.
    Therefore I am pretty convinced that I am on the right track.
    Now here is my question:
    Based on this copy-pasted s_RXBufferString value (IP addresses and
    host+domain values changed for protecting the customer):
    Code:
    Mar 26 05:48:12 192.168.1.100 hostname[tab]MSWinEventLog[tab]4[tab]Application[tab]14765[tab]Sat Mar 26 10:48:12 2011[tab]1011[tab]ACESERVER6.1[tab]Unknown User[tab]N/A[tab]Information[tab]hostname[tab]Devices[tab][tab][tab]Passcode accepted (Login:'jodo'; User Name:'Doe, John'; Token:'000123456789'; Group:''; Site:''; Agent Host:'remotehost.domain.com'; Server:'serverhost').[tab]14617
    *NB!* Swap out [tab] with the tab delimiter!
    I have tried this approach (this is the entire Parse function):
    Code:
    var ValueArray = this.s_RXBufferString.split("\\t");
    rec.msg = this.s_RXBufferString;
    var SourceInfo = ValueArray[0];
    rec.sun = ValueArray[1];
    //e.InitServiceName = ValueArray[1];
    //rec.Service = ValueArray[1];
    //e.EventTime = ValueArray[5];
    //rec.EvtTime = ValueArray[5];
    //e.VendorEventCode = ValueArray[6];
    rec.evtCode = ValueArray[6];
    e.DeviceName = ValueArray[7];
    rec.sun = ValueArray[8];
    //e.EffectiveUserID = ValueArray[8];
    //var OSInitUser = ValueArray[8];
    //e.InitHostName = ValueArray[11];
    rec.shd = ValueArray[11];
    //ValueArray[12] = ValueArray[12].ltrim();
    var AppSpecificMessage = '';
    for(var t = 12; t<count(ValueArray); t+1)
    AppSpecificMessage += ValueArray[t];
    //e.InitIP = SourceInfo.match("[0-9]+.[0-9]+.[0-9].[0-9]");
    rec.sip = this.s_RXBufferString.match("\d+\.\d+\.\d+\.\d+");
    var A = AppSpecificMessage.search('\(.+\)');
    //e.EventName = 'Debugging RSA';
    //e.EventName = AppSpecificMessage.substring(0,A-1).ltrim();
    rec.evt = AppSpecificMessage.substring(0,A-1).ltrim();
    AppSpecificMessage = AppSpecificMessage.match('\(.+\)');
    // var B = AppSpecificMessage.search(')');
    //var B = AppSpecificMessage.search(')');
    // var BaseInfo = AppSpecificMessage.substring(A+1,B-1);
    // var BaseTmpArray = BaseInfo.split(';');
    // var BaseArray = new Array();
    /*for(var i = 0; i<count(BaseTmpArray); i+1)
    var str = BaseTmpArray[i].ltrim();
    var TempAr = str.split(':');
    BaseArray.push(TempAr[1].substring(1,-1));
    /*var AgentArr = BaseArray[6].split(".");
    AgentArr.reverse();
    AgentArr.pop();
    AgentArr.reverse();
    e.InitHostDomain = AgentArr.join(".");
    //rec.InitDomain = AgentArr.join(".");
    e.InitHostDomain = "corp.ad.local";
    if (ValueArray[10] == "Information")
    rec.sev = "0";
    //e.Severity = "0";
    else if (ValueArray[10] == "Warning")
    rec.sev = "3";
    //e.Severity = "3";
    else if (ValueArray[10] == "Error")
    rec.sev = "4"
    //e.Severity = "4";
    else
    rec.sev = "1";
    //e.Severity = "1";
    //e.InitUserID = BaseArray[0];
    rec.LoginName = BaseArray[0];
    //e.InitUserName = BaseArray[1];
    rec.UserName = BaseArray[1];
    //e.customerVar35 = BaseArray[2];
    //rec.Token = BaseArray[2];
    //e.customerVar36 = BaseArray[5];
    //rec.Agent = BaseArray[5];
    instance.SEND_EVENT = true;
    // parsing logic goes here
    /*if (1==1) { // set SEND_EVENT to true if your parsing logic worked correctly
    instance.SEND_EVENT = true;
    // If you can't parse...
    //rec.sendUnsupported();
    return true;
    But it just laughs at me and won't work. It states that there is a
    parsing error: match function something with input.
    Can you please help me build a logic that will work as intended? It
    should be clear what information or which piece of the text I am trying
    to map to which Event fields (look at the commented-out bits right above or
    below the ones that point to a rec.something, because there I have tried
    to just map the information directly).
    kkrasmussen

    > - I'm not sure I understand why you replace the tabs with '|' just to do
    > the split; why can't you just split on tab? You can also investigate our
    > 'safesplit()' method, which understands quoted delimited strings:
    > Novell Login
    > (not sure that's necessary in this case)
    I replaced the tabs with '|' for easier regex searches for both
    numbers, alphanumerics and spaces in the same match cases - but with the
    opportunity to index better for those searches because I did not need to
    worry about the tabs being recognised as whitespace anymore.
    The safesplit works fine with '|' but not for this one:
    Code:
    var AppSpecificArray = AppSpecificMessage.safesplit(";");
    It reports that: "Cannot find function safesplit".
    If I change that to:
    Code:
    var AppSpecificArray = AppSpecificMessage.split(/\;/);
    It reports that: "Cannot find function split".
    > - The 'substring()' method is defined as taking two arguments:
    > from Required. The index where to start the extraction. First character
    > is at index 0
    > to Optional. The index where to stop the extraction. If omitted, it
    > extracts the rest of the string
    > Neither of those two arguments will *ever* be negative - they always
    > count from the beginning of the string. What you're really trying to do
    > is to extract the substring from the beginning +1 character, to the end
    > -2 characters, which is not how substring() works. But you *can* do
    > something like:
    > this.evt = Msg.substring(1,Msg.length - 2);
    >
    Aha, I see. Thanks for the info. However, I tried the suggested this.evt
    = Msg.substring(1,Msg.length - 2); but it reports: Cannot call method
    "substring" of null. Remember that I have already tested and verified
    that I do have a value in the Msg variable.
    Here is the newest code. Please notice that I have commented out the
    desired "result" and am just trying to get something from at least the
    part of the string that I want to parse.
    Code:
    this.msg = this.s_raw_message2;
    var TempTxt = this.s_raw_message2.replace(/\t/g,"|");
    var ValueArray = TempTxt.safesplit("|");
    var SourceInfo = ValueArray[0];
    this.evtCode = ValueArray[6];
    this.sip = TempTxt.match(/\d+\.\d+\.\d+\.\d+/);
    e.DeviceName = ValueArray[7];
    //AppSpecificMessage = TempTxt.match(/(?:\().+(?:\))/);
    var Msg = ValueArray[14].match(/(?:\|)[^\|]+(?:\()/);
    this.evt = Msg.substring(1,Msg.length - 2);
    //this.evt = Msg;
    AppSpecificMessage = ValueArray[14].match(/(?:\().+(?:\))/);
    if (ValueArray[10] == "Information") {
        this.sev = "0";
    } else if (ValueArray[10] == "Warning") {
        this.sev = "3";
    } else if (ValueArray[10] == "Error") {
        this.sev = "4";
    } else {
        this.sev = "1";
    }
    if (TempTxt.match(/(?:Login:\')\S+(?:')/) != false) {
        //var apptemp = AppSpecificMessage.substring(1,AppSpecificMessage.length - 1);
        //var AppSpecificArray = apptemp.safesplit(";");
        var AppSpecificArray = AppSpecificMessage.safesplit(";");
        for (var c = 0; c < AppSpecificArray.length; c++) {
            var key = AppSpecificArray[c].split(/:/);
            if (key[0] == "(Login") {
                if (key[1] == "''") {
                    this.iuid = ValueArray[8];
                } else {
                    this.iuid = key[1];
                    //this.iuid = key[1].substring(1,key[1].length - 1);
                }
            }
            if (key[0] == " User Name") {
                if (key[1] == "''") {
                    this.sun = "System";
                } else {
                    this.sun = key[1];
                    //this.sun = key[1].substring(1,key[1].length - 1);
                }
            }
            if (key[0] == " Agent Host") {
                if (key[1] == "'')") {
                    this.shd = "Unknown Host Domain";
                } else {
                    //var TempArr = key[1].substring(1,key[1].length - 1).safesplit(".");
                    var TempArr = key[1].split(/\./);
                    // Drop the first label (the host name) and keep the domain part
                    TempArr.reverse();
                    TempArr.pop();
                    TempArr.reverse();
                    this.shd = TempArr.join(".");
                }
            }
            if (key[0] == " Token") {
                if (key[1] != "''") {
                    e.CustomerVar35 = key[1];
                    //e.CustomerVar35 = key[1].substring(1,key[1].length - 1);
                }
            }
        }
    } else {
        this.shd = "Unknown Host Domain";
        this.iuid = ValueArray[8];
        this.sun = "System";
    }
    instance.SEND_EVENT = true;
    return true;
    kkrasmussen
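The parsing that the two posts above are attempting, as an added example (not code from the thread or from the Sentinel SDK): a stand-alone function that splits the SNARE-forwarded line on tabs and extracts the Key:'value' pairs, checking every `match()` result because `String.prototype.match()` returns an array or `null`, never a string. The function names, the returned field names, the choice of the second-to-last field as the message text and the `duplicateKeys` list are assumptions of this example; mapping the result onto `rec`/`e` fields is left to the Collector.

```javascript
'use strict';

// Constructed sample modelled on the anonymised line in the post; fields are joined with real tabs.
const SAMPLE = [
  "Mar 26 05:48:12 192.168.1.100 hostname", "MSWinEventLog", "4", "Application",
  "14765", "Sat Mar 26 10:48:12 2011", "1011", "ACESERVER6.1", "Unknown User",
  "N/A", "Information", "hostname", "Devices", "", "",
  "Passcode accepted (Login:'jodo'; User Name:'Doe, John'; Token:'000123456789'; " +
    "Group:''; Site:''; Agent Host:'remotehost.domain.com'; Server:'serverhost').",
  "14617",
].join("\t");

// Severity mapping copied from the if/else chain in the post.
const SEVERITY = new Map([["Information", "0"], ["Warning", "3"], ["Error", "4"]]);

// Parse "Key:'value'; Key:'value'" into an object. A value ends at a quote that is
// followed by ';' or end of input, so "Doe, John" and "O'Brien" both survive intact.
function parseDetail(detail) {
  const pairs = Object.create(null);
  const duplicates = [];
  const re = /([A-Za-z][A-Za-z ]*):'(.*?)'(?=;|$)/g;
  let m;
  while ((m = re.exec(detail)) !== null) {
    const key = m[1].trim();
    if (key in pairs) {
      duplicates.push(key); // repeated key: keep the first value, report the repeat
    } else {
      pairs[key] = m[2];
    }
  }
  return { pairs, duplicates };
}

// Returns a plain object with the extracted fields, or null when the line is not a
// SNARE "MSWinEventLog" record (the caller can then send it as unsupported).
function parseAceSnareLine(raw) {
  const f = raw.split("\t");
  // Header fields 0..11 plus at least a message and SNARE's trailing counter.
  if (f.length < 14 || f[1] !== "MSWinEventLog") return null;

  // match() yields an array or null; take element 0 only after the null check.
  const ip = f[0].match(/\b\d{1,3}(?:\.\d{1,3}){3}\b/);

  // Assumption: the message text is the second-to-last field.
  const message = f[f.length - 2];
  const open = message.indexOf("(");
  const close = message.lastIndexOf(")");
  const hasDetail = open !== -1 && close > open;
  const detail = hasDetail
    ? parseDetail(message.slice(open + 1, close))
    : { pairs: Object.create(null), duplicates: [] };

  // Domain = agent host without its first label, as the post's reverse/pop/reverse does.
  const agentHost = detail.pairs["Agent Host"] || "";
  const dot = agentHost.indexOf(".");

  return {
    sourceIp: ip ? ip[0] : "",
    eventCode: f[6],
    deviceName: f[7],
    severity: SEVERITY.get(f[10]) || "1",
    eventName: (hasDetail ? message.slice(0, open) : message).trim(),
    login: detail.pairs["Login"] || f[8],          // fall back to the OS user field
    userName: detail.pairs["User Name"] || "System",
    token: detail.pairs["Token"] || "",
    agentHost: agentHost,
    hostDomain: dot !== -1 ? agentHost.slice(dot + 1) : "Unknown Host Domain",
    duplicateKeys: detail.duplicates,
  };
}

console.log(JSON.stringify(parseAceSnareLine(SAMPLE), null, 2));
```

A non-empty `duplicateKeys` means the quoted values themselves contained the `';` delimiter, so a correlation rule should treat that record's user fields as ambiguous rather than trust them.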

  • Event Forwarding Subscription Parameters

    Hello,
    You provided a good installation guide to create a source initiated subscription here: http://msdn.microsoft.com/en-us/library/windows/desktop/bb870973%28v=vs.85%29.aspx
    However, I'd like to know how it really works. Here are a few questions:
    Are the logs pulled or pushed? Is this dependent on the Subscription, whether it is Normal Mode or Minimize Bandwidth/Latency? If so, how does the source computer know to push the logs or wait until pulled?
    The XML file of a Subscription is very complex. Here is one from the MSDN:
    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
      <SubscriptionId>SampleSISubscription</SubscriptionId>
      <SubscriptionType>SourceInitiated</SubscriptionType>
      <Description>Source Initiated Subscription Sample</Description>
      <Enabled>true</Enabled>
      <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
      <!-- Use Normal (default), Custom, MinLatency, MinBandwidth -->
      <ConfigurationMode>Custom</ConfigurationMode>
      <Delivery Mode="Push">
        <Batching>
          <MaxItems>1</MaxItems>
          <MaxLatencyTime>1000</MaxLatencyTime>
        </Batching>
        <PushSettings>
          <Heartbeat Interval="60000"/>
        </PushSettings>
      </Delivery>
      <Expires>2018-01-01T00:00:00.000Z</Expires>
      <Query>
        <![CDATA[
          <QueryList>
            <Query Path="Application">
              <Select>Event[System/EventID='999']</Select>
            </Query>
          </QueryList>
        ]]>
      </Query>
      <ReadExistingEvents>true</ReadExistingEvents>
      <TransportName>http</TransportName>
      <ContentFormat>RenderedText</ContentFormat>
      <Locale Language="en-US"/>
      <LogFile>ForwardedEvents</LogFile>
      <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
      <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
    </Subscription>
    What is meant by HeartbeatInterval and Max Latency Time?
    Next: When configuring the source computer I have to configure a Refresh time in the Policy key (Computer Settings - Policies - Administrative Templates - Windows Components - Event Forwarding).
    What is meant by that? When is this value being used, and for what?
    If I do not specify this refresh param, what is the default value?
    I really hope someone here can help me out of my confusion.
    Every Advice is appreciated

    Hi,
    Thanks for your post.
    >>What is meant by HeartbeatInterval and Max Latency Time?
    Heartbeat Interval determines how often the collector will check if the source is still online.
    MaxItems and MaxLatencyTime determine how the source will batch items. In this example it will wait for 1 event or 1 second:
    <MaxItems>1</MaxItems>
    <MaxLatencyTime>1000</MaxLatencyTime>
    >>Next: When configuring the source computer i have to configure a Refresh time in the Policy key. (Computer Settings - Policies - Administrative Templates - Windows Components - Event Forwarding)
    If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics.
    If you disable or do not configure this policy setting, the Event Collector computer will not be specified.
    >>when is this value being used for what? If I do not specify this refresh param, what is the default value?
    In my view, it is the connection refresh time; we must set this parameter. For example,
    use the following syntax when using the HTTPS protocol:
    Server=https://<FQDN of the collector>:5986/wsman/SubscriptionManager/WEC,Refresh=<Refresh interval in seconds>,IssuerCA=<Thumb print of the client authentication certificate>
    Meanwhile, I think you may ask in the MSDN forums for technical support.
    https://social.msdn.microsoft.com/Forums/en-US/home
    Regards.
