How to convert scheduled gathering to real-time gathering
Description
If an agent is switched from scheduled gathering to real-time gathering, what process should be followed?
Resolution
Create a new repository to be used with real-time gathering (collections). A new repository must be used because problems can arise with the last gathered position between traditional and real-time gathering, which use similar caching technology that is implemented differently and independently on the agent side. It is strongly recommended to use separate repositories to avoid this type of scenario. This will ensure (for example) that data is not duplicated in the target repository.
Configure real-time collections and confirm that data is populating the new repository for all machines in question. When real-time collections start forwarding events for the first time, event forwarding begins from the moment at which it is enabled; it will not (for example) go back to the beginning of the event log. Real-time collections also do not rely on events from the traditional agent-side cache (used in schedule-based gathering jobs).
Allow a final scheduled gathering to take place to ensure there are no event log gaps and that data is collected at least up until the point in time when real-time collections commenced. Confirm there are no gaps in the target repositories via Repository Viewer. A brief overlap of time in both repositories will confirm no gaps exist.
Un-schedule the traditional scheduled gathering jobs.
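The overlap check described in the procedure above can also be run per machine over exported event timestamps. This is an added example, not part of the original article or the product: the (host, timestamp) row format, the host names and all sample values are constructed assumptions.

```python
from datetime import datetime

# Constructed sample rows (host, event time), assumed to be exported from each
# repository. This layout is an assumption, not a product export format.
SCHEDULED = [
    ("DC01", "2024-03-01T09:58:00"), ("DC01", "2024-03-01T10:07:00"),
    ("FS02", "2024-03-01T09:40:00"), ("FS02", "2024-03-01T09:55:00"),
    ("WEB03", "2024-03-01T10:06:00"),
]
REALTIME = [
    ("DC01", "2024-03-01T10:02:00"), ("DC01", "2024-03-01T10:09:00"),
    ("FS02", "2024-03-01T10:03:00"),
]

def span(rows):
    """Return {host: (earliest, latest)} event times for one repository."""
    out = {}
    for host, ts in rows:
        t = datetime.fromisoformat(ts)
        lo, hi = out.get(host, (t, t))
        out[host] = (min(lo, t), max(hi, t))
    return out

def check_cutover(scheduled_rows, realtime_rows):
    """Classify each host's cutover as overlap, gap, or missing data."""
    sched, rt = span(scheduled_rows), span(realtime_rows)
    result = {}
    for host in sorted(set(sched) | set(rt)):
        if host not in rt:
            # Real-time collection has not populated the new repository yet.
            result[host] = ("no-realtime-data", None)
        elif host not in sched:
            result[host] = ("no-scheduled-data", None)
        else:
            last_sched, first_rt = sched[host][1], rt[host][0]
            # Overlap: the final scheduled run reached the first real-time event.
            delta = last_sched - first_rt
            status = "overlap" if delta.total_seconds() >= 0 else "gap"
            result[host] = (status, abs(delta))
    return result

if __name__ == "__main__":
    for host, (status, delta) in check_cutover(SCHEDULED, REALTIME).items():
        print(f"{host:6} {status:18} {delta if delta is not None else ''}")
```

A host reported as "gap" or "no-realtime-data" should be reviewed before its scheduled gathering job is un-scheduled.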