Please read architecture articles under Getting Started as well as Load Balancing Many Forwarders Across Multiple Collectors and the article on Distributed Subscriptions. They are short but will provide very important concepts.
1. Select your collectors
Make sure all the collectors you intend to load balance are shown in Supercharger. To add a collector see this article. Remember, all collectors assigned to a distributed subscription must be in the same domain.
Make sure your intended forwarders are configured for Windows Event Collection and targeted at all collectors. See “Implementing Windows Event Collection” for more details.
2. Determine Your Forwarder Superset
This is the full set of computers that will be distributed across assigned collectors. It’s either a group or an LDAP filter. You can test LDAP filters in Powershell with the Get-ADComputer cmdlet, using the LDAPFilter parameter. You will specify this information in a later step.
3. Configure the Supercharger Master Collector User Account
You need to decide whether to change the user account for the Supercharger Controller service running on the collectors – especially the master collector for the domain. This is because the master collector maintains groups in Active Directory. You will delegate the necessary permissions in the next step.
By default, the Supercharger Controller service simply runs as Local System on each collector. It’s not necessary to change this user account if you and your domain admin are willing to delegate some least privilege permissions to the computer account of the master collector for the domain.
Either way you need to know which collector is the master. Supercharger indicates the master collector with a different font on the dashboard but you can also find it on the domain’s viewer dialog.
If you wish to create a specific user account for delegating AD permissions then create that account in AD, make it a member of the local Administrators group on the master collector and then configure the Supercharger Controller service to run as that account.
Be aware that if you promote another controller that it may not have the necessary permissions to the OU. This is one reason to create an account for Supercharger and then use it for all the controllers. Or you can create a group, delegate necessary permissions to that group, and make those controllers’ computer accounts a member of the group. Of course you must always reboot a computer after changing its group membership before that takes effect.
4. Create Supercharger’s Dedicated Organizational Unit for the Domain
To manage Distributed Subscriptions Supercharger requires a dedicated Organizational Unit in Active Directory where it can create groups and manage the membership of those groups. This is an empty OU where Supercharger will create groups to manage the distributed subscriptions. Work with your AD administrator to create this OU and delegate the permissions which follow least privilege.
- Open Active Directory Users and Computers
- Select View\Advanced Features
- Create the OU and open its properties
- Grant the group or account selected in the previous step authority to create and delete groups and manage membership.
- Select the Attribute Editor tab, find the distinguishedName and copy that to your clipboard
- In Supercharger, open the domain’s viewer dialog and select the Organizational Unit tab
- Paste in the distinguished name of the OU to the OU field.
- Save your changes
Your master collector should now be able to create groups and assign forwarders as needed. If you misconfigured the above, Supercharger will log errors to help you diagnose the problem. This OU should only be used for dedicated subscriptions. Groups should not be manually created in this OU because they may be deleted by Supercharger. Supercharger uses this OU only for functions related to distributed subscriptions.
5. Create the Distributed Subscription
Open the Domain’s viewer dialog from the dashboard. Select the Distributed Subscriptions tab and create click Add.
After entering a name and description select which collectors will be part of this Distributed Subscription. Select a Managed Filter to specify which logs and events within those logs will collected. Also specify which Subscription Policy to use. For Distributed Subscriptions, Supercharger only displays Deterministic policies. Select the destination log to receive events on the Collectors. Supercharger only displays event logs found on all collectors.
Finally, specify the forwarder superset by either adding the group or LDAP filter chosen in step 2.
After you submit the new Distributed Subscription the master collector will run the CreateUpdateDistributedSubscription command followed by MaintainDistributedSubscriptionsCommand. While these commands run on the master collector other commands will execute on the other collectors. You can see what commands are running by hovering over the clock icon next to each collector name on the dashboard.
Within minutes the a new subscription should appear on each assigned collector. Please refer to the “Look for Current Forwarders” step in Create a Subscription article for more information on what to expect.
Optionally provide private feedback to help us improve this article...
Thank you for your feedback!