When using mutual TLS-encryption with syslog-ng Agent for Windows, using certificates from the Windows Certificate Store as an authentication method is one of your options.
The syslog-ng Agent for Windows application can automatically show the requested certificate to the server when the connection is established, provided it is available in the
store of your Local Computer ( ).To import this certificate, use the Importing certificates with the Microsoft Management Console.
. For details, seeNOTE: The syslog-ng Agent for Windows application only supports this certificate import method for the Windows Certificate Store authentication method.
For more information about using mutual authentication options when using the Windows Certificate Store authentication method, see Configuring mutual authentication when using the Windows Certificate Store authentication method.
To configure using Windows Certificate Store as your authentication method,
Navigate to syslog-ng Agent Settings > Local Settings > Destinations > Add New Server > Server Property.
Enable Use TLS encryption.
Select Windows Certificate Store.
Figure 4: syslog-ng Agent Settings > Local Settings > Destinations > Add New Server > Server Property
NOTE: When using TLS-encryption on your server, consider the following:
It is not possible to configure both File-based certificates, and Windows Certificate Store as an authentication method for newly added destinations.
For imported configurations that may already be configured for Windows Certificate Store authentication method, it is possible to configure File-based certificates, but the File-based certificates authentication method overwrites the Windows Certificate Store method.
When using File-based certificate as an authentication method, uploading a CA file is required.
NOTE: When using TLS-encryption on your server, consider the following:
The syslog-ng Agent for Windows application supports using the File-based certificate as an authentication method both for TLS version 1.1 or lower, and for TLS version 1.2 or higher. One Identity recommends using this option instead of the legacy Windows Certificate Store option, which only supports TLS versions 1.1 or lower.
The syslog-ng Agent for Windows application only supports using the Windows Certificate Store as an authentication method for TLS version 1.1 or lower. One Identity does not recommend using this legacy option.
Click Select Certificate, and select the Windows Certificate of your choice.
Figure 5: syslog-ng Agent Settings > Local Settings > Destinations > Add New Server > Server Property > Select Certificate
(Optional) To configure advanced RLTP settings and to allow compression, click Advanced Options.
Figure 3. syslog-ng Agent Settings > Local Settings > Destinations > Add New Server > Server Property > Advanced Options: Allowing compression, and advanced RLTP settings
If the syslog-ng Premium Edition (syslog-ng PE) server requests authentication from the syslog-ng Agent for Windows, complete the following steps.
NOTE: When using TLS-encryption on your server, consider the following:
The syslog-ng Agent for Windows application supports using the File-based certificate as an authentication method both for TLS version 1.1 or lower, and for TLS version 1.2 or higher. One Identity recommends using this option instead of the legacy Windows Certificate Store option, which only supports TLS versions 1.1 or lower.
The syslog-ng Agent for Windows application only supports using the Windows Certificate Store as an authentication method for TLS version 1.1 or lower. One Identity does not recommend using this legacy option.
Create certificates for the clients. By default, syslog-ng Agent for Windows will look for a certificate that contains the hostname or IP address of the central syslog-ng PE server in its Common Name. If you use a different Common Name, do not forget to complete Step 3 to set the Common Name of the certificate.
The certificate must contain the private key and must be in PKCS12 format.
|
TIP:
To convert a certificate and a key from PEM format to PKCS12 you can use the following command: openssl pkcs12 -export -in agentcertificate.pem -inkey agentprivatekey.pem -out agentcertificatewithkey.pfx |
Import this certificate into the Importing certificates with the Microsoft Management Console.
store of the Local Computer using the Certificate Import Wizard. For details, see
NOTE: The syslog-ng Agent for Windows application only supports this certificate import method for the Windows Certificate Store authentication method.
By default, the syslog-ng Agent for Windows will look for a certificate that contains the hostname or IP address of the central syslog-ng PE server in its Common Name. (The agent will look for the server name or address set in the
field of the destination.) If the certificate of the client has a different Common Name, complete the following steps:Start the configuration interface of the syslog-ng Agent for Windows for Windows application.
Select syslog-ng Agent Settings > Destinations.
Right-click on the server that requires mutual authentication and select Properties.
Select the Use TLS option, click Select, then select the certificate to use. You can also type the Common Name of the certificate into the Client Certificate Subject field.
If you have more than one certificates with the same Common Name, alternatively, you can type the Distinguished Name (DN) of the certificate into the Client Certificate Subject field. When using the Distinguished Name, type only the elements of the name, separated with comma, starting with the country. For example US, Maryland, Pasadena, Example Inc, Sample Department, mycommonname
NOTE: A common way is to use the hostname or the IP address of the host running syslog-ng Agent for Windows as the Common Name of the certificate (for example syslog-ng-agent1.example.com
).
Select Apply, then OK. To activate the changes, restart the syslog-ng Agent for Windows service.
In certain cases, you may have to import your certificates for authentication with the Microsoft Management Console.
To import a certificate with the Microsoft Management Console
Start the Microsoft Management Console by running mmc.exe (Navigate to your menu, and select ).
NOTE: Running mmc.exe requires administrator privileges.
Click on the
item of the menu.Click
, select the module, and click .Select
in the displayed window and click .Select
and click .To import the CA certificate of the syslog-ng Premium Edition (syslog-ng PE) server's certificate, navigate to
.To import a certificate for syslog-ng Agent for Windows to perform mutual authentication, navigate to
.Right-click on the
folder and from the appearing menu select . The will be displayed. Click .(Optional): Certificates used to authenticate the syslog-ng Agent for Windows in mutual authentication include the private key. Provide the password for the private key when requested.
Microsoft Windows offers a suitable certificate store by default, so click
.Click
on the summary window and on the window that marks the successful importing of the certificate.The syslog-ng Agent for Windows application can filter log messages both in blacklist- and whitelist fashion. When using blacklisting, you can define filters, and any message that matches the filters is ignored by the agent — only messages that do not match the filters are sent to the central server. When using whitelisting, you can define filters, and the messages matching the filters are forwarded to the central server — other messages are ignored. By default, blacklist filtering is used.
If you define multiple filters, the messages must match every filter. In other words, the filters are connected to each other with logical AND operations.
Different filters are available for eventlog- and file sources. When the syslog-ng Agent processes a message, it checks the relevant filters one-by-one: for example if it finds a blacklist filter that matches the message, the agent stops processing the message without sending it to the server.
|
NOTE:
By default, all filters are case sensitive. For details on how to change this behavior, see Procedure 5.7, “Configuring global settings”. |
For details on how to filter messages received from eventlog sources, see Procedure 7.1, “Filtering eventlog messages”.
For details on how to filter messages received from file sources, see Procedure 7.2, “Filtering file messages”.
For details on how to disable filtering globally, see Procedure 5.9, “Disabling sources and filters globally”.
Procedure 7.1. Filtering eventlog messages
Purpose:
The following types of filters are available for eventlog sources. Unless described otherwise, the filters match only if the same string appears in the related field of the message.
|
NOTE:
When filtering on the message source, the values of the |
Sources: Filter on the source (application) that created the message. Corresponds with the EVENT_SOURCE
macro.
Sources and Event ID: Filter on the source (application) that created the message, and optionally on the identification number of the event. Corresponds with the EVENT_SOURCE
and EVENT_ID
macros.
Message Contents: Filter the text of the message, that is, the contents of the EVENT_MESSAGE
macro. In this filter you can use regular expressions.
Sources and Categories: Filter on the source (application) that created the message, and optionally on the category of the event. Corresponds with the EVENT_SOURCE
and EVENT_CATEGORY
macros.
Users: Filter on the username associated with the event. Corresponds with the EVENT_USERNAME
macro.
Computers: Filter on the name of the computer (host) that created the event. Corresponds with the HOST
macro.
Event Types: Filter on the type of the event. Corresponds with the EVENT_TYPE
macro.
To modify the filters used for eventlog messages, complete the following procedure:
Steps:
If you want to filter on the source of the message, complete the following steps.
Start the Event Viewer application and find a message from the source that you want to filter.
Select the
tab, and right-click on the value of the field.Select
. Save the saved value somewhere, you will need it later to configure the filter in syslog-ng Agent.
|
NOTE:
It is important to use this method, because the actual value of the Source field can be longer than what the Event Viewer displays. (For example, for security messages, the displayed source is often Hovering your mouse over the value of the Source field also displays the full name of the source. |
Start the configuration interface of the syslog-ng Agent for Windows application.
To apply filters globally to every eventlog message, select
, and right-click .To apply filters only to a specific destination, select
, select the destination server, then select . Right-click .
|
NOTE:
If you want to use both global and local (server side) filtering, first global filters will be applied to the eventlog messages and then the local filters. |
Select
.To use whitelist-filtering, select
. By default, syslog-ng Agent uses blacklist filtering.On the right-hand pane, double-click on the type of filter you want to create.
To ignore messages sent by a specific application, or messages of the application with a specific event ID, double-click on
, select , and enter the name of the source (application) whose messages you want to ignore into the field. To ignore only specific messages of the application, enter the ID of the event into the field. Select .To ignore messages that contain a specific string or text, double-click on
, enter the search term or a POSIX regular expression into the field, then select .To ignore messages sent by a specific application, or messages of the application that fall into a specific category, double-click on
, select , and select the name of the application whose messages you want to ignore from the field. To ignore only those messages of the application that fall into a specific category, enter the name of the category into the field. Select .To ignore messages sent by a specific user, double-click on
, enter the name of the user into the field, then select .To ignore messages sent by a specific computer (host), double-click on
, enter the name of the user into the field, then select .Event Types: To ignore messages of a specific event-type, double-click on , select the event types to ignore, and select .
Select
, then . To activate the changes, restart the syslog-ng Agent service.Procedure 7.2. Filtering file messages
Purpose:
The following types of filters are available for file sources:
Message Contents: Filter the text of the message, that is, the contents of the FILE_MESSAGE
macro. In this filter you can use regular expressions.
File Name: Filter on the file name. Corresponds with the FILE_NAME
macro. In this filter you can use wildcards (*
, ?
). Only available for destination file filters.
To modify the filters used for file messages, complete the following procedure:
Steps:
Start the configuration interface of the syslog-ng Agent for Windows application.
To apply filters globally to every file message, select
, and right-click .To apply filters only to a specific destination, select
, select the destination server, then select . Right-click .
|
NOTE:
If you want to use both global and local (server side) filtering, first global filters will be applied to the file messages and then the local filters. |
Select
.To use whitelist-filtering, select
. By default, syslog-ng Agent uses blacklist filtering.On the right-hand pane, double-click on the type of filter you want to create.
To ignore messages that contain a specific string or text, double-click on
, enter the search term or a regular expression into the field, then select .Select
, then . To activate the changes, restart the syslog-ng Agent service.© ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center