The Windows Event Collector (WEC) is a log collector and forwarder for the Microsoft Windows platform. It collects the event log messages of Windows-based hosts over HTTP or HTTPS (the latter with TLS encryption and mutual authentication), and forwards them to a syslog-ng Premium Edition (syslog-ng PE) server. In Windows terminology, this tool allows you to define source-initiated push subscriptions, and have the forwarded events delivered to a syslog-ng PE server. For details on the limitations of WEC, see Limitations.
Unlike the syslog-ng Agent for Windows, the Windows Event Collector is a standalone tool that does not require installing additional software on the Windows-based host itself. This can be an advantage when your organization's policies restrict or do not allow the installation of third-party tools.
Another difference between the Windows Event Collector tool and syslog-ng Agent for Windows is that WEC forwards only Windows event logs, while syslog-ng Agent forwards both Windows event logs and files from Windows hosts to the syslog-ng PE server.
The Windows Event Collector sits between your Windows hosts and your syslog-ng Premium Edition server, accepting log messages from the remote Windows side with WinRM and feeding them to syslog-ng Premium Edition 7.0.
Figure 1: How Windows Event Collector works in syslog-ng PE 7.0
For more information on how you can configure Windows event logs to be forwarded to your syslog-ng Premium Edition server using the WEC tool, see Configuring Windows event logs to be forwarded to the syslog-ng Premium Edition server using WEC.
You can select which authentication option you want to use between Windows Event Forwarding (WEF) and Windows Event Collector (WEC) for event forwarding. The supported authentication options are the following:
- Certificate-based
- Kerberos
From syslog-ng PE version 7.0.26, Kerberos authentication between WEF and WEC is also supported, as a Preview Feature, in addition to certificate-based authentication.
CAUTION: This is a Preview Feature, which provides an insight to planned enhancements to functionality in the product. Consider this Preview Feature a work in progress, as it may not represent the final design and functionality.
This feature has completed QA release testing, but its full impact on production systems has not been determined yet, and potential future changes in functionality and the user interface may result in compatibility issues in your current settings.
One Identity recommends the following:
- Consider the potential risks when using this functionality in a production environment.
- Consider the Support Policy on Product Preview Features before using this functionality in a production environment.
- Closely and regularly keep track of official One Identity announcements about potential changes in functionality and the user interface. If these potential changes affect your configuration, check the changes you have to make in your configuration, otherwise your syslog-ng PE application may not start after upgrade.
- Always perform tests prior to upgrades in order to avoid the risks mentioned.
However, you are welcome to try this feature and if you have any feedback, contact One Identity.
Support Policy on Product Preview Features
The One Identity Support Team will:
- Accept and review each service request opened regarding a Preview Feature.
- Consider all service requests relating to a Preview Feature as severity level 3.
- Provide best effort support to resolve any issues relating to a Preview Feature.
- Work with customers to log any product defects or enhancements relating to Preview Features.
- Not accept requests for escalations regarding Preview Features.
- Not provide after-hours support for Preview Features.
NOTE: WEC cannot work in different authentication modes at once: you can either configure Kerberos authentication, or certificate-based authentication.
NOTE: Kerberos authentication does not work in a WEC cluster deployment.
Configuring Windows event logs to be forwarded to the syslog-ng Premium Edition server using WEC
This section describes, at a high level, how you can configure Windows event logs to be forwarded to your syslog-ng Premium Edition server using the Windows Event Collector (WEC) tool.
The configuration procedure differs slightly according to which authentication option (certificate-based or Kerberos) you want to use between Windows Event Forwarding (WEF) and WEC.
For more information on the configuration procedure:
NOTE: WEC cannot work in different authentication modes at once: you can either configure Kerberos authentication, or certificate-based authentication.
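The Windows-side half of that procedure, as an added example that is not part of the syslog-ng PE documentation: a PowerShell script that prepares a source host for a source-initiated push subscription to the WEC over HTTPS with certificate-based authentication. The collector host name, port, issuing CA thumbprint and the choice of the Security channel are placeholders chosen for the example. The registry value it writes is the same one the "Configure target Subscription Manager" Group Policy setting sets, so in a domain you would normally deploy it through Group Policy rather than by running this on each host; the private-key and log-reader steps are the two that are most often forgotten and that leave the forwarder silently unable to connect or to read the channel.

```powershell
# Added example, not syslog-ng PE code. Run elevated on the Windows source host.
# Placeholders (assumptions for the example): replace with your own values.
$Collector = 'wec.example.com'                                   # FQDN of the syslog-ng PE host running syslog-ng-wec
$Port      = 5986                                                # HTTPS listener port of the WEC
$IssuerCA  = '0123456789ABCDEF0123456789ABCDEF01234567'          # thumbprint of the CA that issued the WEC server certificate

# 1. The forwarder is part of the WinRM service, which must be running.
#    Only outbound connections are made, so no WinRM listener is needed here.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# 2. Point the host at the collector. This is the registry value that the
#    "Configure target Subscription Manager" Group Policy setting writes.
#    IssuerCA pins which CA must have issued the collector's TLS certificate,
#    so a host will not push events to an arbitrary HTTPS server on this port.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $KeyPath -Force | Out-Null
$Value = "Server=https://${Collector}:${Port}/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA=${IssuerCA}"
New-ItemProperty -Path $KeyPath -Name '1' -PropertyType String -Value $Value -Force | Out-Null

# 3. The forwarder runs as NETWORK SERVICE, which cannot read the Security
#    channel by default. Membership in Event Log Readers grants read access to
#    all channels, which is simpler than editing each channel's SDDL.
if (-not (Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -like '*NETWORK SERVICE' })) {
    Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE'
}

# 4. Certificate-based authentication: the forwarder presents the machine's
#    client certificate, so NETWORK SERVICE also needs read access to its
#    private key. Assumes exactly one Client Authentication certificate in the
#    machine store, issued by the same PKI the collector trusts.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication') } |
    Select-Object -First 1
if (-not $cert) { throw 'No machine certificate with the Client Authentication EKU found.' }

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyFile = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    # CNG key storage provider
    Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} else {
    # legacy CAPI cryptographic service provider
    Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
}
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 5. Make WinRM re-read the subscription manager setting, then check the
#    forwarding plugin's own log. Event 104 means the forwarder reached the
#    subscription manager; event 105 reports a connection, TLS or
#    authentication failure with the error code in the message.
Restart-Service -Name WinRM
Start-Sleep -Seconds 15
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message | Format-List
```

Once event 104 appears, the subscriptions served by the WEC are created on the host (event 100 in the same log), and forwarded events show up on the syslog-ng PE side. A persistent 105 with the collector reachable on the port usually means one of the three trust relationships is wrong: the collector's certificate chain does not lead to IssuerCA, the collector does not trust the issuer of the client certificate, or NETWORK SERVICE still cannot read the private key.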
The Windows Event Collector (WEC) is bundled into the syslog-ng PE installers from version 7.0.6 onward and is installed automatically. By installing syslog-ng PE, you also install WEC. A systemd service file is provided; however, the syslog-ng-wec service is not enabled to start at boot.
To install the Windows Event Collector
To start syslog-ng-wec at boot, enable its systemd service with the systemctl enable syslog-ng-wec command.
For details on how to start syslog-ng-wec manually, see Starting/stopping Windows Event Collector.