Once you have configured your event source computer(s), the next step is to configure the event collector, in this case the Windows Event Collector (WEC) of syslog-ng PE.
NOTE: The WEC configuration file is YAML based. YAML uses spaces, not tabs, for indentation; a line indented with a tab makes the file invalid YAML.
To configure WEC, use the following options.
For an example wec.yaml file, see WEC configuration example for certificate-based authentication.
server
Type: string
Default: N/A
Description: The hostname, IP address, or FQDN of the host where WEC is running. The Windows hosts connect to this name, so it must be resolvable from the event sources.
NOTE: With certificate-based authentication, the value of server must match the Common Name (CN) of the TLS certificate given in certfile, otherwise the Windows hosts cannot validate the certificate.
NOTE: If you use Kerberos authentication between WEF and WEC, set server to the FQDN of the Linux host.
port
Type: integer
Default: 5986
Description: The port on which WEC listens for connections from the Windows hosts (5986 is the standard WinRM HTTPS port).
NOTE: If you use Kerberos authentication between WEF and WEC, set port to 5985.
kerberos.keytabfile
Type: string
Default: N/A
Description: The path to the keytab (key table) file that holds the Kerberos service key of WEC. keytabfile is mandatory whenever the kerberos section is present.
For more information, see WEC configuration example for Kerberos authentication.
keyfile
Type: string
Default: N/A
Description: The path to the PEM file that contains the unencrypted private key of the WEC host. Because the key is stored unencrypted, restrict the file's permissions so that only the user WEC runs as can read it.
certfile
Type: string
Default: N/A
Description: The path to the PEM file that contains the X.509 certificate of the WEC host.
cadir
Type: string
Default: N/A
Description: The path to the directory that contains the trusted CA certificates in PEM format, that is, the CAs that WEC trusts when verifying the certificates presented by the Windows hosts.
log
Description: Options that control the internal logs of WEC.
WEC writes its internal log messages to stderr. Optionally, you can also specify a file to write the logs to, in parallel with stderr. On a systemd platform where WEC is started with systemctl, stderr is redirected to the systemd journal, so the internal logs of WEC are found with journalctl.
log.level
Type: debug|info
Default: info
Description: The application log level of WEC. Possible values:
- debug: the most detailed output, useful when debugging WEC and diagnosing issues.
- info: basic information about the initialization of WEC. After initialization, nothing further is logged unless an issue occurs.
log.file
Type: string
Default: N/A
Description: The path to the file where WEC writes its internal log messages. The file is created automatically by syslog-ng PE. You can feed this file into syslog-ng using a file() source.
eventdestination
Description: Options that control where WEC delivers the event logs it receives from the Windows hosts.
eventdestination.file
Type: string
Default: N/A
Description: The path to a file where WEC writes the events received from the Windows host(s). Use this option for debugging only, when you want to inspect what WEC is sending to syslog-ng PE. Writing to a file and to the Unix datagram socket in parallel is possible.
eventdestination.unixdatagram
Type: string
Default: N/A
Description: The path of the Unix datagram socket that receives the Windows events. WEC writes every received event to this socket; the listening socket is created automatically by syslog-ng PE. Writing to a file and to the Unix datagram socket in parallel is possible.
eventdestination.queuesize
Type: integer
Default: 10000
Description: The number of events the in-memory destination queue can hold. The queue exists to absorb bursts: events are written into memory quickly and drained to the destination at its own pace. It is recommended to keep the default value.
For more information about flow control, see Flow control.
subscriptions
Description: Options that describe the subscriptions you have set up on WEC.
NOTE: You can set up multiple subscriptions for events coming from the same Windows host. If an event matches more than one subscription, WEC receives it once for every subscription it matches, so overlapping queries produce duplicate events.
subscriptions.name
Type: string
Default: N/A
Description: The unique name of the subscription in WEC.
subscriptions.computers
Type: list of strings
Default: N/A
Description: The DNS names of the (non-domain) computers that are allowed to initiate this subscription, that is, the Windows hosts from which WEC accepts event logs. Names may use the * and ? wildcards, for example "*.mydomain.com" or "*". Note that "*" accepts every host that can authenticate, so prefer a pattern that matches only your event sources.
subscriptions.contentformat
Type: Events|RenderedText
Default: N/A
Description: The format in which the Windows hosts return events. Possible values:
- Events: the raw event XML, without rendered message text.
- RenderedText: the event XML together with the rendered, localized message text.
One Identity recommends setting this option to RenderedText.
subscriptions.heartbeats
Type: integer
Default: N/A
Description: The heartbeat interval of the subscription, in seconds. A Windows host with no events to deliver sends a heartbeat at this interval, which lets WEC tell an idle source from a disconnected one.
subscriptions.connectionretry
Type: integer
Default: N/A
Description: The interval, in seconds, at which WEC attempts to reconnect to the Windows host(s).
subscriptions.batchsizelimit
Type: integer
Default: 0 (no limit)
Description: The maximum number of events delivered in one batch for this subscription. Set it to 1 for testing or debugging, so that every event is delivered immediately.
NOTE: Except for the value 1, this option is not enforced on the Windows host side; Windows treats it only as a recommendation.
subscriptions.batchtimeoutlimit
Type: integer
Default: N/A
Description: The maximum latency allowed when delivering a batch of events, in seconds.
NOTE: This option is not enforced on the Windows host side; Windows treats it only as a recommendation.
subscriptions.queries
Type: string
Default: N/A
Description: The query string (an XML QueryList) for the subscription. You can:
- type this value manually, or
- copy it from the XML tab of the Create Custom View dialog in Windows Event Viewer.
For examples of queries, check the following Windows blog posts:
subscriptions.readexistingevents
Type: true|false
Default: false
Description: When true, all existing events are read from the subscription's event source the first time the subscription is read. When false, only events that arrive after the subscription starts are delivered. If the subscription already has a state in the persist file, this option has no effect.
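The following complete wec.yaml is added here as an illustration of how the options above fit together for certificate-based authentication; it is not taken from the product documentation. The host name, file paths, computer pattern, and the query are assumptions for a hypothetical deployment and must be adjusted to yours. The Kerberos variant is shown in comments.

```yaml
# wec.yaml - hypothetical example, not the vendor's own sample
# Certificate-based authentication: the Windows hosts validate this
# name against the CN of server.crt, so the two must be identical.
server: "wec.corp.example.com"
port: 5986                      # WinRM HTTPS port

# Unencrypted private key: keep this file readable only by the user
# that runs WEC (for example chmod 0600, owned by that user).
keyfile: "/etc/syslog-ng/wec/server.key"
certfile: "/etc/syslog-ng/wec/server.crt"
# CAs trusted for the client certificates the Windows hosts present
cadir: "/etc/syslog-ng/wec/ca"

# Kerberos alternative (assumed layout): remove keyfile/certfile/cadir,
# set server to the FQDN of the Linux host and port to 5985, and add:
# kerberos:
#   keytabfile: "/etc/syslog-ng/wec/wec.keytab"

log:
  level: "info"                 # switch to "debug" only while troubleshooting
  file: "/var/log/syslog-ng/wec.log"   # in addition to stderr / journald

eventdestination:
  # file: "/var/log/syslog-ng/wec-events.log"   # debugging only
  unixdatagram: "/run/syslog-ng/wec.sock"     # socket created by syslog-ng PE
  queuesize: 10000                            # keep the default

subscriptions:
  - name: "security-and-system"
    computers:
      - "*.corp.example.com"    # narrower than "*": only our own hosts
    contentformat: "RenderedText"
    heartbeats: 900             # idle hosts check in every 15 minutes
    connectionretry: 60
    batchsizelimit: 0           # 0 = no limit; use 1 while debugging
    batchtimeoutlimit: 30
    readexistingevents: false   # only events that arrive after start-up
    # XML QueryList, as copied from the XML tab of Create Custom View.
    # 4624/4625 logon success/failure, 4672 special privileges assigned,
    # 4688 process creation; System log at level Critical (1) or Error (2).
    queries: |
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=4688)]]</Select>
          <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
        </Query>
      </QueryList>
```

Before starting WEC, confirm that the CN of the certificate really is the value of server, for example with `openssl x509 -noout -subject -in /etc/syslog-ng/wec/server.crt`, and that the key file is not world-readable. Because every event matching more than one subscription is delivered once per match, keep the queries of additional subscriptions disjoint from this one.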