This section provides a Windows Event Collector (WEC) configuration example for using certificate-based authentication between Windows Event Forwarding (WEF) and WEC.
Example: Configuring WEC if certificate-based authentication is used
The configuration example lists the following:
- Server, port, key, and certificate-related settings
- Log detail level (info) and the path where the log file is created ("/opt/syslog-ng/var/wec.log")
- Event destination-related settings that specify how the event logs are stored
- The "ExampleDefaultSubscription" subscription, which covers the specified computers ("windowsdc.mydomain.com" and "*.trusteddomain.com")
- Subscription-related parameters (such as connectionretry: 60.0 and batchtimeoutlimit: 900.000 seconds)
server: "wec.mydomain"
port: 5986
keyfile: "/opt/syslog-ng/etc/server.key"
certfile: "/opt/syslog-ng/etc/server.crt"
cadir: "/opt/syslog-ng/etc/cadir"
log:
  level: "info"
  file: "/opt/syslog-ng/var/wec.log"
eventdestination:
  unixdatagram: "/opt/syslog-ng/var/run/wec.sock"
subscriptions:
  - name: "ExampleDefaultSubscription"
    computers:
      - "windowsdc.mydomain.com"
      - "*.trusteddomain.com"
    contentformat: "RenderedText"
    heartbeats: 900.000
    connectionretry: 60.0
    batchtimeoutlimit: 900.000
    queries: |
      <QueryList>
        <Query Id="0">
          <Select Path="Application">*</Select>
          <Select Path="Security">*</Select>
          <Select Path="System">*</Select>
        </Query>
      </QueryList>
For more information on the parameters and the configurable values, see Configuring Windows Event Collector.
This section provides a Windows Event Collector (WEC) configuration example for using Kerberos authentication between Windows Event Forwarding (WEF) and WEC.
Example: Configuring WEC if Kerberos authentication is used
The configuration example lists the following:
- The server and port parameters
- The path where the keytab file is generated (/root/linux_service_account.keytab)
- Log detail level (debug)
- The "Wec-Kerberos" subscription, which covers all computers ("*")
- Subscription-related parameters (such as connectionretry: 60.0 and batchtimeoutlimit: 900.000 seconds)
server: "testlinuxhost.testdomain.com"
port: 5985
kerberos:
  keytabfile: /root/linux_service_account.keytab
log:
  level: "debug"
subscriptions:
  - name: "Wec-Kerberos"
    computers:
      - "*"
    contentformat: "RenderedText"
    heartbeats: 900.000
    connectionretry: 60.0
    batchtimeoutlimit: 900.000
    queries: |
      <QueryList>
        <Query Id="0">
          <Select Path="Application">*</Select>
        </Query>
      </QueryList>
For more information on the parameters and the configurable values, see Configuring Windows Event Collector.
If WEC started successfully with Kerberos authentication, the following message is displayed in the WEC debug log:
"Kerberos AUTH succeeded"
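The two examples above differ only in how WEF authenticates to WEC (TLS client certificate versus Kerberos) and in the port each uses. The following added sanity checker, which is not part of syslog-ng PE or its documentation, takes a WEC configuration in the dict form that PyYAML would produce from the YAML above, confirms that exactly one authentication mode is configured, checks the port against the pairing shown on this page (an assumption of the example, not a documented syslog-ng rule), parses the QueryList XML of each subscription, and flags subscriptions that accept every forwarder or that do not collect the Security channel:

```python
import xml.etree.ElementTree as ET

# Constructed: the certificate-based example from this page, as the dict that
# PyYAML would produce from it.
CERT_CONFIG = {
    "server": "wec.mydomain", "port": 5986,
    "keyfile": "/opt/syslog-ng/etc/server.key",
    "certfile": "/opt/syslog-ng/etc/server.crt",
    "cadir": "/opt/syslog-ng/etc/cadir",
    "subscriptions": [{
        "name": "ExampleDefaultSubscription",
        "computers": ["windowsdc.mydomain.com", "*.trusteddomain.com"],
        "queries": '<QueryList><Query Id="0"><Select Path="Application">*</Select>'
                   '<Select Path="Security">*</Select>'
                   '<Select Path="System">*</Select></Query></QueryList>',
    }],
}

def auth_mode(cfg):
    """Return 'certificate' or 'kerberos'; reject configs that mix or omit them."""
    has_cert = "keyfile" in cfg and "certfile" in cfg
    has_krb = "keytabfile" in cfg.get("kerberos", {})
    if has_cert == has_krb:
        raise ValueError("exactly one of certificate or Kerberos auth must be set")
    return "certificate" if has_cert else "kerberos"

def channels(subscription):
    """Parse the subscription's QueryList XML and return the selected channels."""
    root = ET.fromstring(subscription["queries"])
    if root.tag != "QueryList":
        raise ValueError("queries must be a <QueryList> document")
    return [sel.get("Path") for sel in root.iter("Select")]

def findings(cfg):
    """Warnings a reviewer would raise before deploying the config."""
    out = []
    mode = auth_mode(cfg)
    # Assumed pairing, taken from the two examples on this page: certificate
    # auth on 5986, Kerberos on 5985.
    expected = 5986 if mode == "certificate" else 5985
    if cfg.get("port") != expected:
        out.append(f"{mode} auth usually listens on {expected}, got {cfg.get('port')}")
    for sub in cfg.get("subscriptions", []):
        if "*" in sub.get("computers", []):
            out.append(f"{sub['name']}: accepts every forwarder ('*')")
        if "Security" not in channels(sub):
            out.append(f"{sub['name']}: Security channel is not collected")
    return out
```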
WEC clustering in syslog-ng PE
From version 7.0.23, syslog-ng Premium Edition (syslog-ng PE) supports distributing and monitoring Windows Event Forwarder connections with a TCP-level load balancer across multiple Windows Event Collector (WEC) instances (in short, WEC clustering). While using WEC clustering in syslog-ng PE, the configuration also uses a Redis key-value database to share WEC instances' state.
NOTE: Kerberos authentication does not work in a WEC cluster deployment.
Figure 5: A schematic figure of WEC clustering
NOTE: There is no direct connection between WEC and Windows instances. Instead, the Windows machines are connected to load balancers, and the load balancers are connected to WEC instances. This also means that mutual authentication is performed between Windows hosts and load balancers, and then there is also a mutual authentication performed between load balancers and WEC instances.
Limitations
Caution: Hazard of data loss!
In syslog-ng Premium Edition (syslog-ng PE) version 7.0.23, Redis Cluster is not supported. If you attempt to set up your configuration to enable the Redis Cluster feature, your WEC cluster will not function properly.
NOTE: The timers described in the Timers on the WEC side section are not user configurable in version 7.0.23 of syslog-ng PE.
This section describes the principles of the working mechanism behind Windows Event Collector (WEC) clustering.
If you are new to the concept of Windows Event Collectors, see the Introduction section of this guide, or the sections following the introduction for further details.
How does WEC clustering work?
Windows Event Forwarders are connected to load balancers, and the load balancers are connected to Windows Event Collector (WEC) instances. When a WEC instance is disconnected from a load balancer, the load balancer detects the disconnected WEC instance and forwards events to a different WEC instance. The new WEC instance can continue event requests from the last position saved by the disconnected WEC. For this redirection to work, the WEC instances must be configured to share their state. Because WEC instances can store their state in a Redis key-value database, syslog-ng Premium Edition (syslog-ng PE) uses this feature and shares the WEC instances' state through such a Redis key-value database when performing WEC clustering.
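The following added model, which is not syslog-ng PE code, shows why the shared state matters for the failover just described: a dict stands in for the Redis key-value store, each collector records the last record id it has read per subscription and computer, and a second collector that takes over a forwarder either resumes from that bookmark or, with its own separate state, re-collects everything the forwarder still holds. The key layout and the record-id bookmark are assumptions of this model, not the format syslog-ng PE stores in Redis.

```python
# Constructed model (not syslog-ng PE code) of the failover the clustering
# section describes. A dict stands in for the Redis key-value store; the key
# layout and the record-id bookmark are assumptions of this model.

class SharedState:
    """Stand-in for Redis: last record id read, per subscription and computer."""
    def __init__(self):
        self.bookmarks = {}

    @staticmethod
    def key(subscription, computer):
        return f"{subscription}:{computer}"

class Collector:
    """One WEC instance that reads from, and writes back to, a state store."""
    def __init__(self, name, state):
        self.name, self.state, self.received = name, state, []

    def pull(self, subscription, computer, events):
        """Take events newer than the stored bookmark and advance the bookmark."""
        k = self.state.key(subscription, computer)
        last = self.state.bookmarks.get(k, 0)
        fresh = [e for e in events if e["record_id"] > last]
        self.received.extend(fresh)
        if fresh:
            self.state.bookmarks[k] = fresh[-1]["record_id"]
        return len(fresh)

def failover_run(share_state):
    """Collector A reads the first three events and drops out; the load balancer
    routes the forwarder to collector B. Returns all record ids collected."""
    state = SharedState()
    a = Collector("wec-a", state)
    b = Collector("wec-b", state if share_state else SharedState())
    sub, host = "ExampleDefaultSubscription", "windowsdc.mydomain.com"
    # Constructed sample events from one forwarder; record ids are monotonic.
    events = [{"record_id": i, "channel": "Security"} for i in range(1, 7)]
    a.pull(sub, host, events[:3])   # balancer routes the forwarder to A first
    # A is disconnected; B receives the forwarder and is offered everything it
    # still holds (ids 1..6). Only a shared bookmark lets B skip 1..3.
    b.pull(sub, host, events)
    return sorted(e["record_id"] for e in a.received + b.received)
```

With a shared store every event is collected exactly once across the two instances; with per-instance state the takeover duplicates the first three events.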