Return
-
Title
Troubleshooting syslog-ng WEC -
Description
This knowledge article contains information about how to troubleshoot syslog-ng WEC and Windows client machines in case of any issue. -
Resolution
Syslog-ng WEC
Syslog-ng WEC (WEC) logging facilities are configured in the wec.yaml file located by default at /opt/syslog-ng/etc/wec.yaml.
Debug logging
- If you are using a systemd platform and start WEC using systemctl, then stderr is redirected to systemd-journal.
- You can also optionally specify a file to send logs to (in parallel with stderr), that is recommended to ease troubleshooting.
- Debug logging may produce loads of messages, use it only for troubleshooting.
1. Set log 'level' to 'debug' and optionally add a log file.
log:
level: "debug"
file: "/opt/syslog-ng/var/wec.log" # optional2. Restart WEC for taking place the change.
Systemd-based systems:
systemctl restart syslog-ng-wec
SysV-based systems:
/etc/init.d/syslog-ng-wec restart
Development debug logging
- This feature provides additional information about WEC for developers.
- Use it only if One Identity Support asks because of an ongoing service request.
dev:
devdebug: trueSubscriptions
- WEC places the subscription file of every client under /opt/syslog-ng/var/wecstate directory. The filename is the Windows hostname of the client.
- Example: /opt/syslog-ng/var/wecstate/trainingdc.training.local
{"EventSource":"trainingdc.training.local","BookmarkListsIndex":{"36142154-A862-5DF6-BF9D-3D7DCB327936":{"Bookmarks":{"":{"Channel":"","RecordID":0},"Application":{"Channel":"Application","RecordID":513840183}},"Current":"Application"}}}
- Subscriptions are written to disk periodically from the memory. It can be forced by restarting WEC.
- A client subscription can be reset by removing the file.
- Debug logs contain information about subscriptions.
Windows client
- Windows Event forwarding is managed by the services Windows Remote Management and Windows Event Log.
- Check service events in Event Viewer:
Applications and Services Logs\Microsoft\Windows\Eventlog-ForwardingPlugin
Applications and Services Logs\Microsoft\Windows\Windows Remote Management- Apply Group Policy changes in a Windows domain with 'gpupdate /force'.
- Generate test events
eventcreate /T ERROR /ID 11 /L APPLICATION /D "This is an application error!"
eventcreate /T WARNING /ID 12 /L SYSTEM /D "This is just a warning in the system log"