
syslog-ng Premium Edition 6.0.21 - Administrator Guide for syslog-ng Agent for Windows

Using the Windows Certificate Store authentication method

When using mutual TLS-encryption with syslog-ng Agent for Windows, using certificates from the Windows Certificate Store as an authentication method is one of your options.

The syslog-ng Agent for Windows application can automatically show the requested certificate to the server when the connection is established, provided it is available in the Personal Certificates store of your Local Computer (MMC > Certificates > Computer Account > Local Computer > Personal Certificates).

To import this certificate, use the Certificate Import Wizard. For details, see Importing certificates with the Microsoft Management Console.

NOTE: The syslog-ng Agent for Windows application only supports this certificate import method for the Windows Certificate Store authentication method.

For more information about using mutual authentication options when using the Windows Certificate Store authentication method, see Configuring mutual authentication when using the Windows Certificate Store authentication method.

To configure the Windows Certificate Store as your authentication method:

  1. Navigate to syslog-ng Agent Settings > Local Settings > Destinations > Add New Server > Server Property.

  2. Enable Use TLS encryption.

  3. Select Windows Certificate Store.

    Figure 4: syslog-ng Agent Settings > Local Settings > Destinations > Add New Server > Server Property

    NOTE: When using TLS-encryption on your server, consider the following:

    • It is not possible to configure both File-based certificates and Windows Certificate Store as the authentication method for newly added destinations.

    • For imported configurations that are already set up for the Windows Certificate Store authentication method, File-based certificates can still be configured, but the File-based certificates method then overwrites the Windows Certificate Store method.

    • When using File-based certificate as an authentication method, uploading a CA file is required.

    NOTE: When using TLS-encryption on your server, consider the following:

    • The syslog-ng Agent for Windows application supports using the File-based certificate as an authentication method both for TLS version 1.1 or lower, and for TLS version 1.2 or higher. One Identity recommends using this option instead of the legacy Windows Certificate Store option, which only supports TLS versions 1.1 or lower.

    • The syslog-ng Agent for Windows application only supports using the Windows Certificate Store as an authentication method for TLS version 1.1 or lower. One Identity does not recommend using this legacy option.

  4. Click Select Certificate, and select the Windows Certificate of your choice.

    Figure 5: syslog-ng Agent Settings > Local Settings > Destinations > Add New Server > Server Property > Select Certificate

  5. (Optional) To configure advanced RLTP settings and to allow compression, click Advanced Options.

    Figure 3: syslog-ng Agent Settings > Local Settings > Destinations > Add New Server > Server Property > Advanced Options: Allowing compression, and advanced RLTP settings

Configuring mutual authentication when using the Windows Certificate Store authentication method

If the syslog-ng Premium Edition (syslog-ng PE) server requests authentication from the syslog-ng Agent for Windows, complete the following steps.

NOTE: When using TLS-encryption on your server, consider the following:

  • The syslog-ng Agent for Windows application supports using the File-based certificate as an authentication method both for TLS version 1.1 or lower, and for TLS version 1.2 or higher. One Identity recommends using this option instead of the legacy Windows Certificate Store option, which only supports TLS versions 1.1 or lower.

  • The syslog-ng Agent for Windows application only supports using the Windows Certificate Store as an authentication method for TLS version 1.1 or lower. One Identity does not recommend using this legacy option.

  1. Create certificates for the clients. By default, syslog-ng Agent for Windows will look for a certificate that contains the hostname or IP address of the central syslog-ng PE server in its Common Name. If you use a different Common Name, do not forget to complete Step 3 to set the Common Name of the certificate.

    The certificate must contain the private key and must be in PKCS12 format.

    TIP:

    To convert a certificate and a key from PEM format to PKCS12, you can use the following command:

    openssl pkcs12 -export -in agentcertificate.pem -inkey agentprivatekey.pem -out agentcertificatewithkey.pfx

  2. Import this certificate into the Personal Certificate store of the Local Computer using the Certificate Import Wizard. For details, see Importing certificates with the Microsoft Management Console.

    NOTE: The syslog-ng Agent for Windows application only supports this certificate import method for the Windows Certificate Store authentication method.

  3. By default, the syslog-ng Agent for Windows will look for a certificate that contains the hostname or IP address of the central syslog-ng PE server in its Common Name. (The agent will look for the server name or address set in the Server Name field of the destination.) If the certificate of the client has a different Common Name, complete the following steps:

    1. Start the configuration interface of the syslog-ng Agent for Windows application.

    2. Select syslog-ng Agent Settings > Destinations.

    3. Right-click on the server that requires mutual authentication and select Properties.

    4. Select the Use TLS option, click Select, then select the certificate to use. You can also type the Common Name of the certificate into the Client Certificate Subject field.

      If you have more than one certificate with the same Common Name, you can alternatively type the Distinguished Name (DN) of the certificate into the Client Certificate Subject field. When using the Distinguished Name, type only the elements of the name, separated with commas, starting with the country. For example: US, Maryland, Pasadena, Example Inc, Sample Department, mycommonname

      NOTE: A common way is to use the hostname or the IP address of the host running syslog-ng Agent for Windows as the Common Name of the certificate (for example syslog-ng-agent1.example.com).

  4. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent for Windows service.
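The certificate lookup described in Step 1 and the Client Certificate Subject format described in Step 3 can be checked from PowerShell before the agent is configured. The following script is an added example, not part of this guide or of the agent: it lists the certificates in the Local Computer Personal store, reports whether each one carries a private key, is currently valid and has a Common Name containing the server name, and builds the Client Certificate Subject value from the certificate's Subject. It assumes $ServerName holds the value entered in the destination's Server Name field.

```powershell
# Assumption: $ServerName is the value entered in the destination's Server Name field.
$ServerName = 'syslog-ng-server.example.com'   # placeholder, replace with your server name

function ConvertTo-AgentSubject {
    # .NET renders a subject as "CN=..., OU=..., O=..., L=..., S=..., C=..." (most
    # specific element first); the agent expects the reverse order and the values only,
    # e.g. "US, Maryland, Pasadena, Example Inc, Sample Department, mycommonname".
    param([Parameter(Mandatory)][string]$X500Subject)
    # Split only on commas that start a new KEY= element, so a quoted value such as
    # O="Example, Inc." is not split in the middle.
    $elements = $X500Subject -split ',\s*(?=[A-Za-z][A-Za-z0-9.]*=)'
    [array]::Reverse($elements)
    $values = foreach ($e in $elements) { ($e -split '=', 2)[1].Trim().Trim('"') }
    return ($values -join ', ')
}

function Get-AgentCandidateCertificate {
    # Inspects the Local Computer Personal store (Cert:\LocalMachine\My), the store the
    # agent reads, and reports what matters for the Windows Certificate Store method.
    param([Parameter(Mandatory)][string]$ServerName)
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cn = if ($_.Subject -match '(?:^|,\s*)CN=([^,]+)') { $Matches[1].Trim('"') } else { '' }
        [pscustomobject]@{
            Thumbprint        = $_.Thumbprint
            CommonName        = $cn
            HasPrivateKey     = $_.HasPrivateKey            # required: the PKCS12 must include the key
            ValidNow          = ($_.NotBefore -le $now -and $_.NotAfter -gt $now)
            MatchesServerName = ($cn -like "*$ServerName*") # the agent's default lookup (Step 1)
            ClientCertSubject = ConvertTo-AgentSubject -X500Subject $_.Subject  # value for Step 3
        }
    }
}

Get-AgentCandidateCertificate -ServerName $ServerName | Format-List
```

Run the script in an elevated PowerShell session on the host running the agent; a certificate with MatchesServerName set to False still works if you copy its ClientCertSubject value into the Client Certificate Subject field as described in Step 3.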

Importing certificates with the Microsoft Management Console

In certain cases, you may have to import your certificates for authentication with the Microsoft Management Console.

To import a certificate with the Microsoft Management Console

  1. Start the Microsoft Management Console by running mmc.exe (Navigate to your Start menu, and select Run application).

    NOTE: Running mmc.exe requires administrator privileges.

  2. Click on the Add/Remove snap-in item of the File menu.

  3. Click Add, select the Certificates module, and click Add.

  4. Select Computer account in the displayed window and click Next.

  5. Select Local computer and click Close.

  6. To import the CA certificate that issued the syslog-ng Premium Edition (syslog-ng PE) server's certificate, navigate to Console Root > Certificates > Trusted Root Certification Authorities > Certificates.

    To import a certificate for syslog-ng Agent for Windows to perform mutual authentication, navigate to Console Root > Certificates > Personal > Certificates.

  7. Right-click on the Certificates folder and select All tasks > Import from the menu that appears. The Certificate Import Wizard is displayed. Click Next.

    (Optional): Certificates used to authenticate the syslog-ng Agent for Windows in mutual authentication include the private key. Provide the password for the private key when requested.

  8. Microsoft Windows offers a suitable certificate store by default, so click Next.

  9. Click Finish on the summary window, then click Yes on the window that confirms the certificate was imported successfully.

Chapter 7. Filtering messages

The syslog-ng Agent for Windows application can filter log messages in both blacklist and whitelist fashion. When using blacklisting, you define filters and any message that matches the filters is ignored by the agent; only messages that do not match the filters are sent to the central server. When using whitelisting, you define filters and only the messages matching the filters are forwarded to the central server; other messages are ignored. By default, blacklist filtering is used.

If you define multiple filters, the messages must match every filter. In other words, the filters are connected to each other with logical AND operations.

Different filters are available for eventlog and file sources. When the syslog-ng Agent processes a message, it checks the relevant filters one by one: for example, if it finds a blacklist filter that matches the message, the agent stops processing the message without sending it to the server.
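The following PowerShell script is an added example, not part of this guide or of the agent: it models the filter semantics described above (blacklist and whitelist mode, multiple filters combined with logical AND as stated above, global filters applied before the per-destination ones) and runs them over constructed sample events. The filter hashtable shape and the event fields, named after the EVENT_SOURCE, EVENT_ID and EVENT_MESSAGE macros, are assumptions of the example.

```powershell
function Test-FilterMatch {
    # Filters are case sensitive unless the global setting is changed.
    param($Event, [hashtable]$Filter, [bool]$IgnoreCase = $false)
    if ($Filter.Type -in 'Sources', 'SourcesAndEventId') {
        # The source must match the full EVENT_SOURCE string, trailing dot included.
        $srcOk = if ($IgnoreCase) { $Event.EVENT_SOURCE -ieq $Filter.Source } else { $Event.EVENT_SOURCE -ceq $Filter.Source }
        # Event ID is optional: without it the filter matches every event of the source.
        $idOk = (-not $Filter.ContainsKey('EventId')) -or ($Event.EVENT_ID -eq $Filter.EventId)
        return ($srcOk -and $idOk)
    }
    if ($Filter.Type -eq 'MessageContents') {
        $opt = if ($IgnoreCase) { 'IgnoreCase' } else { 'None' }
        return [regex]::IsMatch($Event.EVENT_MESSAGE, $Filter.Regex, $opt)
    }
    return $false
}
function Invoke-FilterStage {
    # One filter set (global or per destination). Every filter must match (logical AND);
    # blacklist mode (default) drops a matched event, whitelist mode forwards only matched events.
    param([object[]]$Events, [hashtable[]]$Filters, [bool]$WhiteList = $false, [bool]$IgnoreCase = $false)
    foreach ($ev in $Events) {
        if ($Filters.Count -eq 0) { $ev; continue }     # no filters: pass everything through
        $all = $true
        foreach ($f in $Filters) { if (-not (Test-FilterMatch $ev $f $IgnoreCase)) { $all = $false; break } }
        if ($WhiteList -eq $all) { $ev }                # forward; anything else is dropped
    }
}
function Invoke-AgentFilterPipeline {
    # Global filters are applied first, then the destination's own (local) filters.
    param([object[]]$Events, [hashtable[]]$GlobalFilters, [hashtable[]]$LocalFilters, [bool]$WhiteList = $false)
    $afterGlobal = @(Invoke-FilterStage -Events $Events -Filters $GlobalFilters -WhiteList $WhiteList)
    @(Invoke-FilterStage -Events $afterGlobal -Filters $LocalFilters -WhiteList $WhiteList)
}

# Constructed sample events (not real log data) carrying the macros the filters read.
$events = @(
    @{ EVENT_SOURCE = 'Microsoft Windows security auditing.'; EVENT_ID = 4688; EVENT_MESSAGE = 'New Process Name: C:\Windows\System32\SearchProtocolHost.exe' },
    @{ EVENT_SOURCE = 'Microsoft Windows security auditing.'; EVENT_ID = 4624; EVENT_MESSAGE = 'An account was successfully logged on.' },
    @{ EVENT_SOURCE = 'Service Control Manager'; EVENT_ID = 7036; EVENT_MESSAGE = 'The Windows Search service entered the running state.' }
)
# Global blacklist with two filters: an event is dropped only when BOTH match.
$globalFilters = @(
    @{ Type = 'SourcesAndEventId'; Source = 'Microsoft Windows security auditing.'; EventId = 4688 },
    @{ Type = 'MessageContents'; Regex = 'SearchProtocolHost\.exe$' }
)
$localFilters = @( @{ Type = 'Sources'; Source = 'Service Control Manager' } )  # per-destination blacklist
Invoke-AgentFilterPipeline -Events $events -GlobalFilters $globalFilters -LocalFilters $localFilters |
    ForEach-Object { '{0} {1}: {2}' -f $_.EVENT_SOURCE, $_.EVENT_ID, $_.EVENT_MESSAGE }
```

With these filters only the logon event (4624) reaches the destination: 4688 matches both global filters and is dropped by the global blacklist, and 7036 matches the local Sources filter. Because blacklist filters are combined with AND rather than OR, changing the second global regex to one that the 4688 event does not match lets that event through as well.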

NOTE:

By default, all filters are case sensitive. For details on how to change this behavior, see Procedure 5.7, “Configuring global settings”.

Procedure 7.1. Filtering eventlog messages

Purpose: 

The following types of filters are available for eventlog sources. Unless described otherwise, the filters match only if the same string appears in the related field of the message.

NOTE:

When filtering on the message source, the values of the Source field can be incorrect in some cases. Check the EVENT_SOURCE field of a message to avoid any problems.

  • Sources: Filter on the source (application) that created the message. Corresponds with the EVENT_SOURCE macro.

  • Sources and Event ID: Filter on the source (application) that created the message, and optionally on the identification number of the event. Corresponds with the EVENT_SOURCE and EVENT_ID macros.

  • Message Contents: Filter the text of the message, that is, the contents of the EVENT_MESSAGE macro. In this filter you can use regular expressions.

  • Sources and Categories: Filter on the source (application) that created the message, and optionally on the category of the event. Corresponds with the EVENT_SOURCE and EVENT_CATEGORY macros.

    Example 7.1. Filtering on Sources and Categories

    For example, you want to filter the following message:

    Source: Microsoft Windows security auditing
    Category: Process Creation
    New Process Name: C:\Windows\System32\SearchProtocolHost.exe

    Set the Source to Microsoft Windows security auditing, and Category to Process Creation.


  • Users: Filter on the username associated with the event. Corresponds with the EVENT_USERNAME macro.

  • Computers: Filter on the name of the computer (host) that created the event. Corresponds with the HOST macro.

  • Event Types: Filter on the type of the event. Corresponds with the EVENT_TYPE macro.

To modify the filters used for eventlog messages, complete the following procedure:

Steps: 

  1. If you want to filter on the source of the message, complete the following steps.

    1. Start the Event Viewer application and find a message from the source that you want to filter.

    2. Select the General tab, and right-click on the value of the Source field.

      Figure 7.1. Finding the name of the Event Source

    3. Select Copy. Save the copied value somewhere; you will need it later to configure the filter in syslog-ng Agent.

      NOTE:

      It is important to use this method, because the actual value of the Source field can be longer than what the Event Viewer displays. (For example, for security messages the displayed source is often Microsoft Windows security, while the full name of the source is "Microsoft Windows security auditing.", which includes the dot character at the end.)

      Hovering your mouse over the value of the Source field also displays the full name of the source.

  2. Start the configuration interface of the syslog-ng Agent for Windows application.

    • To apply filters globally to every eventlog message, select syslog-ng Agent Settings > Destinations > Global Event Filters, and right-click Global Event Filters.

    • To apply filters only to a specific destination, select syslog-ng Agent Settings > Destinations, select the destination server, then select Event Filters. Right-click Event Filters.

    NOTE:

    If you use both global and local (server-side) filtering, the global filters are applied to the eventlog messages first, then the local filters.

  3. Select Properties > Enable > OK.

    Figure 7.2. Global event filters

  4. To use whitelist-filtering, select White List Filtering. By default, syslog-ng Agent uses blacklist filtering.

  5. On the right-hand pane, double-click on the type of filter you want to create.

    • To ignore messages sent by a specific application, or messages of the application with a specific event ID, double-click on Sources and Event ID, select Add, and enter the name of the source (application) whose messages you want to ignore into the Source Name field. To ignore only specific messages of the application, enter the ID of the event into the Event ID field. Select Add > Apply.

      Figure 7.3. Sources and Event ID

    • To ignore messages that contain a specific string or text, double-click on Message Contents, enter the search term or a POSIX regular expression into the Regular Expression field, then select Add > Apply.

      Figure 7.4. Message Contents

    • To ignore messages sent by a specific application, or messages of the application that fall into a specific category, double-click on Sources and Categories, select Add, and select the name of the application whose messages you want to ignore from the Application Name field. To ignore only those messages of the application that fall into a specific category, enter the name of the category into the Category field. Select Add > Apply.

    • To ignore messages sent by a specific user, double-click on Users, enter the name of the user into the User field, then select Add > Apply.

    • To ignore messages sent by a specific computer (host), double-click on Computers, enter the name of the computer into the Computer field, then select Add > Apply.

    • Event Types: To ignore messages of a specific event type, double-click on Event Types, select the event types to ignore, and select OK > Apply.

      NOTE:

      Windows labels certain messages as level 3 and the Event Viewer labels such messages as warnings. This is against the official specification: level 3 should not be used, and only level 2 messages are warnings. To filter these events, you have to manually add a new event type to the registry and set its value to 3, for example HKEY_LOCAL_MACHINE\SOFTWARE\BalaBit\syslog-ng Agent\Local Settings\EventSources\Filter\Type\Rule0\Type=3

  6. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

Procedure 7.2. Filtering file messages

Purpose: 

The following types of filters are available for file sources:

  • Message Contents: Filter the text of the message, that is, the contents of the FILE_MESSAGE macro. In this filter you can use regular expressions.

  • File Name: Filter on the file name. Corresponds with the FILE_NAME macro. In this filter you can use wildcards (*, ?). Only available for destination file filters.

To modify the filters used for file messages, complete the following procedure:

Steps: 

  1. Start the configuration interface of the syslog-ng Agent for Windows application.

    • To apply filters globally to every file message, select syslog-ng Agent Settings > Destinations > Global File Filters, and right-click Global File Filters.

    • To apply filters only to a specific destination, select syslog-ng Agent Settings > Destinations, select the destination server, then select File Filters. Right-click File Filters.

    NOTE:

    If you use both global and local (server-side) filtering, the global filters are applied to the file messages first, then the local filters.

  2. Select Properties > Enable > OK.

    Figure 7.5. Global file filters

  3. To use whitelist-filtering, select White List Filtering. By default, syslog-ng Agent uses blacklist filtering.

  4. On the right-hand pane, double-click on the type of filter you want to create.

    • To ignore messages that contain a specific string or text, double-click on Message Contents, enter the search term or a regular expression into the Regular Expression field, then select Add.

  5. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.
