Once you have configured your event source computer(s), the next step is to configure your event collector, in this case, the Windows Event Collector for syslog-ng PE.
NOTE: The configuration file of WEC is YAML based. YAML uses spaces, not tabs, for indentation.
To configure WEC, use the following options.
For an example wec.yaml file, see WEC configuration example.
Type: string
Default: N/A
Description: The hostname, IP address, or FQDN of the server where WEC is running. It must match the Common Name of the SSL certificate.

Type: integer
Default: 5986
Description: The port where the server running WEC is listening.

Type: string
Default: N/A
Description: The path to the file that contains the unencrypted private key of the server running WEC. The file is in PEM format.

Type: string
Default: N/A
Description: The path to the file that contains the X.509 certificate of the server running WEC. The file is in PEM format.

Type: string
Default: N/A
Description: The path to the directory that contains the trusted CA certificates in PEM format.

Type: map
Default: N/A
Description: The options to specify how to handle the internal logs of WEC:
WEC sends internal log messages to stderr. You can also optionally specify a file to send logs to (in parallel with stderr). If you are using a systemd platform and start WEC using systemctl, then stderr is redirected to systemd-journal, and this is where you will find the internal logs of WEC.

file
Type: string
Default: N/A
Description: The path to the file where WEC should write internal log messages. The log file is automatically created by syslog-ng PE.

Type: map
Default: N/A
Description: The options to specify how to store the event logs that are forwarded to WEC:
queuesize
Type: integer
Default: 10000
Description: The number of events that the destination memory queue can store. Note that the main purpose of queuesize is to speed up the writing of data into memory and smooth out peaks. It is recommended to use the default value for this option. For more information about flow control, see Flow control.
Type: map
Default: N/A
Description: The options related to the subscriptions you have set up on WEC:
NOTE: You can set up multiple subscriptions to events coming from the same Windows host. If an event matches more than one subscription, it arrives at WEC once for each matching subscription, so overlapping subscriptions produce duplicate event logs.
name
Type: string
Default: N/A
Description: The unique name of the subscription in WEC.

heartbeats
Type: integer
Default: N/A
Description: A value that specifies the heartbeat interval for the subscription in seconds.

connectionretry
Type: integer
Default: N/A
Description: WEC attempts to reconnect to the Windows host(s) at the specified interval of time in seconds.

batchtimeoutlimit
Type: integer
Default: N/A
Description: Specifies the maximum latency allowed in delivering a batch of events (in seconds).
queries
Type: string
Default: N/A
Description: Specifies the query string for the subscription. You can:
For examples of queries, check the following Windows blog posts:
readexistingevents
Type: true|false
Default: false
Description: When the value is true, all existing events are read from the subscription event source if the subscription in question has not been read yet. When the value is false, only future (arriving) events are delivered. If the subscription has a state in the persist file, this option will have no effect.
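The options above are easy to get subtly wrong before WEC is ever started: a tab in the YAML indentation, a non-unique subscription name, a port given as a string, or two subscriptions whose queries select the same channel (which, as the note above says, delivers every matching event once per subscription). The following is an added example, not code from the original page or from the syslog-ng PE product: a small pre-flight check written in Python that works on a config already loaded into a dictionary (so it needs no YAML library) plus a separate check of the raw file text for tab indentation. The sample config is constructed; the top-level key names (server, port, keyfile, certfile, cadir, log, eventdestination, subscriptions) are assumed from the product documentation, while the option names inside each subscription are the ones listed above.

```python
from __future__ import annotations

import re
from typing import Any

# Constructed sample config, not taken from the page. Top-level key names are
# assumed from the product documentation; the subscription option names are the
# ones described in the option table above.
SAMPLE_CONFIG: dict[str, Any] = {
    "server": "wec.example.com",
    "port": 5986,
    "keyfile": "/opt/syslog-ng/etc/server.key",
    "certfile": "/opt/syslog-ng/etc/server.crt",
    "cadir": "/opt/syslog-ng/etc/cadir",
    "log": {"file": "/opt/syslog-ng/var/wec.log"},
    "eventdestination": {"queuesize": 10000},
    "subscriptions": [
        {
            "name": "ApplicationLog",
            "heartbeats": 900,
            "connectionretry": 60,
            "batchtimeoutlimit": 900,
            "queries": ["<QueryList><Query Id='0'><Select Path='Application'>*</Select></Query></QueryList>"],
            "readexistingevents": False,
        },
        {
            "name": "SecurityLog",
            "heartbeats": 900,
            "connectionretry": 60,
            "batchtimeoutlimit": 900,
            "queries": ["<QueryList><Query Id='0'><Select Path='Security'>*</Select></Query></QueryList>"],
            "readexistingevents": False,
        },
    ],
}

# Pulls the channel name out of a <Select Path='...'> element of a query string.
SELECT_PATH = re.compile(r"<Select\s+Path=['\"]([^'\"]+)['\"]")


def check_indentation(text: str) -> list[int]:
    """Return 1-based line numbers whose leading whitespace contains a tab.

    YAML indentation must use spaces; a tab there is a load-time error."""
    bad = []
    for number, line in enumerate(text.splitlines(), 1):
        indent = line[: len(line) - len(line.lstrip(" \t"))]
        if "\t" in indent:
            bad.append(number)
    return bad


def validate_config(cfg: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the config passed."""
    problems: list[str] = []

    port = cfg.get("port", 5986)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"port must be an integer in 1..65535, got {port!r}")

    # Key, certificate and CA directory are all required paths (PEM format).
    for key in ("keyfile", "certfile", "cadir"):
        if not isinstance(cfg.get(key), str) or not cfg[key]:
            problems.append(f"{key} must be a non-empty path")

    queuesize = (cfg.get("eventdestination") or {}).get("queuesize", 10000)
    if not isinstance(queuesize, int) or queuesize <= 0:
        problems.append(f"eventdestination.queuesize must be a positive integer, got {queuesize!r}")

    subs = cfg.get("subscriptions") or []
    names = [s.get("name") for s in subs]
    if any(not n for n in names):
        problems.append("every subscription needs a name")
    for dup in sorted({n for n in names if n and names.count(n) > 1}):
        problems.append(f"subscription name {dup!r} is not unique")

    for sub in subs:
        label = sub.get("name") or "<unnamed>"
        for key in ("heartbeats", "connectionretry", "batchtimeoutlimit"):
            value = sub.get(key)
            if value is not None and (not isinstance(value, (int, float)) or value <= 0):
                problems.append(f"{label}: {key} must be a positive number of seconds")
        if not sub.get("queries"):
            problems.append(f"{label}: queries must not be empty")
        if "readexistingevents" in sub and not isinstance(sub["readexistingevents"], bool):
            problems.append(f"{label}: readexistingevents must be true or false")
    return problems


def overlapping_channels(cfg: dict[str, Any]) -> dict[str, list[str]]:
    """Map each channel selected by more than one subscription to those
    subscriptions' names; events from such a channel reach WEC once per match."""
    seen: dict[str, list[str]] = {}
    for sub in cfg.get("subscriptions") or []:
        for query in sub.get("queries") or []:
            for channel in SELECT_PATH.findall(query):
                seen.setdefault(channel, []).append(sub.get("name"))
    return {ch: names for ch, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    print("problems:", validate_config(SAMPLE_CONFIG))
    print("overlapping channels:", overlapping_channels(SAMPLE_CONFIG))
```

Run `check_indentation` on the raw text of wec.yaml before loading it, and `validate_config` plus `overlapping_channels` on the loaded mapping. The overlap check only inspects `<Select Path=...>` elements, so queries that match the same channel through other XPath constructs are not caught by it.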
syslog-ng Premium Edition version 7.0.6 or newer.
To enable syslog-ng PE to read and accept Windows events, you need to configure a source called windowsevent().
To configure syslog-ng PE
Ensure that the default 5986 TCP port is accessible from WEC, as it is the Windows Event Collector that will initiate the event forwarding subscription toward the syslog-ng PE server.
Configure the windowsevent() source.
source s_wec { windowsevent(); };
The windowsevent() source takes the following options:
unix-domain-socket(): The path to the Unix domain socket to read messages from.
The default value is /opt/syslog-ng/var/run/wec.sock.
prefix(): The prefix that you wish to append to the key-value pairs.
The default value is ".windowsevent.".
If you want to send Windows event logs to SDATA, then set prefix(".SDATA."). This can be useful, for example, when you forward Windows event logs to a syslog-ng Store Box.
For more information on the windowsevent() source, see "windowsevent: Collecting Windows event logs" in the Administration Guide.
Define a complete log path in syslog-ng.conf to enable the windowsevent() source, s_wec. Otherwise, the WEC process will not run (connection refused).
For example:
source s_wec { windowsevent(); };
log {
    source(s_wec);
    destination {
        file("/var/log/example.log" template("$(format-json --scope dot-nv-pairs)\n"));
    };
};
To start and stop the Windows Event Collector tool manually, use the following commands:
On systemd platforms:
Start WEC: systemctl start syslog-ng-wec
Stop WEC: systemctl stop syslog-ng-wec
On platforms using init scripts:
Start WEC: /etc/init.d/syslog-ng-wec start
Stop WEC: /etc/init.d/syslog-ng-wec stop
To start WEC in the foreground, execute:
wec -c /path/to/wec.yaml
The Windows Event Collector for syslog-ng PE is supported for Windows 7 or newer platforms. Starting with Windows 7, event logging is XML-based, meaning that event log messages reach WEC in XML format. When these are forwarded to the syslog-ng PE server, syslog-ng PE parses them into key-value pairs using the XML parser.
Once event log data is available in syslog-ng PE, you have the flexibility to modify and format data any way you want, using macros and rewrite rules.
Note that while event log data as processed by the WEC tool may differ from the data collected and made available by the syslog-ng Agent for Windows, the Windows Event Collector tool provides you with greater freedom and flexibility when it comes to manipulating your raw data.
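To make the XML-to-key-value step concrete, here is an added example that is not part of the original page and not the syslog-ng PE XML parser itself: a Python function that flattens a Windows event XML document into dot-separated name-value pairs under the `prefix()` of the windowsevent() source, in the spirit of what the `$(format-json --scope dot-nv-pairs)` template above would emit. The sample event is constructed. The exact key layout is an approximation of syslog-ng's xml parser (nested elements joined with `.`, attributes as `_<name>` under their element); keying `EventData/Data` elements by their `Name` attribute is a choice made in this example for readability, not something the page states the parser does, and a real deployment would normally do that mapping with a rewrite rule.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed sample in the Windows event XML shape (not captured from a real
# host); the namespace and element names follow the Windows event schema.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <Channel>Security</Channel>
    <Computer>ws01.example.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>"""


def _local(tag: str) -> str:
    """Strip the {namespace} part that ElementTree prepends to tag names."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def flatten_event(xml_text: str, prefix: str = ".windowsevent.") -> dict[str, str]:
    """Flatten an event XML document into dot-separated name-value pairs.

    Approximates syslog-ng's xml parser: nested elements join with '.',
    attributes become '_<name>' under their element, and element text is the
    element's value. EventData/Data elements are keyed by their Name attribute
    (an assumption of this example, not the parser's own behaviour)."""
    pairs: dict[str, str] = {}

    def walk(elem: ET.Element, path: str) -> None:
        is_named_data = _local(elem.tag) == "Data" and "Name" in elem.attrib
        for attr, value in elem.attrib.items():
            if is_named_data and attr == "Name":
                continue  # already consumed as the key segment
            pairs[f"{path}._{attr}"] = value
        text = (elem.text or "").strip()
        if text:
            pairs[path] = text
        for child in elem:
            segment = _local(child.tag)
            if segment == "Data" and "Name" in child.attrib:
                segment = f"Data.{child.attrib['Name']}"
            walk(child, f"{path}.{segment}")

    root = ET.fromstring(xml_text)
    walk(root, prefix + _local(root.tag))
    return pairs


def event_summary(pairs: dict[str, str], prefix: str = ".windowsevent.") -> str:
    """Pick a few pairs back out, the way a template or rewrite rule would."""
    base = f"{prefix}Event."
    event_id = pairs.get(base + "System.EventID", "?")
    computer = pairs.get(base + "System.Computer", "?")
    user = pairs.get(base + "EventData.Data.TargetUserName", "?")
    logon_type = pairs.get(base + "EventData.Data.LogonType", "?")
    return f"EventID {event_id} on {computer}: TargetUserName={user} LogonType={logon_type}"


if __name__ == "__main__":
    flat = flatten_event(SAMPLE_EVENT_XML)
    for key in sorted(flat):
        print(f"{key} = {flat[key]}")
    print(event_summary(flat))
```

Passing `prefix=".SDATA."` produces the key names you would get when forwarding to a syslog-ng Store Box with `prefix(".SDATA.")`, as described for the windowsevent() source above.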
© 2021 One Identity LLC. ALL RIGHTS RESERVED.