
syslog-ng Premium Edition 7.0.33 - Windows Event Collector Administration Guide

WEC configuration example for certificate-based authentication

This section provides a Windows Event Collector (WEC) configuration example for using certificate-based authentication between Windows Event Forwarding (WEF) and WEC.

Example: Configuring WEC if certificate-based authentication is used

The configuration example lists the following:

  • Server, port, key, and certificate-related settings

  • Log detail level (info) and the path where the log file is created ("/opt/syslog-ng/var/wec.log")

  • Event destination-related settings that specify how the event logs are stored

  • The subscription named "ExampleDefaultSubscription", which covers the computers "windowsdc.mydomain.com" and "*.trusteddomain.com"

  • Subscription-related parameters (such as connectionretry: 60.0 and batchtimeoutlimit: 900.000 seconds)

server: "wec.mydomain"
port: 5986
keyfile: "/opt/syslog-ng/etc/server.key"
certfile: "/opt/syslog-ng/etc/server.crt"
cadir: "/opt/syslog-ng/etc/cadir"

log:
  level: "info"
  file: "/opt/syslog-ng/var/wec.log"

eventdestination:
  unixdatagram: "/opt/syslog-ng/var/run/wec.sock"

subscriptions:
  - name: "ExampleDefaultSubscription"
    computers:
      - "windowsdc.mydomain.com"
      - "*.trusteddomain.com"

    contentformat: "RenderedText"
    heartbeats: 900.000
    connectionretry: 60.0
    batchtimeoutlimit: 900.000
    queries: |
      <QueryList>
        <Query Id="0">
          <Select Path="Application">*</Select>
          <Select Path="Security">*</Select>
          <Select Path="System">*</Select>
        </Query>
      </QueryList>

For more information on the parameters and the configurable values, see Configuring Windows Event Collector.
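Before starting a collector with the configuration above, it is worth confirming that the referenced TLS material is consistent: that keyfile and certfile belong together, that certfile chains to a CA in cadir, that the name in server appears in the certificate's subjectAltName, and that the certificate is not about to expire. The following script is an added example, not part of the syslog-ng PE guide or the product; it builds a throwaway CA and server certificate for "wec.mydomain" in a temporary directory (constructed fixture, not a real deployment's keys) and runs the check against them. It requires the openssl command-line tool; the real call would take the paths from the configuration (/opt/syslog-ng/etc/server.key, server.crt and cadir). It checks only the collector-side PEM files; how the Windows forwarders trust the collector's certificate is outside its scope.

```shell
#!/bin/sh
# Added example (not part of the syslog-ng PE guide or product): check that
# keyfile, certfile and cadir from a certificate-based WEC configuration are
# consistent with each other and with the 'server' name the forwarders use.
# Requires the openssl command-line tool.
set -u

# wec_tls_check KEYFILE CERTFILE CADIR SERVERNAME
# Exit status 0 when everything is consistent; 1 with the reason on stderr.
wec_tls_check() {
    key=$1; cert=$2; cadir=$3; name=$4

    # 1. keyfile and certfile must belong together: both must yield the same
    #    SubjectPublicKeyInfo. A mismatch makes every TLS handshake fail.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "cannot read private key: $key" >&2; return 1; }
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot read certificate: $cert" >&2; return 1; }
    [ "$kpub" = "$cpub" ] \
        || { echo "keyfile does not match certfile" >&2; return 1; }

    # 2. certfile must chain to a CA in cadir. The CA files (*.crt / *.pem)
    #    are bundled into one file, so no hashed-directory layout is assumed.
    bundle=$(mktemp)
    cat "$cadir"/*.crt "$cadir"/*.pem > "$bundle" 2>/dev/null || true
    [ -s "$bundle" ] \
        || { echo "no CA certificates found in $cadir" >&2; rm -f "$bundle"; return 1; }
    rc=0
    openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 || rc=$?
    rm -f "$bundle"
    [ "$rc" -eq 0 ] \
        || { echo "certfile does not verify against the CAs in cadir" >&2; return 1; }

    # 3. The forwarders connect to 'server', so that exact name must be a DNS
    #    entry in subjectAltName; a CN-only certificate is rejected by modern
    #    TLS clients.
    openssl x509 -in "$cert" -noout -text | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$name" \
        || { echo "server name $name is not in subjectAltName" >&2; return 1; }

    # 4. Not expired, and not expiring within the next 24 hours.
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
        || { echo "certfile expires within 24 hours" >&2; return 1; }
    return 0
}

# build_fixture DIR SERVERNAME: constructs a throwaway CA, a server key, a
# CA-signed server certificate for SERVERNAME and an unrelated key, so the
# check can be exercised without touching a real deployment.
build_fixture() {
    dir=$1; name=$2
    mkdir -p "$dir/cadir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Root CA" \
        -keyout "$dir/ca.key" -out "$dir/cadir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$name" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/cadir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/san.cnf" -out "$dir/server.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/wrong.key" >/dev/null 2>&1
}

# Stand-alone demonstration on the constructed fixture. In a real deployment
# the arguments are the paths from the WEC configuration, for example:
#   wec_tls_check /opt/syslog-ng/etc/server.key /opt/syslog-ng/etc/server.crt \
#                 /opt/syslog-ng/etc/cadir wec.mydomain
tmp=$(mktemp -d)
build_fixture "$tmp" wec.mydomain
if wec_tls_check "$tmp/server.key" "$tmp/server.crt" "$tmp/cadir" wec.mydomain; then
    echo "TLS material is consistent for wec.mydomain"
fi
if wec_tls_check "$tmp/wrong.key" "$tmp/server.crt" "$tmp/cadir" wec.mydomain; then
    echo "unexpected: a mismatched key was accepted"
else
    echo "mismatched key rejected, as intended"
fi
rm -rf "$tmp"
```

Run it on the collector host as the user that will start WEC, so that file permissions on the key are exercised as well. A failure in step 3 is the most common finding when the server value is changed without reissuing the certificate.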

WEC configuration example for Kerberos authentication

This section provides a Windows Event Collector (WEC) configuration example for using Kerberos authentication between Windows Event Forwarding (WEF) and WEC.

Example: Configuring WEC if Kerberos authentication is used

The configuration example lists the following:

  • The server and port parameters

  • The path of the keytab file used for Kerberos authentication (/root/linux_service_account.keytab)

  • Log detail level (debug)

  • The subscription named "Wec-Kerberos", which covers all computers ("*")

  • Subscription-related parameters (such as connectionretry: 60.0 and batchtimeoutlimit: 900.000 seconds)

server: "testlinuxhost.testdomain.com"
port: 5985
kerberos:
  keytabfile: /root/linux_service_account.keytab
log:
  level: "debug"
subscriptions:
  - name: "Wec-Kerberos"
    computers:
      - "*"
    contentformat: "RenderedText"
    heartbeats: 900.000
    connectionretry: 60.0
    batchtimeoutlimit: 900.000
    queries: |
      <QueryList>
        <Query Id="0">
          <Select Path="Application">*</Select>
        </Query>
      </QueryList>

For more information on the parameters and the configurable values, see Configuring Windows Event Collector.

If WEC started successfully with Kerberos authentication, the following message is displayed in the WEC debug log:

"Kerberos AUTH succeeded"

WEC clustering in syslog-ng PE

From version 7.0.23, syslog-ng Premium Edition (syslog-ng PE) supports distributing and monitoring Windows Event Forwarder connections with a TCP-level load balancer across multiple Windows Event Collector (WEC) instances (in short, WEC clustering). While using WEC clustering in syslog-ng PE, the configuration also uses a Redis key-value database to share WEC instances' state.

NOTE: Kerberos authentication does not work in a WEC cluster deployment.

Figure 5: A schematic figure of WEC clustering

NOTE: There is no direct connection between the WEC instances and the Windows hosts. The Windows machines connect to the load balancers, and the load balancers connect to the WEC instances. Mutual authentication is therefore performed twice: once between the Windows hosts and the load balancers, and once between the load balancers and the WEC instances. Because the load balancer terminates the forwarders' connection, it is a trusted component in this design: it must present a certificate the forwarders accept, and it must authenticate itself to the WEC instances in turn.

Limitations

Caution:

Hazard of data loss!

In syslog-ng Premium Edition (syslog-ng PE) version 7.0.23, Redis Cluster is not supported. If you attempt to set up your configuration to enable the Redis Cluster feature, your WEC cluster will not function properly.

NOTE: The timers described in the Timers on the WEC side section are not user configurable in version 7.0.23 of syslog-ng PE.

For more detailed information about WEC clustering, see the following sections:

The working mechanism of Windows Event Collector (WEC) clustering

This section describes the principles of the working mechanism behind Windows Event Collector (WEC) clustering.

If you are new to the concept of Windows Event Collectors, see the Introduction section of this guide, or the sections following the introduction for further details.

How does WEC clustering work?

Windows Event Forwarders connect to load balancers, and the load balancers connect to Windows Event Collector (WEC) instances. When a WEC instance becomes unavailable, the load balancer detects the lost connection and directs the forwarder's events to a different WEC instance. For the new instance to continue the subscription from the last position saved by the disconnected one, rather than re-requesting events or skipping them, the WEC instances must share their state. WEC instances can store their state in a Redis key-value database, so syslog-ng Premium Edition (syslog-ng PE) uses Redis as the shared state store when performing WEC clustering.

NOTE: WEC clustering is backward compatible: file-based state storage remains the default. Converting file-based states to Redis states is also supported.
