5.1. Installing and configuring the syslog-ng agent

To install the syslog-ng agent, complete the following steps:

Procedure 5.1. Installing the syslog-ng agent on Microsoft Windows

  1. Start the installer. Run the syslog-ng-agent-setup.exe file.

    [Note] Note

    Installing the syslog-ng agent requires administrator privileges.

  2. Select the destination folder in which to install the syslog-ng agent application, then click Install. By default, the installer selects the C:\Program Files\Syslog-NG Agent folder. The syslog-ng agent requires about 1 MB hard disk space.

  3. Configure the connection to the syslog-ng server. Enter the hostname (for example, syslog-ng.example.com) or the IP address of the syslog-ng server into the Server name field. Enter the port on which the syslog-ng server accepts connections into the Server port field. Usually syslog-ng servers accept connections on port 514; the port must match the source configured on the server.

  4. Select the mode of the connection.

    To use unencrypted TCP connections, select Unencrypted. To use secure, SSL-encrypted connections, select Encrypted. Note that with Unencrypted the log messages travel across the network in cleartext, and that Encrypted only works if the syslog-ng server accepts SSL connections on the port entered in the previous step.

  5. To limit the number of messages that the syslog-ng agent sends to the server per second, enter the desired limit into the Throttling field. By default (0), the syslog-ng agent does not limit the number of messages sent.

    [Note] Note

    The throttling parameter applies to the total number of messages sent, not to each source independently.

    Click Next.

  6. Select the eventlog sources. The syslog-ng agent can handle both default and custom eventlog containers. Press and hold the Control (Ctrl) key to select multiple groups, or to unselect an already selected group. The syslog-ng agent forwards messages only from the selected eventlog groups.

  7. Select the file sources.

    To select single files, click the ... button, select the file, then click Add log file.

    To select files that are regularly rotated, add an expression in the Expression field and click Add expression. See Section 5.2, “File sources and logrotation” for details on using wildcards in file sources.

    [Note] Note

    The syslog-ng agent remembers the position of the last sent message in every file, and does not re-send old messages after the agent is restarted.

  8. Click Next when you have added every necessary log source.

  9. If needed, customize the format of the messages sent to the central syslog-ng server. See Section 5.4, “Customizing the message format” for details. Click Save settings.

  10. After the installation has finished, click Close.

  11. Use the eventcreate command from the command prompt to create test messages in the event log. The following command creates an event in the Application log: eventcreate /t information /id 100 /l application /d "Test event in application log". (eventcreate accepts event IDs from 1 to 1000 and writes to the Application or System log.) If you selected the Application eventlog source when you configured the syslog-ng agent, the test message appears in the logs of the central syslog-ng server.

    Consult the documentation of your operating system for details on using eventcreate.

    For Windows Server 2003, see

    http://technet2.microsoft.com/windowsserver/en/library/7091b848-90c3-4924-a26d-92494daac4621033.mspx?mfr=true.

    For Windows XP, see

    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/eventcreate.mspx?mfr=true
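The following PowerShell script is an added example for verifying the installation above; it is not part of the original manual or of the syslog-ng agent itself. It generates uniquely marked test events for the eventlog and file sources, checks locally that Windows actually recorded them, and checks that the server port is reachable, so that a missing message on the server can be traced to either the Windows side or the network rather than blamed on the agent. The server name, port, file path and source name are assumptions matching the example values used in the procedure; adjust them to your configuration. Run it from an elevated prompt, since eventcreate needs administrator rights to write to the System log.

```powershell
# Added example, not part of the original documentation or of the agent.
# Assumed configuration (change to match your installer settings):
#   - eventlog sources: Application and System (step 6)
#   - file source:      C:\Logs\app.log (step 7)
#   - server:           syslog-ng.example.com, TCP port 514 (step 3)
$Server  = 'syslog-ng.example.com'
$Port    = 514
$LogFile = 'C:\Logs\app.log'
# Unique marker so the test messages can be found on the server with a simple search.
$Marker  = 'syslog-ng-agent-test-' + (Get-Date -Format 'yyyyMMddHHmmss')

# 1. Is the server port reachable at all? Rules out firewall problems first.
#    Test-NetConnection is available on Windows 8.1 / Server 2012 R2 and later.
$tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP port $Port on $Server is not reachable; the agent cannot deliver messages."
}

# 2. One test event per eventlog container selected in step 6.
#    eventcreate accepts IDs 1..1000; /so sets the source name shown in the event.
foreach ($log in 'application', 'system') {
    & eventcreate.exe /t information /id 100 /l $log /so 'SyslogNGTest' /d "$Marker in $log log" | Out-Null
}

# 3. One line for the file source selected in step 7.
Add-Content -Path $LogFile -Value "$(Get-Date -Format o) $Marker in file source"

# 4. Confirm that Windows recorded the events. If nothing is found here, the
#    problem is local and the agent had nothing to forward.
foreach ($log in 'Application', 'System') {
    $hit = Get-EventLog -LogName $log -Newest 50 | Where-Object { $_.Message -match $Marker }
    if ($hit) {
        "OK: $log log contains $Marker"
    } else {
        Write-Warning "$log log does not contain $Marker"
    }
}

"Now search the central syslog-ng server's logs for: $Marker"
```

If the local checks pass and the port is reachable but the marker never shows up on the server, the remaining suspects are the agent's source selection (step 6 and step 7), the connection mode (an Encrypted agent talking to a plain TCP source, or vice versa), and the throttling limit from step 5.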

To configure an already installed syslog-ng agent, select Start Menu > Programs > Syslog-NG Agent for Windows > Configure Syslog-NG Agent.


© 2007 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com