The syslog-ng Agent for Windows application can send the log messages of the Windows host to a central log server or relay. The same messages can be sent to multiple servers in parallel, so that each server receives every message; failover servers can also be configured, so that the agent sends the messages to a primary server and switches to a failover server if the primary becomes unavailable. If the agent loses the connection to a destination server and the reconnection fails, it sends an eventlog message. A successful reconnection attempt is also logged. (If the server is unavailable for a long time, the agent sends a log message about the failed connection once every ten minutes.)
Like the Linux version, the agent sends MARK messages to the server to indicate that the client host is alive but has no log messages to send. A MARK message is sent every ten minutes.
To configure a new destination, complete the following steps:
Procedure 5.2.1. Configuring the destination logservers
Start the configuration interface of the syslog-ng Agent for Windows application.
Select , and double-click on .
Select , and enter the hostname or the IP address of the logserver into the Server Name field. If your logserver is configured to accept messages on a non-standard port, type the port number into the Server Port field.
Select the protocol used to transfer log messages and press to apply the selected template. The following protocol templates are available:
Legacy BSD Syslog Protocol: Use the legacy BSD-syslog protocol specified in RFC3164. This option uses the following message template: <${PRI}>${BSDDATE} ${HOST} ${APP_NAME}[${PROCESS_ID}]: ${MSG}.
Syslog: Uses the new IETF-syslog protocol specified in RFC 5424-5428 (see http://www.ietf.org/internet-drafts/draft-ietf-syslog-protocol-23.txt and http://www.ietf.org/internet-drafts/draft-ietf-syslog-transport-tls-11.txt). Starting from version 3.0, syslog-ng also supports the IETF protocol.
Snare compatible BSD Syslog Protocol: Sends log messages in a format compatible with the Snare log monitoring tool, using the following template: <${PRI}>${BSDDATE} ${HOST} ${MSG}.
If you have a backup server that can accept log messages if the primary logserver becomes unavailable, select the Failover Servers tab, click , and enter the hostname or the IP address of the backup logserver into the Server Name field. Repeat this step if you have more than one backup server.
If you want to send the log messages to more than one server in parallel, so that every server receives every message, repeat Steps 3-4 to add the secondary servers. Secondary servers may have failover servers as well.
Note: The syslog-ng Agent for Windows application considers a message delivered to a destination when the primary server of the destination, or one of its failover servers, receives it. To modify which server of a destination is the primary server, select , select the server you want to be primary, and select .
Select , then . To activate the changes, restart the syslog-ng Agent service.
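The three protocol templates above define what the log server actually receives, and the MARK messages described earlier are what tells a collector that a silent host is still alive. The parser below is an added example written for this page; it is not code from the syslog-ng Agent or from the BalaBit documentation. It recognises the legacy BSD, Snare-compatible and IETF (RFC 5424) forms, decodes PRI into facility and severity, and flags hosts that sent only MARK messages in a batch. All sample lines are constructed; the tab-separated Snare body, the `syslog-ng[0]` MARK tag, the structured-data element using the RFC 5612 example enterprise number 32473, and the MARK body text `-- MARK --` are assumptions to verify against your own agent's output. The `APP_NAME[PROCESS_ID]:` tag check is a heuristic for telling the legacy template apart from the Snare one, since both start with `<PRI>BSDDATE HOST`.

```python
"""Parse the three wire formats the syslog-ng Agent for Windows can emit.

Added example, not code from the syslog-ng Agent or its documentation.
Sample lines and the MARK body text below are constructed/assumed.
"""
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MARK_TEXT = "-- MARK --"  # assumed MARK body; confirm against your agent's output

# <PRI>BSDDATE HOST rest   (shared by the legacy BSD and Snare templates)
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$", re.S)
# Legacy template puts APP_NAME[PROCESS_ID]: before MSG; Snare omits it.
# This heuristic tag match is how the two are told apart here.
TAG_RE = re.compile(r"^(?P<app>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$", re.S)
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG  (RFC 5424)
IETF_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)


def _split_pri(pri):
    pri = int(pri)
    if pri > 191:  # 23 facilities * 8 severities - 1
        raise ValueError("PRI out of range: %d" % pri)
    return pri >> 3, SEVERITIES[pri & 7]


def _split_structured_data(rest):
    """Return (sd, msg): SD is '-' or one or more [id k="v" ...] elements."""
    if rest == "-" or rest.startswith("- "):
        return "-", rest[2:]
    if not rest.startswith("["):
        raise ValueError("malformed STRUCTURED-DATA: %r" % rest[:20])
    i = 0
    while i < len(rest) and rest[i] == "[":
        in_quote = False
        i += 1
        while i < len(rest):  # find the ']' that is unescaped and unquoted
            c = rest[i]
            if c == "\\":
                i += 2
                continue
            if c == '"':
                in_quote = not in_quote
            elif c == "]" and not in_quote:
                break
            i += 1
        i += 1
    sd, tail = rest[:i], rest[i:]
    return sd, tail[1:] if tail.startswith(" ") else tail


def parse(line):
    """Parse one agent message into a dict; 'format' is bsd, snare or ietf."""
    m = IETF_RE.match(line)
    if m and m.group("ver") == "1":
        facility, severity = _split_pri(m.group("pri"))
        sd, msg = _split_structured_data(m.group("rest"))
        return {"format": "ietf", "facility": facility, "severity": severity,
                "timestamp": m.group("ts"), "host": m.group("host"),
                "app": m.group("app"), "pid": m.group("pid"),
                "msgid": m.group("msgid"), "sd": sd, "msg": msg,
                "mark": msg == MARK_TEXT}
    m = BSD_RE.match(line)
    if not m:
        raise ValueError("not a recognised syslog line: %r" % line[:40])
    facility, severity = _split_pri(m.group("pri"))
    rec = {"facility": facility, "severity": severity,
           "timestamp": m.group("ts"), "host": m.group("host")}
    tag = TAG_RE.match(m.group("rest"))
    if tag:
        rec.update(format="bsd", app=tag.group("app"), pid=tag.group("pid"),
                   msg=tag.group("msg"))
    else:
        rec.update(format="snare", app=None, pid=None, msg=m.group("rest"))
    rec["mark"] = rec["msg"] == MARK_TEXT
    return rec


def liveness_summary(lines):
    """Per host: real-event and MARK counts, and whether only MARKs arrived.

    A mark-only host is reachable but produced no eventlog records in the
    batch; that may be normal, or may mean auditing was switched off.
    """
    out = {}
    for line in lines:
        rec = parse(line)
        h = out.setdefault(rec["host"], {"events": 0, "marks": 0, "formats": set()})
        h["marks" if rec["mark"] else "events"] += 1
        h["formats"].add(rec["format"])
    for h in out.values():
        h["mark_only"] = h["events"] == 0 and h["marks"] > 0
    return out


# Constructed sample input, one line per template plus two MARK messages.
SAMPLE_LINES = [
    "<13>Mar  5 14:02:17 WINHOST01 Security[4]: An account was successfully logged on.",
    "<13>Mar  5 14:02:18 WINHOST02 MSWinEventLog\t1\tSecurity\t4624\tAn account was successfully logged on.",
    '<13>1 2010-03-05T14:02:19+01:00 WINHOST03 Security 4 - [example@32473 EventID="4624"] An account was successfully logged on.',
    "<13>Mar  5 14:12:17 WINHOST01 syslog-ng[0]: -- MARK --",
    "<13>1 2010-03-05T14:12:19+01:00 WINHOST04 syslog-ng - - - -- MARK --",
]

if __name__ == "__main__":
    for host, info in sorted(liveness_summary(SAMPLE_LINES).items()):
        print(host, info)
```

If you run the block as a script it prints one summary line per host; WINHOST04 is reported as mark-only because the only message from it is a MARK. When switching a destination between templates, feed a few captured lines through `parse` to confirm the collector's parser sees the same host and program fields the agent intended, since the Snare template drops the `APP_NAME[PROCESS_ID]:` tag entirely.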
© 2007-2010 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com