The syslog-ng Agent for Windows 3.2 Administrator Guide

Product Marketing and Documentation Department

Copyright © 2010 BalaBit IT Security Ltd.

This guide is published under the Creative Commons Attribution-Noncommercial-No Derivative Works (by-nc-nd) 3.0 license. The latest version is always available at http://www.balabit.com/support/documentation.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

The syslog-ng™ name and the syslog-ng™ logo are registered trademarks of BalaBit.

The BalaBit™ name and the BalaBit™ logo are registered trademarks of BalaBit.

Linux™ is a registered trademark of Linus Torvalds.

Debian™ is a registered trademark of Software in the Public Interest Inc.

Windows™ XP, 2003 Server, Vista, and 2008 Server are registered trademarks of Microsoft Corporation.

MySQL™ is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Oracle™, JD Edwards™, PeopleSoft™, and Siebel™ are registered trademarks of Oracle Corporation and/or its affiliates.

Red Hat™, Inc., Red HatEnterprise Linux™ and Red HatLinux™ are trademarks of Red Hat, Inc.

SUSE™ is a trademark of SUSE AG, a Novell business.

Solaris™ is a registered trademark of Sun Microsystems, Inc.

AIX™, AIX 5L™, AS/400™, BladeCenter™, eServer™, IBM™, the IBM™ logo, IBM System i™, IBM System i5™, IBM System x™, iSeries™, i5/OS™, Netfinity™, NetServer™, OpenPower™, OS/400™, PartnerWorld™, POWER™, ServerGuide™, ServerProven™, and xSeries™ are trademarks or registered trademarks of International Business Machines.

Alliance Log Agent for System i™ is a registered trademark of Patrick Townsend & Associates, Inc.

All other product names mentioned herein are the trademarks of their respective owners.

Some rights reserved.

DISCLAIMER

BalaBit is not responsible for any third-party Web sites mentioned in this document. BalaBit does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. BalaBit will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

August 10, 2010

Revision History

This manual is the primary documentation of the syslog-ng Agent for Windows 3.2 application.

Table of Contents

Preface
1. Summary of contents
2. Target audience and prerequisites
3. Products covered in this guide
4. Typographical conventions
5. Contact and support information
5.1. Sales contact
5.2. Support contact
5.3. Training
6. About this document
6.1. Summary of changes
6.2. Feedback
1. Introduction
1.1. Supported operating systems
2. Installing the syslog-ng agent
2.1. Installing the syslog-ng Agent in standalone mode
2.2. Installing the syslog-ng Agent on the domain controller and the hosts of a domain
2.2.1. Installing the syslog-ng Agent on the domain controller and the hosts of a domain
2.3. Unattended installation
2.4. Upgrading syslog-ng Agent for Windows to the latest version
2.5. Upgrading syslog-ng Agent for Windows 2.x to 3.0.x
3. Configuring syslog-ng Agent for Windows
3.1. How to configure the syslog-ng Agent
3.1.1. Configuring a standalone syslog-ng Agent
3.1.2. Configuring the syslog-ng Agents of a domain
3.1.3. Using an XML-based configuration file
3.2. Configuring destinations
3.2.1. Configuring the destination logservers
3.2.2. Limiting the rate of messages
3.3. Configuring message sources
3.3.1. Eventlog sources
3.3.2. Managing file sources
3.3.3. Configuring global settings
3.3.4. Disabling sources and filters globally
3.4. Using SSL-encrypted connections with the syslog-ng agent
3.4.1. Enabling encrypted connections
3.4.2. Using mutual authentication with syslog-ng agent
3.4.3. Importing certificates with the Microsoft Management Console
3.5. Filtering messages
3.5.1. Filtering eventlog messages
3.5.2. Filtering file messages
3.6. Customizing the message format
3.6.1. Customizing messages using templates
3.6.2. Customizing eventlog messages
3.6.3. Customizing file messages
3.6.4. Customizing the timestamp used by the syslog-ng Agent
3.6.5. Macros available in the syslog-ng Agent
3.7. Controlling the syslog-ng Agent services
3.7.1. Command-line options
4. Troubleshooting syslog-ng Agent for Windows
4.1. Sending messages and CPU load
4.2. Creating core and memory dumps
4.3. Enabling debug logging in syslog-ng Agent
4.4. Logging domain update errors
5. Configuring the auditing policy on Windows
5.1. Turning on security logging on Windows XP
5.2. Turning on security logging for domain controllers
5.3. Turning on auditing on Windows 2003 Server
1. BalaBit syslog-ng Premium Edition License contract
1.1. SUBJECT OF THE LICENSE CONTRACT
1.2. DEFINITIONS
1.3. WORDS AND EXPRESSIONS
1.4. LICENSE GRANTS AND RESTRICTIONS
1.5. SUBSIDIARIES
1.6. INTELLECTUAL PROPERTY RIGHTS
1.7. TRADE MARKS
1.8. NEGLIGENT INFRINGEMENT
1.9. INTELLECTUAL PROPERTY INDEMNIFICATION
1.10. LICENSE FEE
1.11. WARRANTIES
1.12. DISCLAIMER OF WARRANTIES
1.13. LIMITATION OF LIABILITY
1.14. DURATION AND TERMINATION
1.15. AMENDMENTS
1.16. WAIVER
1.17. SEVERABILITY
1.18. NOTICES
1.19. MISCELLANEOUS
2. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License
Glossary
Index

List of Examples

3.1. Collecting the logs of multiple applications from a single folder

List of Procedures

2.1. Installing the syslog-ng Agent in standalone mode
2.2.1. Installing the syslog-ng Agent on the domain controller and the hosts of a domain
3.1.2.1. Configuring the syslog-ng Agents of the domain hosts
3.1.2.2. Configuring the syslog-ng Agents of the domain controllers
3.1.3.1. Creating an XML configuration file for the syslog-ng agent
3.2.1. Configuring the destination logservers
3.2.2. Limiting the rate of messages
3.3.1.1. Managing eventlog sources
3.3.1.2. Determining the name of a custom eventlog container
3.3.2. Managing file sources
3.3.3. Configuring global settings
3.3.4. Disabling sources and filters globally
3.4.1. Enabling encrypted connections
3.4.2.1. Configuring mutual authentication with the syslog-ng Agent for Windows
3.4.3. Importing certificates with the Microsoft Management Console
3.5.1. Filtering eventlog messages
3.5.2. Filtering file messages
3.6.1. Customizing messages using templates
3.6.2. Customizing eventlog messages
3.6.3. Customizing file messages
4.3. Enabling debug logging in syslog-ng Agent
4.4. Logging domain update errors
5.1. Turning on security logging on Windows XP
5.2. Turning on security logging for domain controllers
5.3. Turning on auditing on Windows 2003 Server

Preface

Welcome to the syslog-ng Agent for Windows Administrator Guide!

This document describes how to configure and manage syslog-ng Agent for Windows. Background information for the technology and concepts used by the product is also discussed.

[Note] Note

1. Summary of contents

Chapter 1, Introduction describes the main functionality and purpose of syslog-ng PE.

Chapter 2, Installing the syslog-ng agent describes how to install the syslog-ng Agent in various scenarios and how to upgrade to new versions.

Chapter 3, Configuring syslog-ng Agent for Windows provides detailed description on configuring and managing syslog-ng Agent for Windows.

Chapter 4, Troubleshooting syslog-ng Agent for Windows describes how to solve common errors and problems.

Chapter 5, Configuring the auditing policy on Windows provides descriptions on how to enable auditing on various Windows platforms.

Appendix 1, BalaBit syslog-ng Premium Edition License contract includes the text of the End-User License Agreement applicable to syslog-ng Agent for Windows.

Glossary provides definitions of important terms used in this guide.

Index provides cross-references to important terms used in this guide.

2. Target audience and prerequisites

This guide is intended for system administrators and consultants responsible for designing and maintaining logging solutions and log centers. It is also useful for IT decision makers looking for a tool to implement centralized logging in heterogeneous environments.

The following skills and knowledge are necessary for a successful syslog-ng administrator:

  • At least basic system administration knowledge.

  • An understanding of networks, TCP/IP protocols, and general network terminology.

  • Working knowledge of various Windows operating systems.

  • In-depth knowledge of the logging process of various platforms and applications.

  • An understanding of the legacy syslog (BSD-syslog) protocol (see RFC 3164 RFC 3164) and the new syslog (IETF-syslog) protocol standard (see RFC 5424-5428).

3. Products covered in this guide

This guide describes the use of the following syslog-ng versions:

  • syslog-ng Agent for Windows 3.2.0 and later

4. Typographical conventions

Before you start using this guide, it is important to understand the terms and typographical conventions used in the documentation. For more information on specialized terms and abbreviations used in the documentation, see the Glossary at the end of this document.

The following kinds of text formatting and icons identify special information in the document.

[Tip] Tip

Tips provide best practices and recommendations.

[Note] Note

Notes provide additional information on a topic and emphasize important facts and considerations.

[Warning] Warning

Warnings mark situations where loss of data or misconfiguration of the device is possible if the instructions are not obeyed.

Command

Commands you have to execute.

Emphasis

Reference items, additional readings.

/path/to/file

File names.

Parameters

Parameter and attribute names.

Label

GUI output messages or dialog labels.

Menu

A submenu in the menu bar.

Button

Buttons in dialog windows.

5. Contact and support information

The syslog-ng Premium Edition and syslog-ng Agent for Windows applications are developed and maintained by BalaBit IT Security Ltd. We are located in Budapest, Hungary. Our address is:


         BalaBit IT Security Ltd.
         1464 Budapest P.O. BOX 1279
         Hungary
         Tel: +36 1 371-0540
         Fax: +36 1 208-0875
         E-mail: info@balabit.com
         Web: http://www.balabit.com/
       

5.1. Sales contact

You can directly contact us with sales related topics at the e-mail address .

5.2. Support contact

To subscribe to the mailing list of the syslog-ng community, visit Syslog-ng users' and developers' mailing list.

To report bugs found in syslog-ng, visit Bugzilla.

Product support, including 7x24 online support is available in various packages. For support options, see BalaBit support packages.

Register your copy of syslog-ng Premium Edition online here. Registration is a prerequisite for all support services. E-mail and telephone support is available for registered users, please write or call us for details.

Support e-mail address: .

Support hotline: +36 1 371 0540 (available from 9 AM to 5 PM CET on weekdays)

The BalaBit Online Support System is available here and offers 24 hours technical support. This system is available only for registered users with a valid support contract and a MyBalaBit account. Sign up for MyBalaBit here.

5.3. Training

BalaBit IT Security Ltd. holds courses for advanced GNU/Linux system administrators. Our experienced system engineers give lectures on syslog-ng administration.

6. About this document

This guide is a work-in-progress document with new versions appearing periodically.

The latest version of this document can be downloaded from the BalaBit website here.

For news and update notifications about the syslog-ng documentation, visit the BalaBit Documentation Blog.

6.1. Summary of changes

6.1.1. Version 3.1 - 3.1.1

Changes in product: 

  • No changes in documentation related to product.

Changes in documentation: 

  • Missing procedure titles have been corrected.

  • Procedures have been restructured to facilitate easier understanding.

  • Latin abbreviations have been replaced in document with their English equivalents.

  • Other editorial changes.

6.1.2. Version 3.0 - 3.1

Changes in product: 

  • The contents of the guide have been updated to syslog-ng Agent for Windows 3.1.

Changes in documentation: 

  • The documentation of the syslog-ng Agent for Windows has been separated from The syslog-ng Administrator Guide.

6.2. Feedback

Any feedback is greatly appreciated. General comments, errors found in the text, and any suggestions about how to improve the documentation is welcome at .

Chapter 1. Introduction

This chapter describes how to install and configure the syslog-ng Agent on Microsoft Windows hosts.

The syslog-ng Agent for Windows is a log collector and forwarder application for the Microsoft Windows platform. It collects the log messages of the Windows-based host and forwards them to a syslog-ng server using regular or TLS-encrypted TCP connections.

The features and restrictions of the syslog-ng Agent are summarized below:

  • Reads messages from eventlog containers and log files.

  • Transfers log messages using TCP.

  • Supports TLS encryption.

  • Authenticates the server using X.509 certificates. Mutual authentication is also supported.

  • The format of eventlog messages can be customized using macros.

  • Supports multiple destinations both in parallel and fail-over modes.

  • Can be managed from a domain controller using group policies.

  • Assigns unique message IDs.

  • Only basic filtering is supported by the agent, message segmenting, parsing, and classification is not.

  • Note that the log messages on Windows come from files — either eventlog containers or custom logfiles — which are already stored on the harddisk, so the agent does not use additional disk buffering.

1.1. Supported operating systems

The syslog-ng Agent supports the following operating systems:

  • Microsoft Windows Server 2003

  • Microsoft Windows XP

  • Microsoft Windows Vista

  • Microsoft Windows Server 2008

  • Microsoft Windows 7

[Note] Note

The syslog-ng Agent for Windows application supports the XML-based eventlog used format on Microsoft Windows Vista and Microsoft Windows Server 2008, and Windows 7, and also offers full support for 64-bit operating systems.

Chapter 2. Installing the syslog-ng agent

The syslog-ng Agent for Windows application can be installed in standalone mode on independent hosts. If your hosts are members of a domain, you can install the syslog-ng agent on the domain controller and configure them globally.

[Note] Note

The syslog-ng Agent for Windows application is configured usually using its MMC snap-in (when managed globally from the domain controller). However, it is also possible to use an XML-based configuration file. For details, see Section 3.1.3, Using an XML-based configuration file.

Procedure 2.1. Installing the syslog-ng Agent in standalone mode

Purpose: 

The syslog-ng Agent for Windows application can be installed in standalone mode on independent hosts. If your hosts are members of a domain, install the syslog-ng Agent on the domain controller, as described in Section 2.2, Installing the syslog-ng Agent on the domain controller and the hosts of a domain. The syslog-ng agent requires about 10 MB hard disk space.

To install the syslog-ng Agent in standalone mode, complete the following steps:

[Note] Note

The syslog-ng Agent for Windows requires the Microsoft .NET Framework version 2.0. This package is usually already installed on most hosts. Download the package here.

Steps: 

  1. Start the installer. Run the syslog-ng-agent-<versionnumber>-setup.exe file.

    [Note] Note

    Installing the syslog-ng Agent requires administrator privileges.

  2. Read the End User License Agreement and select I Agree.

  3. Select the destination folder where you want to install the syslog-ng Agent for Windows application, then select Next.

  4. Select Standalone mode, then click Next.

  5. Starting from version 3.0.3, the syslog-ng Agent sends only messages that are created after the agent has been installed. If you want to send old log messages to the syslog-ng server, enable the Send log messages generated before the syslog-ng Agent was installed option and click Install.

  6. The installer automatically opens the configuration interface of the syslog-ng Agent. As a minimum, you must set the IP address of the destination server, and the agent will automatically start sending eventlog messages to your central logserver from the Application, Security, and System eventlog containers.

    [Note] Note

    The installation is completed only after you close the configuration interface. For details on how to modify the configuration later, see Section 3.1.1, Configuring a standalone syslog-ng Agent.

2.2. Installing the syslog-ng Agent on the domain controller and the hosts of a domain

The syslog-ng Agent for Windows application can be installed on the domain controller and the members of a domain from the domain controller, and configured globally using group policies. The syslog-ng Agent requires about 10 MB hard disk space.

[Note] Note

Starting from version 3.0.4, the .msi version of the installer does not install the MMC configuration snap-in of the agent, therefore the .msi installer does not require the .NET framework.

Procedure 2.2.1. Installing the syslog-ng Agent on the domain controller and the hosts of a domain

[Note] Note

Starting from version 3.0.3, the syslog-ng Agent sends only messages that are created after the agent has been installed. If you want to send old log messages to the syslog-ng server, download the Orca MSI editor here, open the .msi installer of the syslog-ng Agent, select Property, and change the value of the SENDOLDMESSAGES field to yes.

Alternatively, you can also create an XML configuration file for the agent, and configure it to send the old messages. For details on using an XML-based configuration file for the installation, see Section 3.1.3, Using an XML-based configuration file.

Steps: 

  1. Download both the Microsoft Installer (.msi) version and the executable (.exe) version of the syslog-ng Agent installer to the domain controller host. Make sure to download the executable that includes the MMC snap-in module. Note that separate .msi intallers are available for 32-bit and 64-bit operating systems.

    [Note] Note

    Installing the syslog-ng Agent requires administrator privileges, but configuring the related group policies on the domain controller requires domain administrator or higher (for example enterprise administrator) privileges.

  2. Install the syslog-ng Agent application to your domain controllers using the .exe installer.

    [Note] Note

    The syslog-ng Agent for Windows requires the Microsoft .NET Framework version 2.0. This package is usually already installed on most hosts. Download the package here.

  3. Select Start > Control Panel > Administrative Tools > Active Directory Users and Computers, right-click on the Organizational Unit of the domain whose hosts you want to install the syslog-ng agent on, and select Properties.

  4. Select Group Policy, and edit the Group Policy object you want to add the syslog-ng agent configuration to. Alternatively, you can create a new group policy object as well.

  5. Select Computer Configuration, right-click on Software Settings, and select New > Package.

  6. Navigate to the syslog-ng Agent for Windows .msi installer and select Open.

  7. Select Assigned, then OK.

  8. Select Computer Configuration > syslog-ng Agent Settings and configure the syslog-ng Agent. The members of the domain will use this configuration.

  9. The syslog-ng Agent for Windows application will be automatically installed on the members of the domain when they are next rebooted. To perform the installation earlier, execute the gpupdate command on the members of the domain.

    [Note] Note

    If you do not want to install the syslog-ng Agent automatically from the domain controller, skip Steps 5-7, complete Step 8, then install the syslog-ng-agent-nosnapin-<versionnumber>-setup.exe file manually on the members of the domain. This method is useful if you do not want to install the syslog-ng Agent on every host of the domain.

2.3. Unattended installation

The syslog-ng Agent for Windows application can be installed in silent mode as well, without requiring any user interaction. The various installer options can be specified as command-line options. The following options are available:

/S

Start the installer in unattended mode. This option is required for the unattended installation.

/D=

Install the syslog-ng Agent into the specified folder.

/NOMENU

Do not add entries about syslog-ng Agent to the Start menu.

/LOCAL

Install syslog-ng Agent in standalone mode. This is the default, installation mode of the syslog-ng Agent.

/REMOTE

Install syslog-ng Agent in domain mode.

/SENDOLDMSGS=

If set to YES, the syslog-ng Agent will forward every message available in its message sources. By default, only new messages are forwarded.

/XMLCONFIG=

Use the specified XML configuration file for the configuration of syslog-ng Agent.

2.4. Upgrading syslog-ng Agent for Windows to the latest version

The exact upgrading procedure of the syslog-ng Agent for Windows application depends on how you have installed and how you manage the agent.

[Warning] Warning

When upgrading agents running in domain mode, always upgrade the agents running on the domain hosts before upgrading the agent running on the domain controllers.

The hosts of a domain (including the domain controllers) should run the same version of the syslog-ng Agent, running different versions on the hosts in neither supported nor recommended.

[Note] Note

Upgrading to syslog-ng Agent for Windows version 3.1 is supported only from syslog-ng Agent version 3.0.7.

  • If a host is running the syslog-ng agent in standalone mode, download and execute the syslog-ng-agent-<versionnumber>-setup.exe installer on the host and verify that the displayed information is correct. The agent will be automatically restarted when you close the configuration window.

  • If a domain host is running the syslog-ng agent that was installed by the domain controller from the .msi installer package, complete the steps described in Section 2.2, Installing the syslog-ng Agent on the domain controller and the hosts of a domain. The system will automatically recognize that the new package will update the syslog-ng Agent for Windows application.

  • If a domain host is running the syslog-ng agent that was installed manually from the syslog-ng-agent-nosnapin-<versionnumber>-setup.exe file, run the new syslog-ng-agent-nosnapin-<versionnumber>-setup.exe file on the host. After the installation is complete, select Start > Run and execute the gpupdate command to refresh the domain settings of the agent.

2.5. Upgrading syslog-ng Agent for Windows 2.x to 3.0.x

To upgrade the syslog-ng agent application on hosts that are not members of a domain, install the executable (.exe) version of the syslog-ng Agent for Windows installer and select Standalone mode. The installer automatically receives and converts every setting of version 2.1.x and 2.2beta, and continues to send the log messages to the configured destination. At the end of the installation, the new configuration interface is displayed, where you can start using the new features of the syslog-ng agent.

To upgrade the syslog-ng agent application on hosts that are members of a domain, install the executable (.exe) version of the syslog-ng Agent for Windows installer and select Manage syslog-ng Agent centrally using Group Policy. After that, the installer asks if you want to use the existing configuration as a Local Policy, or as a Group Policy. (Selecting both options is also possible, although seldom needed.)

If you decide to use it as a Group Policy, enter the unique name for the policy, or select it from the list of available policies. Any local settings are automatically added to the group policy, so these local settings will be applied to every computer that belongs to the selected group policy. Afterwards, the installer converts every setting of version 2.1.x and 2.2beta, and also automatically downloads any group policies that are configured on the domain controller.

[Warning] Warning

If there are any group policies for the syslog-ng agent configured on the domain controller, downloading the group policies to the clients will overwrite the local settings.

[Note] Note

Upgrading from version 2.1 is supported for the 32-bit Windows XP and Server 2003 platforms.

Chapter 3. Configuring syslog-ng Agent for Windows

3.1. How to configure the syslog-ng Agent

This section describes how to configure the syslog-ng Agent application. The exact method depends on the installation scenario and also on the configuration method (regular or XML-based) you want to use. The syslog-ng Agent for Windows application is configured usually using its MMC snap-in (when managed globally from the domain controller). However, it is also possible to use an XML-based configuration file.

3.1.1. Configuring a standalone syslog-ng Agent

In standalone mode, to configure an already installed syslog-ng Agent, select Start Menu > Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent. Alternatively, select Start Menu > Run, enter gpedit.msc, then select Computer configuration > syslog-ng Agent Settings

[Warning] Warning

After modifying its configuration, you have to restart the syslog-ng Agent service for the changes to take effect. To restart the syslog-ng Agent service, select Start Menu > Run enter services.msc and restart the syslog-ng Agent service.

3.1.2. Configuring the syslog-ng Agents of a domain

This section describes how to configure the syslog-ng Agent for Windows application in domain mode.

Procedure 3.1.2.1. Configuring the syslog-ng Agents of the domain hosts

Purpose: 

To configure an already installed syslog-ng Agent from the domain controller, perform the following steps.

Steps: 

  1. On the domain controller, select Start > Control Panel > Administrative Tools > Active Directory Users and Computers.

  2. Right-click on the Organizational Unit, then select Properties > syslog-ng Agent Settings.

  3. Configure the syslog-ng Agent as needed for the domain hosts. The changes will take affect when the domain hosts update their settings from the domain controller. By default, this happens every 90 minutes, depending on your domain settings. To download the configuration earlier, execute the gpupdate command on the members of the domain.

    [Note] Note

    When the domain hosts update their settings, the syslog-ng agent will be automatically restarted to load the new settings, except when there is no difference between the old and the new settings.

Procedure 3.1.2.2. Configuring the syslog-ng Agents of the domain controllers

Purpose: 

To configure the syslog-ng Agent running on the domain controllers, perform the following steps.

Steps: 

  1. On the domain controller, select Start > Control Panel > Administrative Tools > Active Directory Users and Computers.

  2. Right-click on the Organizational Unit of the domain whose domain controllers you want to configure, then select Properties. By default, the domain controllers are in the Domain Controllers organizational unit.

  3. Select Group Policy, and edit the Group Policy object you want to add the syslog-ng agent configuration to. Alternatively, you can create a new group policy object as well.

  4. Select Computer Configuration > syslog-ng Agent Settings and configure the syslog-ng Agent. The domain controllers of the domain will use this configuration.

  5. Configure the syslog-ng Agent as needed for the domain controllers. If you have multiple domain controllers, the changes will take affect when the other domain controllers update their settings from this domain controller. By default, this happens every 5 minutes, depending on your domain settings. To download the configuration earlier, execute the gpupdate command on the domain controllers.

    [Note] Note

    When the domain controllers receive the new settings, the syslog-ng agent will be automatically restarted to load the new settings, except when there is no difference between the old and the new settings.

3.1.2.3. Domain versus local settings

Group policies for the syslog-ng Agent can be specified at different levels, for example at the domain level, at the organization unit level, at the computer level, or also as a local policy of the computer. When evaluating its configuration settings, the syslog-ng Agent follows the standard policy-inheritance methods of Windows. If the configuration of the syslog-ng Agent is specified at multiple levels (for example on the domain level and also at the computer level), then the more specific (or lower level) setting is used (that is, the computer level in the above example). If a setting is not configured at a level, the setting of the next higher level is used (for example if something is not configured on the computer level, then the setting of the organization unit — or if it is not specified in the policy of organization unit, then the setting of the domain policy — is used). If a setting is not configured in any group policy, the syslog-ng Agent checks its local policy settings, and uses the local setting if available.

3.1.3. Using an XML-based configuration file

Starting from syslog-ng Agent for Windows version 3.0.4, it is possible to specify the configuration of the agent in an XML file when installing the agent, and also when starting the agent. The configuration file must be a valid XML file that complies to the XML schema supplied with the syslog-ng Agent.

[Note] Note

By default, the XML schema file is called syslog-ng-agent-conf.xsd and is located in the installation folder of the syslog-ng agent, next to the syslog-ng-agent.exe file.

Procedure 3.1.3.1. Creating an XML configuration file for the syslog-ng agent

Steps: 

  1. Create a new configuration file, or edit the one shown in Section 3.1.3.2, Sample configuration files for the syslog-ng Agent. Use a text editor that can validate the file to the XML schema of the configuration file. One such editor is the Microsoft XML Notepad 2007 application, which is available for free under this link.

  2. When creating the configuration file, bear in mind the following points:

    • For details on the format of the XML file, see the sample file at Section 3.1.3.2, Sample configuration files for the syslog-ng Agent and XML schema (.xsd) file installed with the agent.

    • File sources, event sources, servers, and filters must have a unique index, that is, the definition of the first server should start as <Server0 Enabled="1" Index="0", the second <Server2 Enabled="1" Index="2", and so on.

    • File sources must have a unique identifier (UUID). The agent does not create these identifiers, you must enter them into the configuration file manually.

    • If you do not use throttling, remove the Throttle attribute from the destination. Setting the Throttle attribute to 0 is not accepted by the agent.

    • If you do not want the agent to send old (already existing) messages to the logserver, use the following in the configuration file: 

      <syslog-ng_Agent SendOldMessages="0">

      Note that when it starts, the agent automatically removes the SendOldMessages="0" attribute from the configuration file, but it will not resend the messages after the agent is restarted.

  3. To start the agent and use the configuration file, open a command prompt, and issue the following command: syslog-ng-agent.exe -c myconfigfile.xml -d. This command will start the agent in debug mode, and display any errors of the XML configuration file.

  4. If there are no errors in the configuration file, start the agent in normal mode: syslog-ng-agent.exe -c myconfigfile.xml.

    To use the XML file during the installation of the agent, use the same syntax with the installer: syslog-ng-agent-3.0.4-setup.exe /xmlconfig="fullpath\myconfigfile.xml". Note that the XML schema file must be in the same folder as the installer file.

    [Note] Note

    • If you are using an XML-capable agent without using an XML configuration file, and you want to switch to using an XML configuration file without reinstalling the agent, execute the syslog-ng-agent.exe -i "fullpath\myconfigfile.xml" command. The syslog-ng Agent service will be re-registered to use the XML configuration file.

    • If you want to use the .msi installer with an xml file, use the syslog-ng-agent-3.0.4-setup.msi SLNGOPTS="/xmlconfig=fullpath\myconfigfile.xml" command, or edit the installer with the Orca MSI editor, and add the SLNGOPTS="/xmlconfig=fullpath\myconfigfile.xml" to the installation parameters on the Customization tab.

3.1.3.2. Sample configuration files for the syslog-ng Agent

The following is a sample configuration file with minimal settings for the syslog-ng Agent for Windows application.

<?xml version="1.0" encoding="utf-8"?>
<syslog-ng-agent-configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="c:\Program Files\syslog-ng Agent\syslog-ng-agent-conf.xsd">
  <SOFTWARE>
    <BalaBit>
      <syslog-ng_Agent WriteMinidump="1" SendOldMessages="1">
        <Local_Settings Enabled="1">
          <Destinations>
            <Network>
              <IPv4 Enabled="1" PrimaryServer="1">
                <Server Index="1" Enabled="1" ServerName="yourserver" ServerPort="514" Throttle="10000" Protocol="2" ProtocolTemplate="<${PRI}>${BSDDATE} ${HOST} ${APP_NAME}[${PROCESS_ID}]: ${MSG}"></Server>
              </IPv4>
            </Network>
          </Destinations>
          <EventSources Enabled="1" MessageTemplate="${EVENT_USERNAME}: ${EVENT_NAME} ${EVENT_SOURCE}: [${EVENT_TYPE}] ${EVENT_MSG} (EventID ${EVENT_ID})">
            <Sources Enabled="1">
              <Event Index="0" Enabled="1" Name="Application" />
              <Event Index="1" Enabled="1" Name="Security" />
              <Event Index="2" Enabled="1" Name="System" />
            </Sources>
          </EventSources>
        </Local_Settings>
      </syslog-ng_Agent>
    </BalaBit>
  </SOFTWARE>
</syslog-ng-agent-configuration>

The following is a more detailed configuration file for the syslog-ng Agent for Windows application.

<?xml version="1.0" encoding="utf-8"?>
<syslog-ng-agent-configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="c:\Program Files\syslog-ng Agent\syslog-ng-agent-conf.xsd">
  <SOFTWARE>
    <BalaBit>
      <syslog-ng_Agent WriteMinidump="1" SendOldMessages="1">
        <Local_Settings Enabled="1" RegExpIgnoreCase="0" FilterIgnoreCase="0" LogFacility="13">
          <Destinations>
            <Network>
              <IPv4 Enabled="1" PrimaryServer="0">
                <Server Index="0" Enabled="1" ServerName="server1" ServerPort="514" Throttle="100000" Protocol="2" ProtocolTemplate="<${PRI}>${BSDDATE} ${HOST} ${APP_NAME}[${PROCESS_ID}]: ${MSG}" UseSSL="0" ClientCertSubject="">
                  <FailoverServers FailoverServer0="failoverserver01" FailoverServer1="failoverserver02"></FailoverServers>
                </Server>
                <Server Index="1" Enabled="1" ServerName="server1" ServerPort="514" Throttle="100000" Protocol="1" ProtocolTemplate="<${PRI}>${BSDDATE} ${HOST} ${MSG}" UseSSL="0" ClientCertSubject="">
                  <FailoverServers FailoverServer0="failoverserver11" FailoverServer1="failoverserver12"></FailoverServers>
                </Server>
              </IPv4>
            </Network>
          </Destinations>
          <EventSources Enabled="1" MessageTemplate="${EVENT_USERNAME}: ${EVENT_NAME} ${EVENT_SOURCE}: [${EVENT_TYPE}] ${EVENT_MSG} (EventID ${EVENT_ID})">
            <Sources Enabled="1">
              <Event Index="0" Enabled="1" Name="Application" />
              <Event Index="1" Enabled="1" Name="Security" />
              <Event Index="3" Enabled="1" Name="System" />
            </Sources>
            <Filter Enabled="1">
              <Formatted_Message Enabled="1">
                <Rule Index="0" Regexp="testregexp" Enabled="1" />
                <Rule Index="1" Regexp="testregexp2" Enabled="1" />
              </Formatted_Message>
              <Computer Enabled="1">
                <Rule Index="0" Computer="mycomputername1" Enabled="1" />
                <Rule Index="1" Computer="mycomputername2" Enabled="1" />
              </Computer>
              <Type Enabled="1">
                <Rule Index="0" Type="4" Enabled="1"></Rule>
                <Rule Index="1" Type="4" Enabled="1"></Rule>
              </Type>
              <User Enabled="1">
                <Rule Index="0" Username="TESTDOMAIN\Administrator" Enabled="1" />
                <Rule Index="1" Username="NT AUTHORITY\SYSTEM" Enabled="1" />
              </User>
              <Source_EventId Enabled="1">
                <Rule Index="0" Source="EventCreate" EventId="636" Enabled="1" />
                <Rule Index="1" Source="EventCreate" EventId="637" Enabled="1" />
              </Source_EventId>
              <Source_Category Enabled="1">
                <Rule Index="0" Source="Security" Category="Object Access" Enabled="1" />
                <Rule Index="1" Source=" EventCreate" Category="" Enabled="1" />
              </Source_Category>
            </Filter>
          </EventSources>
          <FileSources MessageTemplate="$FILE_NAME: $FILE_MESSAGE" Enabled="1" LogFacility="0" LogPriority="6">
            <Sources Enabled="1">
              <File Index="0" Enabled="1" BaseDirectory="c:\windows" FileNameFilter="*.log" Recursive="0" LastModifiedFileOnly="0" id="a455e5ba-d4e9-4b85-8711-e8bf10141028" PeriodicFileCheck="0" LogFacility="5" LogPriority="5" />
              <File Index="1" Enabled="1" BaseDirectory="c:\" FileNameFilter="*.txt" Recursive="1" LastModifiedFileOnly="1" id="b455e5ba-d4e9-4b85-8711-e8bf10141038" PeriodicFileCheck="0" />
            </Sources>
            <Filter Enabled="1">
              <Formatted_Message>
                <Rule Index="0" Regexp="Verbose" Enabled="1" />
                <Rule Index="1" Regexp="Info" Enabled="1" />
              </Formatted_Message>
            </Filter>
          </FileSources>
        </Local_Settings>
      </syslog-ng_Agent>
    </BalaBit>
  </SOFTWARE>
</syslog-ng-agent-configuration>

3.2. Configuring destinations

The syslog-ng Agent for Windows application can send the log messages of the Windows host to a central log server or relay. It is possible to send the same messages to multiple servers, when each server receives the same messages; and also to configure failover servers, when the agent sends the messages to a primary server, or to a failover server if the primary becomes unavailable. If the agent loses the connection to a destination server and the reconnection fails, it will sends an eventlog message. The successful reconnection attempt is also logged. (If the server is unavailable for a long time, the agent sends a log message about the failed connection once in every ten minutes.)

Similarly to the Linux version, the agent now sends MARK messages to the server to indicate that the client host is alive but there are no log messages to send. A MARK message is sent every ten minutes.

[Warning] Warning

The syslog-ng Agent for Windows application does not support the unreliable UDP protocol. Configure your central log server to accept logs using TCP or TLS connections. If needed, adjust your firewall configuration to permit such traffic to the log server.

Procedure 3.2.1. Configuring the destination logservers

Purpose: 

To configure a new destination, complete the following steps:

Steps: 

  1. Start the configuration interface of the syslog-ng Agent for Windows application.

  2. Select syslog-ng Agent Settings > Destinations > Network, and double-click on IPv4.

  3. Select Add, and enter the hostname or the IP address of the logserver into the Server Name field. If your logserver is configured to accept messages on a non-standard port, type the port number into the Server Port field.

  4. Select the protocol used to transfer log messages and press Reset to apply the selected template. The following protocol templates are available:

    • Legacy BSD Syslog Protocol: Use the legacy BSD-syslog protocol specified in RFC3164. This option uses the following message template: <${PRI}>${BSDDATE} ${HOST} ${APP_NAME}[${PROCESS_ID}]: ${MSG}.

    • Syslog: Uses the new IETF-syslog protocol specified in RFC 5424-5428. Starting from version 3.0, syslog-ng also supports the IETF-protocol.

    • Snare compatible BSD Syslog Protocol: Sends log messages in a format compatible with the Snare log monitoring tool, using the following template: <${PRI}>${BSDDATE} ${HOST} ${MSG}.

    [Note] Note

    Selecting the syslog protocol option is identical to using the syslog driver of syslog-ng. Similarly, selecting Legacy syslog is equivalent to the tcp driver of syslog-ng.

    Changing a protocol does not automatically change the protocol template used. To use a protocol-specific template, select Reset Protocol Template after modifying the protocol. To send Snare-compatible messages, select Message Type > Snare Compatible Message Type and click Reset Message Template as well.

  5. If needed, modify the template of the messages. The format of the messages can be different for the eventlog and the file sources.

  6. If the host running syslog-ng Agent is sometimes logged in into a domain, sometimes not, then its hostname might change depending on its actual domain membership. This might cause that the hostname appearing in the syslog messages depends on the domain membership of the host. To avoid this situation, enable the Force DNS Hostname option. That way syslog-ng Agent resolves the name of its host from the DNS server, and uses the resolved FQDN in the syslog messages.

  7. If you have a backup server that can accept log messages if the primary logserver becomes unavailable, select the Failover Servers tab, click Add, and enter the hostname or the IP address of the backup logserver into the Server Name field. Repeat this step if you have more than one backup servers.

  8. If you want to send the log messages to more than on server in parallel, so that every server receives every message, repeat Steps 3-4 to add the secondary servers. Secondary servers may have failover servers as well.

    [Note] Note

    The syslog-ng Agent for Windows application considers a message received by the logserver if the primary server of the destination, or one of its failover servers receives it. To modify which server of a destination is the primary server, select syslog-ng Agent Settings > Destinations > Network > IPv4, select the server you want to be primary, and select Edit > Set Primary Server.

  9. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

Procedure 3.2.2. Limiting the rate of messages

Purpose: 

The syslog-ng Agent can control the rate of messages (message per second) sent to the central server. That way sudden message-bursts can be avoided, and the load of the server is decreased.

To limit the number of messages sent to a destination, complete the following steps:

Steps: 

  1. Start the configuration interface of the syslog-ng Agent for Windows application.

  2. Select syslog-ng Agent Settings > Destinations > Network, and double-click on IPv4.

  3. Select the destination server and select Edit. To limit the number of messages that the syslog-ng agent sends to the server per second, enter the desired limit into the Throttle field. By default (0), the syslog-ng agent does not limit the number of messages sent.

    [Note] Note

    The throttling parameter applies to the total number of messages sent, not to every source independently. The same value applies to the failover servers of the destination.

    If you are sending messages to multiple servers, then the speed of the primary server is important: if the primary server cannot accept the messages fast enough, the syslog-ng agent will reduce the number of sent messages to match the speed of the primary server, even if the secondary servers could accept messages faster. If the secondary servers cannot accept messages as fast as the primary server, then the secondary servers will lose messages; the syslog-ng agent will not slow down to wait for them.

  4. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

3.3. Configuring message sources

The syslog-ng Agent for Windows application can read messages from eventlog containers and text files. The following sections explain how to configure these message sources.

3.3.1. Eventlog sources

The syslog-ng Agent for Windows application can collect messages from the standard Windows eventlog containers, as well as from custom containers. The agent automatically forwards the messages from three standard eventlog containers (Application, Security, System). To enable or disable these sources, or to add custom eventlog containers, complete the following steps:

[Note] Note

The syslog-ng Agent for Windows sends its own log messages into the Application eventlog container.

The agent caches in the registry the ID of the last message sent to the destination server, so if the agent is not operating for a time (for example it is restarted ), then it starts reading messages from the last cached message ID, sending out all the new messages.

[Warning] Warning

If an eventlog container becomes corrupt, the agent will stop processing the event source. A log message (Eventlog file is corrupt) is sent directly to the logserver to notify about the error.

Procedure 3.3.1.1. Managing eventlog sources

Steps: 

  1. Start the configuration interface of the syslog-ng Agent for Windows application.

  2. Select syslog-ng Agent Settings > Eventlog Sources, and double-click on Event Containers.

    • To disable sending messages from an eventlog container, unselect the checkbox before the name of the container.

    • To modify the log facility associated with the messages of the container, select the container, click Edit, and select the log facility to use in the Log Facility field.

    • To add a custom container, select Add, and enter the name if the container into the Event Container Name field. If you do not know the name of the container, see Procedure 3.3.1.2, Determining the name of a custom eventlog container.

  4. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

Procedure 3.3.1.2. Determining the name of a custom eventlog container

Steps: 

  1. Open the Event Viewer application.

  2. Select the custom container you are looking for (for example DNS Server).

  3. Right click on the container and select Properties.

  4. The name of the container is the name of the file (without the extension) displayed in the Logname field (for example for C:\WINDOWS\system32\config\DnsEvent.Evt it is DnsEvent).

  5. Use this name as the name of the custom eventlog container during the procedure described in Procedure 3.3.1.1, Managing eventlog sources.

    [Note] Note

    On Windows Vista and Server 2008, some container are not real containers, but show selected messages collected from multiple containers. To forward such messages to the syslog-ng server, you have to find out which real containers are displayed in the container, and add them to the configuration of the syslog-ng Agent.

    Some containers have the %4 characters in their names. When adding these to the syslog-ng Agent, replace %4 with the / (slash) character. For example write microsoft-windows-bits-client/analytic instead of microsoft-windows-bits-client%4analyctic.

    If you are sending old messages to the server as well, the syslog-ng Agent will not send the very first message stored in the container. This is a bug in the Windows API.

Procedure 3.3.2. Managing file sources

Purpose: 

The syslog-ng Agent for Windows application can collect log messages from text files, and supports the use of wildcards (*) in filenames and foldernames to be able to follow log files that are automatically rotated. To configure file sources, complete the following steps:

Steps: 

  1. Start the configuration interface of the syslog-ng Agent for Windows application.

  2. Select syslog-ng Agent Settings > File Sources, double-click on Sources, and check the Enable option.

  3. Select Add > Browse, and select the log file or the folder containing the log files in the Base Directory field. Select or enter the name and extension of the log files in the File Name Filter field. Wildcards may be used. The syslog-ng agent will forward log messages from every file that is located in this folder and has a name that matches the filter expression.

    [Tip] Tip

    When specifying the Base Directory, you can use the environment variables of Windows, for example %WINDIR%, %SYSTEMROOT%, %PROGRAMFILES%, and so on.

    [Warning] Warning

    Note that when managing members of a domain, the selected path must be available on the domain members, for example C:\logs must be available on the client hosts and not on the domain controller.

    • To send messages from the files located in the subfolders of the folder set as Base Directory, select the Recursive option.

    • To send messages only from the file that was last modified, select the Last Modified File Only option.

      [Note] Note

      When using the Last Modified File Only option with a file source that has wildcard in the filename (for example *.log), the following will happen. When started for the first time, the agent will send the contents of every matching file to the central server, and store the position of the last message in the file with the most recent modification date. When new messages are written to this file, the agent will send only the new messages. However, if an older file is modified, the agent will resend the entire contents of this newly modified file, and store the position of the last message in this file only.

      When you use wildcards together with the Last Modified File Only option, make sure that older files will not be modified.

      If you are forwarding the logs of Internet Information Server (IIS) 5 applications, select the IIS 5.x Log option.

      [Note] Note

      If this option is not selected, the syslog-ng Agent monitors every matching file in the folder for changes, and sends new log messages from all files.

    • To send messages only from the file that was last modified of every subfolder of the Base Directory, select both the Last Modified File Only and the Recursive options.

    • To change the log facility or the log priority associated to the file source, select the desired facility or priority from the Log Facility or Log Priority fields, respectively.

      [Note] Note

      Significant changes to the settings of a file source may cause the syslog-ng Agent to resend the entire contents of the matching files. This means that log messages already sent earlier to the syslog-ng server may be resent and thus duplicated in the server logs. Configuration changes that may result in such behavior are:

      • changing the Base Directory,

      • changing filter options,

      • changing recursivity and Last Modified File Only options.

  5. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

[Note] Note

If an application writes a message into a log file without ending the line with a new-line character, saves (closes) the file, and later continues to write into the same line, then this is visible in the file as a single line, but the syslog-ng agent interprets them as two separate messages.

[Warning] Warning

If an application deletes a log file, the application must ensure that syslog-ng Agent had enough time to forward the messages from the file to the central server to avoid losing messages.

[Example] Example 3.1. Collecting the logs of multiple applications from a single folder

If two applications log into the same folder (for example C:\logs), you have to create two file sources. For example, if the name of the log files is application1-*.log and application2-*.log, respectively, then create two file sources with the C:\logs Base Directory, but with different File Name Filter: application1-*.log and application2-*.log, respectively.

If other applications log into the C:\logs folder, add a separate expression for each application.

By default, the syslog-ng agent will send every message to the server that arrives into any of the monitored log files. To send only the messages that arrive into the latest file of the source, enable the Last Modified File Only option.

Procedure 3.3.3. Configuring global settings

Purpose: 

The syslog-ng Agent for Windows application has some global settings that can apply to both eventlog and file sources. To configure the global settings, complete the following procedure:

Steps: 

  1. Start the configuration interface of the syslog-ng Agent for Windows application.

  2. Select syslog-ng Agent Settings and double-click on Global Settings.

  3. Set the default log facility associated to the messages.

  4. By default, the filters and regular expressions (see Section 3.5, Filtering messages) used in the message filters are case-sensitive. To make them case-insensitive, select the Regular Expressions Ignore Case or the Filters Ignore Case options, or both.

    [Note] Note

    The Regular Expressions Ignore Case option makes the Message Contents filter case-insensitive for both file and eventlog sources. The Filters Ignore Case option makes the Computers, Sources and Categories, and the Users filter case-insensitive.

  5. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

Procedure 3.3.4. Disabling sources and filters globally

Purpose: 

Filters and sources can be disabled globally as well. Disabling filters or sources means that the syslog-ng agent ignores the disabled settings: that is, if the file sources are disabled, the agent does not send the messages from the files to the server. For details, see the following procedure.

Steps: 

  1. Start the configuration interface of the syslog-ng Agent for Windows application.

    • To disable file sources, select syslog-ng Agent Settings, right-click on File Sources, then select Properties > Disable.

    • To disable eventlog sources, select syslog-ng Agent Settings, right-click on Eventlog Sources, then select Properties > Disable.

    • To disable file filters, select syslog-ng Agent Settings > File Sources, right-click on Filters, then select Properties > Disable.

    • To disable eventlog filters, select syslog-ng Agent Settings > Eventlog Sources, right-click on Filters, then select Properties > Disable.

  3. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

3.4. Using SSL-encrypted connections with the syslog-ng agent

When connecting to a syslog-ng server using an encrypted connection, the syslog-ng agent verifies the certificate of the server. The connection is established only if the Certificate Authority (CA) that issued the certificate of the server is available in the Certificate Store (MMC > Certificates > Computer Account > Local Computer > Trusted Root Certificates) of the Windows-based host.

[Note] Note

This certificate (sometimes also called the CACert of the server) is not the certificate of the server: it is the certificate of the CA that signed the certificate of the server.

Procedure 3.4.1. Enabling encrypted connections

Purpose: 

To enable SSL-encrypted connections to the server, complete the following steps:

Steps: 

  1. Start the configuration interface of the syslog-ng Agent for Windows application.

  2. Select syslog-ng Agent Settings > Destinations > Network, and double-click on IPv4.

  3. Select the server that accepts encrypted connections and click Edit.

  4. Select the Use SSL option.

    [Warning] Warning

    The connection can be established only if the Certificate Authority (CA) that issued the certificate of the server is available in the Certificate Store (MMC > Certificates > Computer Account > Local Computer > Trusted Root Certificates) of the Windows-based host. For details on importing certificates, see Procedure 3.4.3, Importing certificates with the Microsoft Management Console.

    [Note] Note

    The subject_alt_name parameter (or the Common Name parameter if the subject_alt_name parameter is empty) of the server's certificate must contain the hostname or the IP address (as resolved from the syslog-ng clients and relays) of the server (for example syslog-ng.example.com).

    Alternatively, the Common Name or the subject_alt_name parameter can contain a generic hostname, for example *.example.com.

    Note that if the Common Name of the certificate contains a generic hostname, do not specify a specific hostname or an IP address in the subject_alt_name parameter.

  5. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

3.4.2. Using mutual authentication with syslog-ng agent

When the syslog-ng server is configured to use mutual authentication, it requests a certificate from the syslog-ng clients. The syslog-ng Agent application can automatically show the requested certificate to the server when the connection is established, provided it is available in the Personal Certificates store (MMC > Certificates > Computer Account > Local Computer > Personal Certificates) of the Local Computer. Use the Certificate Import Wizard to import this certificate. For details, see Procedure 3.4.3, Importing certificates with the Microsoft Management Console.

[Note] Note

If a certificate revocation list (CRL) is available in the Local Computer/Personal Certificates store, the syslog-ng agent verifies that the certificate of the syslog-ng server is not on this list.

Procedure 3.4.2.1. Configuring mutual authentication with the syslog-ng Agent for Windows

Purpose: 

If the syslog-ng server requests authentication from the syslog-ng Agent, complete the following steps.

Steps: 

  1. Create certificates for the clients. By default, the syslog-ng agent will look for a certificate that contains the hostname or IP address of the central syslog-ng server in its Common Name. If you use a different Common Name, do not forget to complete Step 3 to set the Common Name of the certificate.

    The certificate must contain the private key and must be in PKCS12 format.

    [Tip] Tip

    To convert a certificate and a key from PEM format to PKCS12 you can use the following command:

    openssl pkcs12 -export -in agentcertificate.pem -inkey agentprivatekey.pem -out agentcertificatewithkey.pfx

  2. Import this certificate into the Personal Certificate store of the Local Computer using the Certificate Import Wizard. For details, see Procedure 3.4.3, Importing certificates with the Microsoft Management Console.

  3. By default, the syslog-ng agent will look for a certificate that contains the hostname or IP address of the central syslog-ng server in its Common Name. (The agent will look for the server name or address set in the Server Name field of the destination.) If the certificate of the client has a different Common Name, complete the following steps:

    1. Start the configuration interface of the syslog-ng Agent for Windows application.

    2. Select syslog-ng Agent Settings > Destinations > Network, and double-click on IPv4.

    3. Select the server that requires mutual authentication and click Edit.

    4. Select the Use SSL option, click Select, then select the certificate to use. You can also type the Common Name of the certificate into the Client Certificate Subject field.

      If you have more than one certificates with the same Common Name, alternatively, you can type the Distinguished Name (DN) of the certificate into the Client Certificate Subject field. When using the Distinguished Name, type only the elements of the name, separated with comma, starting with the country. For example US, Maryand, Pasadena, Example Inc, Sample Department, mycommonname

      [Note] Note

      A common way is to use the hostname or the IP address of the host running the syslog-ng Agent as the Common Name of the certificate (for example syslog-ng-agent1.example.com).

  4. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

Procedure 3.4.3. Importing certificates with the Microsoft Management Console

Purpose: 

To import a certificate, complete the following steps.

Steps: 

  1. Start Microsoft Management Console by executing mmc.exe (Start menu Run application).

    [Note] Note

    Running mmc.exe requires administrator privileges.

  2. Click on the Add/Remove snap-in item of the File menu.

  3. Click Add, select the Certificates module, and click Add.

  4. Select Computer account in the displayed window and click Next.

  5. Select Local computer and click Close.

  6. To import the certificate of the syslog-ng server, navigate to Console Root > Certificates > Trusted Root Certificate Authorities > Certificates.

    To import a certificate for the syslog-ng agent to perform mutual authentication, navigate to Console Root > Certificates > Personal > Certificates.

  7. Right-click on the Certificates folder and from the appearing menu select All tasks > Import. The Certificate Import Wizard will be displayed. Click Next.

    Optional step: Certificates used to authenticate the syslog-ng agent in mutual authentication include the private key. Provide the password for the private key when requested.

  8. Windows offers a suitable certificate store by default, so click Next.

  9. Click Finish on the summary window and Yes on the window that marks the successful importing of the certificate.

3.5. Filtering messages

The syslog-ng Agent for Windows application can filter log messages both in blacklist- and whitelist fashion. When using blacklisting, you can define filters, and any message that matches the filters is ignored by the agent — only messages that do not match the filters are sent to the central server. When using whitelisting, you can define filters, and the messages matching the filters are forwarded to the central server — other messages are ignored.

If you define multiple filters, the messages must match every filter. In other words, the filters are connected to each other with logical OR operations.

Different filters are available for eventlog- and file sources. When the syslog-ng Agent processes a message, it checks the relevant filters on-by-one: if it finds a filter that matches the message, the agent stops processing the message without sending it to the server.

[Note] Note

By default, all filters are case sensitive. For details on how to change this behavior, see Procedure 3.3.3, Configuring global settings.

The following types of filters are available for eventlog sources:

  • Sources and Event ID: Filter on the source (application) that created the message, and optionally on the identification number of the event. Corresponds with the EVENT_SOURCE and EVENT_ID macros.

  • Message Contents: Filter the text of the message, that is, the contents of the EVENT_MESSAGE macro.

  • Sources and Categories: Filter on the source (application) that created the message, and optionally on the category of the event. Corresponds with the EVENT_SOURCE and EVENT_CATEGORY macros. Note that leaving the category field empty equals with the none category of the Event Viewer.

  • Users: Filter on the username associated with the event. Corresponds with the EVENT_USERNAME macro.

  • Computers: Filter on the name of the computer (host) that created the event. Corresponds with the HOST macro.

  • Event Types: Filter on the type of the event. Corresponds with the EVENT_TYPE macro.

Procedure 3.5.1. Filtering eventlog messages

Purpose: 

To modify the filters used for eventlog messages, complete the following procedure:

Steps: 

  1. Start the configuration interface of the syslog-ng Agent for Windows application.

  2. Select syslog-ng Agent Settings > Eventlog Sources.

  3. On the right-hand pane right-click on Filters, then select Properties > Enable > OK.

  4. To use whitelist-filtering, select White List Filtering. By default, syslog-ng Agent uses blacklist filtering.

  5. Select syslog-ng Agent Settings > Eventlog Sources > Filters, and double-click on the type of filter you want to create.

    • To ignore messages sent by a specific application, or messages of the application with a specific event ID, double-click on Sources and Event ID, select Add, and select the name of the source (application) whose messages you want to ignore from the Source Name field. To ignore only specific messages of the application, enter the ID of the event into the Event ID field. Select Add > Apply.

    • To ignore messages that contain a specific string or text, double-click on Message Contents, enter the search term or a regular expression into the Regular Expression field, then select Add > Apply.

    • To ignore messages sent by a specific application, or messages of the application that fall into a specific category, double-click on Sources and Categories, select Add, and select the name of the application whose messages you want to ignore from the Application Name field. To ignore only those messages of the application that fall into a specific category, enter the name of the category into the Category field. Select Add > Apply.

    • To ignore messages sent by a specific user, double-click on Users, enter the name of the user into the User field, then select Add > Apply.

    • To ignore messages sent by a specific computer (host), double-click on Computers, enter the name of the user into the Computer field, then select Add > Apply.

    • Event Types: To ignore messages of a specific event-type, double-click on Event Types, select the event types to ignore, and select Ok > Apply.

      [Note] Note

      Under Windows Vista and Server 2008, Windows labels certain messages as level 3 and the Event Viewer labels such messages as warnings. This is against the official specification: level 3 should not be used; and only level 2 messages are warnings. To filter these events, you have to manually add a new event type to the registry and set its value to 3, for example HKEY_LOCAL_MACHINE\SOFTWARE\BalaBit\syslog-ng Agent\Local Settings\EventSources\Filter\Type\Rule0\Type=3

  7. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

The following types of filters are available for file sources:

  • Message Contents: Filter the text of the message, that is, the contents of the FILE_MESSAGE macro.

Procedure 3.5.2. Filtering file messages

Purpose: 

To modify the filters used for file messages, complete the following procedure:

Steps: 

  1. Start the configuration interface of the syslog-ng Agent for Windows application.

  2. Select syslog-ng Agent Settings > File Sources.

  3. On the right-hand pane right-click on Filters, then select Properties > Enable.

  4. To use whitelist-filtering, select White List Filtering. By default, syslog-ng Agent uses blacklist filtering.

  5. Select syslog-ng Agent Settings > File Sources > Filters, and double-click on the type of filter you want to create.

    • To ignore messages that contain a specific string or text, double-click on Message Contents, enter the search term or a regular expression into the Regular Expression field, then select Add.

  7. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

3.6. Customizing the message format

The format of the messages received from the eventlog and the file sources can be customized using templates. You can define separate message format for the eventlog and the file sources. If you have multiple destination servers configured, you can define separate templates for each server. When creating a template to customize the message format, you can use macros, all alphanumeric characters, and the following special characters: <>,():;-+/_.

Procedure 3.6.1. Customizing messages using templates

Purpose: 

To create a template, complete the following procedure:

[Warning] Warning

These macros are available only in the syslog-ng Agent for Windows. To recognize Windows-specific elements of the log message (for example eventlog-related macros) on the syslog-ng server, you have to use parsers on the syslog-ng server. The parser must be configured to match the message format set in the syslog-ng Agent.

Steps: 

  1. Start the configuration interface of the syslog-ng Agent for Windows application.

  2. Select syslog-ng Agent Settings > Destinations > Network, and double-click on IPv4. Select your logserver, and click Edit.

  3. To change the format of messages received from eventlog sources, type the message format you want to use into the Event Message Format > Message Template field.

    To change the format of messages received from file sources, type the message format you want to use into the File Message Format > Message Template field.

    Do not forget to add the $ character before macros. For a complete list of the available macros, see Section 3.6.5, Macros available in the syslog-ng Agent.

    For example, to send the messages in the DATE HOSTNAME MESSAGE format, type Date:$DATE Hostname:$HOST Logmessage:$MESSAGE.

    Note that the $MESSAGE macro contains not only the text of the log message, but also additional information received from the message source, such as the name of the eventlog container, or the file, as set in the eventlog-specific and file-specific templates. For details on modifying the eventlog-specific and file-specific templates, see Procedure 3.6.2, Customizing eventlog messages and Procedure 3.6.2, Customizing eventlog messages.

    [Note] Note

    Templates are assigned to a single destination server, so it is possible to use different templates for different servers. However, a server and its failover servers always receive the same message.

    [Warning] Warning

    If you have more than one destination servers configured (separate servers, not in failover mode), and you want to use the same template for every server, you must manually copy the template into the configuration of each server. Template modifications are not applied automatically to every server.

    To use a Snare-compatible message format, select Message Type > Snare Compatible Message Type and click Reset Message Template.

  4. Click OK.

  5. To activate the changes, restart the syslog-ng Agent service.

Procedure 3.6.2. Customizing eventlog messages

Purpose: 

To customize the format of eventlog messages, complete the following procedure. This template is applied by the $MESSAGE macro to format messages received from the eventlog.

Steps: 

  1. Start the configuration interface of the syslog-ng Agent for Windows application.

  2. Select syslog-ng Agent Settings, right-click on Eventlog Sources and select Properties.

  3. Type the message format into the Message Template field. You can use date- and eventlog-related macros (for a list of macros, see Section 3.6.5, Macros available in the syslog-ng Agent).The message customized here is included in the server-specific templates using the MESSAGE macro.

    By default, the following is sent about file messages: ${EVENT_USERNAME}: ${EVENT_NAME} ${EVENT_SOURCE}: [${EVENT_TYPE}] ${EVENT_MSG} (EventID ${EVENT_ID}).

  4. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

Procedure 3.6.3. Customizing file messages

Purpose: 

To customize the format of file messages, complete the following procedure. This template is applied by the $MESSAGE macro to format messages received from the log files.

Steps: 

  1. Start the configuration interface of the syslog-ng Agent for Windows application.

  2. Select syslog-ng Agent Settings, right-click on File Sources and select Properties.

  3. Type the message format into the Message Template field. You can use date- and file-related macros (for a list of macros, see Section 3.6.5, Macros available in the syslog-ng Agent). The message customized here is included in the server-specific templates using the MESSAGE macro.

    By default, the following is sent about file messages: $FILE_NAME: $FILE_MESSAGE.

  4. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

3.6.4. Customizing the timestamp used by the syslog-ng Agent

The syslog-ng agent can send the syslog messages using either the ISO or the BSD timestamp format. It is recommended to use the ISO format, because it contains much more information than the BSD format.

Note that in the syslog-ng agent, the macros without prefix (for example DATE) always refer to the receiving date of the message (for example R_DATE) when it arrived into the event log container, and are included only for compatibility reasons.

[Warning] Warning

If a remote host is logging into the event log of the local host that is running syslog-ng Agent for Windows, both hosts should be in the same timezone, because the event log message does not include the timezone information of the sender host. Otherwise, the date of the messages received from the remote host will be incorrect.

3.6.5. Macros available in the syslog-ng Agent

The following sections list the available macros:

[Warning] Warning

These macros are available only in the syslog-ng Agent for Windows. To recognize Windows-specific elements of the log message (for example eventlog-related macros) on the syslog-ng server, you have to use parsers on the syslog-ng server. The parser must be configured to match the message format set in the syslog-ng Agent.

[Note] Note

Note that if you use the Syslog protocol template (meaning that messages are sent using the IETF-syslog protocol), only the message part of the log message can be customized, the structure of the headers and other information is fixed by the protocol.

By default, syslog-ng Agent uses the following format: <${PRI}>${BSDDATE} ${HOST} ${APP_NAME}[${PROCESS_ID}]: ${MESSAGE}, where $MESSAGE is ${EVENT_USERNAME}: ${EVENT_NAME} ${EVENT_SOURCE}: [${EVENT_TYPE}] ${EVENT_MSG} (EventID ${EVENT_ID}) for eventlog messages, and $FILE_NAME: $FILE_CURRENT_POSITION/$FILE_SIZE: $FILE_MESSAGE for file messages.

3.6.5.1. Protocol-related macros of the syslog-ng agent

HOST

Description:Name of the host sending the message. Hostnames are automatically converted to lowercase.

MESSAGE

Description:The content of the message, including the text of the message and any file- or event-specific macros that are set for the source.

MSG

Description:An alias for the MESSAGE macro.

PRI

Description:Priority header of the message, storing the facility and the level of the message.

3.6.5.2. Time-related macros of the syslog-ng agent

BSDDATE, R_BSDDATE, S_BSDDATE

Description: Date of the message in BSD timestamp format (month/day/hour/minute/second, each expressed in two digits). This is the original syslog time stamp without year information, for example Jun 13 15:58:00. If possible, it is recommended to use ISODATE for timestamping.

DATE

Description: An alias of the ISODATE macro.

DAY, R_DAY, S_DAY

Description: The day the message was sent.

FULLDATE, R_FULLDATE, S_FULLDATE

Description: A nonstandard format for the date of the message using the same format as DATE, but including the year as well, for example: 2006 Jun 13 15:58:00.

HOUR, R_HOUR, S_HOUR

Description: The hour of day the message was sent.

ISODATE, R_ISODATE, S_ISODATE

Description: Date of the message in the ISO 8601 compatible standard timestamp format (yyyy-mm-ddThh:mm:ss+-ZONE), for example: 2006-06-13T15:58:00.123+01:00. If possible, it is recommended to use ISODATE for timestamping. Note that the syslog-ng agent cannot produce fractions of a second (for example milliseconds) in the timestamp.

MIN, R_MIN, S_MIN

Description: The minute the message was sent.

MONTH, R_MONTH, S_MONTH

Description: The month the message was sent as a decimal value, prefixed with a zero if smaller than 10.

MONTHNAME, R_MONTHNAME, S_MONTHNAME

Description: The English name of the month the message was sent, abbreviated to three characters (for example Jan, Feb, and so on).

R_DATE

Description: Date when the message was recorded into the eventlog container.

S_DATE

Description: Date when the message was created.

SEC, R_SEC, S_SEC

Description: The second the message was sent.

TZ, R_TZ, S_TZ

Description: The name of the time zone of the host.

TZOFFSET, R_TZOFFSET, S_TZOFFSET

Description: The time-zone as hour offset from GMT; for example: -07:00. In syslog-ng 1.6.x this used to be -0700 but as ISODATE requires the colon it was added to TZOFFSET as well.

UNIXTIME, R_UNIXTIME, S_UNIXTIME

Description: Standard unix timestamp, represented as the number of seconds since 1970-01-01T00:00:00.

YEAR, R_YEAR, S_YEAR

Description: The year the message was sent.

WEEK, R_WEEK, S_WEEK

Description: The week number of the year, prefixed with a zero for the first nine week of the year. (The first Monday in the year marks the first week.)

WEEKDAY, R_WEEKDAY, S_WEEKDAY

Description: The 3-letter name of the day of week the message was sent, for example Thu.

3.6.5.3. Eventlog-related macros of the syslog-ng agent

EVENT_CATEGORY

Description: The category of the event.

EVENT_FACILITY

Description: The facility that sent the message.

EVENT_ID

Description: The identification number of the event.

EVENT_LEVEL

Description: Importance level of the message represented as a number: 6 - Success, 5 - Informational, 4- Warning, or 3 - Error).

EVENT_MESSAGE

Description: The content of the message.

EVENT_MESSAGE_XML

Description: Contains the entire message in XML format. Available only on Windows Vista and Server 2008 platforms

EVENT_MSG

Description: The content of the message. This is an alias of the EVENT_MESSAGE.

EVENT_NAME

Description: Name of the Windows event log container (for example Application or Security).

EVENT_REC_NUM

Description: The record number of the event in the event log.

EVENT_SID

Description: The security identification number of the event.

EVENT_SID_TYPE

Description: The security identification number resolved into name. One of the following: User, Group, Domain, Alias WellKnownGroup, DeletedAccount, Invalid, Unknown, Computer.

EVENT_SOURCE

Description: The application that created the message.

EVENT_TASK

Description: The task category of the event. Available only on Windows Vista and Server 2008 platforms

EVENT_TYPE

Description: The importance level of the message in text format.

EVENT_USERNAME

Description: The user running the application that created the message.

3.6.5.4. File-related macros of the syslog-ng agent

FILE_CURRENT_POSITION

Description: The position of the message from the beginning of the file in bytes.

FILE_FACILITY

Description: The facility that sent the message.

FILE_LEVEL

Description: Importance level of the message represented as a number: 6 - Success, 5 - Informational, 4- Warning, or 3 - Error).

FILE_MESSAGE

Description: The content of the message.

FILE_MSG

Description: The content of the message. This is an alias of the FILE_MESSAGE macro.

FILE_NAME

Description: Name of the log file (including its path) from where the syslog-ng Agent received the message.

FILE_SIZE

Description: The current size of the file in bytes.

3.7. Controlling the syslog-ng Agent services

During installation, syslog-ng Agent registers the syslog-ng Agent service that is started automatically when the host boots. To disable the automatic startup of the syslog-ng Agent, or manually start or stop the service, use the Start Menu > Control Panel > Administrative Tools > Services interface. The service is running with the privileges of the NT AUTHORITY\SYSTEM user.

When the syslog-ng Agent service is started or stopped, it sends a syslog message to the central log server and an eventlog message to the Application eventlog container of the host.

[Warning] Warning

If you change the timezone setting of the host while the syslog-ng Agent is running, you have to restart the syslog-ng Agent. Otherwise, it will not receive the updated timezone information and the date of the events will be incorrect.

3.7.1. Command-line options

The syslog-ng Agent for Windows application has the following command-line options:

-e

Start the syslog-ng Agent in debug mode and send the messages to the Application eventlog container.

-d

Start the syslog-ng Agent in debug mode. The debug messages can be displayed using the dbgview application (available here).

-i

Install the syslog-ng Agent service into the services list.

-r

Remove the syslog-ng Agent service from the services list.

-h

Display a help message about the command-line options.

-v

Display version information.

-t

Terminate the currently running syslog-ng Agent.

-c

Start the syslog-ng Agent using the specified XML configuration file.

To use these options, select Start > Run > cmd, navigate to the directory where the syslog-ng Agent is installed (for example cd C:\Windows\Program Files\BalaBit\syslog-ng Agent\), and execute the syslog-ng-agent.exe file with the required option.

Chapter 4. Troubleshooting syslog-ng Agent for Windows

In case you experience problems with the syslog-ng Agent for Windows application, the following points may be of help.

[Note] Note

The followings address only problems specific to the syslog-ng Agent, and assume that communication between the server and the client is otherwise possible (that is, the server is properly configured to receive messages and is available on the network, and name resolution is properly configured on the client).

  • Configuration changes do not take effect: Configuration changes take effect only after restarting the syslog-ng service or rebooting the system. Also restart the system after changing the timezone settings of the host, or importing a certificate that you want to use to authenticate the communication between the agent and the server. If the configuration of the agent has changed since the last restart, the syslog-ng Agent sends a message of the change, including the hmac-sha-1 hash of the new configuration.

    Also note that if your clients are managed from a Domain Controller, configuration changes are not instantly downloaded to the client hosts, only at the time of the next group policy update. To update the configuration of a client host earlier, open a command prompt on the client host, and issue the gpupdate /force command.

    After downloading the configuration from the Domain Controller, the syslog-ng Agent service is automatically restarted if the configuration has changed.

    [Note] Note

    Certain domain settings that may affect the syslog-ng Agent are downloaded only when the machine is rebooted. For example, moving the computer from one group policy to another requires a reboot to have effect.

  • The syslog-ng Agent does not send messages to the server: Check the Application eventlog for messages of the syslog-ng Agent. In case of connection errors and certificate problems, the syslog-ng Agent sends error messages into the eventlog. Ensure that the destination address of the server is correctly set. If you use SSL encryption, verify that the certificate of the Certificate Authority of the server and that the certificate of the client are properly imported. If there are no error messages, check the logs on your logserver: the syslog-ng Agent sends a MARK message every ten minutes even if there are no other messages to send.

  • The syslog-ng Agent sends only MARK messages to the server: Verify that you have configured the eventlog and file sources, and that they have not been disabled globally. If these settings are correct but the server still does not send any messages, temporarily disable all filters to see that they are not configured to ignore every message. When using filter, it is also recommended to check the global case-sensitivity settings.

  • The hostname used in the messages changes: If a host is sometimes logged in into a domain and sometimes it is not, its hostname might reflect this. To avoid this situation, select syslog-ng Agent > Destinations > IPv4 > Properties > Edit > Force DNS Hostname. This causes syslog-ng Agent to resolve its own hostname from DNS and use the resolved FQDN in the syslog messages.

  • Command-line parameters are ignored on Windows Vista and 2008 Server: Command-line parameters work only for administrators if User Account Control (UAC) is enabled. To execute syslog-ng Agent with command-line parameters, select Start > Programs > Accessories, right-click on Command prompt > Run as administrator.

    If you contact the BalaBit Support Team about a problem with the syslog-ng Agent for Windows, execute the syslog-ng-agent -V command from the command line and include every version and platform information it displays in your support request.

  • CPU load is high: See Section 4.1, Sending messages and CPU load.

  • Losing messages from eventlog containers: An eventlog container is a special file. The Agent reads this file, formats the messages and sends them to remote log server. Note that the eventlog container can be configured only to a certain size. If the container reaches that size, Windows writes the next message to the beginning of the file. As a result, if the agent is not running (or the destination server is unavailable) so long that the eventlog container is filled up, messages can be lost.

4.1. Sending messages and CPU load

The syslog-ng Agent application can send messages to the server when the Windows Scheduler provides resources to the syslog-ng Agent. When there are many unsent log messages in the log sources, and there is no other significant activity on the host, syslog-ng will start to send the messages to the server, possibly increasing the CPU load to 100%. After all messages have been sent, or if another application requires the resources, the CPU load decreases back to normal.

[Tip] Tip

To avoid the initial large load on the CPU, limit the rate of message sending temporarily. You can remove the limit after the old messages have been sent. For details, see Procedure 3.2.2, Limiting the rate of messages.

When relaying the messages from multiple sources, the syslog-ng Agent sends one message at a time from each source. That way a single source with a large log traffic does not block other log sources.

4.2. Creating core and memory dumps

In certain rare cases, you might have to create core dumps of the syslog-ng Agent to investigate a particular problem. When enabled, the syslog-ng Agent for Windows application creates core dumps automatically when it experiences an unexpected shutdown.

To enable core dumps, set the HKEY_LOCAL_MACHINE/Software/Balabit/syslog-ng Agent/WriteMinidump registry key to 1.

Core dumps are written into the installation folder of the syslog-ng Agent under the syslog-ng-agent.dmp filename. The size of a core file is typically about 40-50 MB.

Procedure 4.3. Enabling debug logging in syslog-ng Agent

Purpose: 

In case you experience problems with The syslog-ng Agent the BalaBit support team might request you to create debug logs for the application to help troubleshoot the problem. Complete the following steps:

Steps: 

  1. On the client host select Start > Run > regedit.

  2. To send the debug logs into a file, set the HKEY_LOCAL_MACHINE/Software/Balabit/syslog-ng Agent/AgentDbgLog key to 2.

    To send the debug logs to the DebugView application, set the HKEY_LOCAL_MACHINE/Software/Balabit/syslog-ng Agent/AgentDbgLog key to 1.

  3. Reproduce the error. If you requestet file output, the syslog_ng_Agent.txt file will be created in the folder where the syslog-ng Agent is installed (%PROGRAMFILES%\syslog-ng Agent\ by default).

  4. After solving the problem, delete the HKEY_LOCAL_MACHINE/Software/Balabit/syslog-ng Agent/AgentDbgLog key from the registry, otherwise the log file will grow and might consume the available hard disk space. The log file contains the log messages received and processed by the syslog-ng Agent as well.

Procedure 4.4. Logging domain update errors

Purpose: 

If the domain settings are not downloaded to a domain host, the syslog-ng Agent (starting from version 3.0.6) can create a logfile to debug why the domain settings are not updated on the client. Complete the following steps:

Steps: 

  1. On the client host select Start > Run > regedit.

  2. To send the debug logs into a file, set the HKEY_LOCAL_MACHINE/Software/Balabit/syslog-ng Agent/GpoDbgLog key to 2.

    To send the debug logs to the DebugView application, set the HKEY_LOCAL_MACHINE/Software/Balabit/syslog-ng Agent/GpoDbgLog key to 1.

  3. Select Start > Run > gpupdate to reproduce the error. If you requestet file output, the %systemroot%\system32\syslog_gpext.txt file will be created.

  4. After solving the problem, delete the HKEY_LOCAL_MACHINE/Software/Balabit/syslog-ng Agent/GpoDbgLog key from the registry, otherwise the %systemroot%\system32\syslog_gpext.txt file will grow every time when the domain settings of the client are updated.

Chapter 5. Configuring the auditing policy on Windows

This section describes how to configure the logging and auditing policy on various versions of Microsoft Windows. The syslog-ng Agent can transfer log messages only about those events that are actually logged, so the audit policy has to be configured to log the important events.

Microsoft Windows operating systems can record a range of event types, from a system-wide event such as a user logging on, to an attempt by a particular user to read a specific file. Both successful and unsuccessful attempts to perform an action can be recorded. The audit policy specifies the types of events to be audited. When such an event occurs, an entry is added to the log file of the computer.

Following is a brief overview on how to configure the audit policy on various versions of Microsoft Windows. For details, consult the documentation of your operating system, or visit Microsoft TechNet. For details on configuring the auditing and logging of various applications, like the IIS Server or the ISA Server, consult your product documentation.

Procedure 5.1. Turning on security logging on Windows XP

Purpose: 

The following procedure describes how to enable security logging on Windows XP Professional hosts.

Steps: 

[Note] Note

For details on how to remotely enable security logging for workstations, member servers, and domain controllers, see Procedure 5.2, Turning on security logging for domain controllers.

  1. Login as an administrator.

  2. Click Start, click Run, and type mmc /a.

  3. On the File menu, click Add/Remove Snap-in, and click Add.

  4. Under Snap-in, click Group Policy, and click Add.

  5. In Select Group Policy Object, select Local Computer, then click Finish, click Close, and click OK.

  6. In Console Root, select Local Computer Policy, then click Audit Policy.

  7. Right-click the attribute or event you want to audit on the details pane.

  8. Set the desired options in the Properties.

  9. Repeat Steps 7-8 for every other event you want to audit.

Procedure 5.2. Turning on security logging for domain controllers

Purpose: 

The following procedure describes how to enable security logging on a Windows XP Professional domain controller.

Steps: 

  1. Login as an administrator.

  2. Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users and Computers.

  3. In the console tree, click Domain Controllers.

  4. Click Action, then click Properties.

  5. On the Group Policy tab, select the policy you want to change, and click Edit.

  6. In the Group Policy window, in the console tree, click Audit Policy.

  7. Right-click the attribute or event you want to audit on the details pane.

  8. Set the desired options in the Properties.

  9. Repeat Steps 7-8 for every other event you want to audit.

Procedure 5.3. Turning on auditing on Windows 2003 Server

Purpose: 

The following procedure describes how to configure auditing on a Windows 2003 Server host.

Steps: 

  1. Login as an administrator.

  2. Click Start, point to Programs, point to Administrative Tools, and click Domain Security Policy.

  3. In the console tree, click Local Policies, then Audit Policy.

  4. Double-click on an event and select the Define these policy settings option.

  5. Select the type of event to log: Success or Failure.

  6. Repeat Steps 4-5 for every other event you want to audit.

Appendix 1. BalaBit syslog-ng Premium Edition License contract

1.1. SUBJECT OF THE LICENSE CONTRACT

This License Contract is entered into by and between BalaBit and Licensee and sets out the terms and conditions under which Licensee and/or Licensee’s Authorized Subsidiaries may use the BalaBit syslog-ng Premium Edition product.

1.2. DEFINITIONS

In this License Contract, the following words shall have the following meanings:

Company name: BalaBit IT Security Ltd.

Registered office: H-1115 Budapest, Bártfai u. 54. Hungary

Company registration number: 01-09-687127

Tax number: HU11996468

1.3. WORDS AND EXPRESSIONS

Annexed Software

Any third party software that is a not a BalaBit Product contained in the install media of the BalaBit Product.

Authorized Subsidiary

Any subsidiary organization: (i) in which Licensee possesses more than fifty percent (50%) of the voting power and (ii) which is located within the Territory.

BalaBit Product

Any software, hardware or service Licensed, sold, or provided by BalaBit including any installation, education, support and warranty services, with the exception of the Annexed Software.

License Contract

The present BalaBit syslog-ng Premium Edition License Contract.

Product Documentation

Any documentation referring to the BalaBit syslog-ng Premium Edition or any module thereof, with special regard to the administration guide, the product description, the installation guide, user guides and manuals.

Number of Log Source Hosts

Number of all host or server computers including virtual machines, active or passive networking devices from which a BalaBit syslog-ng Premium Edition server receives log messages.

Protected Objects

The entire BalaBit syslog-ng Premium Edition software including all of its modules, all the related Product Documentation; the source code, the structure of the databases, all registered information reflecting the structure of the BalaBit syslog-ng Premium Edition and all the adaptation and copies of the Protected Objects that presently exist or that are to be developed in the future, or any product falling under the copyright of BalaBit.

BalaBit syslog-ng Premium Edition

The BalaBit Product designed for aggregate, filter, format, send or receive over network or local connection the log messages and eventlogs as defined by the Product Description.

Warranty Period

The period of twelve (12) months from the date of delivery of the BalaBit syslog-ng Premium Edition to Licensee.

Territory

The countries or areas specified above in respect of which Licensee shall be entitled to install and/or use BalaBit syslog-ng Premium Edition.

End-user Certificate

The document signed by Licensor which contains a) identification data of Licensee; b) configuration of BalaBit syslog-ng Premium Edition , maximum Number of Log Source Hosts and designation of Licensed modules thereof; c) designation of the Territory; d) declaration of the parties on accepting the terms and conditions of this License Contract; and e) declaration of Licensee that is in receipt of the install media and the hardware appliance.

1.4. LICENSE GRANTS AND RESTRICTIONS

For the BalaBit syslog-ng Premium Editionlicensed under this License Contract, BalaBit grants to Licensee a non-exclusive, non-transferable, perpetual license to use such BalaBit Product under the terms and conditions of this License Contract and the applicable End-user Certificate.

Licensee shall use the BalaBit syslog-ng Premium Editionin the in the configuration and in the quantities specified in the End-user Certificate within the Territory.

On the install media (CD-ROM) all modules of the BalaBit syslog-ng Premium Editionwill be presented, however, Licensee shall not be entitled to use any module which was not Licensed to it. Access rights to modules and maximum Number of Log Source Hosts are controlled by an “electronic key” accompanying the BalaBit syslog-ng Premium Edition.

Licensee shall be entitled to make one back-up copy of the install media containing the BalaBit syslog-ng Premium Edition.

Licensee shall make available the Protected Objects at its disposal solely to its own employees and those of the Authorized Subsidiaries.

Licensee shall take all reasonable steps to protect BalaBit’s rights with respect to the Protected Objects with special regard and care to protecting it from any unauthorized access.

Licensee shall, in 5 working days, properly answer the queries of BalaBit referring to the actual usage conditions of the BalaBit syslog-ng Premium Editionthat may differ or allegedly differs from the License conditions.

Licensee shall not modify the BalaBit syslog-ng Premium Editionin any way, with special regard to the functions inspecting the usage of the software. Licensee shall install the code permitting the usage of the BalaBit syslog-ng Premium Editionaccording to the provisions defined for it by BalaBit. Licensee may not modify or cancel such codes. Configuration settings of the BalaBit syslog-ng Premium Editionin accordance with the possibilities offered by the system shall not be construed as modification of the software.

Licensee shall only be entitled to analyze the structure of the BalaBit Products (decompilation or reverse- engineering) if concurrent operation with a software developed by a third party is necessary, and upon request to supply the information required for concurrent operation BalaBit does not provide such information within 60 days from the receipt of such a request.

These user actions are limited to parts of the BalaBit Product which are necessary for concurrent operation.Any information obtained as a result of applying the previous Section (i) cannot be used for purposes other than concurrent operation with the BalaBit Product; (ii) cannot be disclosed to third parties unless it is necessary for concurrent operation with the BalaBit Product; (iii) cannot be used for the development, production or distribution of a different software which is similar to the BalaBit Product in its form of expression, or for any other act violating copyright.

For any Annexed Software contained by the same install media as the BalaBit Product, the terms and conditions defined by its copyright owner shall be properly applied. BalaBit does not grant any License rights to any Annexed Software.

Any usage of the BalaBit syslog-ng Premium Editionexceeding the limits and restrictions defined in this License Contract shall qualify as material breach of the License Contract.

The Number of Log Source Hosts shall not exceed the amount defined in the End-user Certificate.

Licensee shall have the right to obtain and use content updates only if Licensee concludes a maintenance contract that includes such content updates, or if Licensee has otherwise separately acquired the right to obtain and use such content updates. This License Contract does not otherwise permit Licensee to obtain and use content updates.

1.5. SUBSIDIARIES

Authorized Subsidiaries may also utilize the services of the BalaBit syslog-ng Premium Editionunder the terms and conditions of this License Contract. Any Authorized Subsidiary utilizing any service of the BalaBit syslog-ng Premium Editionwill be deemed to have accepted the terms and conditions of this License Contract.

1.6. INTELLECTUAL PROPERTY RIGHTS

Licensee agrees that BalaBit owns all rights, titles, and interests related to the BalaBit syslog-ng Premium Editionand all of BalaBit's patents, trademarks, trade names, inventions, copyrights, know-how, and trade secrets relating to the design, manufacture, operation or service of the BalaBit Products.

The use by Licensee of any of these intellectual property rights is authorized only for the purposes set forth herein, and upon termination of this License Contract for any reason, such authorization shall cease.

The BalaBit Products are Licensed only for internal business purposes in every case, under the condition that such License does not convey any license, expressly or by implication, to manufacture, duplicate or otherwise copy or reproduce any of the BalaBit Products. No other rights than expressly stated herein are granted to Licensee.

Licensee will take appropriate steps with its Authorized Subsidiaries, as BalaBit may request, to inform them of and assure compliance with the restrictions contained in the License Contract.

1.7. TRADE MARKS

BalaBit hereby grants to Licensee the non-exclusive right to use the trade marks of the BalaBit Products in the Territory in accordance with the terms and for the duration of this License Contract.

BalaBit makes no representation or warranty as to the validity or enforceability of the trade marks, nor as to whether these infringe any intellectual property rights of third parties in the Territory.

1.8. NEGLIGENT INFRINGEMENT

In case of negligent infringement of BalaBit’s rights with respect to the BalaBit syslog-ng Premium Edition, committed by violating the restrictions and limitations defined by this License Contract, Licensee shall pay liquidated damages to BalaBit. The amount of the liquidated damages shall be twice as much as the price of the BalaBit Product concerned, on BalaBit’s current Price List.

1.9. INTELLECTUAL PROPERTY INDEMNIFICATION

BalaBit shall pay all damages, costs and reasonable attorney’s fees awarded against Licensee in connection with any claim brought against Licensee to the extent that such claim is based on a claim that Licensee’s authorized use of the BalaBit Product infringes a patent, copyright, trademark or trade secret. Licensee shall notify BalaBit in writing of any such claim as soon as Licensee learns of it and shall cooperate fully with BalaBit in connection with the defense of that claim. BalaBit shall have sole control of that defense (including without limitation the right to settle the claim).

If Licensee is prohibited from using any BalaBit Product due to an infringement claim, or if BalaBit believes that any BalaBit Product is likely to become the subject of an infringement claim, BalaBit shall at its sole option, either: (i) obtain the right for Licensee to continue to use such BalaBit Product, (ii) replace or modify the BalaBit Product so as to make such BalaBit Product non-infringing and substantially comparable in functionality or (iii) refund to Licensee the amount paid for such infringing BalaBit Product and provide a pro-rated refund of any unused, prepaid maintenance fees paid by Licensee, in exchange for Licensee’s return of such BalaBit Product to BalaBit.

Notwithstanding the above, BalaBit will have no liability for any infringement claim to the extent that it is based upon: (i) modification of the BalaBit Product other than by BalaBit, (ii) use of the BalaBit Product in combination with any product not specifically authorized by BalaBit to be combined with the BalaBitProduct or (iii) use of the BalaBit Product in an unauthorized manner for which it was not designed.

1.10. LICENSE FEE

The allowed maximum Number of the Log Source Hosts, the configuration and the modules licensed shall serve as the calculation base of the License fee.

Licensee acknowledges that payment of the License fees is a condition of lawful usage.

License fees do not contain any installation or post charges.

1.11. WARRANTIES

BalaBit warrants that during the Warranty Period, the magnetic or optical media upon which the BalaBit Product is recorded will not be defective under normal use. BalaBit will replace any defective media returned to it, accompanied by a dated proof of purchase, within the Warranty Period at no charge to Licensee. Upon receipt of the allegedly defective BalaBit Product, BalaBit will at its option, deliver a replacement BalaBit Product or BalaBit's current equivalent to Licensee at no additional cost. BalaBit will bear the delivery charges to Licensee for the replacement Product.

In case of installation by BalaBit, BalaBit warrants that during the Warranty Period, the BalaBit syslog-ng Premium Edition, under normal use in the operating environment defined by BalaBit, and without unauthorized modification, will perform in substantial compliance with the Product Documentation accompanying the BalaBit Product, when used on that hardware for which it was installed, in compliance with the provisions of the user manuals and the recommendations of BalaBit. The date of the notification sent to BalaBit shall qualify as the date of the failure. Licensee shall do its best to mitigate the consequences of that failure. If, during the Warranty Period, the BalaBit Product fails to comply with this warranty, and such failure is reported by Licensee to BalaBit within the Warranty Period, BalaBit’s sole obligation and liability for breach of this warranty is, at BalaBit’s sole option, either: (i) to correct such failure, (ii) to replace the defective BalaBit Product or (iii) to refund the license fees paid by Licensee for the applicable BalaBit Product.

1.12.  DISCLAIMER OF WARRANTIES

EXCEPT AS SET OUT IN THIS LICENSE CONTRACT, BALABIT MAKES NO WARRANTIES OF ANY KIND WITH RESPECT TO THE BALABIT SYSLOG-NG PREMIUM EDITION. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, BALABIT EXCLUDES ANY OTHER WARRANTIES, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF SATISFACTORY QUALITY, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS.

1.13. LIMITATION OF LIABILITY

SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN UNION, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES AND, THEREFORE, THE FOLLOWING LIMITATION OR EXCLUSION MAY NOT APPLY TO THIS LICENSE CONTRACT IN THOSE STATES AND COUNTRIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET OUT IN THIS LICENSE CONTRACT FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT SHALL BALABIT BE LIABLE TO LICENSEE FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT OR SIMILAR DAMAGES OR LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE BALABIT SYSLOG-NG PREMIUM EDITION EVEN IF BALABIT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO CASE SHALL BALABIT’S TOTAL LIABILITY UNDER THIS LICENSE CONTRACT EXCEED THE FEES PAID BY LICENSEE FOR THE BALABIT SYSLOG-NG PREMIUM EDITION LICENSED UNDER THIS LICENSE CONTRACT.

1.14. DURATION AND TERMINATION

This License Contract shall come into effect on the date of signature of the End-user Certificate by the duly authorized representative of BalaBit.

Licensee may terminate the License Contract at any time by written notice sent to BalaBit and by simultaneously destroying all copies of the Protected Objects licensed under this License Contract.

BalaBit may terminate this License Contract with immediate effect by written notice to Licensee, if Licensee is in material or persistent breach of the License Contract and either that breach is incapable of remedy or Licensee shall have failed to remedy that breach within 30 days after receiving written notice requiring it to remedy that breach.

1.15. AMENDMENTS

Save as expressly provided in this License Contract, no amendment or variation of this License Contract shall be effective unless in writing and signed by a duly authorized representative of the parties to it.

1.16. WAIVER

The failure of a party to exercise or enforce any right under this License Contract shall not be deemed to be a waiver of that right nor operate to bar the exercise or enforcement of it at any time or times thereafter.

1.17. SEVERABILITY

If any part of this License Contract becomes invalid, illegal or unenforceable, the parties shall in such an event negotiate in good faith in order to agree on the terms of a mutually satisfactory provision to be substituted for the invalid, illegal or unenforceable provision which as nearly as possible validly gives effect to their intentions as expressed in this License Contract.

1.18. NOTICES

Any notice required to be given pursuant to this License Contract shall be in writing and shall be given by delivering the notice by hand, or by sending the same by prepaid first class post (airmail if to an address outside the country of posting) to the address of the relevant party set out in this License Contract or such other address as either party notifies to the other from time to time. Any notice given according to the above procedure shall be deemed to have been given at the time of delivery (if delivered by hand) and when received (if sent by post).

1.19.  MISCELLANEOUS

Headings are for convenience only and shall be ignored in interpreting this License Contract.

This License Contract and the rights granted in this License Contract may not be assigned, sublicensed or otherwise transferred in whole or in part by Licensee without BalaBit’s prior written consent. This consent shall not be unreasonably withheld or delayed.

An independent third party auditor, reasonably acceptable to BalaBit and Licensee, may upon reasonable notice to Licensee and during normal business hours, but not more often than once each year, inspect Licensee’s relevant records in order to confirm that usage of the BalaBit syslog-ng Premium Edition complies with the terms and conditions of this License Contract. BalaBit shall bear the costs of such audit. All audits shall be subject to the reasonable safety and security policies and procedures of Licensee.

This License Contract constitutes the entire agreement between the parties with regard to the subject matter hereof.

Any modification of this License Contract must be in writing and signed by both parties.

Appendix 2. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License

THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.

  1. Definitions

    1. "Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License.

    2. "Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined above) for the purposes of this License.

    3. "Distribute" means to make available to the public the original and copies of the Work through sale or other transfer of ownership.

    4. "Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License.

    5. "Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast.

    6. "Work" means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work.

    7. "You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation.

    8. "Publicly Perform" means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images.

    9. "Reproduce" means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium.

  2. Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws.

  3. License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:

    1. to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections; and,

    2. to Distribute and Publicly Perform the Work including as incorporated in Collections.

    The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats, but otherwise you have no rights to make Adaptations. Subject to 8(f), all rights not expressly granted by Licensor are hereby reserved, including but not limited to the rights set forth in Section 4(d).

  4. Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:

    1. You may Distribute or Publicly Perform the Work only under the terms of this License. You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(c), as requested.

    2. You may not exercise any of the rights granted to You in Section 3 above in any manner that is primarily intended for or directed toward commercial advantage or private monetary compensation. The exchange of the Work for other copyrighted works by means of digital file-sharing or otherwise shall not be considered to be intended for or directed toward commercial advantage or private monetary compensation, provided there is no payment of any monetary compensation in connection with the exchange of copyrighted works.

    3. If You Distribute, or Publicly Perform the Work or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work. The credit required by this Section 4(c) may be implemented in any reasonable manner; provided, however, that in the case of a Collection, at a minimum such credit will appear, if a credit for all contributing authors of Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties.

    4. For the avoidance of doubt:

      1. Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License;

      2. Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License if Your exercise of such rights is for a purpose or use which is otherwise than noncommercial as permitted under Section 4(b) and otherwise waives the right to collect royalties through any statutory or compulsory licensing scheme; and,

      3. Voluntary License Schemes. The Licensor reserves the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License that is for a purpose or use which is otherwise than noncommercial as permitted under Section 4(b).

    5. Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation.

  5. Representations, Warranties and Disclaimer UNLESS OTHERWISE MUTUALLY AGREED BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.

  6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

  7. Termination

    1. This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License.

    2. Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.

  8. Miscellaneous

    1. Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License.

    2. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.

    3. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.

    4. This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You.

    5. The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law.

Glossary

alias IP

An additional IP address assigned to an interface that already has an IP address. The normal and alias IP addresses both refer to the same physical interface.

authentication

The process of verifying the authenticity of a user or client before allowing access to a network system or service.

auditing policy

The auditing policy determines which events are logged on host running Microsoft Windows operating systems.

BSD-syslog protocol

The old syslog protocol standard described in RFC 3164. Sometimes also referred to as the legacy-syslog protocol.

CA

A Certificate Authority (CA) is an institute that issues certificates.

certificate

A certificate is a file that uniquely identifies its owner. Certificates contains information identifying the owner of the certificate, a public key itself, the expiration date of the certificate, the name of the CA that signed the certificate, and some other data.

client mode

In client mode, syslog-ng collects the local logs generated by the host and forwards them through a network connection to the central syslog-ng server or to a relay.

destination

A named collection of configured destination drivers.

destination driver

A communication method used to send log messages.

destination, network

A destination that sends log messages to a remote host (i.e., a syslog-ng relay or server) using a network connection.

destination, local

A destination that transfers log messages within the host, e.g., writes them to a file, or passes them to a log analyzing application.

disk buffer

The Premium Edition of syslog-ng can store messages on the local hard disk if the central log server or the network connection to the server becomes unavailable.

disk queue

See disk buffer.

domain name

The name of a network, e.g.: balabit.com.

embedded log statement

A log statement that is included in another log statement to create a complex log path.

filter

An expression to select messages.

gateway

A device that connect two or more parts of the network, e.g.: your local intranet and the external network (the Internet). Gateways act as entrances into other networks.

high availability

High availability uses a second syslog-ng server unit to ensure that the logs are received even if the first unit breaks down.

host

A computer connected to the network.

hostname

A name that identifies a host on the network.

IETF-syslog protocol

The syslog-protocol standard developed by the Internet Engineering Task Force (IETF), described in RFC 5424-5428.

key pair

A private key and its related public key. The private key is known only to the owner; the public key can be freely distributed. Information encrypted with the private key can only be decrypted using the public key.

license

The syslog-ng license determines the number of distinct hosts (clients and relays) that can connect to the syslog-ng server.

log path

A combination of sources, filters, parsers, rewrite rules, and destinations: syslog-ng examines all messages arriving to the sources of the logpath and sends the messages matching all filters to the defined destinations.

logstore

A binary logfile format that can encrypt, compress, and timestamp log messages.

LSH

See log source host.

log source host

A host or network device (including syslog-ng clients and relays) that sends logs to the syslog-ng server. Log source hosts can be servers, routers, desktop computers, or other devices capable of sending syslog messages or running syslog-ng.

log statement

See log path.

name server

A network computer storing the IP addresses corresponding to domain names.

Oracle Instant Client

The Oracle Instant Client is a small set of libraries, which allow you to connect to an Oracle Database. A subset of the full Oracle Client, it requires minimal installation but has full functionality.

output buffer

A part of the memory of the host where syslog-ng stores outgoing log messages if the destination cannot accept the messages immediately.

output queue

Messages from the output queue are sent to the target syslog-ng server. The syslog-ng application puts the outgoing messages directly into the output queue, unless the output queue is full. The output queue can hold 64 messages, this is a fixed value and cannot be modified.

overflow queue

See output buffer.

parser

A set of rules to segment messages into named fields or columns.

ping

A command that sends a message from a host to another host over a network to test connectivity and packet loss.

port

A number ranging from 1 to 65535 that identifies the destination application of the transmitted data. E.g.: SSH commonly uses port 22, web servers (HTTP) use port 80, etc.

Public-key authentication

An authentication method that uses encryption key pairs to verify the identity of a user or a client.

regular expression

A regular expression is a string that describes or matches a set of strings. The syslog-ng application supports extended regular expressions (also called POSIX modern regular expressions).

relay mode

In relay mode, syslog-ng receives logs through the network from syslog-ng clients and forwards them to the central syslog-ng server using a network connection.

rewrite rule

A set of rules to modify selected elements of a log message.

template

A user-defined structure that can be used to restructure log messages or automatically generate file names.

server mode

In server mode, syslog-ng acts as a central log-collecting server. It receives messages from syslog-ng clients and relays over the network, and stores them locally in files, or passes them to other applications, e.g., log analyzers.

source

A named collection of configured source drivers.

source, network

A source that receives log messages from a remote host using a network connection. The following sources are network sources: tcp(), tcp6(), udp(), udp6().

source, local

A source that receives log messages from within the host, e.g., from a file.

source driver

A communication method used to receive log messages.

SSL

See TLS.

syslog-ng

The syslog-ng application is a flexible and highly scalable system logging application, typically used to manage log messages and implement centralized logging.

syslog-ng agent

The syslog-ng agent for Windows is a log collector and forwarder application for the Microsoft Windows platform. It collects the log messages of the Windows-based host and forwards them to a syslog-ng server using regular or SSL-encrypted TCP connections.

syslog-ng client

A host running syslog-ng in client mode.

syslog-ng Premium Edition

The syslog-ng Premium Edition is the commercial version of the open-source application. It offers additional features, like encrypted message transfer and an agent for Microsoft Windows platforms.

syslog-ng relay

A host running syslog-ng in relay mode.

syslog-ng server

A host running syslog-ng in server mode.

TLS

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols which provide secure communications on the Internet. The syslog-ng Premium Edition application can encrypt the communication between the clients and the server using TLS to prevent unauthorized access to sensitive log messages.

traceroute

A command that shows all routing steps (the path of a message) between two hosts.

unix domain socket

A Unix domain socket (UDS) or IPC socket (inter-procedure call socket) is a virtual socket, used for inter-process communication.

Index

Symbols

$DAY, $R_DAY, $S_DAY, DAY, R_DAY, S_DAY
$FULLDATE, $R_FULLDATE, $S_FULLDATE, FULLDATE, R_FULLDATE, S_FULLDATE
$HOUR, $R_HOUR, $S_HOUR, HOUR, R_HOUR, S_HOUR
$MIN, $R_MIN, $S_MIN, MIN, R_MIN, S_MIN
$MONTH, $R_MONTH, $S_MONTH, MONTH, R_MONTH, S_MONTH
$SEC, $R_SEC, $S_SEC, SEC, R_SEC, S_SEC
$TZOFFSET, $R_TZOFFSET, $S_TZOFFSET, TZOFFSET, R_TZOFFSET, S_TZOFFSET
$UNIXTIME, $R_UNIXTIME, $S_UNIXTIME, UNIXTIME, R_UNIXTIME, S_UNIXTIME
$WEEK, $R_WEEK, $S_WEEK, WEEK, R_WEEK, S_WEEK
$WEEKDAY, $R_WEEKDAY, $S_WEEKDAY, WEEKDAY, R_WEEKDAY, S_WEEKDAY
$YEAR, $R_YEAR, $S_YEAR, YEAR, R_YEAR, S_YEAR

A

auditing policy, Configuring the auditing policy on Windows
configuring on Windows 2003 Server, Configuring the auditing policy on Windows
configuring on Windows XP, Configuring the auditing policy on Windows
authentication
syslog-ng agent, Using SSL-encrypted connections with the syslog-ng agent

B

BSDDATE, R_BSDDATE, S_BSDDATE, BSDDATE, R_BSDDATE, S_BSDDATE

C

certificate revocation lists
syslog-ng agent, Using mutual authentication with syslog-ng agent
certificates, Using SSL-encrypted connections with the syslog-ng agent
importing on Windows, Using SSL-encrypted connections with the syslog-ng agent
client authentication
syslog-ng agent, Using mutual authentication with syslog-ng agent
client-side failover
syslog-ng agent, Configuring destinations
configuring syslog-ng
on Windows, Introduction
syslog-ng agent, Configuring a standalone syslog-ng Agent
CRL
syslog-ng agent, Using mutual authentication with syslog-ng agent

D

DATE, DATE
DAY, R_DAY, S_DAY, DAY, R_DAY, S_DAY
destinations
syslog-ng agent, Configuring destinations
disk buffer
on Windows, Introduction

E

eventlog
remote logging, Customizing the timestamp used by the syslog-ng Agent

F

formatting messages, Configuring destinations
FULLDATE, R_FULLDATE, S_FULLDATE, FULLDATE, R_FULLDATE, S_FULLDATE

H

hostname in the messages, Configuring destinations
hostname resolution, Configuring destinations
HOUR, R_HOUR, S_HOUR, HOUR, R_HOUR, S_HOUR

I

importing certificates, Using SSL-encrypted connections with the syslog-ng agent
inheriting settings on Windows, Domain versus local settings
installing syslog-ng
on Windows, Installing the syslog-ng agent
syslog-ng agent on domain controllers, Installing the syslog-ng agent
ISODATE, R_ISODATE, S_ISODATE, ISODATE, R_ISODATE, S_ISODATE

L

losing messages
from eventlog containers, Troubleshooting syslog-ng Agent for Windows

M

macros
date and time, Time-related macros of the syslog-ng agent
eventlog sources, Eventlog-related macros of the syslog-ng agent
file sources, File-related macros of the syslog-ng agent
protocol, Protocol-related macros of the syslog-ng agent
syslog-ng agent, Protocol-related macros of the syslog-ng agent, Time-related macros of the syslog-ng agent, Eventlog-related macros of the syslog-ng agent, File-related macros of the syslog-ng agent
message filtering
syslog-ng agent, Filtering messages
message format, Configuring destinations
syslog-ng agent, Customizing the message format
message rate
on Windows, Configuring destinations
message template, Configuring destinations
MIN, R_MIN, S_MIN, MIN, R_MIN, S_MIN
MONTH, R_MONTH, S_MONTH, MONTH, R_MONTH, S_MONTH
MONTHNAME, R_MONTHNAME, S_MONTHNAME, MONTHNAME, R_MONTHNAME, S_MONTHNAME
mutual authentication
syslog-ng agent, Using mutual authentication with syslog-ng agent

R

R_DATE, R_DATE

S

SEC, R_SEC, S_SEC, SEC, R_SEC, S_SEC
snare, Configuring destinations, Customizing the message format
sources
eventlog, Eventlog sources
windows log files, Configuring message sources
supported operating systems, Supported operating systems
syslog-ng Agent, Introduction
configuration file, Using an XML-based configuration file
creating core dumps, Creating core and memory dumps
inheriting settings, Domain versus local settings
timezone, Controlling the syslog-ng Agent services
troubleshooting, Troubleshooting syslog-ng Agent for Windows, Creating core and memory dumps
XML, Using an XML-based configuration file
syslog-ng agent
certificate revocation lists, Using mutual authentication with syslog-ng agent
client authentication, Using mutual authentication with syslog-ng agent
client-side failover, Configuring destinations
configuring domain controllers, Configuring the syslog-ng Agents of a domain
configuring domain hosts, Configuring the syslog-ng Agents of a domain
configuring the logserver, Configuring destinations
CRL, Using mutual authentication with syslog-ng agent
default message format, Macros available in the syslog-ng Agent
destinations, Configuring destinations
disabling sources and filters, Configuring message sources
eventlog sources, Eventlog sources
failover servers, Configuring destinations
file sources, Configuring message sources
filtering messages, Filtering messages
importing certificates, Using SSL-encrypted connections with the syslog-ng agent
installing, Installing the syslog-ng agent
installing the agent from the domain controller, Installing the syslog-ng Agent on the domain controller and the hosts of a domain
installing the agent in standalone mode, Installing the syslog-ng agent
message format, Customizing the message format
mutual authentication, Using mutual authentication with syslog-ng agent
throttle, Configuring destinations
timestamp, Customizing the timestamp used by the syslog-ng Agent
upgrading, Upgrading syslog-ng Agent for Windows to the latest version
upgrading to 3.0, Upgrading syslog-ng Agent for Windows 2.x to 3.0.x
upgrading to 3.1, Upgrading syslog-ng Agent for Windows to the latest version
S_DATE, S_DATE

T

throttle
on Windows, Configuring destinations
timestamp
syslog-ng agent, Customizing the timestamp used by the syslog-ng Agent
timezone
Windows, Customizing the timestamp used by the syslog-ng Agent, Controlling the syslog-ng Agent services
TLS
syslog-ng agent, Using SSL-encrypted connections with the syslog-ng agent
troubleshooting
syslog-ng Agent, Troubleshooting syslog-ng Agent for Windows
TZ, R_TZ, S_TZ, TZ, R_TZ, S_TZ
TZOFFSET, R_TZOFFSET, S_TZOFFSET, TZOFFSET, R_TZOFFSET, S_TZOFFSET

U

UNIXTIME, R_UNIXTIME, S_UNIXTIME, UNIXTIME, R_UNIXTIME, S_UNIXTIME

W

WEEK, R_WEEK, S_WEEK, WEEK, R_WEEK, S_WEEK
WEEKDAY, R_WEEKDAY, S_WEEKDAY, WEEKDAY, R_WEEKDAY, S_WEEKDAY
Windows auditing policy, Configuring the auditing policy on Windows
configuring on Windows 2003 Server, Configuring the auditing policy on Windows
configuring on Windows XP, Configuring the auditing policy on Windows

Y

YEAR, R_YEAR, S_YEAR, YEAR, R_YEAR, S_YEAR