The syslog-ng Agent for Windows 6 LTS Administrator Guide

Copyright © 2017 Balabit SA. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Balabit.

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (https://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)

AIX™, AIX 5L™, AS/400™, BladeCenter™, eServer™, IBM™, the IBM™ logo, IBM System i™, IBM System i5™, IBM System x™, iSeries™, i5/OS™, Netfinity™, NetServer™, OpenPower™, OS/400™, PartnerWorld™, POWER™, ServerGuide™, ServerProven™, and xSeries™ are trademarks or registered trademarks of International Business Machines.

Alliance Log Agent for System i™ is a registered trademark of Patrick Townsend & Associates, Inc.

The Balabit™ name and the Balabit™ logo are registered trademarks of Balabit SA.

Debian™ is a registered trademark of Software in the Public Interest Inc.

Hadoop™ and the Hadoop elephant logo are trademarks of the Apache Software Foundation.

Linux™ is a registered trademark of Linus Torvalds.

MapR™ is a trademark of MapR Technologies, Inc.

Elasticsearch™ and Kibana™ are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.

Apache Kafka and the Apache Kafka Logo are trademarks of the Apache Software Foundation.

MySQL™ is a registered trademark of Oracle and/or its affiliates.

Oracle™, JD Edwards™, PeopleSoft™, and Siebel™ are registered trademarks of Oracle Corporation and/or its affiliates.

Red Hat™, Inc., Red Hat Enterprise Linux™ and Red Hat Linux™ are trademarks of Red Hat, Inc.

SUSE™ is a trademark of SUSE AG, a Novell business.

Solaris™ is a registered trademark of Oracle and/or its affiliates.

Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries.

The syslog-ng™ name and the syslog-ng™ logo are registered trademarks of Balabit.

Windows™ 95, 98, ME, 2000, XP, Server 2003, Vista, Server 2008, 7, 8, and Server 2012 are registered trademarks of Microsoft Corporation.

For details on FIPS-compliance, see this page.

All other product names mentioned herein are the trademarks of their respective owners.

DISCLAIMER. Balabit is not responsible for any third-party websites mentioned in this document. Balabit does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. Balabit will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

October 02, 2017

This manual is the primary documentation of the syslog-ng Agent for Windows 6 LTS application.


Table of Contents

Preface
1. Summary of contents
2. Target audience and prerequisites
3. Products covered in this guide
4. Typographical conventions
5. Contact and support information
5.1. Sales contact
5.2. Support contact
5.3. Training
6. About this document
6.1. Summary of changes
6.2. Feedback
1. Introduction
1.1. Supported operating systems
2. Installing the syslog-ng Agent
2.1. Installing the syslog-ng Agent in standalone mode
2.2. Installing the syslog-ng Agent on the domain controller and the hosts of a domain
2.2.1. Installing the syslog-ng Agent on the domain controller and the hosts of a domain
2.3. Silent installation
2.4. Installing the MSI package of syslog-ng Agent into a custom folder
2.5. Upgrading syslog-ng Agent for Windows to the latest version
2.6. Uninstalling syslog-ng Agent
2.7. Uninstalling syslog-ng Agent in silent mode
3. How to configure the syslog-ng Agent
3.1. Configuring a standalone syslog-ng Agent
3.2. Configuring the syslog-ng Agents of a domain
3.2.1. Configuring the syslog-ng Agents of the domain hosts
3.2.2. Configuring the syslog-ng Agents of the domain controllers
3.2.3. Domain versus local settings
3.3. Using an XML-based configuration file
3.3.1. Creating an XML configuration file for the syslog-ng Agent
3.3.2. Configuring syslog-ng Agent from an XML file
4. Configuring destinations
4.1. Configuring the destination log servers
4.2. Limiting the rate of messages
4.3. Sending MARK messages
4.4. Flow-control in syslog-ng Agent for Windows
5. Configuring message sources
5.1. Eventlog sources
5.1.1. Managing eventlog sources
5.1.2. Adding eventlog sources
5.1.3. Determining the name of a custom eventlog container on Windows Vista and newer
5.1.4. Determining the name of a custom eventlog container on Windows XP, or Server 2003
5.2. Managing file sources
5.3. Managing the internal source
5.4. Configuring global settings
5.5. Configuring the hostname format
5.6. Disabling sources and filters globally
6. Using SSL-encrypted connections with the syslog-ng Agent
6.1. Enabling encrypted connections
6.2. Using mutual authentication with syslog-ng Agent
6.2.1. Configuring mutual authentication with the syslog-ng Agent for Windows
6.3. Importing certificates with the Microsoft Management Console
7. Filtering messages
7.1. Filtering eventlog messages
7.2. Filtering file messages
8. Customizing the message format
8.1. Customizing messages using templates
8.2. Customizing the timestamp used by the syslog-ng Agent
8.3. Macros available in the syslog-ng Agent
8.3.1. Protocol-related macros of the syslog-ng Agent
8.3.2. Time-related macros of the syslog-ng Agent
8.3.3. Eventlog-related macros of the syslog-ng Agent
8.3.4. File-related macros of the syslog-ng Agent
9. Controlling the syslog-ng Agent services
9.1. Command-line options
10. Troubleshooting syslog-ng Agent for Windows
10.1. Sending messages and CPU load
10.2. Debugging syslog-ng Agent
10.2.1. Creating core and memory dumps
10.2.2. Enabling debug logging in syslog-ng Agent
10.2.3. Troubleshooting domain setting problems
10.3. Reading eventlog messages is slow on Windows Vista or newer
10.3.1. Limitations of using the EVT API on Windows Vista or newer
10.3.2. Enabling the EVT API on Windows Vista or newer
10.4. Debug bundle on Windows
syslog-windebun.ps1 — syslog-ng WINdows DEBUg buNdle generator PowerShell script
11. Configuring the auditing policy on Windows
11.1. Turning on security logging on Windows XP
11.2. Turning on security logging for domain controllers
11.3. Turning on auditing on Windows 2003 Server
A. END USER LICENSE AGREEMENT FOR BALABIT PRODUCT (EULA)
Glossary
List of syslog-ng PE interface labels
Index

List of Procedures

2.1. Installing the syslog-ng Agent in standalone mode
2.2.1. Installing the syslog-ng Agent on the domain controller and the hosts of a domain
2.4. Installing the MSI package of syslog-ng Agent into a custom folder
2.6. Uninstalling syslog-ng Agent
2.7. Uninstalling syslog-ng Agent in silent mode
3.1. Configuring a standalone syslog-ng Agent
3.2.1. Configuring the syslog-ng Agents of the domain hosts
3.2.2. Configuring the syslog-ng Agents of the domain controllers
3.3.1. Creating an XML configuration file for the syslog-ng Agent
4.1. Configuring the destination log servers
4.2. Limiting the rate of messages
4.3. Sending MARK messages
5.1.1. Managing eventlog sources
5.1.2. Adding eventlog sources
5.1.3. Determining the name of a custom eventlog container on Windows Vista and newer
5.1.4. Determining the name of a custom eventlog container on Windows XP, or Server 2003
5.2. Managing file sources
5.3. Managing the internal source
5.4. Configuring global settings
5.5. Configuring the hostname format
5.6. Disabling sources and filters globally
6.1. Enabling encrypted connections
6.2.1. Configuring mutual authentication with the syslog-ng Agent for Windows
6.3. Importing certificates with the Microsoft Management Console
7.1. Filtering eventlog messages
7.2. Filtering file messages
8.1. Customizing messages using templates
10.2.1. Creating core and memory dumps
10.2.2. Enabling debug logging in syslog-ng Agent
10.2.3. Troubleshooting domain setting problems
10.3.2. Enabling the EVT API on Windows Vista or newer
11.1. Turning on security logging on Windows XP
11.2. Turning on security logging for domain controllers
11.3. Turning on auditing on Windows 2003 Server