Rsyslog Windows Agent Configuration

 

This section contains basic and advanced configuration samples for the Rsyslog Windows Agent, ranging from simple setups to scenarios that combine the agent with rsyslog on Linux.

  Using RSyslog Windows Agent to forward log files

  Forward Windows Eventlogs with RSyslog Windows Agent

  How To setup File Monitor Service

  How To setup the Forward via Syslog Action

 

Forward Windows Eventlogs with RSyslog Windows Agent

Step 1: Setting up the rule set and action.

  1. First we define a new rule set. Right-click “Rules”. A pop up menu will appear. Select “Add Rule Set” from this menu.
  2. Then, a wizard starts. Change the name of the rule set to whatever name you like. We will use “Forward syslog” in this example. Click “Next” to go on with the next step.
  3. Select only Forward via Syslog. Do not select any other options for this sample. Also, leave the “Create a Rule for each of the following actions” setting selected. Click “Next”. You will see a confirmation page. Click “Finish” to create the rule set.
  4. As you can see, the new Rule Set “Forward syslog” is present. Please expand it in the tree view until the action level of the “Forward syslog” Rule and select the “Forward syslog” action to configure.
  5. Configure the “Forward via Syslog” Action
    Type the “IP or the Hostname” of your syslog server into the Syslog Server field in the form.


Note: enter the IP address (or hostname) of your syslog server in the empty Syslog Server field.

  6. Finally, make sure you press the “Save” button, otherwise your changes will not be applied. Then start the service and you are done.
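The agent only sends to the address entered above; something has to listen there. The following receiver configuration for rsyslog on Linux is an added example (not from the Rsyslog Windows Agent or the rsyslog project) in rsyslog's v7+ syntax. The drop-in file name, port 514, the 192.0.2.0/24 agent subnet and the /var/log/windows directory are assumptions; adjust them to your environment.

```rsyslog
# /etc/rsyslog.d/10-windows-agent.conf (assumed path), rsyslog v7+ syntax.
# Accept what the Rsyslog Windows Agent's "Forward via Syslog" action sends.

# UDP is what a plain syslog forward uses; it is unauthenticated and can be
# dropped under load. If you selected TCP in the action, use the imtcp input.
module(load="imudp")
input(type="imudp" port="514" ruleset="winagent")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="winagent")

# One file per Windows host and tag; %programname% is the tag up to the first
# space, so with the "<HOSTNAME> <IP ADDRESS> <LABEL>" tag convention it is
# the hostname the agent wrote into the tag.
template(name="winagent-file" type="string"
         string="/var/log/windows/%HOSTNAME%/%programname%.log")

ruleset(name="winagent") {
    # Only accept senders from the subnet the agents live in (assumed range);
    # anything else is discarded rather than written to disk.
    if $fromhost-ip startswith "192.0.2." then {
        action(type="omfile" dynaFile="winagent-file"
               dirCreateMode="0750" fileCreateMode="0640")
    }
    stop
}
```

After placing the file, restart rsyslog (`systemctl restart rsyslog`) and open port 514 on the host firewall for the agent subnet only; then start the Windows service and watch /var/log/windows/ for the per-host directories to appear.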

Step 2 : Setting up the service

Now we will set up the service. One thing needs to be mentioned first: you have to choose the service that matches your operating system, otherwise the setup may not work properly. There are two different versions of the EventLog Monitor. The list below shows which service fits which operating systems.

  1. EventLog Monitor: Windows 2000, XP, Server 2003
  2. EventLog Monitor V2: Windows Vista, Windows 7, Windows Server 2008, Windows Server 2012 R2

It is advised to use the optimized EventLog Monitor V2 wherever the operating system supports it. This is due to the massive changes that Microsoft introduced to the Event Log system starting with Vista.

How To setup EventLogMonitor V2 Service

  1. First, right-click on “Services”, then select “Add Service” and then “Event Log Monitor V2”.

Again, you can use either the default name or any name you like. We will use the default name in this sample. Leave “Use default settings” selected and press “Next”.

  2. As we have used the defaults, the wizard will immediately proceed with step 3, the confirmation page. Press “Finish” to create the service. The wizard completes and returns to the configuration client.
  3. Now you will see the newly created service beneath “Services” in the tree view. To check its parameters, select it.

Note: The “Default RuleSet” has been automatically assigned as the rule set to use. By default, the wizard always assigns the first rule set visible in the tree view to new services.

  4. Finally, bind a rule set to this service. If you already have a rule set (for example the “Forward syslog” rule set from Step 1), simply choose it. If not, create one, or insert the actions you want to take into the default rule set.

The last step is to save the changes and start the service. This completes the agent configuration for forwarding Windows Event Logs.
The NT service cannot dynamically read a changed configuration, so it needs to be restarted after any change. In our sample the service was not yet started, so we simply need to start it. If it is already running, restart it.

That’s it. This is how you create a simple Event Log Monitor V2 on Vista and later.

Using RSyslog Windows Agent to forward log files

Step 1: Setting up the ruleset and action.

 As in the previous section, create a new rule set, here named “Pandy-Log File”, with a “Forward via Syslog” action pointing at your syslog server.
Step 2: Setting up the service.
  1. First, right-click on “Services”, then select “Add Service” and then “File Monitor”.

Now you will see the newly created service beneath “Services” in the tree view. To check its parameters, select it. Bind the “Pandy-Log File” rule set to it, save, and start (or restart) the service.

The log files are now monitored and forwarded.

Note: For every kind of configuration, set the Tag value to <HOSTNAME> <IP ADDRESS> <LABEL>; this makes forwarded logs easy to trace back to their source once they reach the syslog server or SIEM. Example for monitoring MSSQL:

PANDY            <HostIP >       MSSQL.LOG.
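To confirm what actually arrives from the “Forward via Syslog” action set up above, and that the tag convention is being applied, here is a small UDP syslog receiver and parser. It is an added example, not code from the Rsyslog Windows Agent or from rsyslog. It assumes the agent emits RFC 3164-style lines of the form <PRI>Mon dd HH:MM:SS host TAG: message with the tag filled in as <HOSTNAME> <IP ADDRESS> <LABEL>; the sample lines, the 192.0.2.10 address and port 5514 are constructed for the example.

```python
#!/usr/bin/env python3
"""Minimal UDP syslog receiver and tag parser for checking what the agent sends.

Added example, not code from the Rsyslog Windows Agent or rsyslog. It assumes
RFC 3164-style lines ("<PRI>Mon dd HH:MM:SS host TAG: message") whose TAG was
set to "<HOSTNAME> <IP ADDRESS> <LABEL>" as recommended above.
"""
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$",
    re.DOTALL,
)

# "<HOSTNAME> <IP ADDRESS> <LABEL>", an optional ':' and then the message.
TAG_RE = re.compile(
    r"^(?P<tag_host>[A-Za-z0-9._-]+) "
    r"(?P<tag_ip>[0-9A-Fa-f:.]+) "
    r"(?P<tag_label>[A-Za-z0-9._-]+):?"
    r"(?:\s+(?P<msg>.*))?$",
    re.DOTALL,
)


@dataclass
class Event:
    facility: int
    severity: int
    timestamp: str
    host: str                 # hostname from the syslog header (set by the agent)
    tag_host: Optional[str]   # the three tag parts; None when the tag
    tag_ip: Optional[str]     # convention was not followed
    tag_label: Optional[str]
    message: str


def split_priority(pri: int) -> Tuple[int, int]:
    """RFC 3164 PRI = facility * 8 + severity."""
    return pri >> 3, pri & 7


def parse_line(line: str) -> Optional[Event]:
    """Parse one received line; None if it is not RFC 3164-shaped."""
    m = SYSLOG_RE.match(line.rstrip("\r\n\x00"))
    if not m:
        return None
    facility, severity = split_priority(int(m["pri"]))
    rest = m["rest"]
    t = TAG_RE.match(rest)
    if t:
        try:
            ipaddress.ip_address(t["tag_ip"])   # rejects look-alikes such as "ERROR 12.5 ..."
        except ValueError:
            t = None
    if t:
        return Event(facility, severity, m["ts"], m["host"],
                     t["tag_host"], t["tag_ip"], t["tag_label"], t["msg"] or "")
    return Event(facility, severity, m["ts"], m["host"], None, None, None, rest)


def source_matches_tag(event: Event, src_ip: str) -> bool:
    """UDP syslog is unauthenticated, so header and tag can claim anything; at
    least check that the IP the agent wrote into its tag is the packet's source."""
    if event.tag_ip is None:
        return False
    return ipaddress.ip_address(event.tag_ip) == ipaddress.ip_address(src_ip)


def serve(bind: str = "0.0.0.0", port: int = 514) -> None:
    """Print parsed fields for every datagram received (Ctrl-C to stop).
    Port 514 needs root; use an unprivileged port such as 5514 for a quick test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            data, (src_ip, _) = s.recvfrom(65535)
            ev = parse_line(data.decode("utf-8", errors="replace"))
            if ev is None:
                print(f"{src_ip}: unparsed: {data[:80]!r}")
                continue
            flag = "" if source_matches_tag(ev, src_ip) else "  [tag IP != source IP]"
            print(f"{src_ip} fac={ev.facility} sev={ev.severity} host={ev.host} "
                  f"tag={ev.tag_host}/{ev.tag_ip}/{ev.tag_label} msg={ev.message!r}{flag}")


# Constructed sample lines in the assumed shape, not captured from a real agent.
SAMPLE_LINES = [
    "<13>Jan  5 10:00:00 PANDY PANDY 192.0.2.10 MSSQL.LOG.: Login failed for user 'sa'.",
    "<134>Jan  5 10:00:01 WIN01 EvntSLog: An account was successfully logged on.",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    # serve(port=5514)   # uncomment and point the agent at this host:5514 to watch live traffic
```

Run it as-is to see the two constructed samples parsed; then uncomment the serve() call, temporarily point the agent's “Forward via Syslog” action at this host on port 5514, and start the service. The source-IP check is there because plain UDP syslog carries no authentication: a message whose tag claims one host but arrives from another is flagged rather than trusted.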

Hopefully this document helps with forwarding logs, events and files to a syslog server for SIEM integration.
