The syslog-ng Agent for Windows 4 LTS Administrator Guide

Publication date September 05, 2013

This manual is the primary documentation of the syslog-ng Agent for Windows 4 LTS application.

Copyright 1996-2013 BalaBit IT Security Ltd.

This guide is published under the Creative Commons Attribution-Noncommercial-No Derivative Works (by-nc-nd) 3.0 license. The latest version is always available at http://www.balabit.com/support/documentation. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young ([email protected]) This documentation and the product it describes are considered protected by copyright according to the applicable laws. The Zorp name and the Zorp logo are registered trademarks of BalaBit. The BalaBit Shell Control Box name and the BalaBit Shell Control Box logo are registered trademarks of BalaBit. The syslog-ng name and the syslog-ng logo are registered trademarks of BalaBit. The BalaBit name and the BalaBit logo are registered trademarks of BalaBit. Linux is a registered trademark of Linus Torvalds. Debian is a registered trademark of Software in the Public Interest Inc. Windows 95, 98, ME, 2000, XP, Server 2003, Vista, Server 2008 and 7 are registered trademarks of Microsoft Corporation. MySQL is a registered trademark of Oracle and/or its affiliates. Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Red Hat, Inc., Red Hat Enterprise Linux and Red Hat Linux are trademarks of Red Hat, Inc. SUSE is a trademark of SUSE AG, a Novell business. Solaris is a registered trademark of Sun Microsystems, Inc. AIX, AIX 5L, AS/400, BladeCenter, eServer, IBM, the IBM logo, IBM System i, IBM System i5, IBM System x, iSeries, i5/OS, Netfinity, NetServer, OpenPower, OS/400, PartnerWorld, POWER, ServerGuide, ServerProven, and xSeries are trademarks or registered trademarks of International Business Machines. Alliance Log Agent for System i is a registered trademark of Patrick Townsend & Associates, Inc. All other product names mentioned herein are the trademarks of their respective owners. Some rights reserved. DISCLAIMER BalaBit is not responsible for any third-party Web sites mentioned in this document. BalaBit does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. BalaBit will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

www.balabit.com

Table of Contents
Preface ............................................................................................................................................. vii 1. Summary of contents ............................................................................................................... vii 2. Target audience and prerequisites .............................................................................................. vii 3. Products covered in this guide .................................................................................................. viii 4. Typographical conventions ....................................................................................................... viii 5. Contact and support information ............................................................................................. viii 5.1. Sales contact .................................................................................................................. ix 5.2. Support contact ............................................................................................................. ix 5.3. Training ........................................................................................................................ ix 6. About this document ................................................................................................................ ix 6.1. Summary of changes ...................................................................................................... ix 6.2. Feedback ....................................................................................................................... xi 6.3. Acknowledgments .......................................................................................................... xi 1. Introduction .................................................................................................................................... 1 1.1. Supported operating systems .................................................................................................... 1 2. Installing the syslog-ng Agent ......................................................................................................... 3 2.1. Installing the syslog-ng Agent in standalone mode ...................................................................... 3 2.2. Installing the syslog-ng Agent on the domain controller and the hosts of a domain ........................ 5 2.2.1. Installing the syslog-ng Agent on the domain controller and the hosts of a domain .............. 5 2.3. Silent installation ..................................................................................................................... 7 2.4. Installing syslog-ng Agent into a custom folder .......................................................................... 9 2.5. Upgrading syslog-ng Agent for Windows to the latest version ...................................................... 9 2.6. Uninstalling syslog-ng Agent .................................................................................................. 10 2.7. Uninstalling syslog-ng Agent in silent mode ............................................................................. 10 3. Configuring syslog-ng Agent for Windows ..................................................................................... 11 3.1. How to configure the syslog-ng Agent ..................................................................................... 11 3.1.1. Configuring a standalone syslog-ng Agent ..................................................................... 11 3.1.2. Configuring the syslog-ng Agents of a domain ............................................................... 11 3.1.3. Using an XML-based configuration file ......................................................................... 14 3.2. Configuring destinations ........................................................................................................ 16 3.2.1. Configuring the destination logservers .......................................................................... 17 3.2.2. Limiting the rate of messages ....................................................................................... 24 3.3. Configuring message sources .................................................................................................. 25 3.3.1. Eventlog sources ........................................................................................................ 25 3.3.2. Managing file sources .................................................................................................. 28 3.3.3. Configuring global settings .......................................................................................... 33 3.3.4. Disabling sources and filters globally ............................................................................. 33 3.4. Using SSL-encrypted connections with the syslog-ng Agent ....................................................... 34 3.4.1. Enabling encrypted connections ................................................................................... 34 3.4.2. Using mutual authentication with syslog-ng Agent .......................................................... 34 3.4.3. Importing certificates with the Microsoft Management Console ....................................... 36 3.5. Filtering messages ................................................................................................................. 36 3.5.1. Filtering eventlog messages .......................................................................................... 37 3.5.2. Filtering file messages ................................................................................................. 41 3.6. Customizing the message format ............................................................................................ 42

www.balabit.com

iii

3.6.1. Customizing messages using templates .......................................................................... 42 3.6.2. Customizing the timestamp used by the syslog-ng Agent ................................................. 43 3.6.3. Macros available in the syslog-ng Agent ......................................................................... 44 3.7. Controlling the syslog-ng Agent services .................................................................................. 48 3.7.1. Command-line options ................................................................................................ 49 4. Troubleshooting syslog-ng Agent for Windows ............................................................................. 50 4.1. Sending messages and CPU load ............................................................................................. 51 4.2. Creating core and memory dumps ........................................................................................... 51 4.3. Enabling debug logging in syslog-ng Agent .............................................................................. 52 4.4. Logging domain update errors ................................................................................................ 52 5. Configuring the auditing policy on Windows ................................................................................. 54 5.1. Turning on security logging on Windows XP ........................................................................... 54 5.2. Turning on security logging for domain controllers ................................................................... 54 5.3. Turning on auditing on Windows 2003 Server .......................................................................... 55 Appendix 1. License contract for BalaBit Product ............................................................................. 56 Appendix 2. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License ............................................................................................................................................................ 63 Glossary ............................................................................................................................................ 68 Index ................................................................................................................................................. 72

www.balabit.com

iv

List of Examples
3.1. Legacy BSD Syslog Protocol log ..................................................................................................... 3.2. Snare log ...................................................................................................................................... 3.3. Collecting the logs of multiple applications from a single folder .......................................................... 3.4. Using command line options .......................................................................................................... 19 22 28 49

www.balabit.com

List of Procedures
2.1. Installing the syslog-ng Agent in standalone mode .............................................................................. 3 2.2.1. Installing the syslog-ng Agent on the domain controller and the hosts of a domain .............................. 5 2.4. Installing syslog-ng Agent into a custom folder .................................................................................. 9 2.6. Uninstalling syslog-ng Agent .......................................................................................................... 10 2.7. Uninstalling syslog-ng Agent in silent mode ..................................................................................... 10 3.1.2.1. Configuring the syslog-ng Agents of the domain hosts ................................................................. 12 3.1.2.2. Configuring the syslog-ng Agents of the domain controllers ......................................................... 12 3.1.3.1. Creating an XML configuration file for the syslog-ng Agent .......................................................... 14 3.2.1. Configuring the destination logservers .......................................................................................... 17 3.2.2. Limiting the rate of messages ....................................................................................................... 24 3.3.1.1. Managing eventlog sources ........................................................................................................ 26 3.3.1.2. Determining the name of a custom eventlog container on Windows Vista and newer ...................... 27 3.3.1.3. Determining the name of a custom eventlog container on Windows 2000, XP, or Server 2003 ...... 2 7 3.3.2. Managing file sources .................................................................................................................. 28 3.3.3. Configuring global settings .......................................................................................................... 33 3.3.4. Disabling sources and filters globally ............................................................................................. 33 3.4.1. Enabling encrypted connections ................................................................................................... 34 3.4.2.1. Configuring mutual authentication with the syslog-ng Agent for Windows ...................................... 35 3.4.3. Importing certificates with the Microsoft Management Console ....................................................... 36 3.5.1. Filtering eventlog messages .......................................................................................................... 37 3.5.2. Filtering file messages ................................................................................................................. 41 3.6.1. Customizing messages using templates .......................................................................................... 42 4.3. Enabling debug logging in syslog-ng Agent ...................................................................................... 52 4.4. Logging domain update errors ........................................................................................................ 52 5.1. Turning on security logging on Windows XP ................................................................................... 54 5.2. Turning on security logging for domain controllers ........................................................................... 54 5.3. Turning on auditing on Windows 2003 Server .................................................................................. 55

www.balabit.com

vi

Summary of contents

Preface
Welcome to the syslog-ng Agent for Windows Administrator Guide! This document describes how to configure and manage syslog-ng Agent for Windows. Background information for the technology and concepts used by the product is also discussed.
Note For details on configuring and managing the Linux/Unix versions of the syslog-ng Premium Edition application, see The syslog-ng Premium Edition 4 LTS Administrator Guide. For details on configuring and managing the syslog-ng Agent for IBM System i application, see The syslog-ng Agent for IBM System i Administrator Guide.

1. Summary of contents
Chapter 1, Introduction (p. 1) describes the main functionality and purpose of syslog-ng PE. Chapter 2, Installing the syslog-ng Agent (p. 3) describes how to install the syslog-ng Agent in various scenarios and how to upgrade to new versions. Chapter 3, Configuring syslog-ng Agent for Windows (p. 11) provides detailed description on configuring and managing syslog-ng Agent for Windows. Chapter 4, Troubleshooting syslog-ng Agent for Windows (p. 50) describes how to solve common errors and problems. Chapter 5, Configuring the auditing policy on Windows (p. 54) provides descriptions on how to enable auditing on various Windows platforms. Appendix 1, License contract for BalaBit Product (p. 56) includes the text of the End-User License Agreement applicable to syslog-ng Agent for Windows. Glossary (p. 68) provides definitions of important terms used in this guide. Index (p. 72) provides cross-references to important terms used in this guide.

2. Target audience and prerequisites

This guide is intended for system administrators and consultants responsible for designing and maintaining logging solutions and log centers. It is also useful for IT decision makers looking for a tool to implement centralized logging in heterogeneous environments. The following skills and knowledge are necessary for a successful syslog-ng administrator: At least basic system administration knowledge. An understanding of networks, TCP/IP protocols, and general network terminology. Working knowledge of the UNIX or Linux operating system.

www.balabit.com

vii

Products covered in this guide

In-depth knowledge of the logging process of various platforms and applications. An understanding of the legacy syslog (BSD-syslog) protocol) and the new syslog (IETF-syslog) protocol) standard.

3. Products covered in this guide

This guide describes the use of the following syslog-ng version: syslog-ng Premium Edition (syslog-ng PE) 4 LTS (4.0.0) and later

4. Typographical conventions
Before you start using this guide, it is important to understand the terms and typographical conventions used in the documentation. For more information on specialized terms and abbreviations used in the documentation, see the Glossary at the end of this document. The following kinds of text formatting and icons identify special information in the document.
Tip Tips provide best practices and recommendations.

Note Notes provide additional information on a topic, and emphasize important facts and considerations.

Warning Warnings mark situations where loss of data or misconfiguration of the device is possible if the instructions are not obeyed.

Command

Commands you have to execute. Reference items, additional readings. File names. Parameter and attribute names. GUI output messages or dialog labels. A submenu or menu item in the menu bar. Buttons in dialog windows.

Emphasis
/path/to/file Parameters

Label Menu Button

5. Contact and support information

This product is developed and maintained by BalaBit IT Security Ltd. We are located in Budapest, Hungary. Our address is:

www.balabit.com

viii

Sales contact

BalaBit IT Security Ltd. 2 Alz Street H-1117 Budapest, Hungary Tel: +36 1 398-6700 Fax: +36 1 208-0875 E-mail: <[email protected]> Web: http://www.balabit.com/

5.1. Sales contact

You can directly contact us with sales related topics at the e-mail address <[email protected]>, or leave us your contact information and we call you back.

5.2. Support contact

In case you experience a problem that is not covered in this guide, visit post it on syslog-ng mailing list. the syslog-ng wiki or

5.3. Training
BalaBit IT Security Ltd. holds courses on using its products for new and experienced users. For dates, details, and application forms, visit the http://www.balabit.com/support/trainings/ webpage.

6. About this document

This guide is a work-in-progress document with new versions appearing periodically. The latest version of this document can be downloaded from the BalaBit website here.

6.1. Summary of changes

6.1.1. Summary of changes
Version 3.2 - 4.0

Changes in product: Extended the list of compatible Microsoft .NET Framework versions with version 3.0 and version 3.5 in Procedure 2.1, Installing the syslog-ng Agent in standalone mode (p. 3). Updated the description of Legacy BSD Syslog Protocol in Procedure 3.2.1, Configuring the destination logservers (p. 17). Changes in document: Procedure 2.4, Installing syslog-ng Agent into a custom folder (p. 9) has been added to the document. Procedure 4.3, Enabling debug logging in syslog-ng Agent (p. 52) has been clarified.

www.balabit.com

ix

Summary of changes

A warning about file sources on network shares has been added to Procedure 3.3.2, Managing file sources (p. 28). A warning about archiving for the event container has been added to Section 3.3.1, Eventlog sources (p. 25). A note about running the service with "log on as service" rights has been added to Section 3.7, Controlling the syslog-ng Agent services (p. 48). The description of failover has bee clarified in Section 3.2, Configuring destinations (p. 16). The relation between syslog-ng PE and syslog-ng Agent for Windows has been clarified in Section 1.1, Supported operating systems (p. 1). The document index has been updated. Procedures have been restructured to facilitate easier understanding. Latin abbreviations have been replaced in document with their English equivalents. Links to sections in the document have been harmonized. Links to external web pages have been clarified.
Version 3.1.1 - 3.2

Changes in product: Added how to set file encoding to Procedure 3.3.2, Managing file sources (p. 28). Added the Snare protocol description to Procedure 3.2.1, Configuring the destination logservers (p. 17). Added global and destination-specific filters to Section 3.5, Filtering messages (p. 36). Documented XML export and import in Section 3.1.3, Using an XML-based configuration file (p. 14) and removed the obsolete XML examples. Added how to process multi-line messages to Processing multi-line messages (p. 32). Added filters to Procedure 3.5.1, Filtering eventlog messages (p. 37). Added filters to Procedure 3.5.2, Filtering file messages (p. 41). Updated macros in Section 3.6.3, Macros available in the syslog-ng Agent (p. 44). Figures have been added to the document. Changes in documentation: Editorial changes only.
Version 3.0 - 3.1

Changes in product: The contents of the guide have been updated to syslog-ng Agent for Windows 3.1. Changes in documentation: The documentation of the syslog-ng Agent for Windows has been separated from The syslog-ng Administrator Guide.

www.balabit.com

Feedback

6.2. Feedback
Any feedback is greatly appreciated. General comments, errors found in the text, and any suggestions about how to improve the documentation is welcome at <[email protected]>.

6.3. Acknowledgments
BalaBit would like to express its gratitude to the syslog-ng users and the syslog-ng community for their invaluable help and support, including the community members listed at syslog-ng Community Page.

www.balabit.com

xi

Supported operating systems

Chapter 1. Introduction
This chapter describes how to install and configure the syslog-ng Agent on Microsoft Windows hosts. The syslog-ng Agent for Windows is a log collector and forwarder application for the Microsoft Windows platform. It collects the log messages of the Windows-based host and forwards them to a syslog-ng server using regular or TLS-encrypted TCP connections. The features and restrictions of the syslog-ng Agent are summarized below: Reads messages from eventlog containers and log files. Transfers log messages using TCP. Supports TLS encryption. Authenticates the server using X.509 certificates. Mutual authentication is also supported. The format of eventlog messages can be customized using macros. Supports multiple destinations both in parallel and fail-over modes. Can be managed from a domain controller using group policies. Only basic filtering is supported by the agent, message segmenting, parsing, and classification is not. Note that the log messages on Windows come from files either eventlog containers or custom logfiles which are already stored on the harddisk, so the agent does not use additional disk buffering.

1.1. Supported operating systems

The central syslog-ng server cannot be installed on Microsoft Windows platforms. The syslog-ng Agent for Windows is capable of forwarding log messages to the central syslog-ng server. It is part of the syslog-ng PE, and is licensed together with it. The syslog-ng Agent supports the following operating systems: Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 Microsoft Windows 7
Note The syslog-ng Agent for Windows application supports the XML-based eventlog used format on Microsoft Windows Vista and Microsoft Windows Server 2008, and Windows 7, and also offers full support for 64-bit operating systems.

www.balabit.com

Supported operating systems

Note Managing syslog-ng Agent from a Windows 2000 domain controller is not supported.

www.balabit.com

Chapter 2. Installing the syslog-ng Agent

The syslog-ng Agent for Windows application can be installed in standalone mode on independent hosts. If your hosts are members of a domain, you can install the syslog-ng agent on the domain controller and configure them globally. For details on how to install the syslog-ng Agent for Windows application in standalone mode, see Procedure 2.1, Installing the syslog-ng Agent in standalone mode (p. 3). For details on how to install the syslog-ng Agent for Windows application on the members of a domain, see Section 2.2, Installing the syslog-ng Agent on the domain controller and the hosts of a domain (p. 5).
Note The syslog-ng Agent for Windows application is configured usually using its MMC snap-in (when managed globally from the domain controller or when configuring it in standalone mode). However, it is also possible to use an XML-based configuration file. For details, see Section 3.1.3, Using an XML-based configuration file (p. 14).

Installer types: syslog-ng-agent-<version>-setup.exe is the general installer. This installs an agent that can be configured with a local configuration, XML configuration file and can receive configuration from domain group policy. syslog-ng-agent-nosnapin-<version>-setup.exe is a special installer. .NET environment is not required for it. This installs an agent that can only be configured with an XML configuration file, and can receive configuration from domain group policy. syslog-ng-agent-setup-<version>-<amd64/i386>.msi is an MSI installer for domain clients, installing by group policy.

2.1. Procedure Installing the syslog-ng Agent in standalone mode

Purpose: The syslog-ng Agent for Windows application can be installed in standalone mode on independent hosts. If your hosts are members of a domain, install the syslog-ng Agent on the domain controller, as described in Section 2.2, Installing the syslog-ng Agent on the domain controller and the hosts of a domain (p. 5). The syslog-ng Agent requires about 10 MB hard disk space. To install the syslog-ng Agent in standalone mode, complete the following steps:
Note The syslog-ng Agent for Windows requires the Microsoft .NET Framework version 2.0, 3.0 or 3.5. This package is usually already installed on most hosts. Download the package here.

Steps:

www.balabit.com

Step 1. Start the installer. Run the syslog-ng-agent-<versionnumber>-setup.exe file.

Note Installing the syslog-ng Agent requires administrator privileges.

Step 2. Read the End User License Agreement and select I Agree. Step 3. Select the destination folder where you want to install the syslog-ng Agent for Windows application, then select Next. Step 4. Select Standalone mode, then click Next.

Figure 2.1. Installing in Standalone mode

Step 5. Starting from version 3.0.3, the syslog-ng Agent sends only messages that are created after the agent has been installed. If you want to send old log messages to the syslog-ng server, enable the Send log messages generated before the syslog-ng Agent was installed option and click Install. Step 6. The installer automatically opens the configuration interface of the syslog-ng Agent. As a minimum, you must set the IP address of the destination server, and the agent will automatically start sending eventlog messages to your central logserver from the Application, Security, and System eventlog containers.
Note The installation is completed only after you close the configuration interface. For details on how to modify the configuration later, see Section 3.1.1, Configuring a standalone syslog-ng Agent (p. 11).

www.balabit.com

Installing the syslog-ng Agent on the domain controller and the hosts of a domain

2.2. Installing the syslog-ng Agent on the domain controller and the hosts of a domain
The syslog-ng Agent for Windows application can be installed on the domain controller and the members of a domain from the domain controller, and configured globally using group policies. The syslog-ng Agent requires about 10 MB hard disk space. For details on how to install the syslog-ng Agent application in a domain, see Procedure 2.2.1, Installing the syslog-ng Agent on the domain controller and the hosts of a domain (p. 5). For details on how to configure the syslog-ng Agents of the domain hosts, see Procedure 3.1.2.1, Configuring the syslog-ng Agents of the domain hosts (p. 12). For details on how to configure the syslog-ng Agents of the domain controllers, see Procedure 3.1.2.2, Configuring the syslog-ng Agents of the domain controllers (p. 12).
Note Starting from version 3.0.4, the .msi version of the installer does not install the MMC configuration snap-in of the agent, therefore the .msi installer does not require the .NET framework.

2.2.1. Procedure Installing the syslog-ng Agent on the domain controller and the hosts of a domain
Purpose: To install the syslog-ng Agent application on the domain controller and the hosts of a domain, complete the following steps. This procedure assumes that you install the syslog-ng Agent on the domain controllers in standalone mode, and configure the domain hosts from each domain controller.
Note To configure the syslog-ng Agent from domain controllers, you need to install the syslog-ng Agent in standalone mode on at least one domain controller. You can then export the configuration of syslog-ng Agent from the first domain controller and import it to other domain controllers, or you can configure an agent group policy on the other domain controllers, and install syslog-ng Agent in domain mode.

Note Starting from version 3.0.3, the syslog-ng Agent sends only messages that are created after the agent has been installed. If you want to send old log messages to the syslog-ng server, download the Orca MSI editor here, open the .msi installer of the syslogng Agent, select Property, and change the value of the SENDOLDMESSAGES field to yes.

Steps: Step 1. Download both the Microsoft Installer (.msi) version and the executable (.exe) version of the syslogng Agent installer to the domain controller host. Make sure to download the executable that includes the MMC snap-in module. Note that separate .msi intallers are available for 32-bit and 64-bit operating systems.

www.balabit.com

Installing the syslog-ng Agent on the domain controller and the hosts of a domain

Note Installing the syslog-ng Agent requires administrator privileges, but configuring the related group policies on the domain controller requires domain administrator or higher (for example enterprise administrator) privileges.

Step 2. Install the syslog-ng Agent application to your domain controllers using the .exe installer.
Note The .exe installer of the syslog-ng Agent for Windows requires Microsoft .NET Framework version 2.0. This package is usually already installed on most hosts. Download the package here.

Step 3.

On Windows 2008: Select Start > Control Panel > Administrative Tools > Group Policy Management. On other Windows platforms: Select Start > Control Panel > Administrative Tools > Active Directory Users and Computers, right-click on the Organizational Unit of the domain whose hosts you want to install the syslog-ng Agent on, and select Properties.

Step 4.

On Windows 2008: Select and edit the Group Policy object you want to add the syslog-ng Agent configuration to. Alternatively, you can create a new group policy object as well. On other Windows platforms: Select Group Policy, and edit the Group Policy object you want to add the syslog-ng Agent configuration to. Alternatively, you can create a new group policy object as well.

Step 5. Select Computer Configuration, right-click on Software Settings, and select New > Package. Step 6. Navigate to the syslog-ng Agent for Windows .msi installer and select Open. Step 7. Select Assigned, then OK. Step 8. Select Computer Configuration > syslog-ng Agent Settings and configure the syslog-ng Agent. The members of the domain will use this configuration.

www.balabit.com

Silent installation

Figure 2.2. syslog-ng Agent Settings

Step 9. The syslog-ng Agent for Windows application will be automatically installed on the members of the domain when they are next rebooted.
Note If you do not want to install the syslog-ng Agent automatically from the domain controller, skip Steps 5-7, complete Step 8, then install the syslog-ng-agent-nosnapin-<versionnumber>-setup.exe file manually on the members of the domain. This method is useful if you do not want to install the syslog-ng Agent on every host of the domain.

Step 10. After the members of the domain have been rebooted, execute the gpupdate command on the members of the domain. The syslog-ng Agent for Windows application will receive its configuration during the group policy update, and start processing log messages accordingly.

2.3. Silent installation

The syslog-ng Agent for Windows application can be installed in silent mode as well, without requiring any user interaction. The various installer options can be specified as command-line options. The following options are available:
/S /D=

Start the installer in silent mode. This option is required for the silent installation. Install the syslog-ng Agent into the specified folder.

www.balabit.com

Silent installation

Warning If you use the /D option, make sure that this is the last option in the commandline. For example: syslog-ng-agent-nosnapin-4.0.3-setup.exe /S
/SENDOLDMSGS=NO /D=c:\agent\ /XMLCONFIG=c:\test.xml /LOCALUPGRADE

/NOMENU /LOCAL /REMOTE /SENDOLDMSGS=

Do not add entries about syslog-ng Agent to the Start menu. Install syslog-ng Agent in standalone mode. This is the default, installation mode of the syslog-ng Agent. Install syslog-ng Agent in domain mode. If set to YES, the syslog-ng Agent will forward every message available in its message sources. By default, it is FALSE, meaning that only new messages are forwarded.
Note This option has no effect when using an XML configuration file (the /XMLCONFIG option). To send old messages in this case, add the SendOldMessages="1" attribute to the XML configration file:
<syslog-ng_Agent SendOldMessages="1">

Note that after syslog-ng Agent starts up, it automatically removes the SendOldMessages="1" attribute from the configuration file.

/XMLCONFIG= /GPOUPGRADE

Use the specified XML configuration file for the configuration of syslog-ng Agent. Upgrade all GPO configuration having syslog-ng settings during the installation.
Warning Use it only on a domain controller.

/XMLUPGRADE /LOCALUPGRADE

Upgrade xml configuration during the installation if xml configuration file is used. Upgrade local settings.
Note If syslog-ng Agent uses only local configuration and you do not specify this option, it is possible that syslog-ng Agent will not start while you are upgrading its local configuration by opening local configuration with syslog-ng agent MMC snap-in.

/NOUPGRADE

The installer does not perform upgrade during the installation (default). Use it if the configuration comes from GPO or you are using XML configuration and you do not want to upgrade it (in this case, agent will upgrade it temporarily after starting).

The upgrade operation will be only performed if upgrading is really needed for the specified configuration. For example: If there is no configuration version switching between the current and the previous syslog-ng agent (for

www.balabit.com

Upgrading syslog-ng Agent for Windows to the latest version

example when upgrading from version 3.0.7 to version 3.0.8) the local settings will not be upgraded even you give /LOCALUPGRADE option.

2.4. Procedure Installing syslog-ng Agent into a custom folder

Purpose: The .msi installer package of syslog-ng Agent can be modified to install the syslog-ng Agent application into a custom folder. Steps: When installing the syslog-ng Agent application from the command line, execute the following command to specify a custom installation folder: msiexec /i syslog-ng-agent-setup-<version>-<amd64/i386>.msi
INSTDIR=C:\<path-to-custom-folder>\

Otherwise, complete the following steps to modify the .msi package. Step 1. Download the Orca MSI editor. Step 2. Start Orca and load the syslog-ng-agent-setup-<version>-<amd64/i386>.msi file to modify. Step 3. Select Transform > New Transform. Step 4. Add the INSTDIR property to the Property Table, and set its value to the full path of the folder where you want to install the syslog-ng Agent application. Step 5. Select Transform > Generate Transform and save the modifications into a .mst file. Step 6. Close the Orca MSI Editor. Step 7. Select Start > Control Panel > Administrative Tools > Active Directory Users and Computers and edit the Group Policy object that contains the syslog-ng Agent configuration. Step 8. Add the saved .mst package as a modification to the syslog-ng Agent .msi package.

2.5. Upgrading syslog-ng Agent for Windows to the latest version

The exact upgrading procedure of the syslog-ng Agent for Windows application depends on how you have installed and how you manage the agent.
Warning When upgrading agents running in domain mode, always upgrade the agents running on the domain hosts before upgrading the agent running on the domain controllers. The hosts of a domain (including the domain controllers) should run the same version of the syslog-ng Agent, running different versions on the hosts in neither supported nor recommended.

Note Upgrading to syslog-ng Agent for Windows version 4.0 is supported only from syslog-ng Agent version 3.0.8 (the latest stable release) and version 3.2.1 (the latest feature release).

www.balabit.com

Upgrading syslog-ng Agent for Windows to the latest version

If a host is running syslog-ng Agent in standalone mode, download and execute the syslog-ng-agent-<versionnumber>-setup.exe installer on the host and verify that the displayed information is correct. The agent will be automatically restarted when you close the configuration window. If a domain host is running the syslog-ng Agent that was installed by the domain controller from the .msi installer package, complete the steps described in Section 2.2, Installing the syslog-ng Agent on the domain controller and the hosts of a domain (p. 5). The system will automatically recognize that the new package will update the syslog-ng Agent for Windows application. If a domain host is running the syslog-ng Agent that was installed manually from the syslog-ng-agent-nosnapin-<versionnumber>-setup.exe file, run the new syslog-ng-agent-nosnapin-<versionnumber>-setup.exe file on the host. After the installation is complete, select Start > Run and execute the gpupdate command to refresh the domain settings of the agent. If with syslog-ng-agent-<versionnumber>-setup.exe or syslog-ng-agent-nosnapin-<versionnumber>-setup.exe, download and execute the same installer. It will display the previous XML configuration file, and upgrades it if desired. syslog-ng Agent has been installed with an XML configuration file

2.6. Procedure Uninstalling syslog-ng Agent

To uninstall the syslog-ng Agent application, complete the following steps. To uninstall syslog-ng Agent from the command-line, see Procedure 2.7, Uninstalling syslog-ng Agent in silent mode (p. 10). Step 1. Navigate to the installation directory of syslog-ng Agent. Step 2. Start the uninstall.exe file. Step 3. Follow the on-screen instructions.

2.7. Procedure Uninstalling syslog-ng Agent in silent mode

To uninstall the syslog-ng Agent application from the command-line, complete the following steps. To uninstall syslog-ng Agent using the graphical interface, see Procedure 2.6, Uninstalling syslog-ng Agent (p. 10). Step 1. Start a command prompt and navigate to the installation directory of syslog-ng Agent. Step 2. To uninstall syslog-ng Agent and delete its configuration from the registry, execute the uninstall.exe /S /DELCONF command. To uninstall syslog-ng Agent, without deleting its configuration, execute the uninstall.exe /S command.

www.balabit.com

10

How to configure the syslog-ng Agent

Chapter 3. Configuring syslog-ng Agent for Windows

3.1. How to configure the syslog-ng Agent
This section describes how to configure the syslog-ng Agent application. The exact method depends on the installation scenario and also on the configuration method (regular or XML-based) you want to use. The syslog-ng Agent for Windows application is configured usually using its MMC snap-in (when managed globally from the domain controller or when configuring it in standalone mode). However, it is also possible to use an XML-based configuration file. For details on how to configure a syslog-ng Agent that was installed in standalone mode, see Section 3.1.1, Configuring a standalone syslog-ng Agent (p. 11). For details on how to configure the syslog-ng Agents of the domain hosts, see Procedure 3.1.2.1, Configuring the syslog-ng Agents of the domain hosts (p. 12). For details on how to configure the syslog-ng Agents of the domain controllers, see Procedure 3.1.2.2, Configuring the syslog-ng Agents of the domain controllers (p. 12). For details on how to configure syslog-ng Agent from file, see Section 3.1.3, Using an XML-based configuration file (p. 14).

3.1.1. Configuring a standalone syslog-ng Agent

In standalone mode, to configure an already installed syslog-ng Agent, select Start Menu > Programs > syslogng Agent for Windows > Configure syslog-ng Agent. Alternatively, select Start Menu > Run, enter gpedit.msc, then select Computer configuration > syslog-ng Agent Settings
Warning After modifying its configuration, you have to restart the syslog-ng Agent service for the changes to take effect. To restart the syslog-ng Agent service, select Start Menu > Run enter services.msc and restart the syslog-ng Agent service.

3.1.2. Configuring the syslog-ng Agents of a domain

This section describes how to configure the syslog-ng Agent for Windows application in domain mode. For details on how to configure the syslog-ng Agents of the domain hosts, see Procedure 3.1.2.1, Configuring the syslog-ng Agents of the domain hosts (p. 12). For details on how to configure the syslog-ng Agents of the domain controllers, see Procedure 3.1.2.2, Configuring the syslog-ng Agents of the domain controllers (p. 12). For details on the relationship of different group-policy levels, see Section 3.1.2.3, Domain versus local settings (p. 13).

www.balabit.com

11

Configuring the syslog-ng Agents of a domain

Note Managing syslog-ng Agent from a Windows 2000 domain controller is not supported.

3.1.2.1. Procedure Configuring the syslog-ng Agents of the domain hosts

Purpose: To configure an already installed syslog-ng Agent from the domain controller, perform the following steps. Steps: Step 1. On the domain controller, select Start > Control Panel > Administrative Tools > Active Directory Users and Computers. Step 2. Right-click on the Organizational Unit, then select Properties > syslog-ng Agent Settings. Step 3. Configure the syslog-ng Agent as needed for the domain hosts. The changes will take affect when the domain hosts update their settings from the domain controller. By default, this happens every 90 minutes, depending on your domain settings. To download the configuration earlier, execute the gpupdate command on the members of the domain.
Note When the domain hosts update their settings, the syslog-ng Agent will be automatically restarted to load the new settings, except when there is no difference between the old and the new settings.

3.1.2.2. Procedure Configuring the syslog-ng Agents of the domain controllers

Purpose: To configure the syslog-ng Agent running on the domain controllers, perform the following steps. Steps: Step 1. On the domain controller, select Start > Control Panel > Administrative Tools > Active Directory Users and Computers. Step 2. Right-click on the Organizational Unit of the domain whose domain controllers you want to configure, then select Properties. By default, the domain controllers are in the Domain Controllers organizational unit. Step 3. Select Group Policy, and edit the Group Policy object you want to add the syslog-ng Agent configuration to. Alternatively, you can create a new group policy object as well. Step 4. Select Computer Configuration > syslog-ng Agent Settings and configure the syslog-ng Agent. The domain controllers of the domain will use this configuration. Step 5. Configure the syslog-ng Agent as needed for the domain controllers. If you have multiple domain controllers, the changes will take affect when the other domain controllers update their settings from this domain

www.balabit.com

12

Configuring the syslog-ng Agents of a domain

controller. By default, this happens every 5 minutes, depending on your domain settings. To download the configuration earlier, execute the gpupdate command on the domain controllers.
Note When the domain controllers receive the new settings, the syslog-ng Agent will be automatically restarted to load the new settings, except when there is no difference between the old and the new settings.

3.1.2.3. Domain versus local settings The syslog-ng Agent follows the standard policy-inheritance methods of Windows: GPOs (Group Policy Objects) from parent containers are inherited by default. When multiple GPOs apply to these computers, the settings in the GPOs are aggregated. The final value of a given policy setting is set only by the highest precedent GPO that contains the setting. (However, the final value for a few settings will actually be the combination of values across GPOs.) In this processing order, sites are applied first, but have the least precedence. OUs (Organization Units) are processed last, but have the highest precedence. When multiple group policy objects are assigned, the group policies are applied in the following order: 1. The local group policy object is applied. 2. The group policy objects linked to sites are applied. If multiple GPOs exist for a site, they are applied in the order specified by the administrator. 3. GPOs linked to the domains are applied in the specified order. 4. GPOs linked to OUs are applied. The OU group policy objects are set from the largest to the smallest organizational unit; that is, first the parent OU and then the child OU. By default, a policy applied later overwrites a policy that was applied earlier. Hence, the settings in a child OU can override the settings in the parent OU. 5. If any group policy is not configured, the syslog-ng Agent checks its local policy settings, and uses the local setting if available. The following are the rules regarding group policy settings inheritance: A policy setting is configured (Enabled or Disabled) for a parent OU, and the same policy setting is not configured for its child OUs. The child OUs inherit the parents policy. A policy setting is configured (Enabled or Disabled) for a parent OU, and the same policy setting is configured for its child OUs. The child OUs settings override the settings inherited from the parents OU. There is a specific case, when the type of this setting is list: The syslog-ng Agent will aggregate the contents of these lists and will use the same elements only once. If any policy is not configured (Not Configured), no inheritance takes place.

www.balabit.com

13

Using an XML-based configuration file

Note Do not use setting Not Configured in local settings, because in that case, it can still use previously configred values. Use settings Enabled or Disabled instead.

3.1.3. Using an XML-based configuration file

Starting from syslog-ng Agent for Windows version 3.2, it is possible to export the configuration of syslog-ng Agent into an XML file. This configuration file can be used as the default configuration when installing the syslog-ng Agent to another host, or can be imported to an existing installation using a command-line utility.
Warning Do not manually edit or modify the exported XML file. In case you want to validate the XML file, use the syslog-ng-agent-conf.xsd file located in the installation directory of syslog-ng Agent for Windows.

3.1.3.1. Procedure Creating an XML configuration file for the syslog-ng Agent
Purpose: To create an XML configuration file that can be used by other syslog-ng Agent configurations, perform the following steps. Steps: Step 1. Install the syslog-ng Agent for Windows application on a host. Step 2. Create the configuration you want to use on other hosts using the graphical interface. The syslog-ng Agent for Windows application will store this configuration in the registry. Step 3. Right-click on syslog-ng Agent Settings and select Export to export the configuration of syslog-ng Agent from the registry to an XML file. Select where to save the XML file. Alternatively, you can export the configuration of syslog-ng Agent from the command line using the configmanager.exe -export <source> "destination xml file" command. The <source> parameter determines which configuration is exported: {GPO ID}: Export the configuration related to the specified Group Policy Object ID (for example, {99AF1185-AB80-40B2-B4B8-41A1E907F329}). localsettings: Export the local settings of the host. domainsettings: Export the settings the host received from the domain controller.
Note To overwrite the XML configuration file, use the /F option. This will force export even if the file already exists.

www.balabit.com

14

Using an XML-based configuration file

Step 4. Use the configuration file on other hosts. For details on the different options, see Section 3.1.3.2, Configuring syslog-ng Agent from an XML file (p. 15). 3.1.3.2. Configuring syslog-ng Agent from an XML file How you configure the syslog-ng Agent application to use an XML configuration file depends on your environment. See the following list for details.
Warning Do not manually edit or modify the exported XML file. Do not delete the XML configuration file: syslog-ng Agent for Windows will look for the file every time it is started or restarted. If you need to change the location of the file, edit the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\syslog-ng Agent\ImagePath

registry key.

To start an already installed, standalone syslog-ng Agent using an XML configuration file, execute the following steps in a command line: 1. cd <syslog-ng agent installation directory> 2. net stop "syslog-ng agent" 3. syslog-ng-agent.exe -i <PATH>\configuration.xml 4. net start "syslog-ng agent" To use the XML file during the installation of the syslog-ng Agent application, navigate to Setup syslogng Agent for Windows operating mode window and select XML mode. In the next window, browse your XML configuration. Note that the XML schema file will be installed in the syslog-ng Agent directory. If you want to use the .msi installer with an xml file, use the syslog-ng-agent-3.2.1-setup.msi SLNGOPTS="/xmlconfig=fullpath\myconfigfile.xml" command, or edit the installer with the Orca MSI editor, and add the SLNGOPTS="/xmlconfig=fullpath\myconfigfile.xml" to the installation parameters on the Customization tab. To import the XML configuration file into the registry of the host, use the following command: configmanager.exe -import <destination> "source xml file" command, then restart the syslog-ng Agent service. The <destination> parameter determines which configuration the XML configuration will be converted to: {GPO ID}: Import the configuration to the specified Group Policy Object ID (for example, {99AF1185-AB80-40B2-B4B8-41A1E907F329}). localsettings: Import the configuration as the local settings of the host. domainsettings: Import the configuration as the domain settings of the host.
Warning Importing the configuration file from an XML file into the registry of the host has no effect if syslog-ng Agent is configured to use an XML configuration file.

www.balabit.com

15

Configuring destinations

3.2. Configuring destinations

The syslog-ng Agent for Windows application can send the log messages of the Windows host to a central log server or relay. It is possible to send the same messages to multiple servers, when each server receives the same messages; and also to configure failover servers, when the agent sends the messages to a primary server, or to a failover server if the primary becomes unavailable. If the agent loses the connection to a destination server and the reconnection fails, it will send an eventlog message. The successful reconnection attempt is also logged. (If the server is unavailable for a long time, the agent sends a log message about the failed connection once in every ten minutes.) If the failover server also becomes unavailable, the application will switch to the next failover server, and so on. If the last failover server is unavailable, it switches back to the primary. The application does not switch back automatically to the primary server if it becomes available again, only if the syslog-ng Agent for Windows has been restarted.
Note The failover servers will use the same options that the primary server uses. Only the name and the address can be configured for the failover servers.

Similarly to the Linux version, the agent now sends MARK messages to the server to indicate that the client host is alive but there are no log messages to send. A MARK message is sent every ten minutes.
Warning The syslog-ng Agent for Windows application does not support the unreliable UDP protocol. Configure your central log server to accept logs using TCP or TLS connections. If needed, adjust your firewall configuration to permit such traffic to the log server.

www.balabit.com

16

Configuring destinations

Figure 3.1. Adding new destinations

3.2.1. Procedure Configuring the destination logservers

Purpose: To configure a new destination, complete the following steps: Steps: Step 1. Start the configuration interface of the syslog-ng Agent for Windows application. Step 2. Select syslog-ng Agent Settings > Destinations, and double-click on Add new server. Step 3. Enter the hostname or the IP address of the logserver into the Server Name field. If your logserver is configured to accept messages on a non-standard port, type the port number into the Server Port field.

www.balabit.com

17

Configuring destinations

Figure 3.2. Adding new server

Step 4. On Messages tab, select the protocol used to transfer log messages and press Reset to apply the selected template. The following protocol templates are available: Legacy BSD Syslog Protocol: Use the legacy BSD-syslog protocol specified in RFC3164. This option uses the following message template: <${PRI}>${BSDDATE} ${HOST} ${APP_NAME}[${PROCESS_ID}]: ${MSG}. Within the message part, syslog-ng Agent replaces CRLF with 2 spaces and TAB character with 1 space.

www.balabit.com

18

Configuring destinations

Figure 3.3. Legacy BSD Syslog Protocol

Example 3.1. Legacy BSD Syslog Protocol log
<134>Oct 04 14:45:33 zts-win019.ztswin2008dom.balabit Microsoft-Windows-Eventlog[2880]: ZTSWIN2008DOM\balabit: System Microsoft-Windows-Eventlog: [Information] The Application log file was cleared. (EventID 104)

Syslog Protocol: Use the new IETF-syslog protocol specified in RFC 5424-5428. Starting from version 3.0, syslog-ng also supports the IETF-protocol.

www.balabit.com

19

Configuring destinations

Figure 3.4. Syslog Protocol

Note Starting with version 3.2, the syslog-ng Agent for Windows application uses the IETF-syslog protocol by default, and the default metadata to include is Macro names and values.

When using the IETF-syslog protocol to transfer Eventlog messages, the syslog-ng Agent application can include the macros (name-value pairs) in the SDATA part of the log message. Select the data to add to the log messages from the Metadata to include list. The following options are available: None: Include only the data mandated by RFC5424.
[meta sequenceId="value" sysUpTime="value"] [origin ip="value" software="value"]

Macro names and values: Include every available Event macro, except EVENT_MSG (EVENT_MESSAGE), EVENT_MSG_XML (EVENT_MESSAGE_XML) and macros with null value.

www.balabit.com

20

Configuring destinations

This is the default setting.

499 <132>1 2010-09-28T12:02:30+02:00 zts-win004.ztswin2003dom.balabit testapp 1220 - [meta sequenceId="1" sysUpTime="1"][origin ip="zts-win004.ztswin2003dom.balabit" software="testapp"][[email protected] EVENT_ID="1000" EVENT_NAME="Application" EVENT_REC_NUM="1673" EVENT_SID="S-1-5-21-3460971693-970282485-2299281428-1001" EVENT_SID_TYPE="User" EVENT_SOURCE="testapp" EVENT_TYPE="Warning" EVENT_USERNAME="ZTS-WIN004\\balabit"] ZTS-WIN004\balabit: Application testapp: [Warning] test message (EventID 1000)

Note The names of SDATA fields must be in the following format: name@<private enterprise number>, for example, [email protected]. (18372.4 is the private enterprise number of BalaBit IT Security, the developer of syslog-ng Agent for Windows.) Messages received from eventlog sources include the [email protected] SD-ID. For example, on your syslog-ng PE server you can refer to message fields like:
${[email protected]_SOURCE}

Messages received from eventlog sources include the [email protected] SD-ID. For example, on your syslog-ng PE server you can refer to message fields like:
${[email protected]}

EventData (deprecated Agent v3.1 functionality): Include the name-vaule pairs from the EventData > <Data> field of the log message and the Keyword value from the System part of the XML Eventlog messages. Note that these fields are available only on Windows Vista and newer operating systems, and syslog-ng Agent 3.1. automatically included these values in the log messages.
[[email protected] "name"="value"] [[email protected] Keyword="value"]

See the following sample log message:

338 <132>1 2010-09-28T12:02:30+02:00 zts-win004.ztswin2003dom.balabit testapp 1620 - [meta sequenceId="1" sysUpTime="1"][origin ip="zts-win004.ztswin2003dom.balabit" software="testapp"][[email protected] Data="test message"][[email protected] Keyword="Classic"] ZTS-WIN004\balabit: Application testapp: [Warning] test message (EventID 1000)332

Snare Protocol: Send log messages in a format compatible with the Snare log monitoring tool.

www.balabit.com

21

Configuring destinations

Figure 3.5. Snare Protocol

Warning 3.1 and earlier versions of the syslog-ng Agent for Windows application used an imperfect message template to send Snare-compatible messages. This has been corrected in the Snare Protocol option. If you need the old, imperfect mode of operation, select a syslog protocol and select Message Type > Agent v3.1 Snare Compatible Message Type (deprecated), then click Reset Event Message Template.

Note Snare is a tab-separated message format. Within the message part, agent replaces CRLF with 2 space, TAB character with 1 space. You cannot modify the log format if you have selected this protocol.

Example 3.2. Snare log

<134>Oct 06 13:49:41 zts-win019.ztswin2008dom.balabit MSWinEventLog 1 Application 1 Wed Oct 06 13:49:41 2010 1 syslog-ng Agent S-1-5-21-551780264-1021859348-3425375765-1003 User Information zts-win019.ztswin2008dom.balabit None Application started 1

www.balabit.com

22

Configuring destinations

Note Selecting the Syslog Protocol option is identical to using the syslog driver in the Linux/Unix version of syslogng. Similarly, selecting Legacy BSD Syslog Protocol is equivalent to the tcp driver of syslog-ng. Changing a protocol does not automatically change the protocol template used. To use a protocol-specific template, select Reset Protocol Template after modifying the protocol.

Step 5. If needed, modify the template of the messages. The format of the messages can be different for the eventlog and the file sources.
Warning The maximal length of the template is 1023 characters.

Step 6. If the host running syslog-ng Agent is sometimes logged in into a domain, sometimes not, then its hostname might change depending on its actual domain membership. This might cause that the hostname appearing in the syslog messages depends on the domain membership of the host. To avoid this situation, enable the Force DNS Hostname option. That way syslog-ng Agent resolves the name of its host from the DNS server, and uses the resolved FQDN in the syslog messages. Step 7. If you have a backup server that can accept log messages if the primary logserver becomes unavailable, select the Failover Servers tab, click Add, and enter the hostname or the IP address of the backup logserver into the Server Name field. Repeat this step if you have more than one backup servers.

www.balabit.com

23

Configuring destinations

Figure 3.6. Failover Servers

Step 8. If you want to send the log messages to more than on server in parallel, so that every server receives every message, repeat Steps 3-4 to add the secondary servers. Secondary servers may have failover servers as well.
Note The syslog-ng Agent for Windows application considers a message received by the logserver if the primary server of the destination, or one of its failover servers receives it. To modify which server of a destination is the primary server, select syslog-ng Agent Settings > Destinations, right-click on the server you want to be primary, select Properties > Set Primary Server.

Step 9. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

3.2.2. Procedure Limiting the rate of messages

Purpose:

www.balabit.com

24

Configuring message sources

The syslog-ng Agent can control the rate of messages (message per second) sent to the central server. That way sudden message-bursts can be avoided, and the load of the server is decreased. To limit the number of messages sent to a destination, complete the following steps: Steps: Step 1. Start the configuration interface of the syslog-ng Agent for Windows application. Step 2. Select syslog-ng Agent Settings > Destinations. Step 3. Select the destination server and select Properties. To limit the number of messages that the syslog-ng Agent sends to the server per second, enter the desired limit into the Throttle field. By default (0), the syslog-ng Agent does not limit the number of messages sent.
Note The throttling parameter applies to the total number of messages sent, not to every source independently. The same value applies to the failover servers of the destination. If you are sending messages to multiple servers, then the speed of the primary server is important: if the primary server cannot accept the messages fast enough, the syslog-ng Agent will reduce the number of sent messages to match the speed of the primary server, even if the secondary servers could accept messages faster. If the secondary servers cannot accept messages as fast as the primary server, then the secondary servers will lose messages; the syslog-ng Agent will not slow down to wait for them.

Step 4. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

3.3. Configuring message sources

The syslog-ng Agent for Windows application can read messages from eventlog containers and text files. The following sections explain how to configure these message sources. For details on how to forward messages from eventlog containers, see Section 3.3.1, Eventlog sources (p. 25). For details on how to forward messages from plain text log files, see Procedure 3.3.2, Managing file sources (p. 28). Some global settings can apply to both types of sources, these are described in Procedure 3.3.3, Configuring global settings (p. 33).

3.3.1. Eventlog sources

The syslog-ng Agent for Windows application can collect messages from the standard Windows eventlog containers, as well as from custom containers. The agent automatically forwards the messages from three standard eventlog containers (Application, Security, System). To enable or disable these sources, or to add custom eventlog containers, complete the following steps:
Note The syslog-ng Agent for Windows sends its own log messages into the Application eventlog container. The agent caches in the registry the ID of the last message sent to the destination server, so if the agent is not operating for a time (for example it is restarted ), then it starts reading messages from the last cached message ID, sending out all the new messages.

www.balabit.com

25

Eventlog sources

Warning If an eventlog container becomes corrupt, the agent will stop processing the event source. A log message (Eventlog file is corrupt) is sent directly to the logserver to notify about the error.

Warning Hazard of data loss! It is not recommended to setup archiving for the event container. It is possible to lose logs if there are non-processed events in the event container when the archiving is started. Windows closes and renames the event container and starts a new one regardless of any reading applications. To prevent this, enable overwrite events when needed mode in the Windows Event Viewer with the following conditions: The messages are not generated faster than the agent's processing speed. There is enough window between the first and the last events for planned agent stops. Ensure that new events will not overwrite the event last read by the agent during agent stop.

3.3.1.1. Procedure Managing eventlog sources

Figure 3.7. Managing eventlog sources

Steps: Step 1. Start the configuration interface of the syslog-ng Agent for Windows application. Step 2. Select syslog-ng Agent Settings > Eventlog Sources, and double-click on Event Containers.

www.balabit.com

26

Eventlog sources

Step 3.

To disable sending messages from an eventlog container, unselect the checkbox before the name of the container. To modify the log facility associated with the messages of the container, select the container, click Edit, and select the log facility to use in the Log Facility field. To add a custom container, select Add, and enter the name if the container into the Event Container Name field. If you do not know the name of the container, see Procedure 3.3.1.2, Determining the name of a custom eventlog container on Windows Vista and newer (p. 27) and Procedure 3.3.1.3, Determining the name of a custom eventlog container on Windows 2000, XP, or Server 2003 (p. 27).

Step 4. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

3.3.1.2. Procedure Determining the name of a custom eventlog container on Windows Vista and newer
Purpose: To determine the name of a custom eventlog container on Windows Vista, Server 2008, and Windows 7, complete the following steps. Steps: Step 1. Open the Event Viewer application. Step 2. Select the custom container you are looking for (for example DNS Server). Step 3. Right click on the container and select Properties. Step 4. The name of the container is the name of the file (without the extension) displayed in the Logname field (for example for C:\WINDOWS\system32\config\DnsEvent.Evt it is DnsEvent). Step 5. Use this name as the name of the custom eventlog container during the procedure described in Procedure 3.3.1.1, Managing eventlog sources (p. 26).
Note On Windows Vista and Server 2008, some container are not real containers, but show selected messages collected from multiple containers. To forward such messages to the syslog-ng server, you have to find out which real containers are displayed in the container, and add them to the configuration of the syslog-ng Agent. Some containers have the %4 characters in their names. When adding these to the syslog-ng Agent, replace %4 with the / (slash) character. For example write microsoft-windows-bits-client/analytic instead of microsoft-windows-bits-client%4analytic. If you are sending old messages to the server as well, the syslog-ng Agent will not send the very first message stored in the container. This is a bug in the Windows API.

3.3.1.3. Procedure Determining the name of a custom eventlog container on Windows 2000, XP, or Server 2003
Purpose: To determine the name of a custom eventlog container on Windows 2000, XP, or Server 2003, complete the following steps.

www.balabit.com

27

Eventlog sources

Steps: Step 1. On the client host select Start > Run > regedit. Step 2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\. The custom containers are listed here. For example, the following are valid container names: DFS Replication, File Replication Service, DNS Server. Step 3. Use this name as the name of the custom eventlog container during the procedure described in Procedure 3.3.1.1, Managing eventlog sources (p. 26).

3.3.2. Procedure Managing file sources

Purpose: The syslog-ng Agent for Windows application can collect log messages from text files. It can process messages spanning multiple lines, and supports the use of wildcards (*, ?) in filenames to be able to follow log files that are automatically rotated. Note that every line of the file that ends with a newline character is considered a separate message. However, if a file contains only a single line that does not end with a newline character, syslog-ng Agent will not process the line. To configure file sources, complete the following steps:
Warning Files used as file sources must reside locally on the host the syslog-ng Agent application is running on. Files located on network shares are not supported, because the syslog-ng Agent for Windows application is running as a local service and does not have the privileges to access network shares.

Note If an application writes a message into a log file without ending the line with a new-line character, saves (closes) the file, and later continues to write into the same line, then this is visible in the file as a single line, but the syslog-ng Agent interprets them as two separate messages.

Warning If an application deletes a log file, the application must ensure that syslog-ng Agent had enough time to forward the messages from the file to the central server to avoid losing messages.

Example 3.3. Collecting the logs of multiple applications from a single folder If two applications log into the same folder (for example C:\logs), you have to create two file sources. For example, if the name of the log files is application1-*.log and application2-*.log, respectively, then create two file sources with the C:\logs Base Directory, but with different File Name Filter: application1-*.log and application2-*.log, respectively. If other applications log into the C:\logs folder, add a separate expression for each application. By default, the syslog-ng Agent will send every message to the server that arrives into any of the monitored log files. To send only the messages that arrive into the latest file of the source, enable the Last Modified File Only option.

www.balabit.com

28

Eventlog sources

Figure 3.8. Managing file sources

www.balabit.com

29

Eventlog sources

Figure 3.9. Sources properties

Steps: Step 1. Start the configuration interface of the syslog-ng Agent for Windows application. Step 2. Select syslog-ng Agent Settings > File Sources, double-click on Sources, and check the Enable option. Step 3. Select Add > Browse, and select the folder containing the log files in the Base Directory field. Select or enter the name and extension of the log files in the File Name Filter field. Wildcards may be used. The syslog-ng Agent will forward log messages from every file that is located in this folder and has a name that matches the filter expression.
Warning Files used as file sources must reside locally on the host the syslog-ng Agent application is running on. Files located on network shares are not supported, because the syslog-ng Agent for Windows application is running as a local service and does not have the privileges to access network shares.

Tip When specifying the Base Directory, you can use the environment variables of Windows, for example %WINDIR%, %SYSTEMROOT%, %PROGRAMFILES%, and so on.

www.balabit.com

30

Eventlog sources

Warning Note that when managing members of a domain, the selected path must be available on the domain members, for example C:\logs must be available on the client hosts and not on the domain controller.

Step 4.

To send messages from the files located in the subfolders of the folder set as Base Directory, select the Recursive option. To send messages only from the file that was last modified, select the Last Modified File Only option.
Note When using the Last Modified File Only option with a file source that has wildcard in the filename (for example *.log), the following will happen. When started for the first time, the agent will send the contents of every matching file to the central server, and store the position of the last message in the file with the most recent modification date. When new messages are written to this file, the agent will send only the new messages. However, if an older file is modified, the agent will resend the entire contents of this newly modified file, and store the position of the last message in this file only. When you use wildcards together with the Last Modified File Only option, make sure that older files will not be modified.

If you are forwarding the logs of Internet Information Server (IIS) 5 applications, select the IIS 5.x Log option.
Note If this option is not selected, the syslog-ng Agent monitors every matching file in the folder for changes, and sends new log messages from all files.

To send messages only from the file that was last modified of every subfolder of the Base Directory, select both the Last Modified File Only and the Recursive options. To change the log facility or the log severity associated to the file source, select the desired facility or priority from the Log Facility or Log Severity fields, respectively.
Note Significant changes to the settings of a file source may cause the syslog-ng Agent to resend the entire contents of the matching files. This means that log messages already sent earlier to the syslogng server may be resent and thus duplicated in the server logs. Configuration changes that may result in such behavior are: changing the Base Directory, changing filter options, changing recursivity and Last Modified File Only options.

Step 5. By default, the syslog-ng Agent application assumes that the source files are encoded using the default windows ANSI code page, specific to the locale of the host. If the files have a different encoding, select

www.balabit.com

31

Eventlog sources

it from the File Encoding field. Unicode, UTF-16, and UTF-32 encodings are currently not supported. Note that the log messages are sent to the destinations using UTF-8 encoding. Step 6. If a log messages in the log file consists of multiple lines, that is, the log messages contain newline characters, configure syslog-ng Agent to process the related lines as a single message. The syslog-ng Agent application can automatically handle Apache Tomcat Catalina and Oracle SQL log messages. To process such messages, select the name of the application from the Multiple Lines > Application field. Note that the timestamp of Tomcat log messages depends on the locale of the host. To process multi-line log messages of a different application, complete the following steps. Step a. Select Multiple Lines > Application > Custom, and set the Multiple Lines > Prefix and optionally the Multiple Lines > Garbage fields. Step b. Specify a string or regular expression that matches the beginning of the log messages in the Multiple Lines > Prefix field. If the Prefix option is set, the syslog-ng Agent ignores newline characters from the source until a line matches the regular expression again, and treats the lines between the matching lines as a single message.
Note Use as simple regular expressions as possible, because complex regular expressions can severely reduce the rate of processing multi-line messages.

Step c. Use the Multiple Lines > Garbage option when processing multi-line messages that contain unneeded parts between the messages. Specify a string or regular expression that matches the beginning of the unneeded message parts. If the Garbage option is set, the syslog-ng Agent ignores lines between the line matching the Garbage expression and the next line matching Prefix. When receiving multi-line messages from a source when the Garbage option is set but no matching line is received between two lines that match Prefix, the syslog-ng Agent application will continue to process the incoming lines as a single message until a line matching Garbage is received.
Warning If the Garbage option is set, the syslog-ng Agent application discards lines between the line matching the Garbage and the next line matching Prefix expressions.

Step d. Optional Step: After creating and testing a custom pattern, please consider sending your pattern to BalaBit so we can include it in a future version of syslog-ng Agent. To share your pattern with BalaBit and other syslog-ng Agent users, click Multiple Lines > Send custom pattern to BalaBit. Your e-mail application will open, with an e-mail containing the application name and the pattern. Step 7. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

www.balabit.com

32

Eventlog sources

3.3.3. Procedure Configuring global settings

Purpose: The syslog-ng Agent for Windows application has some global settings that can apply to both eventlog and file sources. To configure the global settings, complete the following procedure: Steps: Step 1. Start the configuration interface of the syslog-ng Agent for Windows application. Step 2. Select syslog-ng Agent Settings and double-click on Global Settings. Step 3. Set the default log facility associated to the messages. Step 4. By default, the filters and regular expressions (see Section 3.5, Filtering messages (p. 36)) used in the message filters are case-sensitive. To make them case-insensitive, select the Regular Expressions Ignore Case or the Filters Ignore Case options, or both.
Note The Regular Expressions Ignore Case option makes the Message Contents filter case-insensitive for both file and eventlog sources. The Filters Ignore Case option makes the Computers, Sources and Categories, and the Users filter case-insensitive.

Step 5. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

3.3.4. Procedure Disabling sources and filters globally

Purpose: Filters and sources can be disabled globally as well. Disabling filters or sources means that the syslog-ng Agent ignores the disabled settings: that is, if the file sources are disabled, the agent does not send the messages from the files to the server. For details, see the following procedure. Steps: Step 1. Start the configuration interface of the syslog-ng Agent for Windows application. Step 2. To disable eventlog sources, select syslog-ng Agent Settings, right-click on Eventlog Sources, then select Properties > Disable. To disable file sources, select syslog-ng Agent Settings, right-click on File Sources, then select Properties > Disable. To disable eventlog filters, select syslog-ng Agent Settings > Destinations, right-click on Global Event Filters, then select Properties > Disable. To disable file filters, select syslog-ng Agent Settings > Destinations, right-click on Global File Filters, then select Properties > Disable. Step 3. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

www.balabit.com

33

Using SSL-encrypted connections with the syslog-ng Agent

3.4. Using SSL-encrypted connections with the syslog-ng Agent

When connecting to a syslog-ng server using an encrypted connection, the syslog-ng agent verifies the certificate of the server. The connection is established only if the Certificate Authority (CA) that issued the certificate of the server is available in the Certificate Store (MMC > Certificates > Computer Account > Local Computer > Trusted Root Certificates) of the Windows-based host.
Note This certificate (sometimes also called the CACert of the server) is not the certificate of the server: it is the certificate of the CA that signed the certificate of the server.

3.4.1. Procedure Enabling encrypted connections

Purpose: To enable SSL-encrypted connections to the server, complete the following steps: Steps: Step 1. Start the configuration interface of the syslog-ng Agent for Windows application. Step 2. Select syslog-ng Agent Settings > Destinations. Step 3. Right-click on the server that accepts encrypted connections and select Properties. Step 4. Select the Use SSL option.
Warning The connection can be established only if the Certificate Authority (CA) that issued the certificate of the server is available in the Certificate Store (MMC > Certificates > Computer Account > Local Computer > Trusted Root Certificates) of the Windows-based host. For details on importing certificates, see Procedure 3.4.3, Importing certificates with the Microsoft Management Console (p. 36).

Note The subject_alt_name parameter (or the Common Name parameter if the subject_alt_name parameter is empty) of the server's certificate must contain the hostname or the IP address (as resolved from the syslog-ng clients and relays) of the server (for example syslog-ng.example.com). Alternatively, the Common Name or the subject_alt_name parameter can contain a generic hostname, for example *.example.com. Note that if the Common Name of the certificate contains a generic hostname, do not specify a specific hostname or an IP address in the subject_alt_name parameter.

Step 5. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

3.4.2. Using mutual authentication with syslog-ng Agent

When the syslog-ng server is configured to use mutual authentication, it requests a certificate from the syslog-ng clients. The syslog-ng Agent application can automatically show the requested certificate to the server when the

www.balabit.com

34

Using mutual authentication with syslog-ng Agent

connection is established, provided it is available in the Personal Certificates store (MMC > Certificates > Computer Account > Local Computer > Personal Certificates) of the Local Computer. Use the Certificate Import Wizard to import this certificate. For details, see Procedure 3.4.3, Importing certificates with the Microsoft Management Console (p. 36).
Note If a certificate revocation list (CRL) is available in the Local Computer/Personal Certificates store, the syslog-ng Agent verifies that the certificate of the syslog-ng server is not on this list.

3.4.2.1. Procedure Configuring mutual authentication with the syslog-ng Agent for Windows
Purpose: If the syslog-ng server requests authentication from the syslog-ng Agent, complete the following steps. Steps: Step 1. Create certificates for the clients. By default, the syslog-ng Agent will look for a certificate that contains the hostname or IP address of the central syslog-ng server in its Common Name. If you use a different Common Name, do not forget to complete Step 3 to set the Common Name of the certificate. The certificate must contain the private key and must be in PKCS12 format.
Tip To convert a certificate and a key from PEM format to PKCS12 you can use the following command:
openssl pkcs12 -export -in agentcertificate.pem -inkey agentprivatekey.pem -out agentcertificatewithkey.pfx

Step 2. Import this certificate into the Personal Certificate store of the Local Computer using the Certificate Import Wizard. For details, see Procedure 3.4.3, Importing certificates with the Microsoft Management Console (p. 36). Step 3. By default, the syslog-ng Agent will look for a certificate that contains the hostname or IP address of the central syslog-ng server in its Common Name. (The agent will look for the server name or address set in the Server Name field of the destination.) If the certificate of the client has a different Common Name, complete the following steps: Step a. Start the configuration interface of the syslog-ng Agent for Windows application. Step b. Select syslog-ng Agent Settings > Destinations. Step c. Right-click on the server that requires mutual authentication and select Properties. Step d. Select the Use SSL option, click Select, then select the certificate to use. You can also type the Common Name of the certificate into the Client Certificate Subject field. If you have more than one certificates with the same Common Name, alternatively, you can type the Distinguished Name (DN) of the certificate into the Client Certificate Subject field. When using the Distinguished Name, type only the elements of the name, separated with comma, starting with the country. For example US, Maryand,
Pasadena, Example Inc, Sample Department, mycommonname

www.balabit.com

35

Filtering messages

Note A common way is to use the hostname or the IP address of the host running the syslog-ng Agent as the Common Name of the certificate (for example syslog-ng-agent1.example.com).

Step 4. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

3.4.3. Procedure Importing certificates with the Microsoft Management Console

Purpose: To import a certificate, complete the following steps. Steps: Step 1. Start Microsoft Management Console by executing mmc.exe (Start menu Run application).
Note Running mmc.exe requires administrator privileges.

Step 2. Click on the Add/Remove snap-in item of the File menu. Step 3. Click Add, select the Certificates module, and click Add. Step 4. Select Computer account in the displayed window and click Next. Step 5. Select Local computer and click Close. Step 6. To import the CA certificate of the syslog-ng server's certificate, navigate to Console Root > Certificates > Trusted Root Certificate Authorities > Certificates. To import a certificate for the syslog-ng Agent to perform mutual authentication, navigate to Console Root > Certificates > Personal > Certificates. Step 7. Right-click on the Certificates folder and from the appearing menu select All tasks > Import. The Certificate Import Wizard will be displayed. Click Next. Optional step: Certificates used to authenticate the syslog-ng Agent in mutual authentication include the private key. Provide the password for the private key when requested. Step 8. Windows offers a suitable certificate store by default, so click Next. Step 9. Click Finish on the summary window and Yes on the window that marks the successful importing of the certificate.

3.5. Filtering messages

The syslog-ng Agent for Windows application can filter log messages both in blacklist- and whitelist fashion. When using blacklisting, you can define filters, and any message that matches the filters is ignored by the agent only messages that do not match the filters are sent to the central server. When using whitelisting, you can define filters,

www.balabit.com

36

Filtering messages

and the messages matching the filters are forwarded to the central server other messages are ignored. By default, blacklist filtering is used. If you define multiple filters, the messages must match every filter. In other words, the filters are connected to each other with logical AND operations. Different filters are available for eventlog- and file sources. When the syslog-ng Agent processes a message, it checks the relevant filters on-by-one: if it finds a filter that matches the message, the agent stops processing the message without sending it to the server.
Note By default, all filters are case sensitive. For details on how to change this behavior, see Procedure 3.3.3, Configuring global settings (p. 33).

For details on how to filter messages received from eventlog sources, see Procedure 3.5.1, Filtering eventlog messages (p. 37). For details on how to filter messages received from file sources, see Procedure 3.5.2, Filtering file messages (p. 41). For details on how to disable filtering globally, see Procedure 3.3.4, Disabling sources and filters globally (p. 33).

3.5.1. Procedure Filtering eventlog messages

Purpose: The following types of filters are available for eventlog sources: Sources: Filter on the source (application) that created the message. Corresponds with the EVENT_SOURCE macro. Sources and Event ID: Filter on the source (application) that created the message, and optionally on the identification number of the event. Corresponds with the EVENT_SOURCE and EVENT_ID macros. Message Contents: Filter the text of the message, that is, the contents of the EVENT_MESSAGE macro. In this filter you can use regular expressions. Sources and Categories: Filter on the source (application) that created the message, and optionally on the category of the event. Corresponds with the EVENT_SOURCE and EVENT_CATEGORY macros. Users: Filter on the username associated with the event. Corresponds with the EVENT_USERNAME macro. Computers: Filter on the name of the computer (host) that created the event. Corresponds with the HOST macro. Event Types: Filter on the type of the event. Corresponds with the EVENT_TYPE macro. To modify the filters used for eventlog messages, complete the following procedure: Steps: Step 1. Start the configuration interface of the syslog-ng Agent for Windows application. Step 2. To apply filters globally to every eventlog message, select syslog-ng Agent Settings > Destinations > Global Event Filters, and right-click Global Event Filters.

www.balabit.com

37

Filtering messages

To apply filters only to a specific destination, select syslog-ng Agent Settings > Destinations, select the destination server, then select Event Filters. Right-click Event Filters.
Note If you want to use both global and local (server side) filtering, first global filters will be applied to the eventlog messages and then the local filters.

Step 3. Select Properties > Enable > OK.

Figure 3.10. Global event filters

Step 4. To use whitelist-filtering, select White List Filtering. By default, syslog-ng Agent uses blacklist filtering. Step 5. On the right-hand pane, double-click on the type of filter you want to create. Step 6. To ignore messages sent by a specific application, or messages of the application with a specific event ID, double-click on Sources and Event ID, select Add, and select the name of the source (application) whose messages you want to ignore from the Source Name field. To ignore only specific messages of the application, enter the ID of the event into the Event ID field. Select Add > Apply.

www.balabit.com

38

Filtering messages

Figure 3.11. Sources and Event ID

To ignore messages that contain a specific string or text, double-click on Message Contents, enter the search term or a regular expression into the Regular Expression field, then select Add > Apply.

www.balabit.com

39

Filtering messages

Figure 3.12. Message Contents

To ignore messages sent by a specific application, or messages of the application that fall into a specific category, double-click on Sources and Categories, select Add, and select the name of the application whose messages you want to ignore from the Application Name field. To ignore only those messages of the application that fall into a specific category, enter the name of the category into the Category field. Select Add > Apply. To ignore messages sent by a specific user, double-click on Users, enter the name of the user into the User field, then select Add > Apply. To ignore messages sent by a specific computer (host), double-click on Computers, enter the name of the user into the Computer field, then select Add > Apply. Event Types: To ignore messages of a specific event-type, double-click on Event Types, select the event types to ignore, and select Ok > Apply.
Note Under Windows Vista and Server 2008, Windows labels certain messages as level 3 and the Event Viewer labels such messages as warnings. This is against the official specification: level 3 should not be used; and only level 2 messages are warnings. To filter these events, you have to manually add a new event type to the registry and set its value to 3, for example
HKEY_LOCAL_MACHINE\SOFTWARE\BalaBit\syslog-ng Settings\EventSources\Filter\Type\Rule0\Type=3 Agent\Local

www.balabit.com

40

Filtering messages

Step 7. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

3.5.2. Procedure Filtering file messages

Purpose: The following types of filters are available for file sources: Message Contents: Filter the text of the message, that is, the contents of the FILE_MESSAGE macro. In this filter you can use regular expressions. File Name: Filter on the file name. Corresponds with the FILE_NAME macro. In this filter you can use regular expressions. Only available for destination file filters. To modify the filters used for file messages, complete the following procedure: Steps: Step 1. Start the configuration interface of the syslog-ng Agent for Windows application. Step 2. To apply filters globally to every file message, select syslog-ng Agent Settings > Destinations > Global File Filters, and right-click Global File Filters. To apply filters only to a specific destination, select syslog-ng Agent Settings > Destinations, select the destination server, then select File Filters. Right-click File Filters.
Note If you want to use both global and local (server side) filtering, first global filters will be applied to the file messages and then the local filters.

Step 3. Select Properties > Enable > OK.

www.balabit.com

41

Customizing the message format

Figure 3.13. Global file filters

Step 4. To use whitelist-filtering, select White List Filtering. By default, syslog-ng Agent uses blacklist filtering. Step 5. On the right-hand pane, double-click on the type of filter you want to create. Step 6. To ignore messages that contain a specific string or text, double-click on Message Contents, enter the search term or a regular expression into the Regular Expression field, then select Add.

Step 7. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

3.6. Customizing the message format

The format of the messages received from the eventlog and the file sources can be customized using templates. You can define separate message format for the eventlog and the file sources. If you have multiple destination servers configured, you can define separate templates for each server. When creating a template to customize the message format, you can use macros, all alphanumeric characters, and the following special characters: <>,():;-+/_.

3.6.1. Procedure Customizing messages using templates

Purpose: To create a template, complete the following procedure:

www.balabit.com

42

Customizing the timestamp used by the syslog-ng Agent

Warning These macros are available only in the syslog-ng Agent for Windows. To recognize Windows-specific elements of the log message (for example eventlog-related macros) on the syslog-ng server, you have to use parsers on the syslog-ng server. The parser must be configured to match the message format set in the syslog-ng Agent. For details on configuring parsers on your syslog-ng Premium Edition server, see Chapter 12, Parsing and segmenting structured messages in The syslog-ng Premium Edition 4 LTS Administrator Guide.

Steps: Step 1. Start the configuration interface of the syslog-ng Agent for Windows application. Step 2. Select syslog-ng Agent Settings > Destinations. Select your logserver, and click Properties. Step 3. To change the format of messages received from eventlog sources, type the message format you want to use into the Event Message Format > Message Template field. To change the format of messages received from file sources, type the message format you want to use into the File Message Format > Message Template field. Do not forget to add the $ character before macros. For a complete list of the available macros, see Section 3.6.3, Macros available in the syslog-ng Agent (p. 44). For example, to send the messages in the DATE HOSTNAME MESSAGE format, type Date:$DATE Hostname:$HOST Logmessage:$MESSAGE. Note that the $MESSAGE macro contains not only the text of the log message, but also additional information received from the message source, such as the name of the eventlog container, or the file, as set in the eventlog-specific and file-specific templates.
Note Templates are assigned to a single destination server, so it is possible to use different templates for different servers. However, a server and its failover servers always receive the same message.

Warning If you have more than one destination servers configured (separate servers, not in failover mode), and you want to use the same template for every server, you must manually copy the template into the configuration of each server. Template modifications are not applied automatically to every server. To use a Snare-compatible message format, select Message Type > Snare Compatible Message Type and click Reset Message Template.

Step 4. Click OK. Step 5. To activate the changes, restart the syslog-ng Agent service.

3.6.2. Customizing the timestamp used by the syslog-ng Agent

The syslog-ng Agent can send the syslog messages using either the ISO or the BSD timestamp format. It is recommended to use the ISO format, because it contains much more information than the BSD format.

www.balabit.com

43

Macros available in the syslog-ng Agent

Note that in the syslog-ng Agent, the macros without prefix (for example DATE) always refer to the receiving date of the message (for example R_DATE) when it arrived into the event log container, and are included only for compatibility reasons.
Warning If a remote host is logging into the event log of the local host that is running syslog-ng Agent for Windows, both hosts should be in the same timezone, because the event log message does not include the timezone information of the sender host. Otherwise, the date of the messages received from the remote host will be incorrect.

3.6.3. Macros available in the syslog-ng Agent

The following sections list the available macros:
Warning These macros are available only in the syslog-ng Agent for Windows. To recognize Windows-specific elements of the log message (for example eventlog-related macros) on the syslog-ng server, you have to use parsers on the syslog-ng server. The parser must be configured to match the message format set in the syslog-ng Agent. For details on configuring parsers on your syslog-ng PE server, see Chapter 12, Parsing and segmenting structured messages in The syslog-ng Premium Edition 4 LTS Administrator Guide.

Macros related to protocol headers Macros related to the date and time of the message Macros related to eventlog sources Macros related to file sources
Note Note that if you use the Syslog protocol template (meaning that messages are sent using the IETF-syslog protocol), only the message part of the log message can be customized, the structure of the headers and other information is fixed by the protocol.

By

default,

syslog-ng

Agent

uses

${APP_NAME}[${PROCESS_ID}]: ${EVENT_NAME} ${EVENT_SOURCE}: [${EVENT_TYPE}] ${EVENT_MSG} (EventID ${EVENT_ID}) for eventlog messages, and $FILE_NAME: $FILE_CURRENT_POSITION/$FILE_SIZE: $FILE_MESSAGE

following format: <${PRI}>${BSDDATE} ${HOST} ${MESSAGE}, where $MESSAGE is ${EVENT_USERNAME}:

the

for file messages. 3.6.3.1. Protocol-related macros of the syslog-ng Agent

APP_NAME

Description: An alias for the APPLICATION_NAME macro.

APPLICATION_NAME

Description: At event container: Name of the application the message came from

www.balabit.com

44

Macros available in the syslog-ng Agent

At file as the name of creator (default value): syslog-ng-agent

HOST

Description: Name of the host sending the message. Hostnames are automatically converted to lowercase.
MESSAGE

Description: The content of the message, including the text of the message and any file- or event-specific macros that are set for the source.
MSG

Description: An alias for the MESSAGE macro.

PRI

Description: Priority header of the message, storing the facility and the level of the message.
PROCESS_ID

Description: PID of the application the message came from. 3.6.3.2. Time-related macros of the syslog-ng Agent
BSDDATE, R_BSDDATE, S_BSDDATE

Description: Date of the message in BSD timestamp format (month/day/hour/minute/second, each expressed in two digits). This is the original syslog time stamp without year information, for example Jun 13 15:58:00. If possible, it is recommended to use ISODATE for timestamping.
DATE

Description: An alias of the ISODATE macro.

DAY, R_DAY, S_DAY

Description: The day the message was sent.

FULLDATE, R_FULLDATE, S_FULLDATE

Description: A nonstandard format for the date of the message using the same format as DATE, but including the year as well, for example: 2006 Jun 13 15:58:00.
HOUR, R_HOUR, S_HOUR

Description: The hour of day the message was sent.

ISODATE, R_ISODATE, S_ISODATE

Description: Date of the message in the ISO 8601 compatible standard timestamp format (yyyy-mm-ddThh:mm:ss+ZONE), for example: 2006-06-13T15:58:00.123+01:00. If possible, it is recommended to use ISODATE for timestamping. Note that the syslog-ng Agent cannot produce fractions of a second (for example milliseconds) in the timestamp.
MIN, R_MIN, S_MIN

Description: The minute the message was sent.

www.balabit.com

45

Macros available in the syslog-ng Agent

MONTH, R_MONTH, S_MONTH

Description: The month the message was sent as a decimal value, prefixed with a zero if smaller than 10.
MONTHNAME, R_MONTHNAME, S_MONTHNAME

Description: The English name of the month the message was sent, abbreviated to three characters (for example Jan, Feb, and so on).
R_DATE

Description: Date when the message was recorded into the eventlog container.
S_DATE

Description: Date when the message was created.

SEC, R_SEC, S_SEC

Description: The second the message was sent.

TZ, R_TZ, S_TZ

Description: The name of the time zone of the host.

TZOFFSET, R_TZOFFSET, S_TZOFFSET

Description: The time-zone as hour offset from GMT; for example: -07:00. In syslog-ng 1.6.x this used to be -0700 but as ISODATE requires the colon it was added to TZOFFSET as well.
UNIXTIME, R_UNIXTIME, S_UNIXTIME

Description: Standard unix timestamp, represented as the number of seconds since 1970-01-01T00:00:00.
YEAR, R_YEAR, S_YEAR

Description: The year the message was sent.

WEEK, R_WEEK, S_WEEK

Description: The week number of the year, prefixed with a zero for the first nine week of the year. (The first Monday in the year marks the first week.)
WEEKDAY, R_WEEKDAY, S_WEEKDAY

Description: The 3-letter name of the day of week the message was sent, for example Thu. 3.6.3.3. Eventlog-related macros of the syslog-ng Agent
EVENT_CATEGORY

Description: The category of the event.

EVENT_FACILITY

Description: The facility that sent the message.

EVENT_ID

Description: The identification number of the event.

www.balabit.com

46

Macros available in the syslog-ng Agent

EVENT_LEVEL

Description: Importance level of the message represented as a number: 6 - Success, 5 - Informational, 4- Warning, or 3 - Error).
EVENT_MESSAGE

Description: The content of the message.

EVENT_MESSAGE_XML

Description: Contains the entire message in XML format. Available only on Windows Vista and Server 2008 platforms
EVENT_MSG

Description: The content of the message. This is an alias of the EVENT_MESSAGE.

EVENT_MSG_XML

Description: Contains the entire message in XML format. This is an alias of the EVENT_MESSAGE_XML. Available only on Windows Vista and Server 2008 platforms
EVENT_NAME

Description: Name of the Windows event log container (for example Application or Security).
EVENT_REC_NUM

Description: The record number of the event in the event log.

EVENT_SID

Description: The security identification number of the event.

EVENT_SID_TYPE

Description: The security identification number resolved into name. One of the following: User, Group, Domain, Alias WellKnownGroup, DeletedAccount, Invalid, Unknown, Computer.
EVENT_SOURCE

Description: The application that created the message.

EVENT_TASK

Description: The task category of the event. Available only on Windows Vista and Server 2008 platforms
EVENT_TYPE

Description: The importance level of the message in text format.

EVENT_USERNAME

Description: The user running the application that created the message.

www.balabit.com

47

Controlling the syslog-ng Agent services

3.6.3.4. File-related macros of the syslog-ng Agent

FILE_CURRENT_POSITION

Description: The position of the message from the beginning of the file in bytes.
FILE_FACILITY

Description: The facility that sent the message.

FILE_LEVEL

Description: Importance level of the message represented as a number: 6 - Success, 5 - Informational, 4- Warning, or 3 - Error).
FILE_MESSAGE

Description: The content of the message.

FILE_MSG

Description: The content of the message. This is an alias of the FILE_MESSAGE macro.
FILE_NAME

Description: Name of the log file (including its path) from where the syslog-ng Agent received the message.
FILE_SIZE

Description: The current size of the file in bytes.

3.7. Controlling the syslog-ng Agent services

During installation, syslog-ng Agent registers the syslog-ng Agent service that is started automatically when the host boots. To disable the automatic startup of the syslog-ng Agent, or manually start or stop the service, use the Start Menu > Control Panel > Administrative Tools > Services interface. The service is running with the privileges of the NT AUTHORITY\SYSTEM user. When the syslog-ng Agent service is started or stopped, it sends a syslog message to the central log server and an eventlog message to the Application eventlog container of the host.
Warning If you change the timezone setting of the host while the syslog-ng Agent is running, you have to restart the syslog-ng Agent. Otherwise, it will not receive the updated timezone information and the date of the events will be incorrect.

Note It is possible to run the service with an administrator account that has "log on as service" rights (to set user rights, navigate to Local Security Policy > Local Policies > User rights Assignment). These settings are unsupported, use them only at your own risk. Also note that during the next upgrade procedure, these settings will be overwritten by factory default settings.

www.balabit.com

48

Command-line options

3.7.1. Command-line options

The syslog-ng Agent for Windows application has the following command-line options:
Note Command-line options are case-insensitive. The options consist of a single letter introduced by either "-" or "/".

Note On Windows Vista or above, command line options will only work with administrator permission.

/c /d /e /h /i /r /v /x

Start the syslog-ng Agent using the specified XML configuration file. Start the syslog-ng Agent in debug mode. The debug messages can be displayed using the dbgview application (available here). Start the syslog-ng Agent in debug mode and send the messages to the Application eventlog container. Display a help message about the command-line options. Install the syslog-ng Agent service into the services list. Remove the syslog-ng Agent service from the services list. Display version information. Validate XML configuration file without importing it.

To use these options, select Start > Run > cmd, navigate to the directory where the syslog-ng Agent is installed (for example cd C:\Windows\Program Files\BalaBit\syslog-ng Agent\), and execute the syslog-ng-agent.exe file with the required option.
Example 3.4. Using command line options To start syslog-ng Agent in debug mode:
syslog-ng-agent.exe /d

To start syslog-ng Agent with XML configuration file:

syslog-ng-agent.exe /c C:\ConfigFiles\syslog-ng-agent-conf.xml

To register syslog-ng Agent as a service using XML configuration file:

syslog-ng-agent.exe /i C:\ConfigFiles\syslog-ng-agent-conf.xml

www.balabit.com

49

Chapter 4. Troubleshooting syslog-ng Agent for Windows

In case you experience problems with the syslog-ng Agent for Windows application, the following points may be of help.
Note The followings address only problems specific to the syslog-ng Agent, and assume that communication between the server and the client is otherwise possible (that is, the server is properly configured to receive messages and is available on the network, and name resolution is properly configured on the client).

Configuration changes do not take effect: Configuration changes take effect only after restarting the syslog-ng service or rebooting the system. Also restart the system after changing the timezone settings of the host, or importing a certificate that you want to use to authenticate the communication between the agent and the server. If the configuration of the agent has changed since the last restart, the syslog-ng Agent sends a message of the change, including the hmac-sha-1 hash of the new configuration. Also note that if your clients are managed from a Domain Controller, configuration changes are not instantly downloaded to the client hosts, only at the time of the next group policy update. To update the configuration of a client host earlier, open a command prompt on the client host, and issue the gpupdate /force command. After downloading the configuration from the Domain Controller, the syslog-ng Agent service is automatically restarted if the configuration has changed.
Note Certain domain settings that may affect the syslog-ng Agent are downloaded only when the machine is rebooted. For example, moving the computer from one group policy to another requires a reboot to have effect.

The syslog-ng Agent does not send messages to the server: Check the Application eventlog for messages of the syslog-ng Agent. In case of connection errors and certificate problems, the syslog-ng Agent sends error messages into the eventlog. Ensure that the destination address of the server is correctly set. If you use SSL encryption, verify that the certificate of the Certificate Authority of the server and that the certificate of the client are properly imported. If there are no error messages, check the logs on your logserver: the syslog-ng Agent sends a MARK message every ten minutes even if there are no other messages to send. The syslog-ng Agent sends only MARK messages to the server: Verify that you have configured the eventlog and file sources, and that they have not been disabled globally. If these settings are correct but the server still does not send any messages, temporarily disable all filters to see that they are not configured to ignore every message. When using filter, it is also recommended to check the global case-sensitivity settings. The hostname used in the messages changes: If a host is sometimes logged in into a domain and sometimes it is not, its hostname might reflect this. To avoid this situation, select syslog-ng Agent > Destinations

www.balabit.com

50

Sending messages and CPU load

> IPv4 > Properties > Edit > Force DNS Hostname. This causes syslog-ng Agent to resolve its own hostname from DNS and use the resolved FQDN in the syslog messages. Command-line parameters are ignored on Windows Vista and 2008 Server: Command-line parameters work only for administrators if User Account Control (UAC) is enabled. To execute syslog-ng Agent with commandline parameters, select Start > Programs > Accessories, right-click on Command prompt > Run as administrator. If you contact the BalaBit Support Team about a problem with the syslog-ng Agent for Windows, execute the syslog-ng-agent -V command from the command line and include every version and platform information it displays in your support request. CPU load is high: See Section 4.1, Sending messages and CPU load (p. 51). Losing messages from eventlog containers: An eventlog container is a special file. The Agent reads this file, formats the messages and sends them to remote log server. Note that the eventlog container can be configured only to a certain size. If the container reaches that size, Windows writes the next message to the beginning of the file. As a result, if the agent is not running (or the destination server is unavailable) so long that the eventlog container is filled up, messages can be lost.

4.1. Sending messages and CPU load

The syslog-ng Agent application can send messages to the server when the Windows Scheduler provides resources to the syslog-ng Agent. When there are many unsent log messages in the log sources, and there is no other significant activity on the host, syslog-ng will start to send the messages to the server, possibly increasing the CPU load to 100%. After all messages have been sent, or if another application requires the resources, the CPU load decreases back to normal.
Tip To avoid the initial large load on the CPU, limit the rate of message sending temporarily. You can remove the limit after the old messages have been sent. For details, see Procedure 3.2.2, Limiting the rate of messages (p. 24).

When relaying the messages from multiple sources, the syslog-ng Agent sends one message at a time from each source. That way a single source with a large log traffic does not block other log sources.

4.2. Creating core and memory dumps

In certain rare cases, you might have to create core dumps of the syslog-ng Agent to investigate a particular problem. When enabled, the syslog-ng Agent for Windows application creates core dumps automatically when it experiences an unexpected shutdown. To enable core dumps, set the HKEY_LOCAL_MACHINE/Software/Balabit/syslog-ng Agent/WriteMinidump registry key to 1. If you use an XML file to configure the syslog-ng Agent for Windows application, add the WriteMinidump="1" attribute to the XML file:
<syslog-ng_Agent WriteMinidump="1">

www.balabit.com

51

Creating core and memory dumps

Core dumps are written into the installation folder of the syslog-ng Agent under the syslog-ng-agent.dmp filename. The size of a core file is typically about 40-50 MB.

4.3. Procedure Enabling debug logging in syslog-ng Agent

Purpose: In case you experience problems with The syslog-ng Agent the BalaBit support team might request you to create debug logs for the application to help troubleshoot the problem. Complete the following steps.
Note When using an XML configuration file, do not modify the registry. Instead, add the AgentDbgLog attribute to the XML configration file, and set it to 1 or two.
<syslog-ng_Agent AgentDbgLog="1">

Steps: Step 1. On the client host select Start > Run > regedit. Step 2. Navigate to HKEY_LOCAL_MACHINE/Software/Balabit/syslog-ng Agent/. Step 3. Select Edit > New > Key, and create a registry key called AgentDbgLog. The type of the key must be DWORD. Step 4. Set the output of the debug logs. To send the debug logs into a file, set the HKEY_LOCAL_MACHINE/Software/Balabit/syslog-ng Agent/AgentDbgLog key to 2. To send the debug logs to the DebugView application, set the HKEY_LOCAL_MACHINE/Software/Balabit/syslog-ng Agent/AgentDbgLog key to 1. Step 5. Reproduce the error. If you requested file output, the syslog_ng_Agent.txt file will be created in the folder where the syslog-ng Agent is installed (%PROGRAMFILES%\syslog-ng Agent\ by default). Step 6. After solving the problem, delete the HKEY_LOCAL_MACHINE/Software/Balabit/syslog-ng Agent/AgentDbgLog key from the registry, otherwise the log file will grow and might consume the available hard disk space. The log file contains the log messages received and processed by the syslog-ng Agent as well.

4.4. Procedure Logging domain update errors

Purpose: If the domain settings are not downloaded to a domain host, the syslog-ng Agent (starting from version 3.0.6) can create a logfile to debug why the domain settings are not updated on the client. Complete the following steps: Steps: Step 1. On the client host select Start > Run > regedit. Step 2. To send the debug logs into a file, set the HKEY_LOCAL_MACHINE/Software/Balabit/syslog-ng Agent/GpoDbgLog key to 2.

www.balabit.com

52

Creating core and memory dumps

To send the debug logs to the DebugView application, set the HKEY_LOCAL_MACHINE/Software/Balabit/syslog-ng Agent/GpoDbgLog key to 1. Step 3. Select Start > Run > gpupdate to reproduce the error. If you requestet file output, the %systemroot%\system32\syslog_gpext.txt file will be created. Step 4. After solving the problem, delete the HKEY_LOCAL_MACHINE/Software/Balabit/syslog-ng Agent/GpoDbgLog key from the r e g i s t r y, otherwise the %systemroot%\system32\syslog_gpext.txt file will grow every time when the domain settings of the client are updated.

www.balabit.com

53

Chapter 5. Configuring the auditing policy on Windows

This section describes how to configure the logging and auditing policy on various versions of Microsoft Windows. The syslog-ng Agent can transfer log messages only about those events that are actually logged, so the audit policy has to be configured to log the important events. Microsoft Windows operating systems can record a range of event types, from a system-wide event such as a user logging on, to an attempt by a particular user to read a specific file. Both successful and unsuccessful attempts to perform an action can be recorded. The audit policy specifies the types of events to be audited. When such an event occurs, an entry is added to the log file of the computer. Following is a brief overview on how to configure the audit policy on various versions of Microsoft Windows. For details, consult the documentation of your operating system, or visit Microsoft TechNet. For details on configuring the auditing and logging of various applications, like the IIS Server or the ISA Server, consult your product documentation.

5.1. Procedure Turning on security logging on Windows XP

Purpose: The following procedure describes how to enable security logging on Windows XP Professional hosts. Steps: Step 1. Login as an administrator. Step 2. Click Start, click Run, and type mmc /a. Step 3. On the File menu, click Add/Remove Snap-in, and click Add. Step 4. Under Snap-in, click Group Policy, and click Add. Step 5. In Select Group Policy Object, select Local Computer, then click Finish, click Close, and click OK. Step 6. In Console Root, select Local Computer Policy, then click Audit Policy. Step 7. Right-click the attribute or event you want to audit on the details pane. Step 8. Set the desired options in the Properties. Step 9. Repeat Steps 7-8 for every other event you want to audit.
Note For details on how to remotely enable security logging for workstations, member servers, and domain controllers, see Procedure 5.2, Turning on security logging for domain controllers (p. 54).

5.2. Procedure Turning on security logging for domain controllers

Purpose: The following procedure describes how to enable security logging on a Windows XP Professional domain controller.

www.balabit.com

54

Steps: Step 1. Login as an administrator. Step 2. Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users and Computers. Step 3. In the console tree, click Domain Controllers. Step 4. Click Action, then click Properties. Step 5. On the Group Policy tab, select the policy you want to change, and click Edit. Step 6. In the Group Policy window, in the console tree, click Audit Policy. Step 7. Right-click the attribute or event you want to audit on the details pane. Step 8. Set the desired options in the Properties. Step 9. Repeat Steps 7-8 for every other event you want to audit.

5.3. Procedure Turning on auditing on Windows 2003 Server

Purpose: The following procedure describes how to configure auditing on a Windows 2003 Server host. Steps: Step 1. Login as an administrator. Step 2. Click Start, point to Programs, point to Administrative Tools, and click Domain Security Policy. Step 3. In the console tree, click Local Policies, then Audit Policy. Step 4. Double-click on an event and select the Define these policy settings option. Step 5. Select the type of event to log: Success or Failure. Step 6. Repeat Steps 4-5 for every other event you want to audit.

www.balabit.com

55

SUBJECT OF THE LICENSE CONTRACT

Appendix 1. License contract for BalaBit Product

SUBJECT OF THE LICENSE CONTRACT
This License Contract is entered into by and between BalaBit as Licensor (hereinafter Company or Licensor, or BalaBit) and Licensee (hereinafter Licensee) and sets out the terms and conditions under which Licensee and/or Licensee's Authorized Subsidiaries may use the BalaBit product under this License Contract. Company name Registered office Company registration number Tax number BalaBit IT Security Ltd. H-1117 Budapest, Alz u. 2. Hungary 01-09-687127 HU11996468

DEFINITIONS
In this License Contract, the following words shall have the following meanings: Name Annexed Software BalaBit Product Description Any third party software that is a not a BalaBit Product contained in the install media of the BalaBit Product. Any software, hardware or service Licensed, sold, or provided by BalaBit including any installation, education, support and warranty services or any product falling under the copyright of BalaBit with the exception of the Annexed Software. The present BalaBit product License Contract.

License Contract

Product Documentation Any documentation referring to the BalaBit Product or any module thereof, with special regard to the administration guide, the product description, the installation guide, user guides and manuals. End-user Certificate The document signed by Licensor which contains a) identification data of Licensee; b) configuration of BalaBit Product and designation of Licensed modules thereof; c) declaration of the parties on accepting the terms and conditions of this License Contract; and d) declaration of Licensee that is in receipt of the install media and the hardware appliance. Defines the conditions (related usage environment and limitations) under the Balabit product may be used by the Licensee. The period of twelve (12) months from the date of delivery of the BalaBit product to Licensee.
Table 1.1. Words and expressions

Product Usage Terms Warranty Period

LICENSE GRANTS AND RESTRICTIONS

Based on the terms and conditions of the present License Contract and the applicable End-user Certificate, and the Product Usage Terms BalaBit grants to Licensee, a non-exclusive, perpetual license to use BalaBit Product. License is transferable only with the prior written approval of BalaBit.

www.balabit.com

56

INTELLECTUAL PROPERTY RIGHTS

Licensee shall use the BalaBit Product in accordance with the conditions sets by the Product Usage Terms, especially in the in the configuration and in the quantities specified in the End-user Certificate and Product Usage Terms. On the install media (firmware CD-ROM, USB stick) all modules of the BalaBit Product will be presented, however, Licensee shall not be entitled to use any module which was not Licensed to it. Access rights to modules and IP connections are controlled by an "electronic key" accompanying the BalaBit Product. Licensee shall be entitled to make one back-up copy of the install media containing the BalaBit Product. Licensee shall make the BalaBit Product available solely to its own employees and those of the Authorized Subsidiaries. Licensee shall take all reasonable steps to protect BalaBit's rights with respect to the BalaBit Product with special regard and care to protecting it from any unauthorized access. Licensee shall, in 5 working days, properly answer the queries of BalaBit referring to the actual usage conditions of the BalaBit Product that may differ or allegedly differs from the License conditions. Licensee shall not modify the BalaBit Product in any way, with special regard to the functions that inspect the usage of the software. Licensee shall install the code permitting the usage of the BalaBit Product according to the provisions defined for it by BalaBit. Licensee may not modify or cancel such codes. Configuration settings of the BalaBit Product in accordance with the possibilities offered by the system shall not be construed as modification of the software. Licensee shall only be entitled to analyze the structure of the BalaBit Products (decompilation or reverse- engineering) if concurrent operation with a software developed by a third party is necessary, and upon request to supply the information required for concurrent operation BalaBit does not provide such information within 60 days from the receipt of such a request. These user actions are limited to parts of the BalaBit Product which are necessary for concurrent operation. Any information obtained as a result of applying the previous Section (i) cannot be used for purposes other than concurrent operation with the BalaBit Product; (ii) cannot be disclosed to third parties unless it is necessary for concurrent operation with the BalaBit Product; (iii) cannot be used for the development, production or distribution of a different software which is similar to the BalaBit Product in its form of expression, or for any other act violating copyright. For any Annexed Software contained by the same install media as the BalaBit Product, the terms and conditions defined by its copyright owner shall be properly applied. BalaBit does not grant any License rights to any Annexed Software. Any usage of the BalaBit Product exceeding the limits and restrictions defined in this License Contract shall qualify as material breach of the License Contract and Licensee shall be fully liable towards BalaBit. Licensee shall have the right to obtain and use content updates only if Licensee concludes a maintenance contract that includes such content updates, or if Licensee has otherwise separately acquired the right to obtain and use such content updates. This License Contract does not otherwise permit Licensee to obtain and use content updates.

INTELLECTUAL PROPERTY RIGHTS

Licensee agrees that BalaBit owns all rights, titles, and interests related to the BalaBit Product and all of BalaBit's patents, trademarks, trade names, inventions, copyrights, know-how, and trade secrets relating to the design, manufacture, operation or service of the BalaBit Products.

www.balabit.com

57

WARRANTIES

The use by Licensee of any of these intellectual property rights is authorized only for the purposes set forth herein, and upon termination of this License Contract for any reason, such authorization shall cease. The BalaBit Products are licensed only for the Licensee's own internal business purposes in every case, under the condition that such License does not convey any license, expressly or by implication, to manufacture duplicate or otherwise copy or reproduce any of the BalaBit Products. The sublicense to third parties, or provides any service with the utilization of the BalaBit Product is not allowed. No other rights than expressly stated herein are granted to Licensee. Licensee will take appropriate steps with its Authorized Subsidiaries, as BalaBit may request, to inform them of and assure compliance with the restrictions contained in the License Contract.

WARRANTIES
BalaBit warrants that during the Warranty Period, the magnetic or optical media upon which the BalaBit Product is recorded will not be defective under normal use. BalaBit will replace any defective media returned to it, accompanied by a dated proof of purchase, within the Warranty Period at no charge to Licensee. Upon receipt of the allegedly defective BalaBit Product, BalaBit will at its option, deliver a replacement BalaBit Product or BalaBit's current equivalent Product to Licensee at no additional cost. BalaBit will bear the delivery charges to Licensee for the replacement Product. Should BalaBit Product be used in conjunction with third party software, BalaBit shall not be liable for errors due to third party software. Only in case of installation by BalaBit, which is subject to a separate deployment contract, see below BalaBit warrants that during the Warranty Period, the BalaBit Product, under normal use in the operating environment defined by BalaBit, and without unauthorized modification, will perform in substantial compliance with the Product Documentation accompanying the BalaBit Product, when used on that hardware for which it was installed, in compliance with the provisions of the user manuals and the recommendations of BalaBit.(The above warranty is only valid under a separate deployment contract between Licensee and BalaBit. based on that deployment contract BalaBit supports to implement any BalaBit Product. Deployment contract defines the scope and conditions of the installation and maintenance also.) The date of the notification sent to BalaBit shall qualify as the date of the failure. Licensee shall do its best to mitigate the consequences of that failure. If, during the Warranty Period, the BalaBit Product fails to comply with this warranty, and such failure is reported by Licensee to BalaBit within the Warranty Period, BalaBit's sole obligation and liability for breach of this warranty is, at BalaBit's sole option, either: (i) to correct such failure, (ii) to replace the defective BalaBit Product or (iii) to refund the license fees paid by Licensee for the applicable BalaBit Product.

TRADE MARKS
BalaBit hereby grants to Licensee the non-exclusive right to use the trade marks of the BalaBit Products in accordance with the terms and for the duration of this License Contract. BalaBit makes no representation or warranty as to the validity or enforceability of the trade marks, nor as to whether these infringe any intellectual property rights of third parties.

www.balabit.com

58

BREACH OF CONTRACT

BREACH OF CONTRACT
In case of breach of contract with respect to BalaBit, or the BalaBit Product, committed by violating any provision of the present License Contract, Licensee shall pay liquidated damages to BalaBit. The amount of the liquidated damages shall be twice as much as the price of the BalaBit Product concerned, on BalaBit's current Price List.

INTELLECTUAL PROPERTY INDEMNIFICATION

BalaBit shall pay all damages, costs and reasonable attorney's fees awarded against Licensee in connection with any claim brought against Licensee to the extent that such claim is based on a claim that Licensee's authorized use of the BalaBit Product infringes a patent, copyright, trademark or trade secret. Licensee shall notify BalaBit in writing of any such claim as soon as Licensee learns of it and shall cooperate fully with BalaBit in connection with the defense of that claim. BalaBit shall have sole control of that defense (including without limitation the right to settle the claim). If Licensee is prohibited from using any BalaBit Product due to an infringement claim, or if BalaBit believes that any BalaBit Product is likely to become the subject of an infringement claim, BalaBit shall at its sole option, either: (i) obtain the right for Licensee to continue to use such BalaBit Product, (ii) replace or modify the BalaBit Product so as to make such BalaBit Product non-infringing and substantially comparable in functionality or (iii) refund to Licensee the amount paid for such infringing BalaBit Product and provide a pro-rated refund of any unused, prepaid maintenance fees paid by Licensee, in exchange for Licensee's return of such BalaBit Product to BalaBit. Notwithstanding the above, BalaBit will have no liability for any infringement claim to the extent that it is based upon: (i) modification of the BalaBit Product other than by BalaBit, (ii) use of the BalaBit Product in combination with any product not specifically authorized by BalaBit to be combined with the BalaBit Product or (iii) use of the BalaBit Product in an unauthorized manner for which it was not designed.

LICENSE FEE
The End-user Certificate and the Product Usage Term contain the details of the purchased License and usage limitations. This information serves as the calculation base of the License fee. Licensee acknowledges that payment of the License fees is a condition of lawful usage. License fees do not contain any installation or post charges, taxes, duties, etc. The license right of BalaBit Product is transferred to the Licensee only when Licensee pays the License fee to BalaBit. In case of non-payment BalaBit has right to terminate, or rescind from the License Contract with immediate effect and Licensee has to send back the BalaBit Product on their own cost and takes all liability regarding the unlawful usage and the early termination.

DISCLAIMER OF WARRANTIES
EXCEPT AS SET OUT IN THIS LICENSE CONTRACT, BALABIT MAKES NO WARRANTIES OF ANY KIND WITH RESPECT TO THE BALABIT PRODUCT. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, BALABIT EXCLUDES ANY OTHER WARRANTIES, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF SATISFACTORY QUALITY, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS.

LIMITATION OF LIABILITY
SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN UNION, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CON-

www.balabit.com

59

DURATION AND TERMINATION

SEQUENTIAL DAMAGES AND, THEREFORE, THE FOLLOWING LIMITATION OR EXCLUSION MAY NOT APPLY TO THIS LICENSE CONTRACT IN THOSE STATES AND COUNTRIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET OUT IN THIS LICENSE CONTRACT FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT SHALL BALABIT BE LIABLE TO LICENSEE FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT OR SIMILAR DAMAGES OR LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE BALABIT PRODUCT EVEN IF BALABIT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO CASE SHALL BALABIT'S TOTAL LIABILITY UNDER THIS LICENSE CONTRACT EXCEED THE FEES PAID BY LICENSEE FOR THE BALABIT PRODUCT LICENSED UNDER THIS LICENSE CONTRACT. Based on Article 314 (2) of the Hungarian Civil Code, the Parties enter into this limitation of liability condition in view of the fact that BalaBit shall render the BalaBit Product under this License Contract and perform the obligations assumed by itself to the Licensee against the agreed fee defined in this Agreement. BalaBit shall not take any responsibility, for damages caused by the usage of the Balabit Product which is not in accordance with the Product Usage Terms.

DURATION AND TERMINATION

This License Contract shall come into effect on the day when the End-user Certificate and the declaration of the Licensee on accepting the terms and conditions of this License Contract and the declaration of Licensee that is in receipt of the install media and the hardware appliance are both signed by the duly authorized representatives of the relevant party. Licensee may terminate the License Contract at any time by written notice sent to BalaBit and by simultaneously destroying all copies of the BalaBit Product licensed under this License Contract. BalaBit may terminate this License Contract with immediate effect by written notice to Licensee, if Licensee is in material or persistent breach of the License Contract and either that breach is incapable of remedy or Licensee shall have failed to remedy that breach within 30 days after receiving written notice requiring it to remedy that breach.

AMENDMENTS
Save as expressly provided in this License Contract, no amendment or variation of this License Contract shall be effective unless in writing and signed by a duly authorized representative of the parties to it.

WAIVER
The failure of a party to exercise or enforce any right under this License Contract shall not be deemed to be a waiver of that right nor operate to bar the exercise or enforcement of it at any time or times thereafter.

SEVERABILITY
If any part of this License Contract becomes invalid, illegal or unenforceable, the parties shall in such an event negotiate in good faith in order to agree on the terms of a mutually satisfactory provision to be substituted for the invalid, illegal or unenforceable provision which as nearly as possible validly gives effect to their intentions as expressed in this License Contract.

www.balabit.com

60

NOTICES

NOTICES
Any notice required to be given pursuant to this License Contract shall be in writing and shall be given by delivering the notice by hand, or by sending the same by prepaid first class post (airmail if to an address outside the country of posting) to the address of the relevant party set out in this License Contract or such other address as either party notifies to the other from time to time. Any notice given according to the above procedure shall be deemed to have been given at the time of delivery (if delivered by hand) and when received (if sent by post).

APPLICABLE LAW AND LANGUAGE AND SETTLEMENT OF LEGAL DISPUTES

This agreement shall be governed by and construed in accordance with the laws of the Hungary without regard for its conflicts of law provisions. The language for all communications regarding this Agreement shall be English. The Parties agree that any dispute arising from this Agreement, or the breach, termination, validity or interpretation thereof or in relation thereto shall come under the exclusive jurisdiction of the Hungarian Court as defined below. The Parties irrevocably agree that any dispute, controversy or claim arising out of or in connection with this agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration by the Permanent Arbitration Court attached to the Hungarian Chamber of Commerce and Industry acting in accordance with its own Rules of Procedure. The place of arbitration shall be Budapest, the number of arbitrators shall be three (3) and the language to be used in the arbitral proceedings shall be English. The Arbitration Court shall consist of three arbitrators, out of which one shall act as chairman. The chairman should have the competence of judgeship. The Arbitration Court shall be created in the manner that the prosecuting Party, indicating the subject of the debate and nominating an arbitrator, calls the counterparty in writing to nominate the other arbitrator and the nominated arbitrators will elect the chairman.

MISCELLANEOUS
Headings are for convenience only and shall be ignored in interpreting this License Contract. This License Contract and the rights granted in this License Contract may not be assigned, sublicensed or otherwise transferred in whole or in part by Licensee without BalaBit's prior written consent. An independent third party auditor, reasonably acceptable to BalaBit and Licensee, may upon reasonable notice to Licensee and during normal business hours, but not more often than once each year, inspect Licensee's relevant records in order to confirm that usage of the BalaBit Product complies with the terms and conditions of this License Contract. BalaBit shall bear the costs of such audit. All audits shall be subject to the reasonable safety and security policies and procedures of Licensee. In case of non-acceptance in the person, an auditor, appointed by BalaBit shall keep full, complete and accurate inspect concerning that usage of the BalaBit Product complies with the terms and conditions of this License Contract. The auditor shall be entitled to examine, inspect, copy and audit the usage of the BalaBit Product. If the inspection or audit reveals that the usage is not complies with the conditions of the License Contract the Licensee shall immediately: (a) pay to BalaBit the amount of any underpayment, together with interest on that amount calculated at the rate of two per cent (2%) over the Barclay Bank base rate from time to time; and (b) pay the costs of the audit and/or inspection where that audit or inspection reveals an underpayment in excess of five per cent (5%).

www.balabit.com

61

MISCELLANEOUS

In case of the License shall not let the auditor to inspect, or examine the usage of BalaBit Product, BalaBit has right to terminate or rescind from the License Contract with immediate effect and Licensee has to send back the BalaBit Product on their own cost and takes all liability regarding the unlawful usage and the early termination. This License Contract constitutes the entire agreement between the parties with regard to the subject matter hereof.

www.balabit.com

62

Appendix 2. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License

THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS. 1. Definitions a. "Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License. b. "Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined above) for the purposes of this License. c. "Distribute" means to make available to the public the original and copies of the Work through sale or other transfer of ownership. d. "Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License. e. "Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast. f. "Work" means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing;

www.balabit.com

63

a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work. g. "You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation. h. "Publicly Perform" means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images. i. "Reproduce" means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium. 2. Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws. 3. License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below: a. to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections; and, b. to Distribute and Publicly Perform the Work including as incorporated in Collections. The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats, but otherwise you have no rights to make Adaptations. Subject to 8(f), all rights not expressly granted by Licensor are hereby reserved, including but not limited to the rights set forth in Section 4(d). 4. Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions: a. You may Distribute or Publicly Perform the Work only under the terms of this License. You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every

www.balabit.com

64

copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(c), as requested. b. You may not exercise any of the rights granted to You in Section 3 above in any manner that is primarily intended for or directed toward commercial advantage or private monetary compensation. The exchange of the Work for other copyrighted works by means of digital file-sharing or otherwise shall not be considered to be intended for or directed toward commercial advantage or private monetary compensation, provided there is no payment of any monetary compensation in connection with the exchange of copyrighted works. c. If You Distribute, or Publicly Perform the Work or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (for example a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work. The credit required by this Section 4(c) may be implemented in any reasonable manner; provided, however, that in the case of a Collection, at a minimum such credit will appear, if a credit for all contributing authors of Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties. d. For the avoidance of doubt: i. Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License; ii. Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License if Your exercise of such rights is for a purpose or use which is otherwise than noncommercial as permitted under Section 4(b) and otherwise waives the right to collect royalties through any statutory or compulsory licensing scheme; and, iii. Voluntary License Schemes. The Licensor reserves the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this Li-

www.balabit.com

65

cense that is for a purpose or use which is otherwise than noncommercial as permitted under Section 4(b). e. Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation. 5. Representations, Warranties and Disclaimer UNLESS OTHERWISE MUTUALLY AGREED BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU. 6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 7. Termination a. This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License. b. Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above. 8. Miscellaneous a. Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License. b. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable. c. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.

www.balabit.com

66

d. This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You. e. The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law.

www.balabit.com

67

Glossary
alias IP authentication auditing policy BOM BSD-syslog protocol CA certificate An additional IP address assigned to an interface that already has an IP address. The normal and alias IP addresses both refer to the same physical interface. The process of verifying the authenticity of a user or client before allowing access to a network system or service. The auditing policy determines which events are logged on host running Microsoft Windows operating systems. The byte order mark (BOM) is a Unicode character used to signal the byte-order of the message text. The old syslog protocol standard described in RFC 3164. Sometimes also referred to as the legacy-syslog protocol. A Certificate Authority (CA) is an institute that issues certificates. A certificate is a file that uniquely identifies its owner. Certificates contains information identifying the owner of the certificate, a public key itself, the expiration date of the certificate, the name of the CA that signed the certificate, and some other data. In client mode, syslog-ng collects the local logs generated by the host and forwards them through a network connection to the central syslog-ng server or to a relay. A named collection of configured destination drivers. A communication method used to send log messages. A destination that sends log messages to a remote host (that is, a syslog-ng relay or server) using a network connection. A destination that transfers log messages within the host, for example writes them to a file, or passes them to a log analyzing application. The Premium Edition of syslog-ng can store messages on the local hard disk if the central log server or the network connection to the server becomes unavailable. See disk buffer. The name of a network, for example: balabit.com. A log statement that is included in another log statement to create a complex log path. An expression to select messages.

client mode destination destination driver destination, network destination, local disk buffer disk queue domain name embedded log statement filter

www.balabit.com

68

gateway

A device that connects two or more parts of the network, for example: your local intranet and the external network (the Internet). Gateways act as entrances into other networks. High availability uses a second syslog-ng server unit to ensure that the logs are received even if the first unit breaks down. A computer connected to the network. A name that identifies a host on the network. The syslog-protocol standard developed by the Internet Engineering Task Force (IETF), described in RFC 5424-5427. A private key and its related public key. The private key is known only to the owner; the public key can be freely distributed. Information encrypted with the private key can only be decrypted using the public key. The syslog-ng license determines the number of distinct hosts (clients and relays) that can connect to the syslog-ng server. A combination of sources, filters, parsers, rewrite rules, and destinations: syslogng examines all messages arriving to the sources of the logpath and sends the messages matching all filters to the defined destinations. See log source host. See log path. A network computer storing the IP addresses corresponding to domain names. The Oracle Instant Client is a small set of libraries, which allow you to connect to an Oracle Database. A subset of the full Oracle Client, it requires minimal installation but has full functionality. A part of the memory of the host where syslog-ng stores outgoing log messages if the destination cannot accept the messages immediately. Messages from the output queue are sent to the target syslog-ng server. The syslogng application puts the outgoing messages directly into the output queue, unless the output queue is full. The output queue can hold 64 messages, this is a fixed value and cannot be modified. See output buffer. A set of rules to segment messages into named fields or columns. A command that sends a message from a host to another host over a network to test connectivity and packet loss.

high availability host hostname IETF-syslog protocol key pair

license log path

LSH log statement name server Oracle Instant Client

output buffer output queue

overflow queue parser ping

www.balabit.com

69

port

A number ranging from 1 to 65535 that identifies the destination application of the transmitted data. For example: SSH commonly uses port 22, web servers (HTTP) use port 80, and so on. An authentication method that uses encryption key pairs to verify the identity of a user or a client. A regular expression is a string that describes or matches a set of strings. The syslog-ng application supports extended regular expressions (also called POSIX modern regular expressions). In relay mode, syslog-ng receives logs through the network from syslog-ng clients and forwards them to the central syslog-ng server using a network connection. A set of rules to modify selected elements of a log message. A user-defined structure that can be used to restructure log messages or automatically generate file names. In server mode, syslog-ng acts as a central log-collecting server. It receives messages from syslog-ng clients and relays over the network, and stores them locally in files, or passes them to other applications, for example, log analyzers. A named collection of configured source drivers. A source that receives log messages from a remote host using a network connection. The following sources are network sources: tcp(), tcp6(), udp(), udp6(). A source that receives log messages from within the host, for example, from a file. A communication method used to receive log messages. See TLS. The syslog-ng application is a flexible and highly scalable system logging application, typically used to manage log messages and implement centralized logging. The syslog-ng agent for Windows is a log collector and forwarder application for the Microsoft Windows platform. It collects the log messages of the Windowsbased host and forwards them to a syslog-ng server using regular or SSL-encrypted TCP connections. A host running syslog-ng in client mode. The syslog-ng Premium Edition is the commercial version of the open-source application. It offers additional features, like encrypted message transfer and an agent for Microsoft Windows platforms.

Public-key authentication regular expression

relay mode rewrite rule template server mode

source source, network

source, local source driver SSL syslog-ng syslog-ng agent

syslog-ng client syslog-ng Premium Edition

www.balabit.com

70

syslog-ng relay syslog-ng server TLS

A host running syslog-ng in relay mode. A host running syslog-ng in server mode. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols which provide secure communications on the Internet. The syslog-ng Premium Edition application can encrypt the communication between the clients and the server using TLS to prevent unauthorized access to sensitive log messages. A command that shows all routing steps (the path of a message) between two hosts. A Unix domain socket (UDS) or IPC socket (inter-procedure call socket) is a virtual socket, used for inter-process communication.

traceroute unix domain socket

www.balabit.com

71

Index
Symbols
$DAY, $R_DAY, $S_DAY, 45 $FULLDATE, $R_FULLDATE, $S_FULLDATE, 45 $HOUR, $R_HOUR, $S_HOUR, 45 $MIN, $R_MIN, $S_MIN, 45 $MONTH, $R_MONTH, $S_MONTH, 46 $SEC, $R_SEC, $S_SEC, 46 $TZOFFSET, $R_TZOFFSET, $S_TZOFFSET, 46 $UNIXTIME, $R_UNIXTIME, $S_UNIXTIME, 46 $WEEK, $R_WEEK, $S_WEEK, 46 $WEEKDAY, $R_WEEKDAY, $S_WEEKDAY, 46 $YEAR, $R_YEAR, $S_YEAR, 46

D
DATE, 45 DAY, R_DAY, S_DAY, 45 destinations syslog-ng Agent, 16 disk buffer on Windows, 1 domain installation, 5

E
eventlog remote logging, 44

F
file encoding, 31 file sources encoding, 31 on network shares, 28, 30 formatting messages, 23 FULLDATE, R_FULLDATE, S_FULLDATE, 45

A
Apache Tomcat Catalina log messages, 32 auditing policy, 54 configuring on Windows 2003 Server, 55 configuring on Windows XP, 54 authentication syslog-ng Agent, 34

H
hostname in the messages, 23 hostname resolution, 23 HOUR, R_HOUR, S_HOUR, 45

B
BSD-syslog protocol, 18 BSDDATE, R_BSDDATE, S_BSDDATE, 45

I
IETF-syslog protocol, 19 adding macros to SDATA, 20 SDATA, 20 importing certificates, 36 inheriting settings on Windows, 13 installing syslog-ng on Windows, 3 syslog-ng Agent on domain controllers, 3 installing the agent from the domain controller, 5 into a custom directory, 9 without user interaction, 7 ISODATE, R_ISODATE, S_ISODATE, 45

C
Catalina log messages, 32 certificate revocation lists syslog-ng Agent, 35 certificates, 34 importing on Windows, 36 client authentication syslog-ng Agent, 34 client-side failover syslog-ng Agent, 23 configuring syslog-ng on Windows, 1 syslog-ng Agent, 11 CRL syslog-ng Agent, 35 custom installation folder, 9

L
Legacy-syslog protocol, 18 log files on network shares, 28, 30 losing messages from eventlog containers, 51

www.balabit.com

72

M
macros date and time, 45 eventlog sources, 46 file sources, 48 protocol, 44 syslog-ng Agent, 44-46, 48 message filtering eventlog messages, 37 file filters, 41 syslog-ng Agent, 36 message format, 23 syslog-ng Agent, 42 message rate on Windows, 24 message template, 23 metadata in SDATA, 20 MIN, R_MIN, S_MIN, 45 MONTH, R_MONTH, S_MONTH, 46 MONTHNAME, R_MONTHNAME, S_MONTHNAME, 46 multi-line messages, 32 multi-line-prefix(), 32 multiline messages, 32 mutual authentication syslog-ng Agent, 34

N
network shares, 28, 30

O
Oracle SQL log messages, 32

P
processing multi-line messages, 32

R
RFC 3164, 18 RFC 5424-5428, 19 R_DATE, 46

snare, 21, 43 sources eventlog, 25 windows log files, 28 supported operating systems, 1 syslog protocol, 19 syslog-ng Agent, 1 certificate revocation lists, 35 client authentication, 34 client-side failover, 23 configuration file, 14 configuring domain controllers, 12 configuring domain hosts, 12 configuring the logserver, 16 creating core dumps, 51 CRL, 35 default message format, 44 destinations, 16 disabling sources and filters, 33 eventlog sources, 25 failover servers, 23 file sources, 28 filtering messages, 36 importing certificates, 36 inheriting settings, 13 installing, 3 installing the agent from the domain controller, 5 installing the agent in standalone mode, 3 message format, 42 mutual authentication, 34 throttle, 24 timestamp, 43 timezone, 48 troubleshooting, 50-51 upgrading, 9 upgrading to 4.0, 9 XML, 14 S_DATE, 46

T
throttle on Windows, 24 timestamp syslog-ng Agent, 43 timezone Windows, 44, 48 TLS syslog-ng Agent, 34

S
SDATA, 20 SEC, R_SEC, S_SEC, 46 sending macros in SDATA, 20 shared drives, 28, 30 silent installation, 7

www.balabit.com

73

Tomcat log messages, 32 troubleshooting syslog-ng Agent, 50 TZ, R_TZ, S_TZ, 46 TZOFFSET, R_TZOFFSET, S_TZOFFSET, 46

U
uninstalling the agent in silent mode, 10 using the GUI, 10 UNIXTIME, R_UNIXTIME, S_UNIXTIME, 46

W
WEEK, R_WEEK, S_WEEK, 46 WEEKDAY, R_WEEKDAY, S_WEEKDAY, 46 Windows auditing policy, 54 configuring on Windows 2003 Server, 55 configuring on Windows XP, 54

Y
YEAR, R_YEAR, S_YEAR, 46

www.balabit.com

74