rsyslog

The rocket-fast system for log processing

RSyslog Windows Agent and CEE

The Rsyslog Windows Agent comes with support for the new CEE enhanced format out of the box. It is designed to work flawlessly with all components from the Adiscon product lines and other CEE enhanced-enabled products. And it is one of the first products to support the Project Lumberjack at all. If you do not know what CEE enhanced is good for, it might be wise to watch our introduction into CEE.

In this guide, we will show the necessary steps to create a configuration for the RSyslog Windows Agent to output CEE enhanced conform log messages. The setup itself is very simple and does not differ a lot from other basic setups. In the end we will have a configuration, that will poll Windows EventLogs and forward them via syslog in CEE enhanced format to another syslog server.

Step 1: Setting up the ruleset and action.

1. First we define a new rule set. Right-click "Rulesets". A pop up menu will appear. Select "Add Rule Set" from this menu.

2. Then, a wizard starts. Change the name of the ruleset to whatever name you like. We will use "Forward syslog" in this example. The screen looks as follow:

Click "Next" to go on with the next step.

3. Select only Forward via Syslog. Do not select any other options for this sample. Also, leave the "Create a Rule for each of the following actions" setting selected. Click "Next". You will see a confirmation page. Click "Finish" to create the rule set.
null

4. As you can see, the new Rule Set "Forward syslog" is present. Please expand it in the tree view until the action level of the "Forward syslog" Rule and select the "Forward syslog" action to configure.

5. Configure the "Forward via Syslog" Action
Insert the IP of your syslog server into the field "Syslog Server". You can change the port if needed as well. We will keep it on the default port 514. You could also change to protocol type to TCP for example. Attention RSyslog Windows Agent and your syslog server must use the same port and the same protocol.

But you need to change the "Used Message Format". Click on the dropdown menu to see the options and choose "Use CEE enhanced Syslog Format".
null

The configuration for syslog forwarding should now look like this:
null

6. Finally, make sure you press the "Save" button – otherwise your changes will not be applied.

Step 2: Setting up the EventLog Monitor V2.

Note: This guide explains how to set up the EventLog Monitor V2 Service for Windows Vista/z/2008. These steps are not applicable if you are using Windows XP/2000/2003. In that case, please use the regular EventLog Monitor.

1. First, right click on "Services", then select "Add Service" and then "Event Log Monitor V2″:

Again, you can use either the default name or any one you like. We will use the default name in this example. Leave the "Use default settings" selected and press "Finish", as we are not changing any other settings right now.

2. Now, you will see the newly created service beneath the "Services" as part of the tree view. To check its parameters, select it:

As you can see, the service automatically checks for all present EventLogs. You can now select or disable certain logs or change some of their properties.

Note: The ruleset "Forward Syslog" has been automatically assigned as the ruleset to use. By default, the wizard will always assign the first rule set visible in the tree view to new services.

Step 3: Starting the Service.

5. The last step is to save the changes and start the service. This procedure completes the configuration of the syslog server.

The Service cannot dynamically read changed configurations. As such, it needs to be restarted after such changes. In our sample, the service was not yet started, so we simply need to start it. If it already runs, you need to restart it.

We are now finished. You should now receive the Eventlog messages on your syslog server in CEE enhanced format.

One thought on “RSyslog Windows Agent and CEE

  1. Pingback: Rsyslog Windows Agent Released rsyslog

Comments are closed.