
RSyslog Windows Agent 7.1 Released

Release Date: 2021-07-14

Build-IDs: Service 7.1.0.214, Client 7.1.0.300

Features

  • EventLog Monitor V2: Added support for monitoring Analytic and Debug channels. These channels work only in polling mode, and detection of the last record is limited due to the nature of analytic/debug channels.
  • EventLog Monitor V2: Added a new “Copy Messageformat into property” option to copy a second output format into a custom property.
  • File Monitor: Added support for batched processing, which greatly improves processing speed.

Bugfixes

  • EventLog Monitor v2: Removed unnecessary spaces within LOGSIEM JSON format.
  • File Monitor: Fixed a race condition saving the correct file position on action failure.
  • Status Actions: Fixed an issue calculating wrong values when multiple compute status actions were executed at the same time.

You can download a free trial version of RSyslog Windows Agent.

RSyslog Windows Agent 7.0 Released

Release Date: 2021-03-09

Build-IDs: Service 7.0.0.213, Client 7.0.0.297

Features

  • Filter Engine: Added support for filtering by IPv6 addresses.
  • Eventlog Monitor V2: Added support for the LogPoint SIEM JSON format.
  • Eventlog Monitor V2: Added support for the following EventLog properties (if available):
    providerguid, processid, threadid, version, opcode, eventtype, nxseverityvalue (required for severity mapping in the LogPoint SIEM JSON format)
  • Action Caching: Added support for caching / queuing in RELP Action when Action processing fails.
  • Filter Engine: Added support to store filter results when using the global Status Variable type filters.
  • Queue Engine: Added Warning/Error events which are generated when the queue gets full.
  • Librelp: Updated librelp to v1.8.0.
  • OpenSSL: Updated to version 1.1.1g.

Bugfixes

  • Filter Engine: Fixed SaveIntoProperty handling when using the Status Type Filter.
  • Queue Engine: Fixed an issue that caused an internal STATUS_STACK_BUFFER_OVERRUN exception when two TCP Syslog sessions were closed at the same time.

You can download a free trial version of RSyslog Windows Agent.

RSyslog Windows Agent 3.3 Released

Adiscon is proud to announce the 3.3 release of RSyslog Windows Agent.

This is a bugfix release with a minor feature update.

Most importantly, the Adiscon SNMP MIB now supports message sizes up to 64k (the previous limit was 255 characters). The OpenSSL library has been updated to 1.0.2h. Bugs were fixed primarily in RELP and syslog forwarding processing. For details, please see the change log.

Detailed information can be found in the version history below.

Build-IDs: Service 3.3.152, Client 3.3.235

Features

  • Components:
    • OpenSSL library updated to 1.0.2h.
  • Adiscon SNMP Mib:
    • Changed the DisplayString limit from 255 characters to 65536. Strings longer than 255 characters can now be sent using the Adiscon MIBs.

Bugfixes

  • Send Syslog Action:
    • Fixed an issue with the “Disable processing, forward as it is” option: the RawSyslogMsg property is now used instead of the msg property.
  • Send Relp Action:
    • Fixed an issue in the session close/shutdown procedure which could lead to leaked sessions on RELP servers.
    • Fixed an issue setting a proper status on failure.
    • Fixed a problem handling socket failures.
  • Event Monitor V2:
    • Dynamic properties could break the XML format if their names contained spaces. Spaces and control characters in property names are now replaced with underscores.
  • Relp Listener:
    • Fixed socket subsystem startup when only a RELP Listener service was configured without any other network-related services.
  • Syslog Server:
    • Fixed an issue relaying the priority/facility properties on syslog forward: the prifac property was not properly recreated if the message source was syslog.
    • Fixed an issue with RFC 5424 header parsing that partially parsed invalidly formatted syslog messages, which corrupted the original message.
    • Fixed a parsing issue (TCP protocol only) when the syslog header was missing. When the first characters were a number, TCP syslog tried to detect octet-counted framing; detection failed, but the leading characters of the message were lost. Octet framing was also not disabled, resulting in unexpected message endings.
    • Fixed an issue with RFC 3164 syslog header parsing when “take syslog source from msg” is enabled.
  • Property Replacer:
    • Date-related options are now evaluated both before and after the property is truncated, the second time only if no match was found before truncation.
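The two Syslog Server parsing fixes above (a partially valid RFC 5424 header must not alter the original message, and a TCP message that merely begins with a number must not be mistaken for octet-counted framing) are easy to get wrong on any receiver. The following is an added example, not code from the agent, of a stream splitter and header parser that handles both cases: framing is only assumed to be octet-counted when the digits and space are followed by a `<` starting the PRI, and header parsing is all-or-nothing. That heuristic and the simplified structured-data pattern are my assumptions, not the agent's rules, and the sample stream is constructed.

```python
import re
from typing import List, Optional, Tuple

# Octet-counted framing (RFC 6587): "MSG-LEN SP SYSLOG-MSG". Assumption: treat data as
# octet-counted only when the digits and space are followed by '<' (start of the PRI);
# anything else is LF-terminated, so a message that just starts with a number is kept whole.
_OCTET_PREFIX = re.compile(rb'^(\d{1,5}) (?=<)')

def split_tcp_stream(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split received TCP bytes into complete syslog frames.
    Returns (frames, remainder); the remainder is an incomplete frame to be
    prepended to the next read. Nothing is dropped on a failed framing guess."""
    frames: List[bytes] = []
    while buf:
        m = _OCTET_PREFIX.match(buf)
        if m:
            length, start = int(m.group(1)), m.end()
            if len(buf) - start < length:
                break                       # octet-counted frame not fully received yet
            frames.append(buf[start:start + length])
            buf = buf[start + length:]
            continue
        nl = buf.find(b'\n')
        if nl < 0:
            break                           # LF-terminated message not complete yet
        frames.append(buf[:nl].rstrip(b'\r'))
        buf = buf[nl + 1:]
    return frames, buf

# RFC 5424 header. Simplification (assumption): structured-data elements are matched as
# '[...]' blocks without handling escaped ']' characters inside parameter values.
_RFC5424 = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) '
    r'(?P<timestamp>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) '
    r'(?P<hostname>\S{1,255}) (?P<appname>\S{1,48}) (?P<procid>\S{1,128}) (?P<msgid>\S{1,32}) '
    r'(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$',
    re.DOTALL,
)

def parse_rfc5424(text: str) -> Optional[dict]:
    """Return the header fields and MSG, or None if the whole header does not validate.
    The decision is all-or-nothing, so a half-matching header never mutates the message."""
    m = _RFC5424.match(text)
    if not m:
        return None
    pri = int(m.group('pri'))
    if pri > 191:                           # facility 0..23, severity 0..7
        return None
    fields = m.groupdict()
    fields['facility'], fields['severity'] = pri >> 3, pri & 7
    fields['msg'] = fields['msg'] or ''
    return fields

def process_frame(frame: bytes) -> dict:
    """Decode one frame. Unparseable input is passed through untouched as 'raw'."""
    text = frame.decode('utf-8', errors='replace')
    parsed = parse_rfc5424(text)
    if parsed is None:
        return {'parsed': False, 'raw': text}
    return {'parsed': True, 'raw': text, **parsed}

def octet_frame(msg: bytes) -> bytes:
    """Wrap a message in octet-counted framing as a sender would."""
    return str(len(msg)).encode() + b' ' + msg

# Constructed sample stream: one octet-counted RFC 5424 message, an LF-terminated line that
# happens to start with digits, a legacy RFC 3164 message, and an incomplete trailing frame.
SAMPLE_MSG = b'<34>1 2021-07-14T12:00:00Z host app 1 ID1 - hello'
SAMPLE_STREAM = (
    octet_frame(SAMPLE_MSG)
    + b'12345 ticks since boot\n'
    + b'<13>Jul 14 12:00:00 host legacy msg\n'
    + b'<34>1 2021-07-14T12:00:00Z host'
)

def demo() -> Tuple[List[dict], bytes]:
    frames, rest = split_tcp_stream(SAMPLE_STREAM)
    return [process_frame(f) for f in frames], rest

if __name__ == '__main__':
    records, rest = demo()
    for r in records:
        print(r)
    print('incomplete remainder:', rest)
```

The legacy RFC 3164 line and the digit-leading line come out unparsed but byte-for-byte intact, which is the behaviour the fixes above restore; a receiver that rewrites a message on a partial header match is also a good way to lose the evidence you were collecting.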

Version 3.3 is a free download. Customers with existing 2.x keys can contact our Sales department for upgrade prices. If you have a valid Upgrade Insurance ID, you can request a free new key by sending your Upgrade Insurance ID to sales@adiscon.com. Please note that the download enables the free 30-day trial version if used without a key – so you can right now go ahead and evaluate it.

RSyslog Windows Agent 3.2 Released

Adiscon is proud to announce the 3.2 release of RSyslog Windows Agent.

This is a maintenance release for RSyslog Windows Agent, which includes features and bugfixes.

There is a long list of changes, but the most important is the enhanced support for file-based configurations.

Built-in components such as OpenSSL and NetSNMP have also been updated to the latest versions.

Detailed information can be found in the version history below.

Build-IDs: Service 3.2.143, Client 3.2.0.230

Features

  • Components:
    • Updated OpenSSL to 1.0.2e.
  • Engine:
    • When using TLS mode x509/Name, permitted peers are now also checked against the certificate's Subject Alternative Name (SAN), not only the subject Common Name.
  • EventLog Monitor V2:
    • Added a new option “Wait time after action failure” which specifies how long to wait after an action error occurred. Without the wait time, the subscription would immediately fire again. An action failure is most likely caused by network problems, so the default of 15 seconds is a reasonable value.
  • File Monitor:
    • Added regular expression support for message separators, plus options to prepend or append the separator to the message. When using regex message separators, it may be necessary to include the separator in the message.
  • Syslog Action:
    • Added a wait time doubling option for the Diskqueue feature. When enabled, the configured wait time is doubled after every retry until the doubling limit is reached.
    • Added a random wait time delay option for the Diskqueue feature. When enabled, a random wait time (up to the configured maximum) is added to the configured wait time.
    • Added an overrun prevention delay option for the Diskqueue feature. When enabled, the action sleeps for the configured delay between each syslog message.
  • Services TestMode:
    • Added a test mode for services; currently EventLog Monitor V1 & V2 and File Monitor are supported. When test mode is enabled for a service, it processes its events/files over and over again, so use this setting for testing purposes only.
  • File Based Configuration:
    • Added support for file includes. The feature is enabled by setting one or both of the Client Options “Create individual configuration files for Services” and “Create individual configuration files for RuleSets”. When enabled, the configuration client splits services and/or rulesets into separate files, and the main configuration file includes them by a pattern. The service itself can read nested includes up to a depth of 10. When using custom (hand-written) configurations with includes, the configuration client can only read them; it cannot maintain (save) the custom configuration structure.
  • Command line:
    • Added a handler for CTRL+C when running the service in console mode.
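The x509/Name change in the Engine item above is the security-relevant one in this list: a permitted-peer name compared only against the subject CN misses certificates whose identity lives in the SAN, and a check that ignores the SAN list accepts the wrong peer. The following is an added example, not the agent's own code, of what such a peer check looks like, using the certificate dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. The wildcard rule (a leading `*.` in a permitted peer matches exactly one DNS label) and the exact-match-only treatment of wildcards inside the certificate are my assumptions, not documented agent behaviour; the certificates are constructed.

```python
import ipaddress
from typing import Iterable, List, Mapping

def cert_names(cert: Mapping) -> List[str]:
    """Identities a peer certificate asserts: SAN entries of type DNS and IP Address,
    followed by the subject commonName. SAN entries come first because RFC 6125
    prefers them; the CN is still collected because both are checked."""
    names: List[str] = []
    for kind, value in cert.get('subjectAltName', ()):
        if kind in ('DNS', 'IP Address'):
            names.append(value)
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                names.append(value)
    return names

def name_matches(pattern: str, name: str) -> bool:
    """Match one permitted-peer pattern against one certificate name.
    IP literals are compared numerically; DNS names case-insensitively. A pattern
    starting with '*.' matches exactly one label (assumption). A wildcard inside the
    certificate name is only accepted when the pattern is literally the same string."""
    try:
        return ipaddress.ip_address(pattern) == ipaddress.ip_address(name)
    except ValueError:
        pass                                    # not both IP addresses: use DNS rules
    pattern, name = pattern.lower().rstrip('.'), name.lower().rstrip('.')
    if pattern == name:
        return True
    if pattern.startswith('*.'):
        suffix = pattern[1:]                    # '*.example.com' -> '.example.com'
        if not name.endswith(suffix):
            return False
        prefix = name[:-len(suffix)]
        return bool(prefix) and '.' not in prefix and '*' not in prefix
    return False

def peer_permitted(cert: Mapping, permitted: Iterable[str]) -> bool:
    """True if any permitted-peer entry matches any identity in the certificate."""
    names = cert_names(cert)
    return any(name_matches(p, n) for p in permitted for n in names)

# Constructed certificates in the dict shape returned by ssl.SSLSocket.getpeercert().
CERT_WITH_SAN = {
    'subject': ((('organizationName', 'Example Corp'),), (('commonName', 'old-name.example.com'),)),
    'subjectAltName': (('DNS', 'syslog.example.com'), ('IP Address', '192.0.2.10')),
}
CERT_CN_ONLY = {
    'subject': ((('commonName', 'syslog.example.com'),),),
}

if __name__ == '__main__':
    for peers in (['syslog.example.com'], ['*.example.com'], ['*.com'],
                  ['192.0.2.10'], ['evil.example.org']):
        print(peers, peer_permitted(CERT_WITH_SAN, peers), peer_permitted(CERT_CN_ONLY, peers))
```

A permitted-peer list is only as strong as the CA that issued the certificates being matched: the name check runs after chain validation, not instead of it, and a broad wildcard such as `*.com` in the permitted list is rejected here because it would accept any host at all.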

Bugfixes

  • Syslog Server:
    • Fixed a problem receiving RFC3195RAW messages.
    • Fixed message timeout handling when no message separator was enabled in Syslog TCP mode.
  • Syslog Action:
    • Fixed an issue when diskqueue files were corrupt. Corrupted entries are now skipped properly.
    • In some cases when the action was in diskqueue mode, the internal retry could fail, and cached syslog messages would not be sent until the service was restarted.
  • SSL/TLS:
    • Actions with SSL/TLS support (like Send Syslog Action) could fail to send messages if the recipient closed the connection in the meantime. The handling of closed connections has been hardened when TLS/SSL is enabled.
  • Command line:
    • Fixed handling when using more than one command line option.
  • File Based Configuration:
    • Fixed a bug reading general options from the file configuration.
    • Fixed an issue reading from and writing to the correct data directories when using custom locations.
    • Fixed an issue detecting whether data state files need to be reloaded.
    • Better error handling when the config file is missing or not accessible.
  • Configuration client:
    • When deleting an item in a datagrid, the Confirm/Reset buttons now become clickable to save or reset the changes.
    • Fixed the timestamp for the “EventLog Legacy Format” INSERT.
    • Fixed the invisible encryption checkbox for password fields (like in the ODBC Action).
    • Fixed an issue of unwanted LastRecord saving when changing EventLog channel settings.
    • The little “Save” button has been renamed to “Confirm”, which is more precise.
    • Corrected min/max values for the General->Queue Limit setting.
    • Removed invisible click areas for all checkboxes and radio buttons.
    • Fixed loading of “Processed Files” in File Monitor when running in file config format.
    • Changed error handling when exporting configuration in file format.
    • Fixed incorrect trimming of spaces at the end of text variables (only affected file-based configurations).
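The three Diskqueue options added in this release (wait time doubling with a limit, a random extra delay, and an overrun prevention delay between messages) together form a capped exponential backoff with jitter, which is what keeps a recovering syslog server from being hammered by every agent retrying in lockstep once the diskqueue retry above starts working again. The added example below, not the agent's code, shows the retry schedule such settings produce and a queue drain that honours the per-message delay; the parameter names and the uniform-jitter choice are my assumptions about how the agent applies these options, not documented behaviour.

```python
import random
import time
from typing import Callable, Iterable, List, Optional

def retry_schedule(base_wait: float, attempts: int, *, doubling: bool = False,
                   doubling_limit: Optional[float] = None, random_max: float = 0.0,
                   seed: Optional[int] = None) -> List[float]:
    """Seconds to wait before each of `attempts` retries of a failed Syslog Action.

    doubling       -- the wait doubles after every failed attempt
    doubling_limit -- the wait stops growing once it reaches this cap
    random_max     -- a uniform random delay in [0, random_max] is added to every wait
                      (assumption: uniform distribution; the agent does not say)
    seed           -- fixes the random sequence so a schedule can be reproduced in tests
    """
    rng = random.Random(seed)
    waits: List[float] = []
    wait = float(base_wait)
    for _ in range(attempts):
        jitter = rng.uniform(0.0, random_max) if random_max > 0 else 0.0
        waits.append(wait + jitter)
        if doubling:
            wait *= 2
            if doubling_limit is not None:
                wait = min(wait, float(doubling_limit))
    return waits

def flush_queue(messages: Iterable[str], send: Callable[[str], None],
                overrun_delay: float, sleep: Callable[[float], None] = time.sleep) -> int:
    """Drain a disk queue, sleeping `overrun_delay` seconds between consecutive messages
    so a burst of queued events does not overrun the receiver. Returns the count sent.
    `sleep` is injectable so the pacing can be verified without actually waiting."""
    sent = 0
    for i, msg in enumerate(messages):
        if i and overrun_delay > 0:
            sleep(overrun_delay)
        send(msg)
        sent += 1
    return sent

if __name__ == '__main__':
    print('plain      :', retry_schedule(15, 5))
    print('doubling   :', retry_schedule(15, 5, doubling=True, doubling_limit=120))
    print('with jitter:', retry_schedule(15, 5, doubling=True, doubling_limit=120,
                                         random_max=5, seed=1))
    flush_queue(['evt1', 'evt2', 'evt3'], print, overrun_delay=0.01)
```

With doubling and a limit, a base wait of 15 seconds reaches the cap after three failures and then stays there; the random delay is what separates agents that all lost the same server at the same moment, and the overrun delay bounds the burst rate when the queue finally drains.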

Version 3.2 is a free download. Customers with existing 2.x keys can contact our Sales department for upgrade prices. If you have a valid Upgrade Insurance ID, you can request a free new key by sending your Upgrade Insurance ID to sales@adiscon.com. Please note that the download enables the free 30-day trial version if used without a key – so you can right now go ahead and evaluate it.

RSyslog Windows Agent 2.2 Released

Adiscon is proud to announce the 2.2 release of RSyslog Windows Agent.

This is a maintenance release and contains mainly bugfixes.

Most notably, this version includes OpenSSL library 1.0.1g, which fixes the OpenSSL vulnerability known as Heartbleed (CVE-2014-0160).

Remote Eventlog Monitoring in Eventlog Monitor V2 has been improved.

Detailed information can be found in the version history below.

Build-IDs: Service 2.2.117, Client 2.2.0.141

Features

  • Updated embedded OpenSSL library to 1.0.1g

Bugfixes

  • EventLog Monitor V2: Fixed a problem reading the “Process unknown/unconfigured Eventlog Channels” option which was added in the last minor update.
  • EventLog Monitor V2: Fixed a problem when using “Remote EventLog Monitoring”. Log sources are now read from the remote machine properly.
  • Engine: Fixed startup issues reading the Windows registry. This problem only applied if the service was configured to run under a user account with insufficient write permissions on the Windows registry.

 

Version 2.2 is a free download. Customers with existing 1.x keys can contact our Sales department for upgrade prices. If you have a valid Upgrade Insurance ID, you can request a free new key by sending your Upgrade Insurance ID to sales@adiscon.com. Please note that the download enables the free 30-day trial version if used without a key – so you can right now go ahead and evaluate it.

RSyslog Windows Agent and CEE

The RSyslog Windows Agent comes with support for the new CEE enhanced format out of the box. It is designed to work flawlessly with all components from the Adiscon product lines and with other CEE enhanced-enabled products, and it is one of the first products to support Project Lumberjack at all. If you do not know what CEE enhanced is good for, it might be wise to watch our introduction to CEE.

In this guide, we show the steps necessary to create a configuration for the RSyslog Windows Agent that outputs log messages conforming to the CEE enhanced format. The setup itself is very simple and does not differ much from other basic setups. In the end we will have a configuration that polls the Windows EventLogs and forwards them via syslog, in CEE enhanced format, to another syslog server.

Step 1: Setting up the ruleset and action.

1. First we define a new rule set. Right-click “Rulesets”. A pop up menu will appear. Select “Add Rule Set” from this menu.

2. Then, a wizard starts. Change the name of the ruleset to whatever name you like. We will use “Forward syslog” in this example. The screen looks as follows:

Click “Next” to go on with the next step.

3. Select only Forward via Syslog. Do not select any other options for this sample. Also, leave the “Create a Rule for each of the following actions” setting selected. Click “Next”. You will see a confirmation page. Click “Finish” to create the rule set.

4. As you can see, the new Rule Set “Forward syslog” is present. Please expand it in the tree view until the action level of the “Forward syslog” Rule and select the “Forward syslog” action to configure.

5. Configure the “Forward via Syslog” Action
Insert the IP of your syslog server into the field “Syslog Server”. You can change the port if needed as well. We will keep it on the default port 514. You could also change to protocol type to TCP for example. Attention RSyslog Windows Agent and your syslog server must use the same port and the same protocol.

But you need to change the “Used Message Format”. Click on the dropdown menu to see the options and choose “Use CEE enhanced Syslog Format”.

The configuration for syslog forwarding should now look like this:

6. Finally, make sure you press the “Save” button – otherwise your changes will not be applied.

Step 2: Setting up the EventLog Monitor V2.

Note: This guide explains how to set up the EventLog Monitor V2 service for Windows Vista/7/2008. These steps are not applicable if you are using Windows XP/2000/2003; in that case, please use the regular EventLog Monitor.

1. First, right click on “Services”, then select “Add Service” and then “Event Log Monitor V2”:

Again, you can use either the default name or any one you like. We will use the default name in this example. Leave the “Use default settings” selected and press “Finish”, as we are not changing any other settings right now.

2. Now, you will see the newly created service beneath the “Services” as part of the tree view. To check its parameters, select it:

As you can see, the service automatically checks for all present EventLogs. You can now select or disable certain logs or change some of their properties.

Note: The ruleset “Forward Syslog” has been automatically assigned as the ruleset to use. By default, the wizard will always assign the first rule set visible in the tree view to new services.

Step 3: Starting the Service.

The last step is to save the changes and start the service. This completes the configuration of the agent.

The Service cannot dynamically read changed configurations. As such, it needs to be restarted after such changes. In our sample, the service was not yet started, so we simply need to start it. If it already runs, you need to restart it.

We are now finished. You should now receive the Eventlog messages on your syslog server in CEE enhanced format.
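To know what the configuration above actually puts on the wire, and to check on the receiving side that the `@cee:` cookie and its JSON survived transport intact, here is an added example (not the agent's code) that builds and parses a CEE-enhanced syslog message from a constructed Windows event record. The RFC 5424 header layout, the property names in the sample event and the local0/informational defaults are my assumptions; the page does not show the agent's exact output.

```python
import json
import socket
from datetime import datetime, timezone
from typing import Mapping, Optional

CEE_COOKIE = '@cee:'
FACILITY_LOCAL0 = 16      # assumption: the agent's default facility is not stated on the page
SEVERITY_INFO = 6

def syslog_pri(facility: int, severity: int) -> int:
    """RFC 5424/3164 PRI value: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError('facility must be 0..23 and severity 0..7')
    return facility * 8 + severity

def build_cee_message(event: Mapping, hostname: str, appname: str,
                      facility: int = FACILITY_LOCAL0, severity: int = SEVERITY_INFO,
                      timestamp: Optional[str] = None) -> str:
    """RFC 5424 header, then the '@cee:' cookie and the event as one JSON object.
    json.dumps escapes quotes, backslashes and line breaks, so a multi-line Windows
    event description cannot split the syslog record or inject a second message."""
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')
    payload = json.dumps(dict(event), separators=(',', ':'), ensure_ascii=True)
    # PROCID, MSGID and STRUCTURED-DATA are NILVALUE ('-') here.
    return f'<{syslog_pri(facility, severity)}>1 {timestamp} {hostname} {appname} - - - {CEE_COOKIE} {payload}'

def parse_cee_message(line: str) -> Optional[dict]:
    """Receiver side: return the JSON object after the '@cee:' cookie, or None when the
    line carries no cookie or the JSON is malformed (treat such lines as plain text)."""
    idx = line.find(CEE_COOKIE)
    if idx < 0:
        return None
    try:
        obj = json.loads(line[idx + len(CEE_COOKIE):])
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None

def send_udp(line: str, server: str, port: int = 514) -> int:
    """Forward one message over plain UDP (the guide's default). Unauthenticated and
    unencrypted: fine for a lab, use the agent's TCP/TLS options for real event logs."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode('utf-8'), (server, port))

# Constructed sample: a failed-logon event (Security log, Event ID 4625) as the agent's
# EventLog Monitor V2 might expose it; the property names are assumptions.
SAMPLE_EVENT = {
    'Channel': 'Security',
    'EventID': 4625,
    'Provider': 'Microsoft-Windows-Security-Auditing',
    'TargetUserName': 'alice',
    'IpAddress': '198.51.100.7',
    'Status': '0xC000006D',
    'Message': 'An account failed to log on.\r\nSubject:\r\n\tSecurity ID: S-1-0-0',
}

if __name__ == '__main__':
    line = build_cee_message(SAMPLE_EVENT, 'WIN-DC01', 'RSyslogWinAgent')
    print(line)
    print(parse_cee_message(line))
    # send_udp(line, '192.0.2.20')   # uncomment with a real receiver
```

The receiving rsyslog or SIEM looks for the `@cee:` cookie and parses what follows as JSON; a line without the cookie, or with broken JSON, falls back to the plain-text message path, so a quick way to verify the setup is to capture one forwarded line and feed it to `parse_cee_message` rather than eyeballing it.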

How To setup EventLogMonitor V2 Service

Note: This guide explains how to set up the EventLog Monitor V2 service on Windows Vista. These steps are not applicable if you are using Windows XP.

1. First, right click on “Services”, then select “Add Service” and then “Event Log Monitor V2”:

Again, you can use either the default name or any one you like. We will use the default name in this sample. Leave the “Use default settings” selected and press “Next”.

2. As we have used the default, the wizard will immediately proceed with step 3, the confirmation page. Press “Finish” to create the service. The wizard completes and returns to the configuration client.

3. Now, you will see the newly created service beneath the “Services” as part of the tree view. To check its parameters, select it:

As you can see, the service has been created with the default parameters.

Note: The “Default RuleSet” has been automatically assigned as the rule set to use. By default, the wizard will always assign the first rule set visible in the tree view to new services.

4. Finally, we bind a ruleset to this service. If you already have a ruleset, simply choose one. If not, you will have to create one, or insert the actions you want to take into the default ruleset.
Remember, this is only an example. You can do it in any way you want.

5. The last step is to save the changes and start the service. This completes the configuration of the agent.

The NT Service cannot dynamically read changed configurations. As such, it needs to be restarted after such changes. In our sample, the service was not yet started, so we simply need to start it. If it already runs, you need to restart it.

That’s it. This is how you create a simple Event Log Monitor V2 for Vista.
