Windows Quick Start Guide for syslog-ng Premium Edition 5 LTS
November 19, 2015
Copyright 1996-2015 Balabit SA

Table of Contents

1. Introduction
   1.1. Scope
   1.2. Supported platforms
2. Installation
   2.1. Prerequisites
   2.2. Installing syslog-ng Premium Edition for Windows as server
   2.3. Preparing for the client installation
   2.4. Installing the syslog-ng Agent for Windows client
3. Configuring syslog-ng Premium Edition
   3.1. Reliable Transfer Protocol
   3.2. Macros in file names
   3.3. Storing messages in encrypted files
4. Further information
   4.1. About Balabit
   4.2. Sales contact

1. Introduction

The syslog-ng application is a flexible and highly scalable system logging application that is ideal for creating centralized and trusted logging solutions. Typically, syslog-ng is used to manage log messages and implement centralized logging, where the aim is to collect the log messages of several devices on a single, central log server. The different devices (called syslog-ng clients) all run syslog-ng, and collect the log messages from the various applications, files, and other sources. The clients send all important log messages to the remote syslog-ng server, which sorts and stores them.

syslog-ng Premium Edition on Windows: The syslog-ng Premium Edition on Windows application has most of the features of its Linux/UNIX counterpart, and comes with the same text-based configuration. For limitations specific to the platform, refer to: http:///sites/default/files/documents/syslog-ng-pe-5.0-guides/en/syslog-ng-pe-v5.0-guide-admin/html-single/index.html#windows-limitations

Three distinct operation scenarios are available:

In client mode, syslog-ng collects the local logs generated by the host and forwards them through a network connection to the central syslog-ng server or to a relay. Clients often also log the messages locally into files.

In server mode, syslog-ng acts as a central log-collecting server. It receives messages from syslog-ng clients and relays over the network, and stores them locally in files, or passes them to other applications, for example log analyzers.

In relay mode, syslog-ng receives logs through the network from syslog-ng clients and forwards them to the central syslog-ng server using a network connection. Relays also log the messages from the relay host into a local file, or forward these messages to the central syslog-ng server.

The application determines the mode of operation automatically, based on the license and the configuration file.

syslog-ng Agent for Windows: A lightweight client alternative to syslog-ng Premium Edition for Windows, the syslog-ng Agent for Windows application can collect and forward log messages to a remote server. It comes with a graphical user interface, and it is easier to deploy to a large number of machines.

1.1. Scope

This guide contains instructions for setting up syslog-ng Premium Edition (PE) as server and syslog-ng Agent for Windows as client on Windows for evaluation. In addition, basic configuration options are provided for the reliable transfer protocol, macros in file names, and storing messages in encrypted files.

This guide is intended as a quick introduction. For evaluating syslog-ng PE in scenarios which exceed the single client-to-server complexity (including, but not limited to, usage in domain hosts, complex networks, production environments, and load testing), refer to The syslog-ng Premium Edition 5 LTS Administrator Guide.

1.2. Supported platforms

The list of supported platforms for syslog-ng PE for Windows and syslog-ng Agent for Windows is available here: http:///network-security/syslog-ng/central-syslog-server/specifications.

2. Installation

2.1. Prerequisites

The installers are available via MyBalabit. In addition to the installers, a valid license is required to install the syslog-ng PE server. Contact your sales representative for access and license files.

2.1.1. Procedure: Downloading the server installer

Obtain the syslog-ng Premium Edition installer from MyBalabit:

Step 1. Navigate to Downloads > All files > syslog-ng > premium edition
Step 2. Choose the latest available version (5.0.2 is used as an example)
Step 3. Download the 32-bit or 64-bit installer, depending on your server's architecture:
   For the 32-bit installer, navigate to Setups > win32 and download syslog-ng-premium-edition-5.0.2-win32.exe
   For the 64-bit installer, navigate to Setups > win64 and download syslog-ng-premium-edition-5.0.2-win64.exe

The binaries include all required libraries and dependencies of syslog-ng. These components are installed in the C:\Program Files\syslog-ng directory by default. The installer can reuse existing configuration and license files. Following installation, sample configuration files are also available in the etc subfolder.

2.1.2. Procedure: Downloading the client installer (Windows Agent)

Obtain the syslog-ng Agent for Windows installer from MyBalabit:

Step 1. Navigate to Downloads > All files > syslog-ng > syslog-ng-agent
Step 2. Choose the latest available version (5.0.2 is used as an example)
Step 3. Navigate to Setups > win32 and download syslog-ng-agent-5.0.2-setup.exe. Regardless of the path name, the installer contains both the 32-bit and the 64-bit binaries.
Step 4. Install the .NET Framework. The installer requires the Microsoft .NET Framework; the supported versions are 2.0, 3.0, and 3.5. This affects the following platforms:
   Windows XP and Windows 2003 Server: These platforms either do not contain the .NET Framework, or come with an earlier, unsupported version. Install any of the supported versions.
   Windows 8 and Windows 2012 Server: These platforms come with a more recent version of the .NET Framework. To ensure compatibility, install any of the supported versions.

For further details, see Procedure 2.1, Installing the syslog-ng Agent in standalone mode, in The syslog-ng Agent for Windows 5 LTS Administrator Guide.

2.2. Procedure: Installing syslog-ng Premium Edition for Windows as server

Running syslog-ng PE in server mode requires a license file. The license determines how many individual hosts can connect to the server. You can obtain the license from your sales representative.

Step 1. Copy the installer and the license.txt file to the server
Step 2. Execute the installer
Step 3. Select Next on the Welcome screen, and accept the EULA
Step 4. Select Install syslog-ng Premium Edition and choose Next (the other option simply unpacks syslog-ng without registering it as a service)
Step 5. Keep the default installation path and choose Next
Step 6. Navigate to the license file (license.txt) and choose Next
Step 7. At this point, existing configurations could be loaded from backup. Skip this step by choosing Next
Step 8. Click Install to start the installation. Wait for the process to finish, then choose Close
Step 9. Configure the server using the sample configuration file:
   Step a. Navigate to C:\Program Files\syslog-ng\etc
   Step b. Copy syslog-ng-eventlog-to-file-sample.conf to syslog-ng.conf
   Step c. The sample configuration file stores logs in the C:\tmp temporary folder. Create the C:\tmp folder for storing logs.
Step 10. Start syslog-ng as an administrator:
   Step a. In the Start menu, navigate to All Programs > syslog-ng Premium Edition
   Step b. Right-click Start syslog-ng, and choose Run as Administrator

Expected outcome: syslog-ng PE is started, and logs appear in C:\tmp\eventlog_to_file_example.txt.

2.3. Procedure: Preparing for the client installation

To verify the client installation, a new network source must be added to the syslog-ng PE configuration:

Step 1. Open the C:\Program Files\syslog-ng\etc\syslog-ng.conf configuration file for editing
Step 2. Add the following snippet to the end of the file:

    source s_network {
        syslog();
    };
    destination d_nettofile {
        file('c:\tmp\tcp_to_file_example.txt' flags(no-multi-line));
    };
    log {
        source(s_network);
        destination(d_nettofile);
        flags(flow-control);
    };

Step 3. Save the configuration file
Step 4. Restart the syslog-ng service

2.4. Procedure: Installing the syslog-ng Agent for Windows client

The following instructions describe the standalone installation, which is configured locally. For more advanced installation options (for example, installing through domain group policies), refer to The syslog-ng Agent for Windows 5 LTS Administrator Guide. No license file is required to run syslog-ng PE in client mode.

Step 1. Execute the downloaded binary.
Step 2. Accept the EULA.
Step 3. Select the destination folder for syslog-ng Agent for Windows.
Step 4. Choose Stand alone mode.
Step 5. The installer generates a simple configuration. Enter the destination IP of the syslog-ng PE server:
   Step a. Select Destinations
   Step b. Double-click Add new server
   Step c. Enter the server's IP address
   Step d. Change the port number to 601
   Step e. Click OK
Step 6. Close the configuration window to finish the installation.
Step 7. Validate the installation by testing remote logging:
   Step a. Log out and back in on the Windows client
   Step b. Verify the server log.

Expected outcome: On the syslog-ng PE server, the logout and login events are displayed in the C:\tmp\tcp_to_file_example.txt log file.
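The syslog() source added in Procedure 2.3 listens for IETF-syslog (RFC 5424) messages on TCP port 601 and, over plain TCP, expects octet-counting framing: every message is preceded by its length in bytes and a single space. The script below is an added example, not part of this guide or of syslog-ng: it builds such frames, splits a received byte stream back into messages (including the partial trailing frame a TCP reader has to carry over to the next read), and can push constructed test messages to a lab server so that they show up in C:\tmp\tcp_to_file_example.txt next to the agent's events. Host name, application name, message texts, timestamp and the server IP are constructed values. Note that without the TLS options described in the Administrator Guide this source accepts messages from any host that can reach the port, which is why a production deployment restricts reachability to the client network.

```python
"""Build and parse RFC 5424 syslog messages with octet-counting framing.

Added example for the syslog() source in Procedure 2.3; not part of the
syslog-ng product. Everything below (host name, app name, sample texts,
timestamp) is a constructed value.
"""
import socket
from datetime import datetime, timezone

FACILITY_USER = 1      # RFC 5424 facility "user-level messages"
SEVERITY_INFO = 6      # RFC 5424 severity "informational"
SAMPLE_TS = datetime(2015, 11, 19, 12, 0, 0, tzinfo=timezone.utc)  # constructed


def build_rfc5424(msg, hostname="winclient01", appname="quickstart-test",
                  facility=FACILITY_USER, severity=SEVERITY_INFO, ts=SAMPLE_TS):
    """Return one RFC 5424 message (without framing) as bytes."""
    pri = facility * 8 + severity
    timestamp = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # VERSION=1; PROCID, MSGID and STRUCTURED-DATA are the "-" nil value
    header = f"<{pri}>1 {timestamp} {hostname} {appname} - - -"
    return f"{header} {msg}".encode("utf-8")


def frame(message_bytes):
    """Octet-counting framing: decimal byte length, a space, the message."""
    return f"{len(message_bytes)} ".encode("ascii") + message_bytes


def unframe(stream):
    """Split a byte stream of octet-counted frames into messages.

    Returns (messages, remainder). The remainder is an incomplete trailing
    frame, which a TCP reader keeps and prepends to the next read.
    Raises ValueError when the length prefix is not a decimal number.
    """
    messages = []
    pos = 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp == -1:
            break                              # length prefix not complete yet
        length_field = stream[pos:sp]
        if not length_field.isdigit():
            raise ValueError(f"bad octet-count prefix at offset {pos}")
        length = int(length_field)
        start, end = sp + 1, sp + 1 + length
        if end > len(stream):
            break                              # message body not complete yet
        messages.append(stream[start:end])
        pos = end
    return messages, stream[pos:]


def send_test_messages(server_ip, messages, port=601, timeout=5.0):
    """Send framed test messages to the syslog() source of a lab server.

    Returns the number of bytes written. server_ip is an assumption to be
    replaced with the evaluation server's address.
    """
    payload = b"".join(frame(build_rfc5424(m)) for m in messages)
    with socket.create_connection((server_ip, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    # Constructed stream: two complete frames followed by a truncated third.
    stream = frame(build_rfc5424("first test")) + frame(build_rfc5424("second test"))
    msgs, rest = unframe(stream + b"12 <14>1 tru")
    print(len(msgs), "complete messages,", len(rest), "bytes pending")
```

To exercise the server, call send_test_messages("<server-ip>", ["first test", "second test"]) from a host on the client network and check that both lines appear in the destination file; the unframe() function is the check to run against a captured stream when messages seem to go missing, since an off-by-one in the length prefix silently shifts every following frame.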

3. Configuring syslog-ng Premium Edition

The syslog-ng application reads incoming messages and forwards them to the selected destinations. The syslog-ng application can receive messages from files, remote hosts, and other sources. Log messages enter syslog-ng through one of the defined sources, and are sent to one or more destinations. Sources and destinations are independent objects; log paths define what syslog-ng does with a message, connecting the sources to the destinations. A log path consists of one or more sources and one or more destinations; messages arriving from a source are sent to every destination listed in the log path. A log path defined in syslog-ng is called a log statement. There are many other optional elements, like filters and parsers, but this guide focuses on a core syslog-ng feature: reliable logging.

Note: The syslog-ng PE server for Windows can also be installed without a license file. In this case it acts as a client or relay (depending on the configuration), but with some additional features compared to syslog-ng Agent for Windows. These features include disk buffer and relay. Consult the documentation or a pre-sales engineer for further details.

3.1. Reliable Transfer Protocol

The syslog-ng PE application can send and receive log messages in a reliable way over the TCP transport layer using the Reliable Log Transfer Protocol (RLTP). RLTP is a proprietary transport protocol that prevents message loss during connection breaks. The transport is used between syslog-ng PE hosts (for example, a client and a server, or a client-relay-server chain), and interoperates with the flow-control and reliable disk-buffer mechanisms of syslog-ng PE, thus providing the best way to prevent message loss. The sender detects which messages the receiver has successfully received. If messages are lost during the transfer, the sender resends the missing messages, starting from the last successfully received message. Therefore, messages are not duplicated at the receiving end in case of a connection break (however, in failover mode this is not completely ensured). RLTP also allows receiving encrypted and non-encrypted connections on the same port, using a single source driver.

To make RLTP work, you have to enable it on the server and on all participating clients as well. In the following example, a minimum working configuration is provided; for additional options, including TLS configuration, refer to Chapter 12, Reliable Log Transfer Protocol, in The syslog-ng Premium Edition 5 LTS Administrator Guide.

3.1.1. Procedure: Configuring the syslog-ng PE server for RLTP

Step 1. Open the C:\Program Files\syslog-ng\etc\syslog-ng.conf configuration file for editing
Step 2. Replace the line syslog(); with the following:

    syslog(port(601) transport(rltp(tls-required(no))));

Step 3. Save the file and restart syslog-ng

Expected outcome: The syslog source now supports the RLTP protocol as a transport, without TLS support. Declaring the port is necessary, as there is no default port number for the RLTP transport.

3.1.2. Procedure: Configuring syslog-ng Agent for Windows clients for RLTP

Step 1. From the Start menu, launch the Configure syslog-ng Agent for Windows application
Step 2. Select Destinations
Step 3. Right-click the previously configured destination, and choose Properties
Step 4. Enable RLTP
Step 5. Choose OK to save your changes, and exit from the configuration interface
Step 6. Restart syslog-ng Agent for the new configuration settings to take effect

Note: To restart services, you need Administrator privileges. If you use the Stop syslog-ng Agent and Start syslog-ng Agent options from the Start Menu, remember to right-click and choose the Run as Administrator option.

Remote logging can be tested the same way as described in Procedure 2.4, Installing the syslog-ng Agent for Windows client.

3.2. Procedure: Macros in file names

On servers where the logs of many clients are retained for extended periods of time, log files are usually stored under a directory hierarchy. To help sort incoming log messages into such hierarchies, syslog-ng supports the use of macros. Depending on the needs of your organization, date, source host, or combined solutions can be used. In the following example, the file destination on the server is modified to also write messages into a directory structure under /var/log, where the first level is the year, the second level is the week of the year, followed by a file name based on the sending host.

Step 1. Open the C:\Program Files\syslog-ng\etc\syslog-ng.conf configuration file for editing
Step 2. Locate the block starting with destination d_nettofile
Step 3. Modify it to look like the following:

    destination d_nettofile {
        file('c:\tmp\tcp_to_file_example.txt' flags(no-multi-line));
        file('c:\tmp\$year\$week\$host-messages' flags(no-multi-line) create-dirs(yes));
    };

For more details on the macros available in syslog-ng, refer to The syslog-ng Premium Edition 5 LTS Administrator Guide.

Step 4. Save the file and restart syslog-ng
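Section 3.1 describes the behaviour RLTP adds over plain TCP: the sender learns which messages the receiver stored, resends from the last acknowledged one after a connection break, and the receiver does not store the resent copies twice. The following Python simulation is an added example and not RLTP itself: RLTP is proprietary, its wire format is not documented in this guide, and the classes below only model acknowledged, resumable delivery with sequence numbers and cumulative acknowledgements. The message texts and the break scenario are constructed; the contrast function shows what a fire-and-forget sender loses under the same break.

```python
"""Model of acknowledged, resumable log delivery (added example; NOT the
RLTP wire protocol). Sender keeps every message until acknowledged, the
receiver acknowledges the highest sequence number stored so far, and a
resend after a break is deduplicated by sequence number.
"""
from collections import deque


class Receiver:
    """Stores messages in sequence order and returns a cumulative ack."""

    def __init__(self):
        self.stored = []          # messages written to the destination
        self.last_acked = 0       # highest sequence number stored so far
        self.rejected = 0         # resent copies of messages already stored

    def deliver(self, seq, payload):
        if seq == self.last_acked + 1:
            self.stored.append(payload)
            self.last_acked = seq
        elif seq <= self.last_acked:
            self.rejected += 1    # duplicate from a resend: not stored again
        # seq > last_acked + 1 would be a gap; this sender never skips ahead
        return self.last_acked


class Sender:
    """Keeps every message queued until the receiver has acknowledged it."""

    def __init__(self):
        self.next_seq = 1
        self.unacked = deque()    # (seq, payload), oldest first

    def queue(self, payload):
        self.unacked.append((self.next_seq, payload))
        self.next_seq += 1

    def flush(self, receiver, deliver_limit=None, lose_last_ack=False):
        """Send unacked messages in order; returns how many were put on the link.

        deliver_limit: the link carries only this many messages before it
        breaks (the rest stay queued). lose_last_ack: the last delivered
        message reaches the receiver, but its acknowledgement does not.
        """
        batch = list(self.unacked)
        if deliver_limit is not None:
            batch = batch[:deliver_limit]
        for i, (seq, payload) in enumerate(batch):
            ack = receiver.deliver(seq, payload)
            if lose_last_ack and i == len(batch) - 1:
                break             # connection broke before the ack arrived
            self._apply_ack(ack)
        return len(batch)

    def _apply_ack(self, ack):
        while self.unacked and self.unacked[0][0] <= ack:
            self.unacked.popleft()


def simulate_break(count=5, delivered_before_break=3):
    """Queue `count` messages, break the link after some are delivered with
    the last ack lost, reconnect and resend. Returns a summary dict."""
    sender, receiver = Sender(), Receiver()
    for i in range(1, count + 1):
        sender.queue(f"msg{i}")               # constructed sample messages
    sender.flush(receiver, deliver_limit=delivered_before_break, lose_last_ack=True)
    pending_after_break = len(sender.unacked)
    resent = sender.flush(receiver)           # reconnect: resume from first unacked
    return {
        "stored": receiver.stored,
        "pending_after_break": pending_after_break,
        "resent": resent,
        "duplicates_rejected": receiver.rejected,
        "still_unacked": len(sender.unacked),
    }


def simulate_without_acks(count=5, delivered_before_break=3):
    """Contrast: a sender that forgets a message once it is handed to the socket.
    Messages in flight when the link breaks are simply gone."""
    receiver = Receiver()
    for i in range(1, count + 1):
        if i <= delivered_before_break:
            receiver.deliver(i, f"msg{i}")
    return receiver.stored


if __name__ == "__main__":
    print(simulate_break())
    print(simulate_without_acks())
```

In the default scenario msg3 is delivered but its acknowledgement is lost, so after the break the sender still holds msg3, msg4 and msg5; on reconnect all three go out again, the receiver rejects the copy of msg3 and stores msg4 and msg5, and the destination ends up with exactly one copy of every message. The fire-and-forget sender ends with only msg1 to msg3, which is the loss the guide says RLTP prevents.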
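The destination in Procedure 3.2 turns three macros into a path: the year, the week number and the sending host. Since the host name in that path arrives over the network from the client, a practitioner wants to see both how the expansion behaves and what happens when the value is not a plain host name. The Python below is an added example, not syslog-ng's own template engine: it models only the three macros used above, takes the week number from the ISO calendar (an assumption; syslog-ng's own $WEEK definition is in the Administrator Guide), and replaces any value that is not a plausible host name with a fixed "invalid-host" component so that it cannot contribute path separators or ".." segments. The template string, host names and timestamp are constructed.

```python
"""Expand a macro file-name template and sort messages into files (added
example; models $year, $week and $host only, not syslog-ng's template code).
"""
import re
from datetime import datetime

TEMPLATE = r"c:\tmp\$year\$week\$host-messages"        # from Procedure 3.2
SAMPLE_TS = datetime(2015, 11, 19, 12, 0, 0)             # constructed

# Plausible host name: labels of letters, digits and hyphens joined by dots.
# Anything else (path separators, "..", spaces) is rejected before it can
# become a path component.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9-]+)*$")


def safe_hostname(host):
    """Return host unchanged if it is a plausible host name, else a sentinel."""
    if host and HOSTNAME_RE.match(host):
        return host
    return "invalid-host"


def expand(template, host, ts):
    """Replace $year, $week and $host in template for one message."""
    values = {
        "year": f"{ts.year:04d}",
        "week": f"{ts.isocalendar()[1]:02d}",   # ISO week, zero-padded (assumption)
        "host": safe_hostname(host),
    }

    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"macro ${name} is not modelled by this example")
        return values[name]

    # "$" followed by word characters; the backslash before it is kept as-is
    return re.sub(r"\$(\w+)", substitute, template)


def route(records, template=TEMPLATE):
    """Group (host, timestamp) records by the file they would be written to.

    Returns a dict mapping the expanded path to the number of messages.
    """
    counts = {}
    for host, ts in records:
        path = expand(template, host, ts)
        counts[path] = counts.get(path, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [("winclient01", SAMPLE_TS), ("winclient01", SAMPLE_TS),
              ("srv-1.example.com", SAMPLE_TS), (r"..\..\evil", SAMPLE_TS)]
    for path, n in route(sample).items():
        print(n, path)
```

The routing table for the constructed sample shows two messages in the winclient01 file, one in the srv-1.example.com file and one in invalid-host-messages rather than anywhere outside C:\tmp; an unexpectedly busy invalid-host file is itself a signal worth a look in the server's own logs.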

Note: Collecting to C:\tmp\tcp_to_file_example.txt is left there for your convenience; it can be safely removed. If the related configuration item is removed, the file stays in the folder, but will not be updated.

3.3. Procedure: Storing messages in encrypted files

The syslog-ng PE application can store log messages securely in encrypted, compressed and timestamped binary files. Timestamps can be requested from an external Timestamping Authority (TSA). Logstore files consist of individual chunks; every chunk can be encrypted, compressed, and timestamped separately. Chunks contain compressed log messages and the header information needed for retrieving messages from the logstore file. The syslog-ng PE application generates an SHA-1 hash for every chunk to verify the integrity of the chunk. The hashes of the chunks are chained together to prevent injecting chunks into the logstore file. The syslog-ng PE application can encrypt the logstore using various algorithms; by default it uses the aes128 encryption algorithm in CBC mode and the hmac-sha1 hashing (HMAC) algorithm.

In the following example, a simple logstore destination is added which stores logs with maximum compression.

Step 1. Open the C:\Program Files\syslog-ng\etc\syslog-ng.conf configuration file for editing
Step 2. Locate the block starting with destination d_nettofile
Step 3. Add the following line right below:

    destination d_logstore { logstore('c:\tmp\messages.lgs' compress(9) ); };

Step 4. Locate the line containing destination(d_nettofile)
Step 5. Add the following line right below:

    destination(d_logstore)

Step 6. Restart syslog-ng for the configuration changes to take effect
Step 7. Validate the changes. You can verify that logs are arriving in the logstore using the following command:

    "C:\Program Files\syslog-ng\bin\lgstool.exe" cat C:\tmp\messages.lgs
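The integrity scheme described above for logstore files, in which every chunk gets an SHA-1 hash, the hashes are chained, and an HMAC ties the result to a key, is the kind of thing worth seeing fail on purpose. The following Python is an added example and a toy model only: it is not the logstore file format, not lgstool, and it does not implement the aes128-cbc encryption; it builds compressed chunks with a chained SHA-1 and an HMAC-SHA1 tag, verifies them, and shows which manipulations the chain catches. The key, the sample messages and the chunk size are constructed values.

```python
"""Toy model of chained per-chunk hashes with an HMAC tag (added example;
NOT the syslog-ng logstore format). Each chunk's SHA-1 covers the previous
chunk's digest plus its own compressed body, so a chunk cannot be edited,
inserted, removed from the middle or reordered without breaking the chain.
"""
import hashlib
import hmac
import zlib

KEY = b"constructed-demo-key"      # placeholder; a real deployment configures a key
CHAIN_START = b"\x00" * 20         # chain input for the very first chunk


def build_chunks(messages, per_chunk=2, key=KEY):
    """Compress messages into chunks and chain their digests."""
    chunks, prev = [], CHAIN_START
    for i in range(0, len(messages), per_chunk):
        body = zlib.compress("\n".join(messages[i:i + per_chunk]).encode("utf-8"), 9)
        digest = hashlib.sha1(prev + body).digest()          # includes previous digest
        tag = hmac.new(key, digest, hashlib.sha1).digest()   # keyed: needs KEY to forge
        chunks.append({"body": body, "digest": digest, "tag": tag})
        prev = digest
    return chunks


def verify(chunks, key=KEY):
    """Walk the chain; return (True, None) or (False, index_of_first_bad_chunk)."""
    prev = CHAIN_START
    for idx, chunk in enumerate(chunks):
        expected = hashlib.sha1(prev + chunk["body"]).digest()
        if not hmac.compare_digest(expected, chunk["digest"]):
            return False, idx
        expected_tag = hmac.new(key, expected, hashlib.sha1).digest()
        if not hmac.compare_digest(expected_tag, chunk["tag"]):
            return False, idx
        prev = expected
    return True, None


def read_messages(chunks):
    """Decompress every chunk body back into the message list."""
    out = []
    for chunk in chunks:
        out.extend(zlib.decompress(chunk["body"]).decode("utf-8").split("\n"))
    return out


def tamper_body(chunks, idx, text):
    """Overwrite one chunk body in place (a plain on-disk edit), nothing else."""
    chunks[idx]["body"] = zlib.compress(text.encode("utf-8"), 9)
    return chunks


def forge_without_key(chunks, idx, text):
    """Rewrite a chunk and recompute its SHA-1 correctly, but without the HMAC key."""
    prev = CHAIN_START if idx == 0 else chunks[idx - 1]["digest"]
    chunks[idx]["body"] = zlib.compress(text.encode("utf-8"), 9)
    chunks[idx]["digest"] = hashlib.sha1(prev + chunks[idx]["body"]).digest()
    return chunks


if __name__ == "__main__":
    events = [f"event {i}" for i in range(5)]      # constructed sample messages
    good = build_chunks(events)
    print("intact:", verify(good), read_messages(good))
    print("edited chunk 1:", verify(tamper_body(build_chunks(events), 1, "edited")))
    print("forged chunk 0:", verify(forge_without_key(build_chunks(events), 0, "forged")))
    removed = build_chunks(events)
    del removed[1]
    print("chunk 1 removed:", verify(removed))
```

Editing a body, recomputing a digest without the key, deleting a chunk from the middle and inserting a foreign chunk are all reported at the first chunk whose chain input no longer matches. One limitation of this model is deliberate to point out: dropping the last chunk leaves a chain that still verifies, so detecting tail truncation needs a record of the expected chain head kept outside the file, which this example does not provide.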

4. Further information

4.1. About Balabit

Balabit provides security technologies to prevent data breaches without constraining business and is a leading provider of contextual security technologies. Balabit operates globally through partners, and has a network of local offices across the United States and Europe.

Balabit's Contextual Security Intelligence strategy protects organizations in real-time from threats posed by the misuse of high-risk and privileged accounts. Solutions include reliable system and application Log Management with context-aware data ingestion, Privileged User Monitoring, and User Behavior Analytics. These technologies can identify unusual user activities, and provide deep visibility into potential threats. Working in conjunction with existing control-based strategies, Balabit enables a flexible and people-centric approach to improve security without adding additional barriers to business practices.

Founded in 2000 and headquartered in Luxembourg, Balabit has a proven track record including over twenty Fortune 100 customers, amongst over 1,000,000 corporate users worldwide. For more information, visit.

To learn more about commercial and open source Balabit products, request an evaluation version, or find a reseller, visit the following links:
   The syslog-ng homepage
   Contact us and request an evaluation version
   Find a reseller

4.2. Sales contact

You can directly contact us with sales related topics at the e-mail address <sales@balabit.com>, or leave us your contact information and we will call you back.

All questions, comments or inquiries should be directed to <info@balabit.com> or by post to the following address:

Balabit SA
1117 Budapest, Alíz Str. 2
Phone: +36 1 398 6700
Fax: +36 1 208 0875
Web: https:///

Copyright 2015 Balabit SA

All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Balabit. The latest version is always available at the Balabit Documentation Page.