This repository has been archived by the owner on Dec 13, 2021. It is now read-only.

RSyslog Windows Setup

Jack Whitter-Jones edited this page Oct 22, 2020 · 9 revisions

RSyslog Windows Agent

The Windows RSyslog agent has been used to demonstrate the ingestion method of Windows Syslog events. With the use of RSyslog within the Linux operating system, the use of the RSyslog Windows Agent was to provide consistency across both platforms. However, alternatives can be used to transport Windows log files to the Syslog Forwarder described within the Architectural Design and RSyslog Linux Setup. The remainder of this section demonstrates the setup of the RSyslog Windows User-Agent through the RSyslog Windows User-Agent Configuration application.

Before continuing it is important that you read over the RSyslog Linux setup, as this device is used as a central log forwarder.

RSyslog Windows Agent Setup

Within the RSyslog Windows Agent, two key features are presented:

  • Services - The monitoring capability within the user-agent, e.g., the Heartbeat service, which sends a periodic pulse to confirm the device is still active.
  • Rulesets - The actions taken on the device when events occur, such as forwarding.

Ruleset Forwarding

Before beginning, stop the RSyslog Windows User-Agent by clicking the big blue button at the top of the RSyslog Windows User-Agent Configuration. If you don't stop it before doing the steps, don't worry; just make sure you restart the service afterwards.

Before the RSyslog Windows Agent can begin forwarding, two preparatory steps are required. As the architecture uses a Linux central log forwarder, an edit to the RSyslog configuration file and to the firewall must be made on that device.

On the Linux device, add the following template above the postgres template made in the RSyslog Linux Setup.

$template remote-incoming-logs,"/var/log/%HOSTNAME%-%fromhost-ip%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs

Next, RSyslog must load the TCP and UDP Syslog reception modules. To do this, uncomment the module and input lines shown in the image below. To add more IP ranges that will be ingested, add them as a comma-separated list, as shown by the red arrow.

RSyslog Linux Configuration Setup 1
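A complete version of the Linux-side configuration described above, as an added example that is not the wiki's own file: the template from this page together with the UDP/TCP reception modules and a sender allow-list. The $AllowedSender lines and the 192.0.2.0/24 range are assumptions (a placeholder network); replace the range with the addresses of your Windows hosts.

```conf
# /etc/rsyslog.conf on the central log forwarder (constructed example)

# Provides UDP syslog reception (uncommented from the stock config)
module(load="imudp")
# Only accept UDP syslog from these senders (comma-separated list).
# 192.0.2.0/24 is a placeholder; list your Windows agents here.
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24
input(type="imudp" port="514")

# Provides TCP syslog reception (used by the Windows agent in this guide)
module(load="imtcp")
$AllowedSender TCP, 127.0.0.1, 192.0.2.0/24
input(type="imtcp" port="514")

# One log file per remote host and program, e.g.
# /var/log/WINHOST-192.0.2.10/EventLog.log
# This must sit above the postgres template from the RSyslog Linux Setup.
$template remote-incoming-logs,"/var/log/%HOSTNAME%-%fromhost-ip%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
```

Messages from senders outside the allow-list are dropped by rsyslog before they reach the template, so the allow-list is a second layer in front of the UFW rules below.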

It is encouraged that you use the UFW firewall to ensure you are protected. By default everything will be passed through; if, however, you do use UFW, then UDP and TCP on port 514 will need to be allowed:

sudo ufw allow 514/udp
sudo ufw allow 514/tcp

It is worth noting that if you enable syslog through the command below, the TCP rule will NOT be enabled, ONLY UDP.

sudo ufw allow syslog

Now that the RSyslog central log forwarder is accepting data from our remote hosts, the setup of the RSyslog Windows User-Agent can begin. Follow these steps to enable Syslog Forwarding:

  1. Open the RSyslog Windows User-Agent Configuration panel.
  2. Right-click the Rulesets header and click 'Add Ruleset'.
  3. Give the ruleset a name, such as Syslog Forwarding, and then click Next.
  4. Create a rule for this action and click 'Forward Syslog'.

After the rule has been created, navigate to the rule's configuration (highlighted in green in the image below). Set the protocol type to TCP (UDP also works, but I want a stable connection for the logs; UDP should be considered based on the scale of the environment). Finally, highlighted in red, set the IP of the RSyslog central log forwarder and set the port to 514 (the default port for syslog).

RSyslog Windows Agent Configuration 1

Lastly, the Syslog message format can be set to the legacy option; the recommended format can be used as well. This is shown in the image below, highlighted in red.

RSyslog Windows Agent Configuration 2

Finally, save (top left; you will also be prompted before exiting) and close the RSyslog Windows User-Agent Configuration panel. An application restart must be done for our services and rulesets to take effect. Re-open the configuration panel and move on to the service setup discussed below.

Service Setup (Optional, But Useful)

Before beginning, stop the RSyslog Windows User-Agent by clicking the big blue button at the top of the RSyslog Windows User-Agent Configuration. If you don't stop it before doing the steps, don't worry; just make sure you restart the service afterwards.

In this example a file monitor will be set up, but with the forwarding ruleset any service can be used. The following steps achieve this:

  1. Create a plain text file on your desktop.
  2. Create a new Service by right-clicking the Services header.
  3. Hover over Add Service and click 'File Monitor'.
  4. At the top of the File Monitor page, click the browse button next to 'File and Path Name' and browse to the plain text file on your desktop.
  5. On the same page, scroll to the bottom and change the Ruleset to the Syslog Forwarding ruleset that was set up previously.
  6. Save (top left; you will also be prompted before exiting) and close the RSyslog Windows User-Agent Configuration panel. An application restart must be done for our services and rulesets to take effect.
  7. Re-open the configuration panel and restart the RSyslog Windows User-Agent (big blue buttons at the top of the application).

This will achieve a file monitoring service that will forward to the central forwarder.

Final Remarks

It is worth noting that the EventLog Monitor will pipe a substantial amount of information and can therefore choke the Postgres database and/or your network. Make sure you properly configure the EventLog Monitor service before ingesting any information. This can be done by not assigning the Syslog Forwarding ruleset to it until its configuration is complete.

To check if Windows is forwarding properly, check the central forwarder with the following command:

ls /var/log/

The output should show a new directory per forwarding host, named using the convention hostname-ipaddress.