
Using an XML-based configuration file

In document The syslog-ng 3.0 Administrator Guide (Page 134-139)

5. Collecting logs from Windows hosts

5.7. Using an XML-based configuration file

Starting from syslog-ng Agent for Windows version 3.0.4, it is possible to specify the configuration of the agent in an XML file when installing the agent, and also when starting the agent. The configuration file must be a valid XML file that complies with the XML schema supplied with the syslog-ng agent.

Note

By default, the XML schema file is called ng-agent-conf.xsd and is located in the installation folder of the syslog-ng agent, next to the syslog-ng-agent.exe file.

Procedure 5.21. Creating an XML configuration file for the syslog-ng agent

1. Create a new configuration file, or edit the one shown in Section 5.7.1, “Sample configuration files for the syslog-ng Agent” (p. 117). Use a text editor that can validate the file against the XML schema of the configuration file. One such editor is the Microsoft XML Notepad 2007 application, which is available for free at http://msdn.microsoft.com/en-us/xml/bb190622.aspx.

2. When creating the configuration file, bear in mind the following points:

■ For details on the format of the XML file, see the sample file at Section 5.7.1, “Sample configuration files for the syslog-ng Agent” (p. 117) and the XML schema (.xsd) file installed with the agent.

■ File sources, event sources, servers, and filters must have a unique index, that is, the definition of the first server should start as <Server0 Enabled="1", the second <Server2 Enabled="1", etc.

■ File sources must have a unique identifier (UUID). The agent does not create these identifiers; you must enter them into the configuration file manually.

■ If you do not use throttling, remove the Throttle attribute from the destination. Setting the Throttle attribute to 0 is not accepted by the agent.

■ If you do not want the agent to send old (already existing) messages to the logserver, use the following in the configuration file:

<syslog-ng_Agent SendOldMessages="0">

Note that when it starts, the agent automatically removes the SendOldMessages="0" attribute from the configuration file, but it will not resend the messages after the agent is restarted.

3. To start the agent and use the configuration file, open a command prompt, and issue the following command:

syslog-ng-agent.exe -c myconfigfile.xml -d

This command starts the agent in debug mode and displays any errors in the XML configuration file.

4. If there are no errors in the configuration file, start the agent in normal mode: syslog-ng-agent.exe -c myconfigfile.xml.

To use the XML file during the installation of the agent, use the same syntax with the installer:

syslog-ng-agent-3.0.4-setup.exe /xmlconfig="fullpath\myconfigfile.xml"

Note that the XML schema file must be in the same folder as the installer file.

Note

If you are using an XML-capable agent without using an XML configuration file, and you want to switch to using an XML configuration file without reinstalling the agent, execute the syslog-ng-agent.exe -i "fullpath\myconfigfile.xml" command. The syslog-ng Agent service will be re-registered to use the XML configuration file.

If you want to use the .msi installer with an XML file, use the syslog-ng-agent-3.0.4-setup.msi SLNGOPTS="/xmlconfig=fullpath\myconfigfile.xml" command, or edit the installer with the Orca MSI editor (http://www.technipages.com/download-orca-msi-editor.html), and add SLNGOPTS="/xmlconfig=fullpath\myconfigfile.xml" to the installation parameters on the Customization tab.
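A pre-deployment lint for two of the points in step 2 of Procedure 5.21 (unique indexes and no Throttle="0"), written as an added example; it is not part of the guide or of the syslog-ng agent, and it does not replace validation against ng-agent-conf.xsd. Assumptions: index uniqueness is checked among same-named siblings under one parent, the sample input is constructed, and placing Throttle on a Server0 element is a guess, because the page does not show the destination element.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample, not from the guide. Element and attribute names come from
# the page; putting Throttle on <Server0> is an assumption.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<syslog-ng_Agent SendOldMessages="0">
  <Server0 Enabled="1" Throttle="0" />
  <Sources Enabled="1">
    <Event Index="0" Enabled="1" Name="Application" />
    <Event Index="1" Enabled="1" Name="Security" />
    <Event Index="1" Enabled="1" Name="System" />
  </Sources>
</syslog-ng_Agent>
"""


def lint_agent_config(xml_text):
    """Return a list of findings for an agent configuration given as a string."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    for parent in root.iter():
        # Indexes must be unique among same-named siblings (Event, Rule, ...).
        seen = Counter((child.tag, child.get("Index")) for child in parent
                       if child.get("Index") is not None)
        for (tag, index), count in sorted(seen.items()):
            if count > 1:
                findings.append(
                    f"<{parent.tag}>: {count} <{tag}> elements share Index={index}")
        # The agent rejects Throttle="0"; the attribute has to be removed.
        if parent.get("Throttle", "").strip() == "0":
            findings.append(
                f"<{parent.tag}>: remove Throttle instead of setting it to 0")
    return findings


if __name__ == "__main__":
    for finding in lint_agent_config(SAMPLE):
        print(finding)
```

An empty result only means these two checks passed; the debug-mode start in step 3 remains the authoritative check.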

5.7.1. Sample configuration files for the syslog-ng Agent

The following is a sample configuration file with minimal settings for the syslog-ng Agent for Windows application.

<?xml version="1.0" encoding="utf-8"?>

${EVENT_NAME} ${EVENT_SOURCE}: [${EVENT_TYPE}] ${EVENT_MSG} (EventID ${EVENT_ID})">

<Sources Enabled="1">

<Event Index="0" Enabled="1" Name="Application" />

<Event Index="1" Enabled="1" Name="Security" />

<Event Index="2" Enabled="1" Name="System" />

</Sources>

The following is a more detailed configuration file for the syslog-ng Agent for Windows application.


<?xml version="1.0" encoding="utf-8"?>

${EVENT_NAME} ${EVENT_SOURCE}: [${EVENT_TYPE}] ${EVENT_MSG} (EventID ${EVENT_ID})">

<Sources Enabled="1">

<Event Index="0" Enabled="1" Name="Application" />

<Event Index="1" Enabled="1" Name="Security" />

<Event Index="3" Enabled="1" Name="System" />

</Sources>

<Filter Enabled="1">

<Formatted_Message Enabled="1">

<Rule Index="0" Regexp="testregexp" Enabled="1" />

<Rule Index="1" Regexp="testregexp2" Enabled="1" />

</Formatted_Message>

<Computer Enabled="1">

<Rule Index="0" Computer="mycomputername1" Enabled="1" />

<Rule Index="1" Computer="mycomputername2" Enabled="1" />

</Computer>


<Rule Index="0" Type="4" Enabled="1"></Rule>

<Rule Index="1" Username="NT AUTHORITY\SYSTEM" Enabled="1" />

<Rule Index="0" Source="Security" Category="Object Access" Enabled="1" />

<Rule Index="1" Source=" EventCreate" Category="" Enabled="1" />

<Rule Index="0" Regexp="Verbose" Enabled="1" />

<Rule Index="1" Regexp="Info" Enabled="1" />

</Formatted_Message>
