
Windows Event Collector (WEC)

The AxoRouter Windows Events connector can receive Windows Event Logs by running a Windows Event Collector (WEC) server. After enabling the Windows Events connector, you can configure your Microsoft Windows hosts to forward their event logs to AxoRouter using Windows Event Forwarding (WEF).

Windows Event Forwarding (WEF) reads any operational or administrative event logged on a Windows host and forwards the events you choose to a Windows Event Collector (WEC) server - in this case, AxoRouter.

Prerequisites

When using TLS authentication, you’ll need:

  • A CA certificate (in PEM format) that AxoRouter uses to authenticate the clients.
  • A certificate and the matching private key (in PEM format) that AxoRouter shows to the clients.

These files must be available on the AxoRouter host, and readable by the axorouter service for the connector to work.

Add new Windows Event Log connector

To add a new connector to an AxoRouter host, complete the following steps.

  1. Create a new connector.

    1. Find the host.

    2. Select Connectors. The list of connectors available on the host is displayed.

      Connectors of the host

    3. Select Add, then select the type of connector you want to create.

      Connectors of the host

    4. Enter a Name for the connector. This name must be unique on the host.

      Connectors of the host

    5. (Optional) Add custom labels to the connector.

      You can also modify the product and vendor labels of the connector. In that case, Axoflow treats the incoming messages as if they had been received from, and classified as, the specified product. This is useful if you want to send data from a specific product to a dedicated port.

      These labels and other parameters of the connector will be available under the meta.connector key as metadata for the messages received via the connector, and can be used in routing decisions and processing steps. You can check the metadata of the messages using log tapping.

      Connectors of the host

  2. Configure the protocol-level settings of the connector.

    WEC protocol settings

    1. Set the Hostname field. The clients will address this hostname. Note that:

      • The Common Name of the server’s certificate (set in the following steps) must contain this hostname, otherwise the clients will reject the connection.
      • You’ll have to use this hostname when configuring the Subscription Manager address in the Group Policy Editor.

    2. (Optional) If for some reason you don’t want to run the connection on the default port (5986), adjust the Port field.

    3. Set the paths for the certificates and keys used for the TLS-encrypted communication with the clients.

      Use absolute paths (for example, /etc/axorouter/user-config/tls-key.pem). The key and the certificate must be in PEM format. You have to make sure that these files are available on the AxoRouter host; currently you can’t distribute them from Axoflow Console.

      • CA certificate path: The CA certificate that AxoRouter uses to authenticate the clients. If you want to limit which clients are accepted, set the More options > Certificate subject filter field.
      • Server certificate path: The certificate that AxoRouter shows to the clients.
      • Server private key path: The private key of the server certificate.

  3. Configure the subscriptions of the connector.

    WEC subscription settings

    1. Select Add new Subscription.

    2. (Optional) Set a name for the subscription. If you leave it empty, Axoflow Console automatically generates a name.

    3. Enter the event filter query into the Query field. This query specifies which events are collected by the subscription. For details on the query syntax, see the Microsoft documentation.

      A single query can retrieve events from a maximum of 256 different channels.

      For example, the following query retrieves every event from the Security, System, Application, and Setup channels.

      <Query Id="0">
          <Select Path="Application">*</Select>
          <Select Path="Security">*</Select>
          <Select Path="Setup">*</Select>
          <Select Path="System">*</Select>
      </Query>
    4. (Optional) If needed, you can configure other low-level options in the More options section. For details, see Additional options.

  4. Select Create.

  5. Make sure to enable the ports you’ve configured in the connector on the firewall of the AxoRouter host, and on other firewalls between the AxoRouter host and your data sources.

  6. Configure Windows Event Forwarding (WEF) on your clients to forward their events to the AxoRouter WEC connector.

    When configuring the Subscription Manager address in the Group Policy Editor, use the hostname you’ve set in the connector.

    Windows Group Policy Editor
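Step 3 above limits a single subscription query to 256 channels. The following added example (not part of the AxoRouter product or its documentation) checks a <Query> fragment against that limit and splits a longer channel list into one fragment per subscription; the channel names in the demo are constructed, the sample query is the one from this page, and the `xpath` default of `*` matches the page's "every event" selection:

```python
"""Build and check WEC subscription <Query> fragments for the AxoRouter connector."""
import xml.etree.ElementTree as ET

MAX_CHANNELS_PER_QUERY = 256  # per-query channel limit stated in the connector docs

# The example query from the page, selecting every event from four channels.
PAGE_QUERY = """<Query Id="0">
    <Select Path="Application">*</Select>
    <Select Path="Security">*</Select>
    <Select Path="Setup">*</Select>
    <Select Path="System">*</Select>
</Query>"""


def channels_in_query(query_xml: str) -> set:
    """Return the distinct channels a <Query> fragment references.

    Both <Select> and <Suppress> elements name a channel in their Path attribute.
    Raises ValueError for malformed XML, a non-<Query> root, or too many channels.
    """
    try:
        root = ET.fromstring(query_xml)
    except ET.ParseError as exc:
        raise ValueError(f"query is not well-formed XML: {exc}") from exc
    if root.tag != "Query":
        raise ValueError(f"expected a <Query> root element, got <{root.tag}>")
    paths = {el.get("Path") for el in root if el.tag in ("Select", "Suppress") and el.get("Path")}
    if len(paths) > MAX_CHANNELS_PER_QUERY:
        raise ValueError(f"{len(paths)} channels referenced; the limit is {MAX_CHANNELS_PER_QUERY}")
    return paths


def build_queries(channels, xpath: str = "*") -> list:
    """Split a channel list into <Query> fragments that respect the limit.

    Each fragment selects `xpath` (default "*", every event) from its share of the
    channels and is meant to be pasted into the Query field of its own subscription.
    """
    channels = sorted(set(channels))
    fragments = []
    for start in range(0, len(channels), MAX_CHANNELS_PER_QUERY):
        query = ET.Element("Query", Id=str(len(fragments)))
        for channel in channels[start:start + MAX_CHANNELS_PER_QUERY]:
            ET.SubElement(query, "Select", Path=channel).text = xpath
        fragments.append(ET.tostring(query, encoding="unicode"))
    return fragments


if __name__ == "__main__":
    print(sorted(channels_in_query(PAGE_QUERY)))  # ['Application', 'Security', 'Setup', 'System']
    # 300 constructed channel names need two subscriptions (256 + 44 channels).
    for fragment in build_queries(f"Constructed-Channel-{i:03d}" for i in range(300)):
        print(len(channels_in_query(fragment)), "channels")
```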

Additional options

You can set the following options of the WEC connector under Subscriptions > More options.

WEC more settings

  • Certificate subject filter: A simple string to filter the clients based on the Common Name of their certificate. You can use the * and ? wildcard characters.

  • UUID: A unique ID for the subscription. If empty, Axoflow Console automatically generates it.

  • Heartbeat interval: The number of seconds before the client sends a heartbeat message. The client sends heartbeat messages if it has no new events to send. Default value: 3600s

  • Connection retry interval: Time between reconnection attempts. Default value: 60s

  • Connection retry count: Number of times the client will attempt to reconnect if AxoRouter is unreachable. Default value: 10

  • Max time: The maximum number of seconds the client aggregates new events before sending them in a batch. Default value: 30s

  • Max elements: The maximum number of events that the client aggregates before sending them in a batch. By default it’s empty, meaning that only the Max time and Max envelope size options limit the aggregation. Default value: empty

  • Max envelope size: The maximum number of bytes in the SOAP envelope used to deliver the events. Default value: 512000 bytes

  • Locale: The language in which rendering information is expected, for example, en-US. Default value: Client choose

  • Data locale: The language in which numerical data is expected to be formatted, for example, en-US. Default value: Client choose

  • Read existing events: If enabled (Yes), the event source sends:

    • all existing events that match the filter, and
    • any events that subsequently occur for that event source.

    If disabled (No), existing events will be ignored.

    Default value: No

  • Ignore channel error: A subscription query that results in an error terminates processing on the client. Enable this option to ignore such errors. Default value: Yes

  • Content format: Determines whether to include rendering information (RenderedText) with events or not (Raw). Default value: Raw

Metadata fields

The AxoRouter Windows Events connector adds the following fields to the meta variable:

Field                 Value
meta.connector.type   windowsEvents
meta.connector.name   <name of the connector>
meta.connector.port   <port of the connector>