Collecting Active Roles logs centrally using the syslog-ng Windows Agent

One Identity Active Roles allows you to easily and securely manage Active Directory (AD), Entra ID and M365 Identity objects. While Active Roles stores its log messages into Windows Event Log, most log management and log analytics applications expect to receive log messages over the syslog protocol. This is where syslog-ng Premium Edition (PE) can help you. The syslog-ng Windows Agent can collect and forward Active Roles log messages from Windows Event Log, while the syslog-ng server can collect, process, store and forward Active Roles log messages to multiple destinations.

Installing syslog-ng PE together with Active Roles has many advantages, one of which is central log collection. This means that you do not have to log in to individual hosts to check logs, but instead can view logs from every host in a single location. This also enhances security, as logs are available even when they disappear from the original location due to a hardware failure or security incident.

From this blog, you can learn how to configure the syslog-ng Windows Agent to collect and forward Active Roles log messages from Windows Event Log, and how to parse and store the incoming log messages on the syslog-ng server side.

Before you begin

If you want to test the configuration described in this blog, you will need 2-4 hosts. Installing Active Roles needs 1-3 Windows Server machines, while the syslog-ng PE server needs a supported Linux host. Describing system requirements and the installation processes is not in the scope of this blog. Contact One Identity at https://www.syslog-ng.com/register/115582/ to receive a trial version of syslog-ng Premium Edition and help to get started. For Active Roles, you can reach One Identity at https://www.oneidentity.com/register/62175/.

Configuring the syslog-ng Windows Agent

You can configure the syslog-ng Windows Agent either during installation, or any time after that. If you configure the Agent after installation, start the “Configure syslog-ng Agent for Windows” application. Then, in both cases, go to “Eventlog Sources” and double-click “Event Containers”. You should add a new container here, with the container name set to “ARAdminService”.

Next, go to Destinations and add a new server. On the server tab, set the server name or IP address where the syslog-ng PE server is installed. On the messages tab, set the event message template to:

${EVENT_MSG_XML}

Yes, I know, XML is ugly and not easily human-readable. However, you will see the benefits of this choice as soon as we also configure the XML parser on the syslog-ng server side.

Once you have finished configuring the syslog-ng Windows Agent, restart it. You can do so from the Start menu, by using net commands, or from the Services application.

Configuring the syslog-ng PE server

The default syslog-ng PE configuration only collects local log messages. For this blog, we extend this base configuration with:

- A network source to collect log messages from Windows hosts.

- An XML parser.

- File destinations to save the incoming log messages.

- A log statement which connects all these building blocks together.

You should append the below configuration to your syslog-ng.conf. I describe its four components in more detail below.

# source for Windows clients, RFC5424
source s_win {
  syslog(port(601));
};

# xml parser for Windows XML logs
parser p_xml {
  xml(prefix('winxml.'));
};

# destination for Windows logs
destination d_fromwin {
  file("/var/log/fromwin");
  file("/var/log/fromwin.json" template("$(format-json --scope rfc5424 --scope dot-nv-pairs
        --rekey .* --shift 1 --scope nv-pairs)\n") );
};

# log path for Windows logs
log {
  source(s_win);
  if ("${PROGRAM}" ne "syslog-ng-agent") {
    parser(p_xml);
  };
  destination(d_fromwin);
};

The s_win source listens on port 601 using the newer RFC 5424 syslog protocol. No encryption is configured in this case, to keep the testing process simple, but encryption is of course also supported.

The next building block in the configuration is an XML parser. The syslog-ng Windows Agent is configured to send Windows event logs in XML format, as this makes it easy to turn log messages into name-value pairs. If you do not just save your logs to text files, but also want to use document stores or filter log messages, then name-value pairs allow much more precise log message filtering and searching. We will take a closer look at name-value pairs in our next blog post.

The destination called d_fromwin actually includes two file destination drivers. One of them simply writes the incoming log into a file, while the other one writes the name-value pairs parsed from the XML logs into JSON format. You might not need these in your final syslog-ng configuration, but they are very useful while building it.

Finally, the log path at the end connects all of these building blocks together and also includes some additional logic. The if statement checks the name of the application sending the logs. As internal messages from the syslog-ng Agent are not XML-formatted, those are not parsed by the XML parser.

Testing

Once you have saved your configuration and reloaded syslog-ng on both the Windows and the Linux side, you are ready to test it. It might take a short time before the connection is established between the Agent and the syslog-ng server, but soon you should be able to see logs in both files defined in the file destination. You should see the same log messages in both files, but in a different format.

Here is the last log message in /var/log/fromwin. You can see the regular syslog header, followed by a message in XML format.

Jan  7 12:17:30 syslogng-ar Microsoft_Windows_security_auditing.[1252]: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-01-07T12:17:30.9035731Z'/><EventRecordID>385351</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='7832'/><Channel>Security</Channel><Computer>SYSLOGNG-AR.arsys.ng</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSLOGNG-AR$</Data><Data Name='SubjectDomainName'>ARSYS</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x2888</Data><Data Name='NewProcessName'>C:\Windows\System32\RuntimeBroker.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x3d0</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>sysar</Data><Data Name='TargetDomainName'>SYSLOGNG-AR</Data><Data Name='TargetLogonId'>0x8089d440</Data><Data Name='ParentProcessName'>C:\Windows\System32\svchost.exe</Data><Data Name='MandatoryLabel'>S-1-16-12288</Data></EventData><RenderingInfo Culture='en-US'><Message>A new process has been created.

Creator Subject:
        Security ID:            S-1-5-18
        Account Name:           SYSLOGNG-AR$
        Account Domain:         ARSYS
        Logon ID:               0x3E7

Target Subject:
        Security ID:            S-1-0-0
        Account Name:           sysar
        Account Domain:         SYSLOGNG-AR
        Logon ID:               0x8089D440

Process Information:
        New Process ID:         0x2888
        New Process Name:       C:\Windows\System32\RuntimeBroker.exe
        Token Elevation Type:   TokenElevationTypeDefault (1)
        Mandatory Label:                S-1-16-12288
        Creator Process ID:     0x3d0
        Creator Process Name:   C:\Windows\System32\svchost.exe
        Process Command Line:   

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.</Message><Level>Information</Level><Task>Process Creation</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>

And here is the same log message in fromwin.json. The name-value pairs from the XML log and the syslog header are formatted to JSON. The original XML message is also included, reformatted to fit a single line. The content of the MESSAGE macro is often discarded to save disk space, once you have a well-tested configuration.

{"winxml":{"Event":{"_xmlns":"http://schemas.microsoft.com/win/2004/08/events/event","System":{"Version":"2","TimeCreated":{"_SystemTime":"2025-01-07T12:17:30.9035731Z"},"Task":"13312","Provider":{"_Name":"Microsoft-Windows-Security-Auditing","_Guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}"},"Opcode":"0","Level":"0","Keywords":"0x8020000000000000","Execution":{"_ThreadID":"7832","_ProcessID":"4"},"EventRecordID":"385351","EventID":"4688","Computer":"SYSLOGNG-AR.arsys.ng","Channel":"Security"},"RenderingInfo":{"_Culture":"en-US","Task":"\"Process Creation\"","Provider":"\"Microsoft Windows security auditing.\"","Opcode":"Info","Message":"\"A new process has been created.\\n\\nCreator Subject:\\n\\tSecurity ID:\\t\\tS-1-5-18\\n\\tAccount Name:\\t\\tSYSLOGNG-AR$\\n\\tAccount Domain:\\t\\tARSYS\\n\\tLogon ID:\\t\\t0x3E7\\n\\nTarget Subject:\\n\\tSecurity ID:\\t\\tS-1-0-0\\n\\tAccount Name:\\t\\tsysar\\n\\tAccount Domain:\\t\\tSYSLOGNG-AR\\n\\tLogon ID:\\t\\t0x8089D440\\n\\nProcess Information:\\n\\tNew Process ID:\\t\\t0x2888\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\RuntimeBroker.exe\\n\\tToken Elevation Type:\\tTokenElevationTypeDefault (1)\\n\\tMandatory Label:\\t\\tS-1-16-12288\\n\\tCreator Process ID:\\t0x3d0\\n\\tCreator Process Name:\\tC:\\\\Windows\\\\System32\\\\svchost.exe\\n\\tProcess Command Line:\\t\\n\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\n\\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\n\\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\n\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\"","Level":"Information","Keywords":{"Keyword":"\"Audit Success\""},"Channel":"Security"},"EventData":{"Data":{"_Name":"SubjectUserSid,SubjectUserName,SubjectDomainName,SubjectLogonId,NewProcessId,NewProcessName,TokenElevationType,ProcessId,CommandLine,TargetUserSid,TargetUserName,TargetDomainName,TargetLogonId,ParentProcessName,MandatoryLabel","Data":"S-1-5-18,SYSLOGNG-AR$,ARSYS,0x3e7,0x2888,\"C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe\",%%1936,0x3d0,S-1-0-0,sysar,SYSLOGNG-AR,0x8089d440,\"C:\\\\Windows\\\\System32\\\\svchost.exe\",S-1-16-12288"}}}},"SOURCE":"s_win","SDATA":{"win@18372.4":{"EVENT_USERNAME":"SYSLOGNG-AR\\sysar","EVENT_TYPE":"Success Audit","EVENT_TASK":"Process Creation","EVENT_SOURCE":"Microsoft Windows security auditing.","EVENT_SID":"N/A","EVENT_REC_NUM":"385351","EVENT_PROVIDER":"Microsoft-Windows-Security-Auditing","EVENT_NAME":"Security","EVENT_LEVEL":"0","EVENT_ID":"4688","EVENT_HOST":"SYSLOGNG-AR.arsys.ng","EVENT_FACILITY":"16","EVENT_CATEGORY":"Process Creation"},"meta":{"sysUpTime":"174966","sequenceId":"1052"}},"PROGRAM":"Microsoft_Windows_security_auditing.","PRIORITY":"notice","PID":"1252","MESSAGE":"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-01-07T12:17:30.9035731Z'/><EventRecordID>385351</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='7832'/><Channel>Security</Channel><Computer>SYSLOGNG-AR.arsys.ng</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSLOGNG-AR$</Data><Data Name='SubjectDomainName'>ARSYS</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x2888</Data><Data Name='NewProcessName'>C:\\Windows\\System32\\RuntimeBroker.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x3d0</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>sysar</Data><Data Name='TargetDomainName'>SYSLOGNG-AR</Data><Data Name='TargetLogonId'>0x8089d440</Data><Data Name='ParentProcessName'>C:\\Windows\\System32\\svchost.exe</Data><Data Name='MandatoryLabel'>S-1-16-12288</Data></EventData><RenderingInfo Culture='en-US'><Message>A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tSYSLOGNG-AR$\r\n\tAccount Domain:\t\tARSYS\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tsysar\r\n\tAccount Domain:\t\tSYSLOGNG-AR\r\n\tLogon ID:\t\t0x8089D440\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x2888\r\n\tNew Process Name:\tC:\\Windows\\System32\\RuntimeBroker.exe\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\n\tMandatory Label:\t\tS-1-16-12288\r\n\tCreator Process ID:\t0x3d0\r\n\tCreator Process Name:\tC:\\Windows\\System32\\svchost.exe\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.</Message><Level>Information</Level><Task>Process Creation</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>","HOST_FROM":"syslogng-ar","HOST":"syslogng-ar","FACILITY":"local0","DATE":"Jan  7 12:17:30"}
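One detail of the JSON record above is worth checking before you build filters on it: the xml() parser collapses the repeated <Data Name='...'> elements into two parallel comma separated lists under winxml.Event.EventData.Data, and the empty CommandLine element contributes a name but no value (15 names, 14 values), so the two lists do not line up from that point on. The Python below is an added example, not part of the post or of syslog-ng: it reads a trimmed version of those two lists and of the original XML kept in the MESSAGE macro (both constructed from the record above; the list quoting rules are an assumption based on how the values appear there) and reports which fields a position-by-position pairing gets wrong.

```python
"""Check name/value alignment of Windows EventData after syslog-ng's xml() parser."""
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the fromwin.json record in the post: the two parallel
# lists that the xml() parser produced for the repeated <Data> elements.
DATA_NAMES = "SubjectUserSid,NewProcessName,ProcessId,CommandLine,TargetUserSid,TargetUserName"
DATA_VALUES = 'S-1-5-18,"C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe",0x3d0,S-1-0-0,sysar'

# Constructed sample of the original XML (the MESSAGE macro), trimmed to the same fields.
EVENT_XML = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>"
    "<Data Name='SubjectUserSid'>S-1-5-18</Data>"
    "<Data Name='NewProcessName'>C:\\Windows\\System32\\RuntimeBroker.exe</Data>"
    "<Data Name='ProcessId'>0x3d0</Data>"
    "<Data Name='CommandLine'></Data>"
    "<Data Name='TargetUserSid'>S-1-0-0</Data>"
    "<Data Name='TargetUserName'>sysar</Data>"
    "</EventData></Event>"
)
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_list(encoded):
    """Split a syslog-ng list value: comma separated, an element is double-quoted when it
    contains commas, spaces, quotes or backslashes, with backslash as the escape inside
    quotes (assumed from the sample record, not taken from syslog-ng documentation)."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(encoded):
        ch = encoded[i]
        if quoted and ch == "\\" and i + 1 < len(encoded):
            cur.append(encoded[i + 1])  # escaped character inside quotes
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    items.append("".join(cur))
    return items


def pair_naive(names, values):
    """Pair the two lists position by position, which is the tempting first approach."""
    return dict(zip(parse_list(names), parse_list(values)))


def event_data_from_xml(xml_text):
    """Authoritative mapping: Name attribute and text of every <Data> in the XML."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iterfind(".//e:EventData/e:Data", EVENT_NS)}


def check_alignment(names, values, xml_text):
    """Return the field names whose naively paired value differs from the XML."""
    naive, truth = pair_naive(names, values), event_data_from_xml(xml_text)
    return [n for n in truth if naive.get(n) != truth[n]]
```

Run against the sample, check_alignment() reports CommandLine, TargetUserSid and TargetUserName: every field after the empty element is shifted by one, and the last one is lost.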

Troubleshooting

In most cases, you should see log messages appearing soon after configuring and restarting syslog-ng. If you do not receive log messages within a few minutes, you should definitely check your systems for possible problems. Here are some tips on where to start:

  • Is the IP address of the server configured properly in the syslog-ng Windows Agent?

  • If you use SELinux, disable it or put it into permissive mode.

  • Disable the firewall or check if port 601 is allowed through.

What is next?

In this blog, we learned how to forward Active Roles logs from Windows to the syslog-ng PE server in XML format. On the server side, we parsed the incoming log messages and saved them to files.

You can already experiment further or wait until my next ARS + syslog-ng blog, where we will work with the name-value pairs parsed from the XML formatted logs.

-

If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.
