The LOGNESS Windsender component of the LOGNESS Framework performs the forwarding of log stacks obtained from the source systems in a reliable manner with high availability and without log loss. During the planning of LOGNESS Windsender, the primary objective was to create a flexible log forwarding system of modular design which facilitates alignation of different source systems with ease.
Highlighted Functions of LOGNESS Windsender:
- Encyrpted, secure (SSL) log forwarding
- Support of standard syslog protocols
- Support of HA architecture, syncronuos and asyncronous operation
- Buffering and automatic forwarding of log stacks
- Heartbeat function for the monitoring of defects in the connection with source systems
- Support of enterprise infrastructure – Policy-based installation, configuration and updating
- Support of reading logs from files
Incorportaion of Unix systems into the logging infrastructure is facilitated by the use of syslog protocol and different syslog daemons common to Unix-based systems. In contrast, the event log of Microsoft Windows systems do not natively support the transmission of log messages to a remote server. The LOGNESS Windsender component of the LOGNESS Framework was designed to overcome this hardship with its primary functionality being the forwarding of log messages from the Event Log via TCP or TCP/SSL connection. Similarly to the LOGNESS Framework, the agent is based on a modular design, utilizing „source” and „assimilation” plugins in the process of receiving log messages from different sources and sending them to log collector servers.
The agent contains two assimilation plugins:
– The SocketSinkPlugin, which forwards log messages to the designated server via a TCP connection
– The SSLSocketSinkPlugin, which performs the same operation, but by utilizing a secure SSL connection
A secondary log server can be configured for both assimilation plugins to better aid the establishment of a high availability system infrastructure. In the unlikely event of both servers would fail, the log messages are buffered and stored until re-estabilishment of the connention(s) to eliminate the threat of log loss.
Aside from the Event Logs, the agent is capable of receiving logs from a multitude of sources, thanks to the „source” plugins:
- EventLogSourcePlugin, NewEventLogSourcePlugin and EventLogSourcePluginWrapper: these plugins make the reception of Event Log entries possible.
- FileLogSourcePlugin: Performs processing of any logfile in a log/row format.
- SQLTraceSourcePlugin: Responsible for acquisition of MSSQL Trace messages. The array of messages to be processed can be fine-tuned using the Trace Definition File, which can be configured as a parameter.
- TMGChangeLogSourcePlugin: Queries and processes the change management logs of Forefront Threat Management Gateway.
- HeartBeatSourcePlugin: Not being a real log source, this plugin periodically sends a certain message to the servers to aid monitoring of log source outages.