Add-On Parameters
To configure the add-on parameters, you need to edit the settings.xml file in the add-on folder. You must define connection details: Netwrix Auditor Server host, user credentials, etc.
Most parameters are optional; the service uses the default values unless parameters are explicitly defined (
Parameters in settings.xml can be grouped as follows:
- General parameters that affect add-on execution. They are listed in the table below.
- Settings for a certain event source (within the Source section) that can override general settings.
- Internal parameters that should not be modified in most cases. They are listed in the Add-on Internal Parameters section below.
Parameter | Default value | Description |
---|---|---|
General parameters | | |
ListenTcpPort | 9905 | Specify the TCP port on which the add-on listens for incoming syslog events. |
NetwrixAuditorEndpoint | https://localhost:9699/netwrix/api/v1/activity_records | Netwrix Auditor Server IP address and port number, followed by the endpoint for posting Activity Records. Assumes that the add-on runs on the computer hosting Auditor Server and uses the default port 9699. If you want to run the add-on on another machine, provide the name of the computer where Auditor Server resides (e.g., 172.28.6.15, EnterpriseNAServer, WKS.enterprise.local). To specify a non-default port, provide the server name followed by the port number (e.g., WKS.enterprise.local:9999). Do not modify the endpoint part (/netwrix/api/...). |
NetwrixAuditorCertificateThumbprint | NOCHECK | Netwrix Auditor certificate thumbprint property. Possible values: Empty — check the Netwrix Auditor certificate via the Windows Certificate Store; AB:BB:CC... — check the Netwrix Auditor Server certificate against this thumbprint identifier; NOCHECK — do not check the Netwrix Auditor certificate. Make sure to select this value if you plan to specify servers by their IP. |
NetwrixAuditorUserName | Current user credentials | Unless specified, the add-on runs with the current user credentials. If you want the add-on to use another account to connect to Auditor Server, specify the account name in the DOMAIN\username format. The account must be assigned the Contributor role in Netwrix Auditor. |
NetwrixAuditorUserPassword | Current user credentials | Unless specified, the service runs with the current user credentials. Provide a different password if necessary. |
NetwrixAuditorDateTimeFormat | yyyy-MM-ddTHH:mm:ssZ | Netwrix Auditor time format. By default, set to zero offset. |
NetwrixAuditorPlan | — | Unless specified, data is written to the Netwrix_Auditor_API database and is not associated with a specific monitoring plan. Specify the name of the associated monitoring plan in Auditor; in this case, data will be written to the database linked to this plan. If you select a plan name in the add-on, make sure a dedicated plan is created in Auditor and the Netwrix API data source is added to the plan and enabled for monitoring. Otherwise, the add-on will not be able to write data to the Audit Database. |
NetwrixAuditorPlanItem | — | Unless specified, data is not associated with a specific plan item and, thus, cannot be filtered by item name. Specify an item name. Make sure to create a dedicated item in Netwrix Auditor in advance. |
EventStorePath | — | Select where to store temporary files of syslog messages before the add-on sends them to Netwrix Auditor Server. Netwrix recommends keeping these files inside the service directory. |
LogLevel | error | Specify the logging level: none, info, warning, error (default), debug. |
WriteCriticalIssuesToEventLog | 0 | Instructs the add-on to write important events (such as service start or a critical issue) not only to its own log but also to the Netwrix event log. 1 = yes; 0 = no (default). |
Parameters within SourceList | | You can specify parsing rules for each specific event source and define parameters that override the general settings, such as time zone, default plan name, etc. |
NetwrixAuditorPlan | — | When specified, overrides the general setting. |
NetwrixAuditorPlanItem | — | When specified, overrides the general setting. |
DefaultTsTimezone | — | Define the time zone of syslog events. By default, set to zero offset (UTC). |
AppNameRegExp | — | Define a custom regular expression pattern to retrieve the application name from your syslog messages. Unless specified, the RFC 3164/5424 format is used. If you provide a pattern for the application name, this name is used to determine which rule file parses the syslog messages. The pattern you provide here must match the application name in your custom rule file. |
AppNameGroupID | — | Define the application name value by group ID only if messages are not formatted in accordance with RFC 3164/5424. Otherwise, leave the default value. |
RuleFileList / PathFile | qumulo.xml | Specify paths to the XML file(s) with regular expression parsing rules. You can create a custom file or use the rules provided out of the box. Currently, the qumulo.xml rules file is provided by Qumulo. You can specify several rule files. The service checks whether the AppName parameter in the first rule file matches the AppNameRegExp and AppNameGroupID regular expression in that file; if not, the service proceeds to the next rule file. |
AcceptList / Address | — | Specify a list of IP addresses of syslog event sources. The service collects and processes events from these sources only; events from any other source are ignored. The Address parameter may be followed by optional attributes that override the parameters specified above: naplan — the name of the associated monitoring plan; naplanitem — the name of the associated item; tstimezone — the time zone of the Qumulo cluster. For example: `<Address naplan="NFSmonitoring" naplanitem="NFS" tstimezone="GMT Standard Time">172.28.3.15</Address>` |
After you modify parameters in the settings.xml file, remember to save the changes and then restart the add-on service (SyslogService.exe) for them to take effect.
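The override precedence described in the SourceList rows above (Address attributes over Source settings over general settings) and the AcceptList filtering, as an added Python example that is not part of the add-on's documentation; it also flags a NOCHECK thumbprint and an unpinned ListenTcpAddress so a reviewer sees them before deployment. The settings.xml element nesting, the plan names and the IP addresses are constructed assumptions; only the parameter names and the Address attributes come from the tables above.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed settings.xml fragment. Parameter names and the Address attributes come from the
# add-on documentation; the element nesting is an assumption made for this illustration.
SETTINGS_XML = """<Settings>
  <ListenTcpPort>9905</ListenTcpPort>
  <NetwrixAuditorCertificateThumbprint>NOCHECK</NetwrixAuditorCertificateThumbprint>
  <NetwrixAuditorPlan>GeneralPlan</NetwrixAuditorPlan>
  <NetwrixAuditorPlanItem>GeneralItem</NetwrixAuditorPlanItem>
  <SourceList>
    <Source>
      <NetwrixAuditorPlan>QumuloPlan</NetwrixAuditorPlan>
      <DefaultTsTimezone>UTC</DefaultTsTimezone>
      <AcceptList>
        <Address naplan="NFSmonitoring" naplanitem="NFS" tstimezone="GMT Standard Time">172.28.3.15</Address>
        <Address>172.28.3.16</Address>
      </AcceptList>
    </Source>
  </SourceList>
</Settings>"""

def _text(node: ET.Element, tag: str) -> str | None:
    child = node.find(tag)
    return child.text.strip() if child is not None and child.text else None

def resolve_source(xml_text: str, sender_ip: str) -> dict[str, str | None] | None:
    """Effective plan/item/timezone for a sender, or None if no AcceptList names it."""
    root = ET.fromstring(xml_text)
    for source in root.iterfind("SourceList/Source"):
        for addr in source.iterfind("AcceptList/Address"):
            if (addr.text or "").strip() != sender_ip:
                continue
            # Precedence: Address attribute > Source setting > general setting
            return {
                "plan": addr.get("naplan") or _text(source, "NetwrixAuditorPlan") or _text(root, "NetwrixAuditorPlan"),
                "item": addr.get("naplanitem") or _text(source, "NetwrixAuditorPlanItem") or _text(root, "NetwrixAuditorPlanItem"),
                "timezone": addr.get("tstimezone") or _text(source, "DefaultTsTimezone") or "UTC",
            }
    return None  # sender not listed: the add-on ignores its events

def audit_settings(xml_text: str) -> list[str]:
    """Flag general settings a reviewer should confirm before deployment."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "NetwrixAuditorCertificateThumbprint") == "NOCHECK":
        findings.append("NOCHECK: Auditor Server certificate is not verified (needed only when the server is given by IP)")
    if _text(root, "ListenTcpAddress") in (None, "0.0.0.0"):
        findings.append("ListenTcpAddress 0.0.0.0: syslog listener binds to every interface")
    return findings
```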
Add-on Internal Parameters
Internal parameters listed in the table below are intended for performance tuning. In most cases the default values should be used.
Parameter | Default value | Description |
---|---|---|
EventsFromMemoryFirst | 1 | Instructs the add-on to save events to temporary storage only if there is no free space in the queues. 1 = yes; 0 = no. |
ConcurrentSend | -1 | Specifies the number of threads for concurrent forwarding of events to Auditor. The default value -1 switches concurrent forwarding off. |
ListenTcpAddress | 0.0.0.0 | Defines the IP address the add-on listens on. If the computer has multiple network cards, you can specify a particular IP address here to listen to messages arriving at that address only. |
SenderSleepTime | 30 | Specifies the retry interval in seconds for sending messages to Auditor (30 to 3600 seconds). |
TaskLimit | 8 | Specifies the number of threads and queues for concurrent handling of events. |
QueueSizeLimit | 1000 | Specifies the maximum number of events to keep in a queue before saving them to temporary storage or sending them to the Netwrix API. |
QueueTimeLimit | 5 | Specifies the timeout after which events from a queue that is not full are saved to temporary storage or sent to the Netwrix API: from 5 to 300 — timeout in seconds; -1 — disable the timeout. |