Add-On Parameters
To configure the add-on parameters, you need to edit the Settings.xml file in the add-on folder. You must define connection details: Auditor Server host, endpoint, etc.
Most parameters are optional; you can skip or define parameters depending on your execution scenario and security policies.
The service uses the default values unless parameters are explicitly defined
(<parameter>\*\*\_value_\*\*</parameter>).
Parameters in Settings.xml can be grouped as follows:
- General parameters that affect add- on execution. They are listed in the table below.
- Settings for a certain event source (within the Source section) that can override general settings.
- Internal parameters that should not be modified in most cases. They are listed in the topic.
| Parameter | Default value | Description |
|---|---|---|
| General parameters | ||
| ListenUdpPort | 514 | Specify UDP port for listening to the incoming syslog events. |
| NetwrixAuditorEndpoint | https://localhost: 9699/netwrix/api/ v1/activity_records | Auditor Server IP address and port number followed by endpoint for posting Activity Records. Assumes that the add-on runs on the computer hosting Auditor Server and uses default port 9699. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., 172.28.6.15, EnterpriseNAServer, WKS.enterprise.local). To specify a non-default port, provide a server name followed by the port number (e.g., WKS.enterprise.local:9999). Do not modify the endpoint part (/netwrix/api . . . . ) |
| NetwrixAuditor CertificateThumbprint | NOCHECK | Netwrix Auditor Certificate Thumbprint Property. Possible values: - Empty—Check the certificate via Windows Certificate Store. - AB:BB:CC.—Check the certificate thumbprint identifier. - NOCHECK—Do not check the certificate. Make sure to select this parameter if you plan to specify servers by their IP. |
| NetwrixAuditorPlan | — | Unless specified, data is written to Netwrix_Auditor_API database and is not associated with a specific monitoring plan. Specify a name of associated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. If you select a plan name in the add-on, make sure a dedicated plan is created in Auditor, the Netwrix API data source is added to the plan and enabled for monitoring. Otherwise, the add-on will not be able to write data to the Audit Database. |
| NetwrixAuditorPlanItem | — | Unless specified, data is not associated with a specific monitoring plan and thus cannot be filtered by item name. Specify an item name here. Make sure to create a dedicated item in Auditor in advance. |
| EventStorePath | — | Select where to store temporary files of syslog messages before the add-on sends them to Auditor Server. Netwrix recommends to store these files in the same directory with the add-on (SyslogService.exe). |
| LogLevel | warning | Specify logging level: - none - info - warning (used by default) - error - debug |
| WriteCriticalIssues ToEventLog | 0 | Instructs the add-on to write important events (like service start or critical issue) not only to its own log but also to Netwrix event log. - 1=yes - 0=no (default) |
| Parameters within SourceList You can specify parsing rules for each specific event source and define parameters to override general settings, such as time zone, default plan name, etc. | ||
| NetwrixAuditorPlan | — | When specified, overrides the general settings. |
| NetwrixAuditorPlanItem | — | When specified, overrides the general settings. |
| AppNameRegExp | — | Custom regular expression pattern that will be used to retrieve the application name from your syslog messages. The add-on will match the application name and the files with syslog parsing rules to be applied. The pattern you provide here must match the application name in your custom rule file. Unless specified, RFC 3164/5424 format is used. |
| AppNameGroupID | — | Define application name value by Group ID only if messages are not formatted in accordance with RFC 3164/5424. Otherwise, leave the default value. |
| RuleFileList PathFile | cyberark-v2.xml | Specify paths to XML file(s) with regular expression parsing rules. You can create a custom file or use rules provided out of the box. Currently, the cyberark-v2.xml rule file is shipped with this add-on. You can specify several rule files. The service will check if the AppName parameter in the first rule file matches the AppNameRegExp and AppNameGroupID regular expression in this file. If not, the service will proceed to the next rule file. |
| AcceptList Address | — | Specify a list of IP addresses of syslog events sources. The service will collect and process events from these sources only. Events collected from any other source will be ignored. The Address parameter may be followed by optional attributes that override parameters specified above: - naplan—A name of associated monitoring plan - naplanitem—A name of associated item For example: <Address naplan="NFSmonitoring" naplanitem="NFS">172.28.3.15 </Address> |
Remember to save Settings.xml after editing is complete.
After you modify parameters in the Settings.xml file, remember to save the changes and then restart the add-on main service (SyslogService.exe) for them to take effect.
Add-on Internal Parameters
Internal parameters listed in the table below are intended for performance tuning. In most cases the default values should be used.
| Parameter | Default value | Description |
|---|---|---|
| EventsFromMemoryFirst | 1 | Instructs the add-on to save events to temporary storage only if there is no free space in queues: - 1=yes - 0=no |
| ConcurrentSend | -1 | Specifies the number of threads for concurrent forwarding of events to Auditor. Default value is -1 (switch off concurrent forwarding). |
| SenderSleepTime | 30 | Specifies the retry interval in seconds to send messages to Auditor (30 - 3600 seconds). |
| TaskLimit | 8 | Specifies the number of threads and queues for concurrent handling of events. |
| QueueSizeLimit | 100 | Specifies the maximum number of events to keep in queue before saving to temporary storage or sending to Netwrix API. |
| QueueTimeLimit | 5 | Specifies the length of timeout before events from queue (not full) are saved to temporary storage or sent to Netwrix API: - From 5 to 300 – timeout in seconds. - -1 – disable timeout. |