This is what I intend to be the first of a series of posts on configuring WLS. Configuration before installation is done via the initial.xml file, post-installation configuration changes are done via the registry; the names and basic structure remain the same.
The first and only required change to the initial.xml file is changing the “Network” section to match your environment. Also, only non-default settings need to be set; any missing settings will be set to defaults on start-up by WLS. The term Network was chosen instead of server since it defines a source network and where hosts that meet the definition should send their logs. Multiple networks can be defined, allowing for single configuration deployment across an enterprise and server redundancy in the event a server becomes unreachable for an extended period.
Global network settings
- FailedSendTimeout: If ALL configured and qualified networks are out of range or connectivity attempts have failed, wait x seconds before retrying.
- SendAsync: Use asynchronous sockets to send data
- SocketTimeout: If no data has been sent for X seconds, close the socket
Per-instance network settings
- The registry key name is how this instance will be referred to in the logs; name it appropriately.
- AcceptInvalidCertificates: Allow expired certificates, non-matching domain names, etc.
- ClientCertificate: Only applicable if UseSSL is enabled.
  - Blank: (default) No client certificate
  - UseLocal: Retrieve the client certificate from the local certificate store
  - File path: use a certificate on disk
- IPRange: The IP range that the local host’s IP address MUST fall within to use this “network”
  - Any – Any IPv4 or IPv6 address
  - 0.0.0.0/0 – Any IPv4 address
  - ::/0 – Any IPv6 address
  - Valid CIDR
  - Min-max IP range
- LogFormat
  - syslog (default)
  - json
- Priority: If the host’s IP address falls into multiple ranges, this determines the order in which they are tried. If multiple networks with the same priority qualify, alphabetical order is used.
- Protocol
  - TCP (default)
  - UDP
- ServerNameOrIP: The host name or IP address of the destination server
- ServerPort: The port on the destination server
- UseSSL: Use SSL when sending logs
Examples!
Example 1
I run a local Splunk instance for testing and want my logs sent to it regardless of my IP address. I’ll set the IPRange to “Any” to allow any IPv4 or IPv6 source range and define the local server configuration. That’s it; all other values are defaults.
<Network>
  <FailedSendTimeout>300</FailedSendTimeout>
  <SendAsync>1</SendAsync>
  <SocketTimeout>5</SocketTimeout>
  <LocalSplunk>
    <IPRange>Any</IPRange>
    <ServerNameOrIP>localhost</ServerNameOrIP>
    <ServerPort>514</ServerPort>
  </LocalSplunk>
</Network>
Example 2
I have a work laptop that, when used internally, should log directly to the log server without encryption; if it’s taken off-network, it should use an externally visible log server with SSL.
Note: If the laptop obtains an IP in the range defined by “Inside” while off the work network, it will not send data unless the server is available and a connection succeeds; when that fails, it will use the next range – “Outside”.
<Network>
  <FailedSendTimeout>300</FailedSendTimeout>
  <SendAsync>1</SendAsync>
  <SocketTimeout>5</SocketTimeout>
  <Inside>
    <IPRange>192.168.0.1/24</IPRange>
    <Priority>0</Priority>
    <ServerNameOrIP>MyInsideServer.domain.com</ServerNameOrIP>
    <ServerPort>514</ServerPort>
  </Inside>
  <Outside>
    <IPRange>Any</IPRange>
    <Priority>1</Priority>
    <ServerNameOrIP>MyOutsideServer.domain.com</ServerNameOrIP>
    <ServerPort>9514</ServerPort>
    <UseSSL>1</UseSSL>
  </Outside>
</Network>
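To make the selection rules above concrete (IPRange matching, Priority, alphabetical tie-break), here is an added Python example that is not part of WLS or this post: it parses a constructed Network section modelled on Example 2, plus two extra instances so the tie-break is visible, and lists the instances a given host address qualifies for in the order they would be tried. It covers every IPRange form listed above (Any, CIDR, min-max, IPv4 and IPv6); treating a missing Priority as 0 is my assumption, not something the post states.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample section (not a real initial.xml): Example 2 from the post
# plus "Lab" (min-max range) and "Campus" (CIDR) sharing Priority 0.
INITIAL_XML = """<Network>
  <FailedSendTimeout>300</FailedSendTimeout>
  <Inside><IPRange>192.168.0.1/24</IPRange><Priority>0</Priority>
    <ServerNameOrIP>MyInsideServer.domain.com</ServerNameOrIP><ServerPort>514</ServerPort></Inside>
  <Outside><IPRange>Any</IPRange><Priority>1</Priority>
    <ServerNameOrIP>MyOutsideServer.domain.com</ServerNameOrIP><ServerPort>9514</ServerPort><UseSSL>1</UseSSL></Outside>
  <Lab><IPRange>10.0.0.1-10.0.0.50</IPRange><Priority>0</Priority>
    <ServerNameOrIP>lab.example.invalid</ServerNameOrIP><ServerPort>514</ServerPort></Lab>
  <Campus><IPRange>10.0.0.0/8</IPRange><Priority>0</Priority>
    <ServerNameOrIP>campus.example.invalid</ServerNameOrIP><ServerPort>514</ServerPort></Campus>
</Network>"""

# Children of <Network> that are global settings, not per-instance networks.
GLOBAL_KEYS = {"FailedSendTimeout", "SendAsync", "SocketTimeout"}

def ip_in_range(spec, host_ip):
    """True if host_ip matches an IPRange value: Any, CIDR (0.0.0.0/0, ::/0, ...) or min-max."""
    ip = ipaddress.ip_address(host_ip)
    spec = spec.strip()
    if spec.lower() == "any":
        return True
    if "-" in spec:  # min-max form; version check first, mixed v4/v6 compares raise
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    net = ipaddress.ip_network(spec, strict=False)  # 192.168.0.1/24 -> 192.168.0.0/24
    return ip.version == net.version and ip in net

def qualifying_networks(xml_text, host_ip):
    """Per-instance networks the host qualifies for, ordered as WLS would try them:
    ascending Priority, then alphabetical registry key name. Missing Priority is
    assumed to be 0 (assumption, not stated in the post)."""
    result = []
    for inst in ET.fromstring(xml_text):
        if inst.tag in GLOBAL_KEYS or not ip_in_range(inst.findtext("IPRange", ""), host_ip):
            continue
        result.append({
            "name": inst.tag,
            "priority": int(inst.findtext("Priority", "0")),
            "server": inst.findtext("ServerNameOrIP"),
            "port": int(inst.findtext("ServerPort")),
            "ssl": inst.findtext("UseSSL", "0") == "1",
        })
    result.sort(key=lambda n: (n["priority"], n["name"]))
    return result

if __name__ == "__main__":
    for host in ("192.168.0.42", "10.0.0.7", "2001:db8::1"):
        print(host, [n["name"] for n in qualifying_networks(INITIAL_XML, host)])
```

Running it shows the laptop on 192.168.0.42 tries Inside then Outside, a 10.0.0.7 host tries Campus, Lab, Outside (tie broken alphabetically), and an IPv6-only host reaches just Outside over SSL.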