Decoder: Configure Syslog Forwarding to Destination

Document created by RSA Information Design and Development on Jul 27, 2016. Last modified by RSA Information Design and Development on Sep 28, 2016. Version 4.

In addition to collecting Syslog messages, you can configure the Log Decoder to forward Syslog messages to another Syslog receiver. Security Analytics forwards Syslog messages after it has parsed the messages and before it writes the messages to the Log Decoder.

Note: You must configure Syslog Forwarding in the Explore view, using the steps defined under Procedure in this topic.

Prerequisites

The Log Decoder must be in the Started state.

Procedure

To configure Syslog Forwarding:

  1. Configure Log Decoder application rules to tag Syslog messages with meta that instructs Security Analytics to forward the messages:
    1. In the Services view, select a Log Decoder, and in the Actions column, select the Actions menu > View > Explore.
    2. Go to the /decoder/config/rules/application node, right-click application, and click Properties.
    3. In the Properties view, specify the add command with the following parameters:
      rule=<query> name=<name> (Example 1: rule=* name=receiver1; Example 2: rule="device.type='winevent_nic'" name=receiver1)
    4. Click Send.
      Security Analytics creates the name=receiver1 rule=* order=<n> rule. Security Analytics inserts the order number (for example, order=49) based on when you set up the rule.
    5. Go to the /decoder/config/rules/application node and click the name=receiver1 rule=* order=49 rule.
    6. Add alert forward parameters to the rule's parameters.
      All other rule parameters have the same meaning as they do in other application rules.

      The following application rule example selects all logs with the * rule. It creates an alert meta with the value "receiver1" and tags the entire log for forwarding to the Syslog forwarding destination. You can define as many different forwarding rules as you need, with the same name or with unique names.
  2. Define Syslog forwarding destinations and enable forwarding.
    1. In the Services view, select a Log Decoder, and in the Actions column, select the Actions menu > View > Explore.
    2. In the /decoder/config/logs.forwarding.destination parameter, specify the destination. For example:
      TLS Connections: receiver1=tls:receiver1.netwitness.local:6514
      UDP Connections: receiver1=udp:receiver1.netwitness.local:514
      TCP Connections: receiver1=tcp:receiver1.netwitness.local:514


Note: You can configure:
    - Multiple rules to forward logs to the same destination.
    - Multiple rules to forward logs to multiple destinations.

For TLS connections, the certificate of the forwarding destination must be validated. The certificate authority that signed the destination's certificate must be present in the Log Decoder's CA trust store and the certificate must reside on the destination or Syslog receiver. Refer to Configure Certificates in the Log Collection Guide for information about manipulating the Log Decoder's CA trust store.

    3. In the /decoder/config/logs.forwarding.enabled parameter, specify true.
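The following Python script is an added example and is not part of RSA's documentation or the product. It parses destination strings and application rule lines in the formats shown in the procedure above and checks that the three settings agree with one another: every rule tagged with forward names a defined destination, every destination uses one of the three transports shown (tls, udp, tcp) with a valid port, and logs.forwarding.enabled is true. The Explore parameter formats come from this page; the function names, the assumption that a rule line is a sequence of key=value pairs plus bare flags such as alert and forward, and the sample values are constructed.

```python
"""Consistency check for Log Decoder syslog-forwarding settings (added example)."""
import re
import shlex
from dataclasses import dataclass

# Transports shown on the page, with the port each page example uses.
TRANSPORTS = {"tls": 6514, "udp": 514, "tcp": 514}

# <name>=<proto>:<host>:<port>, e.g. receiver1=tls:receiver1.netwitness.local:6514
DEST_RE = re.compile(
    r"^(?P<name>[\w.-]+)=(?P<proto>[a-z]+):(?P<host>[\w.-]+):(?P<port>\d{1,5})$"
)


@dataclass
class Destination:
    name: str
    proto: str
    host: str
    port: int


def parse_destination(value: str) -> Destination:
    """Parse one logs.forwarding.destination entry; raise ValueError if malformed."""
    m = DEST_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad destination syntax: {value!r}")
    if m["proto"] not in TRANSPORTS:
        raise ValueError(f"unsupported transport {m['proto']!r} in {value!r}")
    port = int(m["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range in {value!r}")
    return Destination(m["name"], m["proto"], m["host"], port)


def parse_rule(line: str):
    """Split an application rule into key=value parameters and bare flags.

    Shell-style quoting is assumed, so rule="device.type='winevent_nic'" stays
    one token (the page shows this rule form but gives no formal grammar).
    """
    params, flags = {}, set()
    for tok in shlex.split(line):
        if "=" in tok:
            key, val = tok.split("=", 1)
            params[key] = val
        else:
            flags.add(tok)
    return params, flags


def check_forwarding(rules, destinations, enabled: str):
    """Return human-readable findings; an empty list means the setup is coherent."""
    findings, dests = [], {}
    for entry in destinations:
        try:
            d = parse_destination(entry)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if d.name in dests:
            findings.append(f"destination {d.name!r} defined more than once")
        dests[d.name] = d
        if d.proto != "tls":
            # udp and tcp carry the parsed logs unencrypted to the receiver
            findings.append(f"{d.name}: {d.proto} to {d.host}:{d.port} sends logs in clear text")

    forwarding_rules = 0
    for line in rules:
        params, flags = parse_rule(line)
        if "forward" not in flags:
            continue  # this rule does not tag logs for forwarding
        forwarding_rules += 1
        name = params.get("name")
        if not name:
            findings.append(f"forwarding rule has no name: {line!r}")
        elif name not in dests:
            findings.append(f"rule {name!r} forwards to an undefined destination")
        if "alert" not in flags:
            findings.append(f"rule {name!r} uses forward without alert; the procedure sets both")

    if forwarding_rules and enabled.strip().lower() != "true":
        findings.append("logs.forwarding.enabled is not true; tagged logs will not be sent")
    if dests and not forwarding_rules:
        findings.append("destinations defined but no rule tags logs for forwarding")
    return findings


# Constructed sample values, modelled on the page's examples.
SAMPLE_RULES = [
    "name=receiver1 rule=* order=49 alert forward",
    'name=receiver2 rule="device.type=\'winevent_nic\'" order=50 alert forward',
    "name=audit rule=* order=51 alert",  # alert only: not forwarded
]
SAMPLE_DESTS = [
    "receiver1=tls:receiver1.netwitness.local:6514",
    "receiver2=udp:receiver2.netwitness.local:514",
]

if __name__ == "__main__":
    for finding in check_forwarding(SAMPLE_RULES, SAMPLE_DESTS, "true") or ["OK"]:
        print(finding)
```

The script flags udp and tcp destinations because they carry the parsed logs in clear text; it cannot verify the CA trust store step described above for tls destinations, so that check still has to be done on the Log Decoder itself.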