Decoder: Configure Syslog Forwarding to Destination

Document created by RSA Information Design and Development Employee on Nov 23, 2016Last modified by RSA Information Design and Development Employee on Mar 28, 2017
Version 4Show Document
  • View in full screen mode

This topic provides instructions for forwarding collected Syslog messages from a Log Decoder to another Syslog receiver.

In addition to collecting Syslog messages, you can configure the Log Decoder to forward Syslog messages to another Syslog receiver. Security Analytics forwards Syslog messages after it has parsed the messages and before it writes the messages to the Log Decoder.

Note: You must configure Syslog Forwarding using the steps defined in this topic under Procedure using the Explore view.


The Log Decoder must be in the Started state.


To configure Syslog Forwarding:

  1. Configure Log Decoder application layer rules (Application rules) to tag Syslog messages with meta that instructs Security Analytics to forward the messages:
    1. In the Services view, select a Log Decoder, and in the Actions column, select Actions menu cropped > View > Explore
    2. Go to the /decoder/config/rules/application node, right-click application, and click Properties.
    3. In the Properties view, specify the add command with the following parameters:
      rule=<query> name=<name> (Example 1, rule=*name=receiver1, Example 2, rule="device.type='winevent_nic'" name=receiver1)
    4. Click Send.
      Security Analytics creates the name=receiver1 rule=* order=<n> rule. Security Analytics inserts the order number (for example, order=49) based on when you set up the rule.
    5. Go to the /decoder/config/rules/application node and click the name=receiver1 rule=* order=49 rule.
    6. Add alert forward parameters to the rule's parameters.
      All other rule parameters have the same meaning as they do in other application rules.

      The following Application rule example selects all logs with the * rule. It creates an alert meta with the value "receiver1" and tags the entire log for forwarding it to the syslog forwarding destination. You can define as many different forwarding rules as you need with the same name or unique names.
  1. Define Syslog forwarding destinations and enable forwarding.
    1. In the Services view, select a Log Decoder, and in the Actions column, select Actions menu cropped > View > Explore.
    2. In the /decoder/config/logs.forwarding.destination parameter, specify the destination. For example:
      TLS Connections: receiver1=tls:receiver1.netwitness.local:6514
      UDP Connections: receiver1=udp:receiver1.netwitness.local:514
      TCP Connections: receiver1=tcp:receiver1.netwitness.local:514


You can configure:
    - Multiple rules to forward logs to the same destination.
    - Multiple rules to forward logs to multiple destination.

For TLS connections, the certificate of the forwarding destination must be validated. The certificate authority that signed the destination's certificate must be present in the Log Decoder's CA trust store and the certificate must reside on the destination or Syslog receiver. Refer to the Configure Certificates topic in the Log Collection Configuration Guide for information about manipulating the Log Decoder's CA trust store.

  1. In the /decoder/config/logs.forwarding.enabled parameter, specify true.

Related Topic

You are here
Table of Contents > Additional Procedures > Configure Syslog Forwarding to Destination