Decoder: Configure Syslog Forwarding to Destination

Document created by RSA Information Design and Development on Sep 13, 2017Last modified by RSA Information Design and Development on Oct 11, 2017
Version 6Show Document
  • View in full screen mode
 

In addition to collecting Syslog messages, you can configure the Log Decoder to forward Syslog messages to another Syslog receiver. NetWitness Suite forwards Syslog messages after it has parsed the messages and before it writes the messages to the Log Decoder.

Note: You must configure Syslog Forwarding using the steps defined in this topic under Procedure using the Explore view.

The Log Decoder must be in the Started state before you can configure Syslog Forwarding. To configure Syslog Forwarding:

  1. Configure Log Decoder application layer rules (Application rules) to tag Syslog messages with metadata that instructs NetWitness Suite to forward the messages:
    1. In the Services view, select a Log Decoder, and in the Actions column, select Actions menu  > View > Explore
    2. Go to the /decoder/config/rules/application node, right-click application, and click Properties.
    3. In the Properties view, specify the add command with the following parameters:
      rule=<query> name=<name>
      Example 1: rule=*name=receiver1
      Example 2: rule="device.type='winevent_nic'" name=receiver)
    4. Click Send.
      This is the result.
      NetWitness Suite creates the name=receiver1 rule=* order=<n> rule. NetWitness Suite inserts the order number (for example, order=49) based on when you set up the rule.
      This is the parameter.
    5. Go to the /decoder/config/rules/application node and click the name=receiver1 rule=* order=49 rule.
    6. Add alert forward parameters to the rule parameters.
      These are the parameters.
      All other rule parameters have the same meaning as they do in other application rules.

      The following Application rule example selects all logs with the * rule. It creates an alert meta with the value "receiver1" and tags the entire log for forwarding it to the syslog forwarding destination. You can define as many different forwarding rules as you need with the same name or unique names.
    1. Define Syslog forwarding destinations and enable forwarding.
      1. In the Services view, select a Log Decoder, and Actions menu  > View > Explore.
      2. Syslog forwarding destinations are defined in the configuration node /decoder/config/logs.forwarding.destination.
        This configuration node contains one or more name/value pairs. The name corresponds to the name parameter in the application rule that you used to tag logs with forwarding meta. The value is a colon-separated triple of transport, host, and port followed by an optional formatting parameter.
        name=(udp|tcp|tls):host:port[:(retainsource|rfc3164)]
        The first parameter indicates the transport protocol and must be one of udp, tcp, or tls. Specifying udp will forward logs via RFC 3164 / RFC 5426 UDP syslog protocol. Specifying tcp will forward logs via a TCP connection with RFC 6587 framing. Specifying tls will forward logs in accordance with RFC 5425.

        The host is an IPv4 address, IPv6 address, or host name.

        The port is the port to which the logs are sent. This is typically port 514 for UDP syslog, and 6514 for TLS connections. There is no standard port assignment for syslog over TCP.

        Optionally, retainsource or rfc3164 can be specified at the and of the destination string to indicate that additional formatting and information should be included with each log forwarded. Specifying retainsource will include z-connector headers at the beginning of the log based and will be populated by the time, device.(ip|ipv6|host), and lc.cid meta and is best used for forwarding to other log decoders. The rfc3164 option will prepend a valid RFC3164 header to all events forwarded constructed of the syslog.pri, time, and device.(ip|ipv6|host) meta. In both cases, the original log text is unmodified.

        Example forwarding destination:

        gears=tls:gears.netwitness.local:6514

        Example forwarding over tcp to blackout on port 514 with z-connector headers:

        fwdrule=tcp:blackout.netwitness.local:514:retainsour

      In the /decoder/config/logs.forwarding.destination parameter, specify the destination. For example:
      TLS Connections: receiver1=tls:receiver1.netwitness.local:6514
      UDP Connections: receiver1=udp:receiver1.netwitness.local:514
      TCP Connections: receiver1=tcp:receiver1.netwitness.local:514

      This is the logs.forwarding.destination setting.

Note:
You can configure:
    - Multiple rules to forward logs to the same destination.
    - Multiple rules to forward logs to multiple destination.

For TLS connections, the certificate of the forwarding destination must be validated. The certificate authority that signed the destination's certificate must be present in the Log Decoder's CA trust store and the certificate must reside on the destination or Syslog receiver. Refer to "Configure Certificates" in the Log Collection Configuration Guide for information about manipulating the Log Decoder's CA trust store. (Go to the Master Table of Contents for Version 11.0 to find NetWitness Suite 11.0 documents.)

  1. In the /decoder/config/logs.forwarding.enabled parameter, specify true.
    This is the logs.forwarding.enabled setting.
You are here
Table of Contents > Decoder and Log Decoder Additional Procedures > Configure Syslog Forwarding to Destination

Attachments

    Outcomes