In addition to collecting Syslog messages, you can configure the Log Decoder to forward Syslog messages to another Syslog receiver. NetWitness Suite forwards Syslog messages after it has parsed the messages and before it writes the messages to the Log Decoder.
The Log Decoder must be in the Started state before you can configure Syslog Forwarding. To configure Syslog Forwarding:
- Configure Log Decoder application layer rules (Application rules) to tag Syslog messages with metadata that instructs NetWitness Suite to forward the messages:
- In the Services view, select a Log Decoder, and in the Actions column, select > View > Explore.
- Go to the /decoder/config/rules/application node, right-click application, and click Properties.
- In the Properties view, specify the add command with the following parameters:
Example 1: rule=*name=receiver1
Example 2: rule="device.type='winevent_nic'" name=receiver)
- Click Send.
NetWitness Suite creates the name=receiver1 rule=* order=<n> rule. NetWitness Suite inserts the order number (for example, order=49) based on when you set up the rule.
- Go to the /decoder/config/rules/application node and click the name=receiver1 rule=* order=49 rule.
- Add alert forward parameters to the rule parameters.
All other rule parameters have the same meaning as they do in other application rules.
The following Application rule example selects all logs with the * rule. It creates an alert meta with the value "receiver1" and tags the entire log for forwarding it to the syslog forwarding destination. You can define as many different forwarding rules as you need with the same name or unique names.
- Define Syslog forwarding destinations and enable forwarding.
- In the Services view, select a Log Decoder, and > View > Explore.
Syslog forwarding destinations are defined in the configuration node /decoder/config/logs.forwarding.destination.
This configuration node contains one or more name/value pairs. The name corresponds to the name parameter in the application rule that you used to tag logs with forwarding meta. The value is a colon-separated triple of transport, host, and port followed by an optional formatting parameter.
The first parameter indicates the transport protocol and must be one of udp, tcp, or tls. Specifying udp will forward logs via RFC 3164 / RFC 5426 UDP syslog protocol. Specifying tcp will forward logs via a TCP connection with RFC 6587 framing. Specifying tls will forward logs in accordance with RFC 5425.
The host is an IPv4 address, IPv6 address, or host name.
The port is the port to which the logs are sent. This is typically port 514 for UDP syslog, and 6514 for TLS connections. There is no standard port assignment for syslog over TCP.
Optionally, retainsource or rfc3164 can be specified at the and of the destination string to indicate that additional formatting and information should be included with each log forwarded. Specifying retainsource will include z-connector headers at the beginning of the log based and will be populated by the time, device.(ip|ipv6|host), and lc.cid meta and is best used for forwarding to other log decoders. The rfc3164 option will prepend a valid RFC3164 header to all events forwarded constructed of the syslog.pri, time, and device.(ip|ipv6|host) meta. In both cases, the original log text is unmodified.
Example forwarding destination:
Example forwarding over tcp to blackout on port 514 with z-connector headers:
In the /decoder/config/logs.forwarding.destination parameter, specify the destination. For example:
TLS Connections: receiver1=tls:receiver1.netwitness.local:6514
UDP Connections: receiver1=udp:receiver1.netwitness.local:514
TCP Connections: receiver1=tcp:receiver1.netwitness.local:514