Log Collection Deployment: Configure Log Routing for Specific Protocols

Document created by RSA Information Design and Development on Oct 23, 2017
Version 1

This topic tells you how to define where specific protocol event messages are routed by configuring multiple Local Collectors in a destination group. This can help you to direct event data to specific locations according to protocol type.

After completing this procedure, you will have set up multiple destinations, in a destination group, to which Security Analytics distributes protocol event data.



Define Routing of Protocol Event Data

When pushing to more than one Local Collector, you can choose to route specific protocol event data to multiple Local Collectors by specifying multiple destinations within a Destination Group. A Destination Group is a collection of Local Collectors, such that event data can be distributed to all members of the group.

The figure for this procedure (not reproduced here) shows how to route event messages from a collection protocol. Its callouts describe these steps:

  1. Access the Services view.
  2. Select a remote collector.
  3. Click the expand button under Actions and select View > Config to display the Log Collection configuration parameter tabs.
  4. Select the Local Collectors tab, select Destinations in the Select Configuration drop-down menu, and click Add in the Destination Groups panel to display the Add Remote Destination dialog.
  5. Set up a separate Destination for each Local Collector and designate the protocols for which you want to push event messages to that Local Collector.

The newly added primary and load-balanced Local Collector configuration is displayed in the Local Collectors tab.

Configure Event Message Routing from a Collection Protocol

  1. In the Security Analytics menu, select Administration > Services.
  2. In Services, select a Remote Collector.
  3. Click the expand button under Actions and select View > Config.
    The Service Config view is displayed with the Log Collector General tab open.
  4. Select the Local Collectors tab.
  5. In the Destination Groups panel, click Add.
    The Add Remote Destination dialog is displayed.
  6. Set up a separate Destination for each Local Collector and designate the protocols for which you want to push event messages to that Local Collector. The following example shows the addition of two Destination Local Collectors (Destination1 and Destination2). This configuration sends:
    • Check Point, File, and ODBC event data to Destination1
    • Syslog and Windows event data to Destination2
    To add each Destination:
    1. Type the Destination Name.
    2. Type the Group Name. If you do not type a Group Name, the Destination Name is used as the Group Name.
    3. Select the collection protocol from the drop-down list.
    4. Select a Local Collector (for example, LC1).
    5. Click OK. Destination1 is created and displayed in the Destination Groups panel.
    6. Select the new group (for example, Destination1) in the Destination Groups panel.
    7. In the Local Collector panel, click Add and complete the Add Remote Destination dialog for the second Local Collector (for example, LC2), as illustrated in the figure (not reproduced here).

    The Check Point, File, ODBC, Syslog, and Windows collection protocols are then load balanced between two Local Collectors (LC1 and LC2). Both Local Collectors are active and collecting event data.
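The routing this procedure sets up, as an added example that is not part of the original guide or of Security Analytics itself: a Python model of the Destination1/Destination2 configuration that maps each collection protocol to exactly one Destination Group, flags any collected protocol that no group forwards (events for it would have nowhere to go), and spreads a group's events across LC1 and LC2. Group, collector and protocol names are constructed, and round-robin load balancing is an assumption; the guide only says both Local Collectors are active.

```python
from itertools import cycle

# Constructed model of the Destination Group configuration from the procedure
# above. Names are hypothetical; this is not Security Analytics' own data model.
DESTINATION_GROUPS = {
    "Destination1": {"protocols": {"checkpoint", "file", "odbc"},
                     "local_collectors": ["LC1", "LC2"]},
    "Destination2": {"protocols": {"syslog", "windows"},
                     "local_collectors": ["LC1", "LC2"]},
}

# Protocols the Remote Collector is collecting (constructed sample; "snmp" is
# deliberately left out of every group to exercise the gap check).
COLLECTED_PROTOCOLS = {"checkpoint", "file", "odbc", "syslog", "windows", "snmp"}


def build_routing_table(groups):
    """Map each collection protocol to exactly one Destination Group.

    A protocol listed under two groups is rejected: it would be ambiguous
    which Local Collectors should receive its events.
    """
    table = {}
    for group_name, group in groups.items():
        for protocol in group["protocols"]:
            if protocol in table:
                raise ValueError(f"{protocol} assigned to both "
                                 f"{table[protocol]} and {group_name}")
            table[protocol] = group_name
    return table


def unrouted_protocols(groups, collected):
    """Collected protocols that no Destination Group forwards.
    Review the configuration until this is empty; otherwise those events
    have no Local Collector to go to.
    """
    return collected - set(build_routing_table(groups))


def route_events(groups, events):
    """Assign each (protocol, message) event to a group and a Local Collector.
    Load balancing across a group's Local Collectors is modelled as
    round-robin (an assumption; the guide only says both are active).
    """
    table = build_routing_table(groups)
    balancers = {name: cycle(g["local_collectors"]) for name, g in groups.items()}
    return [(msg, table[proto], next(balancers[table[proto]]))
            for proto, msg in events]
```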
