Outbound Routing Rules

You can create a new routing rule to specify the source device (or device group) this rule applies to, the destinations to forward to, and the details of the communication pathway to the destination.

Note: The LogLogic appliances forward logs to other destinations over UDP syslog, TCP syslog, and SNMP. The forwarded logs include syslog messages, file-pulled logs, and SNMP traps. For file-pulled logs and SNMP traps, the user can turn headers On or Off on a per-routing-rule basis; for file-pulled logs, the user can also set the forwarding speed.
Warning: When using LogLogic TCP, the source and destination appliances must be of the same release and hotfix.

Data can be forwarded to a TIBCO LogLogic® Unity platform based on one or more rules. For more information, refer to Forwarding Data to TIBCO LogLogic® Unity.

It is good practice to use the following template in your Syslog-NG configuration so that logs are collected correctly:

template("<$PRI>$R_DATE $SOURCEIP $MSG\n") template_escape(no)

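
The record format that template produces, worked through as an added Python example (not LogLogic's or syslog-ng's own code): a builder that renders records the way the template does and a parser a receiving collector could use to validate them. It assumes $R_DATE is syslog-ng's default BSD-style timestamp, and the sample records are constructed, not captured from an appliance.

```python
import ipaddress
import re

# One record as the template <$PRI>$R_DATE $SOURCEIP $MSG emits it.
# Assumption: $R_DATE is syslog-ng's default BSD timestamp ("Mar  5 14:02:07").
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<ip>\S+) (?P<msg>.*)$"
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_forwarded(line: str) -> dict:
    """Parse one record; reject anything that does not fit the template."""
    m = _LINE.match(line.rstrip("\n"))      # '.' excludes '\n', so a record whose
    if not m:                               # message carries an embedded newline
        raise ValueError(f"not in <PRI>R_DATE SOURCEIP MSG form: {line!r}")
    pri = int(m["pri"])
    if pri > 191:                           # facility 0..23, severity 0..7
        raise ValueError(f"PRI out of range: {pri}")
    src = ipaddress.ip_address(m["ip"])     # raises ValueError on hostnames/junk
    return {"facility": pri // 8, "severity": SEVERITIES[pri % 8],
            "date": m["date"], "source_ip": str(src), "msg": m["msg"]}


def build_forwarded(pri: int, r_date: str, source_ip: str, msg: str) -> str:
    """Render a record as the template would. template_escape(no) copies the
    message verbatim, so a newline inside it would split the record at the
    receiver; refuse such messages up front."""
    if "\n" in msg:
        raise ValueError("message contains a newline; it would break framing")
    return f"<{pri}>{r_date} {source_ip} {msg}\n"


# Constructed sample records (not captured from a real appliance).
SAMPLE_LINES = [
    "<34>Mar  5 14:02:07 10.1.2.3 Failed password for invalid user admin from 203.0.113.9 port 52214 ssh2",
    "<13>Mar  5 14:02:08 fe80::1 link down on eth1",
    "<999>Mar  5 14:02:09 10.1.2.3 PRI out of range",
    "Mar  5 14:02:10 10.1.2.3 PRI header missing",
]


def check_samples(lines=SAMPLE_LINES):
    """Split a batch into (parsed records, (line, reason) rejects)."""
    ok, bad = [], []
    for line in lines:
        try:
            ok.append(parse_forwarded(line))
        except ValueError as e:
            bad.append((line, str(e)))
    return ok, bad
```
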
Note: If you enable the Administration > System Settings > Auto-identify Log Sources option and you have several thousand log sources configured that need to be auto-identified, routing rules and alerts can slow the auto-identify process.

You can create up to 200 routing rules for each appliance. However, you must account for several factors that affect the number of rules your appliance can manage:

  • message rate
  • filter (use of regular expressions)
  • tunneling
  • authentication (authentication is a one time occurrence)
  • compression
  • TCP transport

    LogLogic TCP should be used only when required, for example, over unreliable or slow WAN links or when file-based data must be kept in file format.

  • number of searches or reports being executed on the appliance
  • number of file-based transfer rules (which are not included in the inbound message rate)
  • number of alerts (especially those with regular expressions)
  • whether HA is enabled
    Note: The log sources specified in each rule have an impact on performance. For example, 10,000 sources in 3 routing rules having their aggregate data set sent to 3 hosts has more overhead than 100 log sources having their aggregate data sent to 3 hosts.