Configuring an Appliance for Message Routing

You must configure your appliance for the various forwarding protocols that LogLogic supports.

LogLogic supports the following forwarding protocols per log type:
  • Real-time logs can be forwarded using all except SNMP protocols.
  • File-based logs, including database collection (such as MSSQL or Oracle), can be forwarded using all except SNMP protocols. If you use a protocol other than LogLogic TCP, the source type of the logs is detected as a general syslog source on the downstream appliance. If the downstream appliance is an LX or MX model, file-based logs sent using a protocol other than LogLogic TCP are not parsed. LogLogic TCP cannot be used for sending to a non-LogLogic LMI host.
  • SNMP can only be forwarded using SNMP protocol. (In addition, SNMP logs are translated to ASCII format and internally routed to the Syslog port. These translated SNMP logs are just like real-time logs, and can be forwarded using “All Sources” forwarding rules.)
    Note: LogLogic LMI does not support sending duplicate logs to the same destination when the same protocol is selected even with different ports. If you want to send the same set of data twice to the same destination, you must use different protocols.
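The constraints above (SNMP only over SNMP, real-time and file-based logs over anything except SNMP, LogLogic TCP only to an LMI destination, and no second rule to the same destination with the same protocol regardless of port) can be checked before a routing configuration is applied. The following is an added example, not LogLogic code or a LogLogic API: it models forwarding rules as plain records and validates them. The protocol labels "TCP syslog" and "UDP syslog", the `destination_is_lmi` flag and the sample rules are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# "SNMP" and "LogLogic TCP" are protocol names from the documentation above.
# "TCP syslog" / "UDP syslog" are assumed labels for the other protocols.
SNMP = "SNMP"
LOGLOGIC_TCP = "LogLogic TCP"


@dataclass(frozen=True)
class ForwardingRule:
    log_type: str                    # "real-time", "file-based" or "snmp"
    protocol: str
    destination: str                 # downstream host (constructed sample values below)
    port: int
    destination_is_lmi: bool = True  # False for a non-LogLogic LMI receiver (assumed flag)


def rule_errors(rule: ForwardingRule) -> List[str]:
    """Hard errors: protocol not allowed for this log type or destination."""
    errors = []
    if rule.log_type == "snmp":
        if rule.protocol != SNMP:
            errors.append(f"{rule.destination}: SNMP logs can only be forwarded with SNMP")
    elif rule.log_type in ("real-time", "file-based"):
        if rule.protocol == SNMP:
            errors.append(f"{rule.destination}: {rule.log_type} logs cannot be forwarded over SNMP")
    else:
        errors.append(f"{rule.destination}: unknown log type {rule.log_type!r}")
    if rule.protocol == LOGLOGIC_TCP and not rule.destination_is_lmi:
        errors.append(f"{rule.destination}: LogLogic TCP requires a LogLogic LMI destination")
    return errors


def rule_warnings(rule: ForwardingRule) -> List[str]:
    """Soft warnings: configuration is accepted but loses source typing/parsing."""
    if rule.log_type == "file-based" and rule.protocol != LOGLOGIC_TCP:
        return [f"{rule.destination}: file-based logs over {rule.protocol} arrive as "
                "general syslog and are not parsed on LX/MX downstream appliances"]
    return []


def validate_rules(rules: List[ForwardingRule]) -> Tuple[List[str], List[str]]:
    """Validate a whole rule set; duplicates are keyed on (destination, protocol),
    ignoring the port, because different ports do not make a second send allowed."""
    errors, warnings, seen = [], [], set()
    for rule in rules:
        errors.extend(rule_errors(rule))
        warnings.extend(rule_warnings(rule))
        key = (rule.destination, rule.protocol)
        if key in seen:
            errors.append(f"{rule.destination}: duplicate send over {rule.protocol} "
                          f"(port {rule.port}); use a different protocol instead")
        seen.add(key)
    return errors, warnings


# Constructed sample rule set (hosts and ports are placeholders).
SAMPLE_RULES = [
    ForwardingRule("real-time", "TCP syslog", "10.0.0.5", 514),
    ForwardingRule("real-time", "TCP syslog", "10.0.0.5", 1514),   # duplicate: same host+protocol
    ForwardingRule("file-based", "UDP syslog", "10.0.0.5", 514),   # accepted, but warned
    ForwardingRule("snmp", "TCP syslog", "10.0.0.6", 514),         # error: SNMP needs SNMP
    ForwardingRule("file-based", LOGLOGIC_TCP, "siem.example", 4433,
                   destination_is_lmi=False),                      # error: non-LMI host
]

if __name__ == "__main__":
    errs, warns = validate_rules(SAMPLE_RULES)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
```

Running the sample set reports three errors (the duplicate TCP syslog send, SNMP data over TCP syslog, and LogLogic TCP to a non-LMI host) and one warning for the file-based rule over UDP syslog.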

Procedure

  1. (Optional) Define Search Filters.
  2. (Optional) Define Device Groups to be used as the routing rule source.
  3. For the LogLogic TCP protocol, enable TCP port 5514 access on destination appliances for syslog sources and TCP port 4433 for file-based sources. See Chapter 24: Network Access Control.
    When forwarding logs through TCP syslog, the log source is only correctly discovered on the downstream LogLogic LMI if the syslog priority <N> is present at the beginning of the log. If the syslog priority is not present, the log source is considered to be the upstream appliance. When forwarding is done through a secure tunnel, the downstream appliance considers the logs to be sent by 127.0.0.1, and such logs are automatically assigned the LogLogic appliance type.
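Because source discovery on the downstream appliance hinges on the leading `<N>` priority field and on the peer address, it is worth auditing a sample of the messages an upstream sends before relying on per-device routing. The following is an added example, not LogLogic code: it decodes the PRI field (facility*8 + severity, valid range 0 to 191 per RFC 3164/5424) and reports how each forwarded line would be attributed according to the rules stated above. The sample log lines, the peer addresses and the upstream appliance name are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# A syslog message starts with "<PRI>" where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")
LOOPBACK = "127.0.0.1"   # what the downstream sees as the sender behind a secure tunnel


def parse_pri(line: str) -> Optional[Tuple[int, int]]:
    """Return (facility, severity) from a leading <N> field, or None if it is
    absent or out of the valid 0..191 range."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return divmod(pri, 8)


def attributed_source(line: str, peer_ip: str, upstream_name: str) -> str:
    """Model the downstream attribution rules described in the documentation:
    tunnel traffic (loopback peer) -> LogLogic appliance type; no PRI -> the
    upstream appliance; PRI present -> source discovered from the message."""
    if peer_ip == LOOPBACK:
        return "LogLogic appliance (tunnel)"
    if parse_pri(line) is None:
        return upstream_name
    return "discovered from message"


def audit_lines(lines: List[str], peer_ip: str, upstream_name: str) -> Dict[str, int]:
    """Count how many lines would land under each attribution; a large count under
    the upstream name means devices will not be told apart downstream."""
    counts: Dict[str, int] = {}
    for line in lines:
        key = attributed_source(line, peer_ip, upstream_name)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: two well-formed lines and one that lost its PRI on the way.
SAMPLE_LOGS = [
    "<134>Oct 11 22:14:15 fw01 kernel: accepted connection",   # facility 16 (local0), severity 6
    "<38>Oct 11 22:14:16 app01 sshd[1234]: session opened",   # facility 4 (auth), severity 6
    "Oct 11 22:14:17 app02 cron: job started",                # no PRI: attributed to upstream
]

if __name__ == "__main__":
    print(audit_lines(SAMPLE_LOGS, "10.0.0.2", "lmi-upstream"))
    print(audit_lines(SAMPLE_LOGS, LOOPBACK, "lmi-upstream"))
```

With a direct TCP syslog peer the audit shows two lines discovered from the message and one attributed to the upstream appliance; with the same lines arriving over the tunnel, all three are assigned the LogLogic appliance type regardless of their PRI.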