Creating a New Outbound Routing Rule
Procedure
- Access Administration > Message Routing from the navigation menu.
- Click the Create New Rule button to create a new routing rule.
- In the Rule Name field, enter a name for the routing rule and click Next.
-
In the
Add Log Sources section, click the down arrow next to
Select and pick a log source filter:
- If you picked Name, enter a Source Name, a specific Source Name or a Name Mask. Wild cards are accepted in this field.
- If you picked Collector Domain, enter the name of the Collector Domain.
- If you picked IP Address, enter a Source IP Address, a specific IP Address or an IP Address Mask. Wild cards are accepted in this field.
- If you picked Group, enter a Group Name, or click the down arrow to the right of the text field and select “All” or one of the other Group names displayed in the drop-down box.
-
If you picked
Type, enter a Source Type (a specific device type), or click the down arrow to the right of the text field and select
All or one of the other Device Types displayed in the drop-down box.
Note:
- If you select mixed log types from a user-defined Group, the available options such as Protocols and Settings can be different compared to a rule that contains only a single log type.
- When adding a large number of devices of the same log type, use the system-defined Group option. Select one or more Groups as long as they are of the same log type, and then click the << Add selected log sources button.
- If required, add a second filter by clicking the + sign and repeating step 4 as often as you like.
- To delete a filter, click the - sign to remove the last selection made (repeat if needed).
- Select a log source by clicking its name. You can select multiple rows.
- Click <<Add selected log sources to move the selected log sources to the left.
- Click Next.
-
In the
Destination IP field, type the IP address of the destination to which you want to forward messages.
This can be another LogLogic appliance, a LogLogic Security Event Management (SEM) appliance, or another machine (with correct port configuration). This is a mandatory field.
- In the Destination Port field, type the port number to which you want to forward messages.
-
From the
Destination Type drop-down menu, select where you want to forward messages:
If you choose a file-based log source such as Blue Coat ProxySG from the Source Device drop-down menu, and Other Destination from Destinations Type, then the Insert Syslog Header Yes/No radio buttons are displayed. Selecting Yes adds <109> at the beginning of the message. The prefix <109> at the beginning of the message is the syslog priority for audit information events. It is included to prevent triggering of intrusion detection systems and firewalls that detect syslog without a proper header.
-
From the
Protocol drop-down menu, select the protocol to use for forwarding messages:
Option Description UDP Syslog Traditional syslog using the UDP protocol TCP Syslog Traditional syslog using the TCP protocol. Also known as Syslog-NG New-line (\n) characters are used to break logs in the TCP stream during message forwarding. If a message contains \n, the message breaks up with only the first portion of the message being delivered to the downstream appliance. It is good practice to select a different forwarding protocol if you know your log messages contain characters of this type.
LogLogic TCP LogLogic's buffered syslog. Uses a proprietary TCP-based protocol and uploads logs in batches every minute SNMP Forwards incoming SNMP traps to another SNMP trap receiver. This option is available only for log sources configured as an SNMP trap source. - Select the Enable check box to activate message forwarding.
-
Using the
Format Settings:
- Select the Insert Syslog Header radio button (Yes/No) to activate or deactivate Syslog headers.
- Optionally, specify the
Format Rule Definition configuration rule file to format messages prior to forwarding. All messages that match the forwarding rule will be formatted.
For detailed description about defining the configuration rule file and how messages are formatted, see Appendix C: Definition of Configuration Rule Files.
-
Using the
LogLogic Forwarding Settings:
- From the
Forwarding Type drop-down menu, select whether real-time log files are transferred Daily or Continuously.
Selecting daily minimizes the timeframe for performance impact on the network and related systems. However, continuous forwarding allows more immediate use of the log data on the appliance.
If you select daily forwarding, set the following:
- Start Time—Time that daily real-time log file transport starts.
- End Time—Time that daily real-time log file transport ends.
Any log files not transported by the end time are the first transferred the next day.
- Max Bytes/Sec—The maximum transfer rate allowed for log file transport. 0 means unlimited. The acceptable range is 0 through 125000000.
- From the
Forwarding Type drop-down menu, select whether real-time log files are transferred Daily or Continuously.
-
Other Settings:
- Select a
Compression radio button (Yes/No) to activate or deactivate compression for message routing. For LX or MX appliances using LogLogic TCP, it is good practice to select
Yes. The default is
No.
Compression is available only when using LogLogic TCP.
Note:- You can enable compression or authentication and encryption in the following steps only when the routing destination is another LogLogic appliance.
- Setting Compression to Yes or enabling Authentication and Encryption for any single source/protocol/destination configuration causes all subsequent traffic from the same source sent with the same protocol to the same destination to be either compressed or authenticated and encrypted. The system does not allow for both encrypted and clear traffic to go to the same IP via the same protocol when sent from the same source. Likewise, all traffic must be either compressed or non-compressed, but not both types.
- Select an
Enable Authentication and Encryption radio button (Yes/No) to activate or deactivate authentication and encryption for additional security.
Using authentication ensures that the data is received by the correct LogLogic appliance.
Note:- Authentication and Encryption cannot be selected separately.
- The Authentication and Encryption option is not available when forwarding messages with the UDP protocol.
- When you select the Enable Authentication and Encryption option, the authentication is performed using the SSH protocol. The toor user of the upstream appliance must be authorized to login via SSH to the downstream appliance without entering a password. To configure, type the CLI command system keycopy on the upstream appliance and follow the instructions displayed on screen to add the public key of the upstream appliance to the downstream appliance.
- Select a
Compression radio button (Yes/No) to activate or deactivate compression for message routing. For LX or MX appliances using LogLogic TCP, it is good practice to select
Yes. The default is
No.
- Click Next to define the message Filters including Severity, and Facility or click Finish to accept the default message filters. In this case, skip the following steps and go to step 20.
-
Select the existing search filter from the
Search Filter drop-down menu.
Note: If you want to add a new search filter, use the Search > All Search Filters menu. For more information, see the Adding a Search Filter section in the TIBCO LogLogic® Log Management Intelligence User Guide.
- Click the Forward all except filter matches check box to forward those messages that do not match the defined search filter.
-
Select the
Message Severity and
Facility filters that you wish to select or
Select All if you want everything forwarded.
By default, all check boxes are selected for syslog-based log sources. For complete details about your Message Severity and Facility options, see your firewall documentation.
Message Severity - Standard Descriptions Type Description Emergency System is unusable Alert An alert condition exists Critical The system is in critical condition Error An error condition exists Warning A warning condition exists Notice A normal but significant condition Informational Information message without any serious conditions that exist Debug Messages generated to debug the application Note: To find out how each vendor uses severity values with respect to their messages, see your vendor documentation.The facility specifies the subsystem that produced the message. For example, all mail programs log with the mail facility (LOG_MAIL) if they log using syslog.
Note: Filtering criteria here applies only to syslog forwarding, not file transfer sources. For details about file transfer, see Adding a Log Source for File Transfer. -
Click
Finish.
The Message Routing screen appears showing the newly added Routing Rule.