Adding Destinations to the All Sources Rule

The All Sources routing rule (All Sources) forwards a copy of all incoming log messages to multiple destinations.

For example, an ST appliance receiving messages from multiple firewalls can be configured to forward all of the messages to one or more destinations as per the All Sources rule.

If you add a new log source, it is automatically added to this rule. You can add more destinations to the All Sources rule by using the Add Destination link. You can edit or remove the added destinations.

Procedure

  1. Click the Add Destination link.
    The Add Destination window appears. By default, LogLogic Forwarding Settings, and Other Settings options are disabled. When you specify the Destination Type and/or Protocol, some of these options are enabled.
  2. In the Destination IP field, type the IP address of the destination to which you want to forward messages.
    This can be another LogLogic appliance, a LogLogic Security Event Management (SEM) appliance, or another machine (with correct port configuration). This is a mandatory field.
  3. In the Destination Port field, type the port number to which you want to forward messages.
  4. From the Destination Type list, select where you want to forward messages:
    • LogLogic LMI Appliance
    • LogLogic SEM Appliance
    • LogLogic® Unity
    • Other Destination
  5. From the Protocol list, select the protocol to use for forwarding messages:
    Option Description
    UDP Syslog Traditional syslog using the UDP protocol
    TCP Syslog Traditional syslog using the TCP protocol. Also known as Syslog-NG

    New-line (\n) characters are used to break logs in the TCP stream during message forwarding. If a message contains \n, the message breaks up with only the first portion of the message being delivered to the downstream appliance. It is good practice to select a different forwarding protocol if you know your log messages contain characters of this type.

    LogLogic TCP Buffered syslog provided by TIBCO LogLogic®. Uses a proprietary TCP-based protocol and uploads logs in batches every minute
    Note: If you select LogLogic TCP protocol, you can specify the Other Settings options.
    Note: Compared to the UDP protocol, the TCP protocol uses significantly more CPU processing power and hence decreases the maximum message rate the appliance supports.
  6. Select the Enable check box to activate message forwarding.
  7. Using the Format Settings:
    Note: The Insert Syslog Header option is disabled for All Sources rule.
    • Set the Destination Parsing (Yes/No) to enable or disable destination parsing. When enabled, the system automatically generates default rules for each protocol for all destinations.
      Note:
      • The Destination Parsing option is enabled when you select LogLogic LMl Appliance as the Destination Type. When you enable this option and click Add, three rules are added, one for each protocol type. Based on its log source type, a message is forwarded using one of the three routing rules. All syslog logs are forwarded using TCP protocol. All file-pulled logs are forwarded using LogLogic TCP protocol, and all SNMP trap messages are forwarded using SNMP protocol.

        When three rules are added (after enabling the Destination Parsing option), you can go back to Edit Destination window to select the configuration rule file for the rules which are using the LogLogic TCP and TCP syslog protocols. The Format Rule Definition field is disabled for the rule using SNMP protocol.

        If the Destination Parsing option is enabled, the Format Rule Definition option to format messages prior to forwarding is disabled, and vice versa.

      • If you do not enable the Destination Parsing option, only the specified rule for the selected protocol is added. In this case, messages from some of the log source type may not be forwarded if the selected protocol is not compatible with the log source type. For example, syslog source type cannot be forwarded using SNMP protocol.
    • (Optional) Specify the Format Rule Definition configuration rule file to format messages prior to forwarding. All messages that match the forwarding rule are formatted.

      For detailed description about defining the configuration rule file and how messages are formatted, see Definition of Configuration Rule Files.

      Message Routing – Newly-added destination with three rules

      The Tunnel Status column displays the status of the connection between the source and destination when message routing is configured and the Enable Authentication and Encryption option is set to Yes. One of the following values is displayed:

      Value Description
      Unknown Initialization in progress. The status is not updated on the page.
      Unconfigured Forwarding is configured not to use encryption or authentication.
      Starting Tunneling is being established by initiating a downstream connection. The connection has not been completed yet.
      Connected The tunnel connection has been established.
      An error message Forwarding either failed to establish a tunnel or forwarding through the tunnel failed.
  8. LogLogic Forwarding Settings:
    You cannot specify any options. The options are disabled for All Sources Rule.
  9. Other Settings: This section is disabled when using UDP Syslog.
    • Set the Compression (Yes/No) to activate or deactivate compression for message routing. For LogLogic LX Appliances or LogLogic MX Appliances using LogLogic TCP, it is good practice to select Yes. The default is No.
      • Compression is available only when using LogLogic TCP.
      • You can enable compression or authentication and encryption in the following steps only when the routing destination is another LogLogic LMI appliance.
      • Setting Compression to Yes or enabling Authentication and Encryption for any single source/protocol/destination configuration causes all subsequent traffic from the same source sent with the same protocol to the same destination to be either compressed or authenticated and encrypted. The system does not allow for both encrypted and clear traffic to go to the same IP via the same protocol when sent from the same source. Likewise, all traffic must be either compressed or non-compressed, but not both types.
    • Set the Enable Authentication and Encryption (Yes/No) to activate or deactivate authentication and encryption for additional security.

      Using authentication ensures that the data is received by the correct LogLogic LMI appliance.

      • Authentication and encryption cannot be selected separately.
      • The Enable Authentication and Encryption option is not available when forwarding messages with the UDP protocol.

      • When you activate the Enable Authentication and Encryption option, the authentication and encryption are performed by using the SSH protocol. The toor user of the upstream appliance must be authorized to login via SSH to the downstream appliance without entering a password. To configure, type the CLI command system keycopy on the upstream appliance and follow the instructions displayed on screen to add the public key of the upstream appliance to the downstream appliance.

        If you select the Enable Authentication and Encryption option with TCP Syslog as the routing protocol, then for messages that do not contain a syslog priority, the log source is identified as 127.0.0.1_General instead of the actual IP address of the source device. For messages that contain a syslog priority, the log source is correctly identified with its original source IP. This causes all events without a syslog priority from multiple sources to have their logs associated to the single source 127.0.0.1.

        If you do not select the Enable Authentication and Encryption with TCP Syslog as the routing protocol, then for messages that do not contain a syslog priority, the log source is identified as <upstream LMI IP Address>_General instead of the actual IP address of the source device. For messages that contain a syslog priority, the log source is correctly identified with its original source IP. This causes all events without a syslog priority from multiple sources to have their logs associated to the single, upstream LogLogic LMI IP address source.

        Enable Authentication and Encryption Routing protocol Messages contain Syslog priority? Log source is identified as
        Selected TCP Syslog No 127.0.0.1_General
        Yes Original source IP address
        Not selected TCP Syslog No <upstream LMI IP Address>_General
        Yes Original source IP address
  10. Click Add to add the destination to the All Source rule.
    If you selected the Enable Authentication and Encryption option while creating the rule, then after rule creation you must perform the following steps for the changes to take effect:
    1. Run the system keycopy command.
    2. Disable and reenable the rule from the Message Routing page.
    The Message Routing screen appears showing the newly added destination to the existing All Source rule.

Result

You can enable, disable, or delete the rules; or edit, add, or remove the destinations in the rules.