Adding Destinations to the All Sources Rule
The All Sources routing rule (All Sources) forwards a copy of all incoming log messages to multiple destinations.
If you add a new log source, it is automatically added to this rule. You can add more destinations to the All Sources rule by using the Add Destination link. You can edit or remove the added destinations.
Procedure
- Click the Add Destination link.
The Add Destination window appears. By default, the LogLogic Forwarding Settings and Other Settings options are disabled. When you specify the Destination Type and/or Protocol, some of these options are enabled.
- In the Destination IP field, type the IP address of the destination to which you want to forward messages. This can be another LogLogic appliance, a LogLogic Security Event Management (SEM) appliance, or another machine (with correct port configuration). This is a mandatory field.
- In the Destination Port field, type the port number to which you want to forward messages.
- From the Destination Type list, select where you want to forward messages:
- From the Protocol list, select the protocol to use for forwarding messages:
- Select the Enable check box to activate message forwarding.
- Using the Format Settings:
- Set the Destination Parsing (Yes/No) to enable or disable destination parsing. When enabled, the system automatically generates default rules for each protocol for all destinations.
Note:
- The Destination Parsing option is enabled when you select LogLogic LMI Appliance as the Destination Type. When you enable this option and click Add, three rules are added, one for each protocol type. Based on its log source type, a message is forwarded using one of the three routing rules: all syslog logs are forwarded using the TCP protocol, all file-pulled logs are forwarded using the LogLogic TCP protocol, and all SNMP trap messages are forwarded using the SNMP protocol.
When the three rules have been added (after enabling the Destination Parsing option), you can go back to the Edit Destination window to select the configuration rule file for the rules that use the LogLogic TCP and TCP syslog protocols. The Format Rule Definition field is disabled for the rule that uses the SNMP protocol.
If the Destination Parsing option is enabled, the Format Rule Definition option to format messages prior to forwarding is disabled, and vice versa.
- If you do not enable the Destination Parsing option, only the specified rule for the selected protocol is added. In this case, messages from some log source types may not be forwarded if the selected protocol is not compatible with the log source type. For example, the syslog source type cannot be forwarded using the SNMP protocol.
- (Optional) Specify the Format Rule Definition configuration rule file to format messages prior to forwarding. All messages that match the forwarding rule are formatted.
For a detailed description of defining the configuration rule file and how messages are formatted, see Definition of Configuration Rule Files.
The Tunnel Status column displays the status of the connection between the source and destination when message routing is configured and the Enable Authentication and Encryption option is set to Yes. One of the following values is displayed:
Value             Description
Unknown           Initialization in progress. The status is not updated on the page.
Unconfigured      Forwarding is configured not to use encryption or authentication.
Starting          Tunneling is being established by initiating a downstream connection. The connection has not been completed yet.
Connected         The tunnel connection has been established.
An error message  Forwarding either failed to establish a tunnel or forwarding through the tunnel failed.
- LogLogic Forwarding Settings: You cannot specify any options. The options are disabled for the All Sources rule.
- Other Settings: This section is disabled when using UDP Syslog.
- Set the Compression (Yes/No) to activate or deactivate compression for message routing. For LogLogic LX Appliances or LogLogic MX Appliances using LogLogic TCP, it is good practice to select Yes. The default is No.
- Compression is available only when using LogLogic TCP.
- You can enable compression or authentication and encryption in the following steps only when the routing destination is another LogLogic LMI appliance.
- Setting Compression to Yes or enabling Authentication and Encryption for any single source/protocol/destination configuration causes all subsequent traffic from the same source sent with the same protocol to the same destination to be either compressed or authenticated and encrypted. The system does not allow for both encrypted and clear traffic to go to the same IP via the same protocol when sent from the same source. Likewise, all traffic must be either compressed or non-compressed, but not both types.
- Set the Enable Authentication and Encryption (Yes/No) to activate or deactivate authentication and encryption for additional security. Using authentication ensures that the data is received by the correct LogLogic LMI appliance.
- Authentication and encryption cannot be selected separately.
- The Enable Authentication and Encryption option is not available when forwarding messages with the UDP protocol.
- When you activate the Enable Authentication and Encryption option, authentication and encryption are performed using the SSH protocol. The toor user of the upstream appliance must be authorized to log in via SSH to the downstream appliance without entering a password. To configure this, type the CLI command system keycopy on the upstream appliance and follow the instructions displayed on screen to add the public key of the upstream appliance to the downstream appliance.
If you select the Enable Authentication and Encryption option with TCP Syslog as the routing protocol, then for messages that do not contain a syslog priority, the log source is identified as 127.0.0.1_General instead of the actual IP address of the source device. For messages that contain a syslog priority, the log source is correctly identified with its original source IP. This causes all events without a syslog priority from multiple sources to have their logs associated to the single source 127.0.0.1.
If you do not select the Enable Authentication and Encryption with TCP Syslog as the routing protocol, then for messages that do not contain a syslog priority, the log source is identified as <upstream LMI IP Address>_General instead of the actual IP address of the source device. For messages that contain a syslog priority, the log source is correctly identified with its original source IP. This causes all events without a syslog priority from multiple sources to have their logs associated to the single, upstream LogLogic LMI IP address source.
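The two paragraphs above describe how the log source name depends on whether a TCP-syslog-forwarded message carries a syslog priority header. The following Python script is an added illustration, not code from the LogLogic documentation: it checks a handful of constructed syslog lines for a leading <PRI> header and applies the documented attribution rule, so an administrator can estimate how many events would be grouped under the 127.0.0.1_General or <upstream LMI IP>_General pseudo-source instead of their real origin. The upstream address, the sample lines and the function names are assumptions made for the example.

```python
import re

# A syslog priority header is "<PRI>" at the very start of the message
# (RFC 3164 / RFC 5424), e.g. "<34>" for facility auth, severity critical.
PRI_RE = re.compile(r"^<\d{1,3}>")


def has_syslog_priority(message: str) -> bool:
    """Return True when the message starts with a syslog <PRI> header."""
    return PRI_RE.match(message) is not None


def attributed_source(message: str, source_ip: str, upstream_ip: str,
                      encrypted: bool) -> str:
    """Name the LMI assigns to the log source of a TCP-syslog-forwarded
    message, following the documented behaviour:
      - with a PRI header, the original source IP is kept;
      - without a PRI header, the source becomes 127.0.0.1_General when
        Enable Authentication and Encryption is set to Yes, and
        <upstream LMI IP>_General when it is set to No.
    """
    if has_syslog_priority(message):
        return source_ip
    return ("127.0.0.1" if encrypted else upstream_ip) + "_General"


def attribution_report(events, upstream_ip: str, encrypted: bool) -> dict:
    """Count events per attributed source name.

    events is a list of (original_source_ip, raw_message) tuples.
    """
    counts = {}
    for src_ip, msg in events:
        name = attributed_source(msg, src_ip, upstream_ip, encrypted)
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample events (not captured from a real appliance).
SAMPLE_EVENTS = [
    ("10.0.0.5", "<34>Oct 11 22:14:15 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7"),
    ("10.0.0.5", "Oct 11 22:14:16 fw1 heartbeat ok"),                  # no PRI header
    ("10.0.0.9", "<165>1 2024-01-01T00:00:00Z app1 svc - - - started"),
    ("10.0.0.9", "plain text line with no priority"),                  # no PRI header
]

# Assumed address of the upstream LMI appliance doing the forwarding.
UPSTREAM_LMI_IP = "192.0.2.10"

if __name__ == "__main__":
    for enc in (True, False):
        label = "encryption on " if enc else "encryption off"
        print(label, attribution_report(SAMPLE_EVENTS, UPSTREAM_LMI_IP, enc))
```

Running the script over an export of real messages shows at a glance which devices emit priority-less lines; those are the ones whose events will collapse into a single pseudo-source on the downstream appliance, so searches and alerts keyed on the source IP will miss them.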
- Click Add to add the destination to the All Sources rule.