Creating a New Outbound Routing Rule

Procedure

  1. Access Administration > Message Routing from the navigation menu.
  2. Click the Create New Rule button to create a new routing rule.
  3. In the Rule Name field, enter a name for the routing rule and click Next.
  4. In the Add Log Sources section, click the down arrow next to Select and pick a log source filter:
    • Name
    • Collector Domain
    • IP Address
    • Group
    • Type
    1. If you picked Name, enter a specific Source Name or a Name Mask. Wildcards are accepted in this field.
    2. If you picked Collector Domain, enter the name of the Collector Domain.
    3. If you picked IP Address, enter a specific IP Address or an IP Address Mask. Wildcards are accepted in this field.
    4. If you picked Group, enter a Group Name, or click the down arrow to the right of the text field and select “All” or one of the other Group names displayed in the drop-down box.
    5. If you picked Type, enter a Source Type (a specific device type), or click the down arrow to the right of the text field and select All or one of the other Device Types displayed in the drop-down box.
      Note:
      • If you select mixed log types from a user-defined Group, the available options such as Protocols and Settings can be different compared to a rule that contains only a single log type.
      • When adding a large number of devices of the same log type, use the system-defined Group option. Select one or more Groups as long as they are of the same log type, and then click the << Add selected log sources button.
    • If required, add another filter by clicking the + sign and repeating step 4 as many times as needed.
    • To delete a filter, click the - sign to remove the last selection made (repeat if needed).
  5. Select a log source by clicking its name. You can select multiple rows.
    Note: If you selected the Optimize Device Selection List > Show Only Device Groups option on the Administration > System Settings > General tab, the Available Devices list shows only Device Groups.
  6. Click <<Add selected log sources to move the selected log sources to the left.
  7. Click Next.
  8. In the Destination IP field, type the IP address of the destination to which you want to forward messages.
    This can be another LogLogic appliance, a LogLogic Security Event Management (SEM) appliance, or another machine (with correct port configuration). This is a mandatory field.
  9. In the Destination Port field, type the port number to which you want to forward messages.
  10. From the Destination Type list, select where you want to forward messages:
    • LogLogic LMI Appliance
    • LogLogic SEM Appliance
    • LogLogic® Unity
    • Other Destination
    If you choose a file-based log source such as Blue Coat ProxySG from the Source Device list and Other Destination from the Destination Type list, the Insert Syslog Header Yes/No radio buttons are displayed. Selecting Yes prepends <109> to each message. <109> is a syslog PRI value (facility × 8 + severity): facility 13 (log audit) and severity 5 (Notice), that is, an audit notice. File-based records otherwise carry no syslog header, and the prefix is included so that intrusion detection systems and firewalls that inspect syslog traffic do not flag messages that lack a proper header.
  11. From the Protocol list, select the protocol to use for forwarding messages:
    Option         Description
    UDP Syslog     Traditional syslog using the UDP protocol.
    TCP Syslog     Traditional syslog using the TCP protocol (also referred to as Syslog-NG). Records in the TCP stream are delimited by new-line (\n) characters.
    LogLogic TCP   Buffered syslog provided by TIBCO LogLogic®. Uses a proprietary TCP-based protocol and uploads logs in batches every minute.
    SNMP           Forwards incoming SNMP traps to another SNMP trap receiver. This option is available only for log sources configured as an SNMP trap source.

    Note: With TCP Syslog, the new-line (\n) character is the record delimiter, so the downstream appliance treats an embedded \n as the end of a message: only the portion before the first \n is delivered as that message. If you know your log messages can contain \n (multi-line events such as stack traces), select a different forwarding protocol.
    Note: If you select the LogLogic TCP protocol, you can specify the Other Settings options.
    Note: Compared to UDP, TCP uses significantly more CPU processing power on the appliance and therefore lowers the maximum message rate the appliance supports.
    Note: Depending on the selected Destination Type and Protocol values, only some of the Format Settings, LogLogic Forwarding Settings and Other Settings options are available.
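    The following is an added example, not code from the LogLogic documentation or product. It models the TCP Syslog framing described in the protocol note above: the sender terminates each record with \n and the receiver splits the stream at every \n, so a record with an embedded newline is truncated and its tail arrives as separate, header-less fragments. It also includes a pre-flight check you can run over a sample export of your own records before choosing TCP Syslog, and an escaping step applied at the log source (this is not a LogLogic setting) for cases where a different protocol is not an option. The sample records are constructed.

```python
# Added example (not part of the LogLogic documentation): how newline-delimited
# TCP Syslog framing breaks a message that contains an embedded '\n', plus a
# pre-flight check to run over a sample of your own records before choosing
# TCP Syslog as the forwarding protocol.

def frame_for_tcp_syslog(messages):
    """Sender side: TCP Syslog terminates every record with '\\n'."""
    return "".join(m + "\n" for m in messages).encode("utf-8")

def split_tcp_syslog_stream(stream):
    """Receiver side: the downstream appliance cuts the byte stream at every
    '\\n', so it cannot tell a record terminator from a newline inside a message."""
    return [chunk.decode("utf-8") for chunk in stream.split(b"\n") if chunk]

def records_at_risk(messages):
    """Pre-flight check: records that TCP Syslog framing would truncate."""
    return [m for m in messages if "\n" in m]

def escape_embedded_newlines(message):
    """Mitigation applied at the log source (not a LogLogic setting): replace a
    raw newline with the two characters backslash and 'n' so the record survives
    framing and can be un-escaped downstream."""
    return message.replace("\r\n", "\\n").replace("\n", "\\n")

def simulate_forwarding(messages):
    """Return the records the downstream appliance would receive for `messages`."""
    return split_tcp_syslog_stream(frame_for_tcp_syslog(messages))

# Constructed sample records (not real appliance output).
SAMPLE = [
    "<13>Jan  1 00:00:01 host1 app: single-line event",
    "<13>Jan  1 00:00:02 host2 app: multi-line event\n  stack frame 1\n  stack frame 2",
]

if __name__ == "__main__":
    for received in simulate_forwarding(SAMPLE):
        print(repr(received))          # the second record arrives as three pieces
    print("records at risk:", len(records_at_risk(SAMPLE)))
    for received in simulate_forwarding([escape_embedded_newlines(m) for m in SAMPLE]):
        print(repr(received))          # both records now arrive whole
```

Run it as-is to see the second sample record arrive as one truncated message followed by two fragments that have no syslog header; the fragments are what the downstream appliance would then attribute to a generic source rather than to host2.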
  12. Select the Enable check box to activate message forwarding.
  13. Using the Format Settings:
    Note: The Insert Syslog Header option is only enabled for File-based log messages.
    • Select the Insert Syslog Header radio button (Yes/No) to activate or deactivate Syslog headers.
    • (Optional) Specify the Format Rule Definition configuration rule file to format messages prior to forwarding. All messages that match the forwarding rule are formatted.

      For detailed description about defining the configuration rule file and how messages are formatted, see Definition of Configuration Rule Files.

  14. Using the LogLogic Forwarding Settings:
    Note: This setting is available only when forwarding real-time logs to a LogLogic appliance using LogLogic TCP protocol.
    • From the Forwarding Type list, select whether real-time log files are transferred Daily or Continuously.

      Selecting daily minimizes the time frame for performance impact on the network and related systems. However, continuous forwarding allows more immediate use of the log data on the appliance.

      If you select daily forwarding, set the following:

    • Start Time—Time that daily real-time log file transport starts.
    • End Time—Time that daily real-time log file transport ends.

      Any log files not transported by the end time are the first transferred the next day.

    • Max Bytes/Sec—The maximum transfer rate allowed for log file transport. 0 means unlimited. The acceptable range is 0 through 125000000.
  15. Other Settings: This section is disabled when using UDP Syslog.
    • Set the Compression (Yes/No) to activate or deactivate compression for message routing. For LogLogic LX Appliances or LogLogic MX Appliances using LogLogic TCP, it is good practice to select Yes. The default is No.
      • Compression is available only when using LogLogic TCP.
      • You can enable compression or authentication and encryption in the following steps only when the routing destination is another LogLogic LMI appliance.
      • Setting Compression to Yes or enabling Authentication and Encryption for any single source/protocol/destination configuration causes all subsequent traffic from the same source sent with the same protocol to the same destination to be either compressed or authenticated and encrypted. The system does not allow for both encrypted and clear traffic to go to the same IP via the same protocol when sent from the same source. Likewise, all traffic must be either compressed or non-compressed, but not both types.
    • Set the Enable Authentication and Encryption (Yes/No) to activate or deactivate authentication and encryption for additional security.

      Using authentication ensures that the data is received by the correct LogLogic LMI appliance.

      • Authentication and encryption cannot be selected separately.
      • The Enable Authentication and Encryption option is not available when forwarding messages with the UDP protocol.

      • When you activate the Enable Authentication and Encryption option, authentication and encryption are performed using the SSH protocol. The toor user of the upstream appliance must be authorized to log in via SSH to the downstream appliance without entering a password. To configure this, type the CLI command system keycopy on the upstream appliance and follow the instructions displayed on screen to add the public key of the upstream appliance to the downstream appliance. Note that this key gives the upstream appliance's toor account password-less shell access to the downstream appliance, so a compromise of the upstream appliance extends to the downstream one; protect the upstream appliance and its key material accordingly.

        If you select the Enable Authentication and Encryption option with TCP Syslog as the routing protocol, then for messages that do not contain a syslog priority, the log source is identified as 127.0.0.1_General instead of the actual IP address of the source device. For messages that contain a syslog priority, the log source is correctly identified with its original source IP. This causes all events without a syslog priority from multiple sources to have their logs associated to the single source 127.0.0.1.

        If you do not select the Enable Authentication and Encryption with TCP Syslog as the routing protocol, then for messages that do not contain a syslog priority, the log source is identified as <upstream LMI IP Address>_General instead of the actual IP address of the source device. For messages that contain a syslog priority, the log source is correctly identified with its original source IP. This causes all events without a syslog priority from multiple sources to have their logs associated to the single, upstream LogLogic LMI IP address source.

        Enable Authentication and Encryption   Routing protocol   Messages contain syslog priority?   Log source is identified as
        Selected                               TCP Syslog         No                                  127.0.0.1_General
        Selected                               TCP Syslog         Yes                                 Original source IP address
        Not selected                           TCP Syslog         No                                  <upstream LMI IP Address>_General
        Not selected                           TCP Syslog         Yes                                 Original source IP address
  16. Click Next to define the message Filters including Severity, and Facility or click Finish to accept the default message filters. In this case, skip the following steps and go to step 20.
    Note: For file-based log sources, select the desired filter you created earlier from the Search Filter list. Boolean searches are not supported for file transfer sources; only three kinds of search filters are supported: “Use Words”, “Use Exact Phrase”, and “Regular Expression”.
  17. Select the existing search filter from the Search Filter list.
    Note: If you want to add a new search filter, use the Search > All Search Filters menu. For more information, see Adding a Search Filter in the TIBCO LogLogic® Log Management Intelligence User Guide.
  18. Click the Forward all except filter matches check box to forward those messages that do not match the defined search filter.
  19. Select the Message Severity and Facility filters that you wish to select or Select All if you want everything forwarded.
    By default, all check boxes are selected for syslog-based log sources. For complete details about the Message Severity and Facility values your devices emit, see the documentation of each log source vendor.
    Message Severity - Standard Descriptions
    Code  Type           Description
    0     Emergency      System is unusable
    1     Alert          An alert condition exists; action must be taken immediately
    2     Critical       The system is in a critical condition
    3     Error          An error condition exists
    4     Warning        A warning condition exists
    5     Notice         A normal but significant condition
    6     Informational  Informational message; no serious condition exists
    7     Debug          Messages generated to debug the application
    Note: To find out how each vendor uses severity values with respect to their messages, see your vendor documentation.

    The facility specifies the subsystem that produced the message. For example, all mail programs log with the mail facility (LOG_MAIL) if they log using syslog.

    Note: Filtering criteria here applies only to syslog forwarding, not file transfer sources. For details about file transfer, see Adding a Log Source for File Transfer.
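    The following is an added example, not code from the LogLogic documentation or product. It models in one place what step 10 (the <109> Insert Syslog Header prefix), step 13 (Insert Syslog Header), step 18 (Forward all except filter matches) and step 19 (Severity and Facility filters) configure: it decodes a syslog PRI into facility and severity using the standard PRI = facility × 8 + severity rule, inserts <109> on a header-less file-based record, and applies the severity/facility filter together with a search filter that can be inverted. The search filter is modelled as a regular expression (one of the three filter kinds the note on file-based sources lists); the behaviour for a record with no PRI (not forwarded until a header is inserted) is this example's assumption. All sample records are constructed.

```python
# Added example (not LogLogic's code): model of the Insert Syslog Header,
# Severity/Facility and search-filter settings of an outbound routing rule.
import re

PRI_RE = re.compile(r"^<(\d{1,3})>")

# PRI = facility * 8 + severity (RFC 3164 / RFC 5424).
AUDIT_NOTICE_PRI = 13 * 8 + 5   # 109: facility 13 (log audit), severity 5 (Notice)

SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "log audit", "log alert",
              "clock"] + [f"local{i}" for i in range(8)]

def parse_pri(message):
    """Return (facility, severity) from a leading <PRI>, or None if absent/invalid."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # facility 23, severity 7 is the largest legal PRI
        return None
    return divmod(pri, 8)    # (facility, severity)

def describe_pri(pri):
    """Human-readable names for a PRI value, e.g. 109 -> ('log audit', 'Notice')."""
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]

def insert_syslog_header(message, pri=AUDIT_NOTICE_PRI):
    """Insert Syslog Header = Yes: prepend <PRI> unless the record already has one."""
    return message if parse_pri(message) else f"<{pri}>{message}"

def should_forward(message, severities, facilities, search=None, forward_all_except=False):
    """Apply a rule's message filters to one record.

    severities / facilities: numeric codes selected in the rule
    (Select All is range(8) and range(24)).
    search: regular-expression pattern standing in for a Search Filter; with
    forward_all_except=True, records that match the search are dropped instead.
    Assumption: a record without a PRI cannot be classified and is not forwarded.
    """
    parsed = parse_pri(message)
    if parsed is None:
        return False
    facility, severity = parsed
    if severity not in set(severities) or facility not in set(facilities):
        return False
    if search is not None:
        hit = re.search(search, message) is not None
        return (not hit) if forward_all_except else hit
    return True

# Constructed sample records (not real device output).
FIREWALL_DROP = "<34>Oct 11 22:14:15 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1"  # auth, Critical
WEB_ACCESS = "<190>Oct 11 22:14:16 web1 httpd: GET /index.html 200"                     # local7, Informational
PROXY_RECORD = "Oct 11 22:14:17 proxy1 audit: user=alice action=login"                  # file-based, no header

if __name__ == "__main__":
    print(describe_pri(AUDIT_NOTICE_PRI))
    print(insert_syslog_header(PROXY_RECORD))
    warning_and_above = range(0, 5)   # Emergency .. Warning
    for rec in (FIREWALL_DROP, WEB_ACCESS, insert_syslog_header(PROXY_RECORD)):
        print(should_forward(rec, warning_and_above, range(24)), rec[:40])
    # Forward everything except firewall drops
    print(should_forward(FIREWALL_DROP, range(8), range(24), search="DROP", forward_all_except=True))
```

The rule's own Severity and Facility check boxes are the `severities` and `facilities` arguments; the table of severities above gives the numeric codes. Because the header-less file-based record only becomes classifiable after `insert_syslog_header`, the example also shows why the Insert Syslog Header setting matters for anything downstream that filters on PRI.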
  20. Click Finish.
    If you selected the Enable Authentication and Encryption option while creating the rule, then after rule creation you must perform the following steps for the changes to take effect:
    1. Run the system keycopy command.
    2. Disable and reenable the rule from the Message Routing page.
    The Message Routing screen appears showing the newly added Routing Rule.
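    The following is an added example, not code from the LogLogic documentation or product. It verifies the precondition that Enable Authentication and Encryption depends on (step 15 and the post-creation steps above): that the toor account on the upstream appliance can log in to the downstream appliance over SSH with its key alone. It runs the OpenSSH client with BatchMode=yes and PasswordAuthentication=no so the probe cannot succeed by prompting for, or using, a password, and maps the common OpenSSH error texts to the remediation step. The host address, port, and the exact wording of the OpenSSH messages it interprets are assumptions for this example.

```python
# Added example (not LogLogic's code): probe from the upstream appliance that
# key-only SSH login as toor to the downstream appliance works, which is what
# 'system keycopy' is meant to establish.
import subprocess

def batch_ssh_argv(downstream_host, user="toor", port=22, connect_timeout=10):
    """Build a probe that can only succeed with key-based authentication:
    BatchMode=yes makes ssh fail instead of prompting, and
    PasswordAuthentication=no rules out a typed password looking like key trust."""
    return [
        "ssh",
        "-o", "BatchMode=yes",
        "-o", "PasswordAuthentication=no",
        "-o", f"ConnectTimeout={connect_timeout}",
        "-p", str(port),
        f"{user}@{downstream_host}",
        "true",   # harmless remote command; only the exit status matters
    ]

def classify_ssh_result(returncode, stderr):
    """Map the probe's outcome to the remediation the routing rule needs.
    The OpenSSH message fragments matched here are assumptions, not LogLogic text."""
    if returncode == 0:
        return "ok: key-based login works; now disable and re-enable the rule"
    text = stderr.lower()
    if "permission denied" in text:
        return "key not authorized on downstream: run 'system keycopy' on the upstream appliance"
    if "host key verification failed" in text:
        return "downstream host key not trusted by the upstream appliance"
    if "connection refused" in text or "timed out" in text or "no route" in text:
        return "cannot reach the downstream SSH port: check network path and firewall"
    return f"ssh exited {returncode}: {stderr.strip()}"

def check_key_trust(downstream_host, **kwargs):
    """Run the probe (needs network access) and return (ok, explanation)."""
    argv = batch_ssh_argv(downstream_host, **kwargs)
    timeout = kwargs.get("connect_timeout", 10) + 5
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError:
        return False, "ssh client not found on this host"
    except subprocess.TimeoutExpired:
        return False, "probe timed out"
    return proc.returncode == 0, classify_ssh_result(proc.returncode, proc.stderr)

if __name__ == "__main__":
    import sys
    # 192.0.2.20 is a documentation (TEST-NET) address standing in for the downstream LMI.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.20"
    ok, why = check_key_trust(host)
    print(("PASS" if ok else "FAIL") + ": " + why)
```

Run it as toor on the upstream appliance after system keycopy and before disabling and re-enabling the rule; a PASS means the downstream appliance accepted the upstream key, which is also a reminder that whoever controls the upstream appliance now has a shell on the downstream one.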