How to forward syslog data

Syslog is a standard protocol used to send log messages or event notifications between different network devices, applications, and systems. A Syslog event may contain important information such as system errors, warnings, or status updates, which can help system administrators monitor and troubleshoot network issues. The DataForwarder program takes this information and forwards it to another server for further processing, storage, or analysis.

For example, to forward syslog data over TCP, follow the steps described below:

Authentication

To access the Web Interface, open a web browser and enter the application's IP address or DNS name. The default address initially assigned to the Web Interface is https://CyberquestIPAddress (example).

The browser automatically redirects you to CYBERQUEST's authentication page; log in to continue.

To forward TCP syslog data, navigate to Settings > Applications Settings and select the DataForwarder option. The DataForwarder settings page opens.

For TCPSyslog, complete the following settings:

DataForwarder_forwardTCPSyslog - set to 1 to activate forwarding or 0 to deactivate it. For this procedure it must be set to 1 (make sure it is also set to active on the other host).

DataForwarder_forwardTCPSyslog_host - the server to which the TCP syslog data is forwarded.

DataForwarder_forwardTCPSyslog_port - the port on that server that receives the TCP syslog data.

DataForwarder_source_RMQ_host - the RMQ host from which the CQ server reads its data (set it to the other host involved in the forwarding).

DataForwarder_source_RMQ_username - the RMQ username.

DataForwarder_source_RMQ_password - the RMQ password.

ADD Filter Rule

The next step is to create a Filter Rule: go to Settings > Rules and select the Filter Rules option. The Filter Rules page opens.

To create a filter rule, press the add button; a window opens in which you define the new filter rule.

Here you identify the events that should be forwarded to the other server by setting up filters (e.g. on EventID, SrcIP, DestIP, UserName) that match specific conditions or patterns in the data; events that match the filter are forwarded automatically.

When you have finished, press the "Save" button to save the rule or the "Cancel" button to close the window without saving.

ADD DA Rule

The last step is to add a DA Rule: go to Settings > Rules and select the DA Rule option. To add a DA Rule, press the add button; a window opens in which you define the new DA Rule.

Enable all of the service options:

  • Send data to short term storage? - send the events to Online DataStorage;
  • Send to data correlation? - send the events to the Data Correlation service;
  • Forward Event? - forward the events;
  • Active? - make the DA Rule active.

When you have finished, press the "Save" button to save the rule or the "Cancel" button to close the window without saving.
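Once all three steps are saved, the first thing to verify is that the host and port entered in DataForwarder_forwardTCPSyslog_host and DataForwarder_forwardTCPSyslog_port actually accept TCP connections and receive complete messages. The Python script below is an added example, not part of CYBERQUEST: it starts a loopback listener standing in for the destination server, sends constructed RFC 3164-style messages over a single TCP connection, and returns the lines that arrived. Newline framing of messages and the sample lines are assumptions of this example; the real wire format of DataForwarder is not documented on this page.

```python
"""Loopback check for a TCP syslog destination.

Added example, not CYBERQUEST code. Assumes one message per line
(newline framing). The sample messages are constructed for the test.
"""
import socket
import threading

# Constructed test messages in RFC 3164 shape: <PRI>TIMESTAMP HOST TAG: MSG
SAMPLE_MESSAGES = [
    "<134>Jan 12 10:15:02 fw01 kernel: iptables DROP SRC=10.0.0.5 DST=10.0.0.9",
    "<38>Jan 12 10:15:03 app01 sshd[2041]: Failed password for root from 10.0.0.5",
]


def start_listener(host="127.0.0.1", port=0, timeout=5.0):
    """Bind a TCP listener (port 0 = ephemeral) that collects newline-framed lines.

    Returns (port, received, thread). The thread accepts one connection, reads
    until the peer closes, splits on newlines and appends decoded lines to
    `received`. Binding happens synchronously, so a sender may connect as soon
    as this function returns.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    srv.settimeout(timeout)
    received = []

    def serve():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            return
        finally:
            srv.close()  # stop listening; the accepted connection stays open
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:  # peer closed: everything has been sent
                    break
                buf += chunk
            received.extend(
                line.decode("utf-8", "replace") for line in buf.split(b"\n") if line
            )

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv.getsockname()[1], received, t


def send_tcp_syslog(host, port, messages, timeout=5.0):
    """Send each message as one newline-terminated line over one TCP connection.

    Messages are validated before connecting, so a bad input never produces a
    half-sent stream. ConnectionRefusedError or a timeout here means the
    configured destination host/port is not reachable from this machine, which
    is the first thing to rule out when nothing shows up on the other side.
    """
    for m in messages:
        if "\n" in m:
            raise ValueError("embedded newline would split the message: %r" % m)
    with socket.create_connection((host, port), timeout=timeout) as s:
        for m in messages:
            s.sendall(m.encode("utf-8") + b"\n")
    return len(messages)


def roundtrip(messages=SAMPLE_MESSAGES):
    """Run listener and sender on loopback; return the lines the listener saw."""
    port, received, t = start_listener()
    send_tcp_syslog("127.0.0.1", port, messages)
    t.join(5.0)
    return received


if __name__ == "__main__":
    for line in roundtrip():
        print("received:", line)
```

To test the real path, run the listener on the destination host with the configured port and call send_tcp_syslog from the forwarding host; if the connection is refused or times out, a firewall or a wrong host/port value is the problem, independent of any rule configuration.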

How to identify forwarded events

  • If the event is a syslog event, the DataForwarder sends it exactly as it is.

  • If the event is not syslog, the DataForwarder detects this and sends it as a syslog message; the receiving DataServer assigns it a tag and a computer derived from the description.

  • If the event has no description, the DataForwarder sends it as JSON.
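The three cases above can be modelled on both ends of the link. The Python below is an added example, not CYBERQUEST code: forward_event turns an internal event into the line a forwarder would emit (native syslog untouched, a described event wrapped in an RFC 3164 header, an undescribed event as JSON), and identify shows how a receiver classifies an incoming line and reads the host and tag back out of a syslog header. The event keys raw, description, computer, source and time, the RFC 3164 layout, and the facility/severity defaults are assumptions of this example; the page does not state how the DataServer actually derives the tag and computer.

```python
"""Model of how forwarded events are emitted and identified.

Added example, not CYBERQUEST code. Field names of the event dict and the
RFC 3164 wrapping are assumptions; the sample events are constructed.
"""
import json
import re

# RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG, PRI in 0..191
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[\d+\])?: ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# Constructed sample events (keys are assumptions, not CYBERQUEST's schema)
SAMPLE_EVENTS = [
    {"raw": "<38>Jan 12 10:15:03 app01 sshd[2041]: Failed password for root from 10.0.0.5"},
    {"description": "User jdoe logged on", "computer": "dc01",
     "source": "Security", "time": "Jan 12 10:16:00"},
    {"EventID": 4624, "computer": "dc01"},  # no description at all
]


def is_syslog(text):
    """True when the text already carries a valid RFC 3164 header."""
    m = SYSLOG_RE.match(text)
    return bool(m) and int(m.group("pri")) <= 191


def forward_event(event, facility=1, severity=6):
    """Return the single line a forwarder would send for this event.

    Case 1: the event is syslog -> pass it through unchanged.
    Case 2: not syslog but has a description -> wrap it in a syslog header,
            carrying the computer as HOSTNAME and the source as TAG so the
            receiver can recover both.
    Case 3: no description -> serialise the whole event as JSON.
    """
    raw = event.get("raw")
    if isinstance(raw, str) and is_syslog(raw):
        return raw
    desc = event.get("description")
    if desc:
        pri = facility * 8 + severity  # user-level (1), informational (6) -> 14
        host = event.get("computer", "-")
        tag = event.get("source", "cyberquest")
        ts = event.get("time", "Jan  1 00:00:00")
        return "<%d>%s %s %s: %s" % (pri, ts, host, tag, desc)
    return json.dumps(event, sort_keys=True)


def identify(line):
    """Classify a received line; pull computer and tag out of a syslog header."""
    m = SYSLOG_RE.match(line)
    if m and int(m.group("pri")) <= 191:
        return {"kind": "syslog", "computer": m.group("host"),
                "tag": m.group("tag"), "message": m.group("msg")}
    try:
        obj = json.loads(line)
    except ValueError:
        return {"kind": "unknown", "message": line}
    if isinstance(obj, dict):
        return {"kind": "json", "fields": obj}
    return {"kind": "unknown", "message": line}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        line = forward_event(ev)
        print(line)
        print("   ->", identify(line))
```

On the wire a wrapped event is indistinguishable from native syslog, which is exactly why the receiver can treat both alike and take the computer and tag from the header; only the JSON case needs a separate parsing path.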