Current view: XPLG V7 (Latest). Available: XPLG V6 and XPLG V5


The Syslog Forwarder can send data over Syslog either as Raw Data (as originated from the sources) or automatically converted to CEF (Common Event Format).

To send data over Syslog (Raw Data) Forwarder:

  1. Go to Manager > Left Navigation Panel > Data > Collection Policies > Edit a collection policy > Data Forwarding.
  2. Add a new Syslog Forwarder. For each forwarder, configure the following:
    1. Name: the name of the Syslog Forwarder
    2. Description: the description of the Syslog Forwarder
    3. Enabled: the Syslog Forwarder is enabled by default. Uncheck to disable it.
    4. Host: the remote host to which data should be sent.
    5. Port: the port that the Syslog Forwarder will use to send data.
    6. Protocol: the Syslog Forwarder can send data over either UDP or TCP.
    7. Data Filter Query: enter a data filter query.
  3. Advanced Settings:
    It is possible to replace specific characters during forwarding, based on your needs; the replacement is done via a regular expression. Two common examples:
    1. If your logs contain multiline events and you wish to send each event in a single-line format (as some receivers require), you can replace each end of line with a specific separator:

      {
      "replaceAll":"\n|\r",
      "replaceWith": " - "
      }

      The forwarded data is sent in a single-line format, with the value " - " placed at each original end of line.

    2. Another powerful use is masking forwarded data. For example, if a log contains sensitive data such as credit card numbers or passwords, it is possible to mask it during forwarding:
      Log event example:
      2020-10-19 11:00:00 David-Whong password=myPassw0rd standard user

      In the XpoLog forwarder:

      {
      "replaceAll":"password=[^\s]+|\n|\r",
      "replaceWith": "-***- "
      }

      Forwarded data:
      XPLG:[1603119482000] [user] [INFO] [jet.xplg.com] []: 2020-10-19 11:00:00 David-Whong -***-  standard user

      The password section was replaced with -***- and is not sent to the receiver.

  4. Save the Syslog Forwarder.
  5. Data from the Syslog Forwarder is sent to the configured host and port.
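As an added example (not XpoLog's own code), the Python below applies a forwarder's replaceAll/replaceWith rule to constructed sample events, checks that the masked secret no longer appears in the forwarded text, and shows that the `\n|\r` pattern above replaces a CRLF pair twice while the variant `\r\n|\n|\r` replaces it once. The configs are written with strict-JSON escaping (`\\s`); whether XpoLog's own parser also accepts the single-backslash form shown above is an assumption, not verified here.

```python
import json
import re

# Constructed configurations mirroring the two Advanced Settings examples above.
# Strict JSON requires the regex backslash in \s to be doubled ("\\s"); whether
# XpoLog's parser also accepts the single-backslash form is assumed, not verified.
SINGLE_LINE_CONFIG = r'''{ "replaceAll": "\n|\r", "replaceWith": " - " }'''
# Suggested variant: treat a CRLF pair as a single line ending.
SINGLE_LINE_CRLF_CONFIG = r'''{ "replaceAll": "\r\n|\n|\r", "replaceWith": " - " }'''
MASK_CONFIG = r'''{ "replaceAll": "password=[^\\s]+|\n|\r", "replaceWith": "-***- " }'''


def load_rule(config_text):
    """Parse a replaceAll/replaceWith block into a compiled regex and its replacement."""
    cfg = json.loads(config_text)
    return re.compile(cfg["replaceAll"]), cfg["replaceWith"]


def forward_event(event, config_text):
    """Apply the rule to one event, as the forwarder does before sending it on."""
    pattern, replacement = load_rule(config_text)
    return pattern.sub(replacement, event)


def leaked_secrets(forwarded, secrets):
    """Return the secrets still present in the forwarded text; empty means the mask held."""
    return [s for s in secrets if s in forwarded]


if __name__ == "__main__":
    # Constructed sample events (the first mirrors the log event example above).
    event = "2020-10-19 11:00:00 David-Whong password=myPassw0rd standard user"
    multiline = "first line\r\nsecond line"
    masked = forward_event(event, MASK_CONFIG)
    print(masked)
    print("leaked:", leaked_secrets(masked, ["myPassw0rd"]))
    print(repr(forward_event(multiline, SINGLE_LINE_CONFIG)))       # CR and LF replaced separately
    print(repr(forward_event(multiline, SINGLE_LINE_CRLF_CONFIG)))  # CRLF replaced once
```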


To send data over Syslog (CEF Format) Forwarder:

  1. Go to Manager > Left Navigation Panel > Data > Collection Policies > Edit a collection policy > Data Forwarding.
  2. Add a new CEF (Syslog) Forwarder. For each forwarder, configure the following:
    1. Name: the name of the Syslog Forwarder
    2. Description: the description of the Syslog Forwarder
    3. Enabled: the Syslog Forwarder is enabled by default. Uncheck to disable it.
    4. Host: the remote host to which data should be sent.
    5. Port: the port that the Syslog Forwarder will use to send data.
    6. Protocol: the Syslog Forwarder can send data over either UDP or TCP.
    7. Data Filter Query: enter a data filter query.
  3. Advanced Settings:
    By default, if XpoLog receives data that is already in CEF format, it includes the original CEF header values in the CEF fields (vendor, product, version, id, name, severity and format version); otherwise, it populates the CEF header created during forwarding with the log name, server name, etc.
    If you wish to forward only specific log fields, it is possible to customize the log and select only the fields to be displayed; only these fields will be forwarded.
  4. Save the Syslog Forwarder.
  5. Data from the Syslog Forwarder is sent to the configured host and port.

Note: it is possible to configure multiple Syslog Forwarders in the same collection policy.
