Sending Syslog Messages to Other Hosts
The LCE can be the focal point of your entire log aggregation strategy. If a Storage Area Network, syslog server, or some other type of log aggregation solution is deployed in your network, the LCE can be configured to send a copy of every message it receives to one or more syslog servers. This includes every message received from any LCE client, so the forwarding destinations should be protected at least as well as the LCE itself.
To configure the LCE to forward these messages:
- Log in to LCE via the user interface.
- Click on the Configuration section of the LCE interface.
- Then select Advanced, and in that section locate Data Forwarding.
- In the Syslog Forwarding section of Data Forwarding, enter a line for each
The host's own syslog service is not used to forward the messages. The lced process generates and sends the packets itself, so the local syslog daemon's configuration does not affect what is forwarded.
The format of each entry in the Syslog Forwarding section is IP:port,exclude-header. IP is the address of the syslog server to which the messages are sent. port is the UDP port on which the receiving syslog server is listening. The exclude-header option determines whether the LCE adds its own header to indicate that the message was forwarded from the LCE server. When omitted or set to 0, the header is added. When set to 1, the header is not added and only the original log message is sent, with no indication that it passed through the LCE server. When set to 2, the log is sent in CEF (Common Event Format). Note that UDP syslog is neither acknowledged nor encrypted: a destination that is down or unreachable silently loses messages, and anything on the path can read them.
The following is an example of the Syslog Forwarding section that forwards messages to multiple syslog servers over UDP. The first line forwards to UDP port 1234 and adds an LCE server header to each entry. The second forwards to UDP port 514 without an LCE server header. The third forwards to UDP port 514 in CEF format.
The following is an example of the TCP Syslog Forwarding section that forwards messages to multiple syslog servers. The first line forwards to TCP port 601 and adds an LCE server header to each entry, with an ASCII 10 (Line Feed) delimiter terminating each record. The second forwards to TCP port 601 without an LCE server header. The third forwards to TCP port 1234 in CEF (Common Event Format).
LCE has the ability to forward logs in CEF format. Whatever the source of the log (an LCE Client, a syslog server, an IDS, or any other compatible log format that LCE accepts), LCE converts the original message it received into CEF when this mode is selected. Shown below is a normal syslog message received by an LCE server, followed by the forwarded CEF-formatted message.
Apr 16 11:05:52 jetjaguar sudo: rongula : TTY=pts/0 ; PWD=/home/rongula ; USER=foo ; COMMAND=/bin/bash
CEF:0|Tenable|LCE|4.4.0|1404|Unix-Successful_Sudo|5|dpt=0 dst=192.0.2.23 spt=0 src=192.0.2.66 duser=rongula proto=0 msg=Apr 16 11:05:52 jetjaguar sudo: rongula : TTY\=pts/0 ; PWD\=/home/rongula ; USER\=foo ; COMMAND\=/bin/bash
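The following Python is an added example, not LCE code and not from the original page. It parses forwarding entries in the IP:port,exclude-header format described above and builds the payload each of the three modes would produce for the page's sudo message, reproducing the CEF line above. The CEF escaping follows the CEF specification (backslash and pipe in header fields, backslash and equals sign in extension values). The layout of the mode-0 LCE header is modelled on the sample in the "Content of Forwarded syslog Messages" section and is an assumption; the forwarding entries and the source/destination fields are constructed.

```python
"""Added example (not LCE code): payloads for exclude-header modes 0, 1 and 2."""
import ipaddress

# Constructed forwarding entries in the page's "IP:port,exclude-header" format.
SYSLOG_FORWARDING = [
    "192.0.2.10:1234,0",  # LCE header prepended to every message
    "192.0.2.11:514,1",   # original message only
    "192.0.2.12:514,2",   # converted to CEF
]

# The page's sample received message and the fields LCE put in its CEF header.
ORIGINAL = ("Apr 16 11:05:52 jetjaguar sudo: rongula : TTY=pts/0 ; "
            "PWD=/home/rongula ; USER=foo ; COMMAND=/bin/bash")
CEF_HEADER = ("Tenable", "LCE", "4.4.0", "1404", "Unix-Successful_Sudo", "5")
# Event metadata as it appears in the page's CEF extension (constructed names).
META = {"event": "Unix-Successful_Sudo", "src": "192.0.2.66", "spt": "0",
        "dst": "192.0.2.23", "dpt": "0", "duser": "rongula", "proto": "0"}


def parse_forward_entry(entry):
    """Parse 'IP:port' or 'IP:port,exclude-header' into (ip, port, mode).

    Mode defaults to 0 when omitted, as the page states. A bad address,
    an out-of-range port or a mode other than 0/1/2 is rejected rather
    than silently accepted.
    """
    dest, _, mode = entry.strip().partition(",")
    ip, sep, port = dest.rpartition(":")
    if not sep:
        raise ValueError(f"missing port in {entry!r}")
    ipaddress.ip_address(ip)            # raises ValueError on a bad address
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    mode = int(mode) if mode else 0
    if mode not in (0, 1, 2):
        raise ValueError(f"exclude-header must be 0, 1 or 2 in {entry!r}")
    return ip, port, mode


def _cef_escape_header(field):
    # CEF header fields: backslash and pipe are escaped.
    return field.replace("\\", "\\\\").replace("|", "\\|")


def _cef_escape_ext(value):
    # CEF extension values: backslash, '=' and line breaks are escaped
    # (this is why the page shows "TTY\=pts/0").
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def cef_event(header_fields, extensions):
    """Render CEF:0|Vendor|Product|Version|SigID|Name|Severity|key=value ..."""
    header = "|".join(_cef_escape_header(f) for f in header_fields)
    ext = " ".join(f"{k}={_cef_escape_ext(v)}" for k, v in extensions.items())
    return f"CEF:0|{header}|{ext}"


def lce_header(event_name, src, dst, timestamp="Apr 16 11:05:52"):
    """Mode-0 prefix modelled on the page's sample (assumed layout):
    '<timestamp> lce: [<event>] <src> -> <dst>'."""
    return f"{timestamp} lce: [{event_name}] {src} -> {dst}"


def forwarded_payload(mode, original, meta, cef_header=CEF_HEADER):
    """Return the text that would be sent for one exclude-header mode."""
    if mode == 0:
        prefix = lce_header(meta["event"], f"{meta['src']}:{meta['spt']}",
                            f"{meta['dst']}:{meta['dpt']}")
        return f"{prefix} :: {original}"
    if mode == 1:
        return original
    if mode == 2:
        ext = {k: meta[k] for k in ("dpt", "dst", "spt", "src", "duser", "proto")}
        ext["msg"] = original            # the whole original line rides in msg=
        return cef_event(cef_header, ext)
    raise ValueError(f"unknown exclude-header mode {mode}")


def build_all(entries=SYSLOG_FORWARDING, original=ORIGINAL, meta=META):
    """Map each destination 'ip:port' to the payload it would receive."""
    return {f"{ip}:{port}": forwarded_payload(mode, original, meta)
            for ip, port, mode in map(parse_forward_entry, entries)}


if __name__ == "__main__":
    for dest, payload in build_all().items():
        print(dest, payload, sep="\n  ")
```

The mode-2 output for the constructed entries is byte-for-byte the CEF line shown above; the only transformation of the original text is the escaping of the equals signs inside the msg= value.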
Syslog Compliant Messages
Logs forwarded by the LCE retain the original syslog severity and facility, if one was present. If one was not present, the LCE assigns a facility and severity of auth.warning.
Typically, LCE clients do not send syslog-compliant messages. If an LCE client is configured to monitor a log file whose entries retain their original syslog severity and facility, that facility and severity are preserved when the LCE forwards them.
This allows a remote syslog server that receives events from the LCE to process the received messages and write them to specific files. Depending on the type of syslog server, it may be possible to place logs from a router into one file, operating system logs into another, and so on.
Content of Forwarded syslog Messages
When the LCE forwards a message, it also adds any matched information in front of the original message, as shown below, if configured to do so:
Jun 30 17:45:36 lce: [not-matched] 0.0.0.0:0 -> 192.0.2.1:0 :: <37>sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.1
The “::” characters separate the LCE heading from the original message. In this case, the message would also have been sent with a syslog priority of <37>, which decodes to facility auth and severity notice (4 * 8 + 5), since that was the facility and severity of the original message.
Additionally, notice that the LCE tagged the example event above with the not-matched keyword. This means that the LCE did not have a .prm file to process the log. If it did, the matched event name would appear in the same position.
If configured to strip the LCE headers from the forwarded syslog messages, only the original log message is sent to the remote syslog server.
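The following Python is an added example of the receiving side, not LCE code and not from the original page. It splits the LCE heading from the original message on the " :: " separator, reads the [event] tag, decodes the <PRI> the original message carried (facility * 8 + severity, as in RFC 3164/5424) and falls back to LCE's default of auth.warning when no PRI is present, then picks a destination file by facility as the previous section describes. The heading layout is taken from the page's sample only and is an assumption; the routing policy and the second sample line (the same event as it would arrive with the LCE header stripped) are constructed.

```python
"""Added example (not LCE code): parse a forwarded LCE message on the
receiving syslog host and route it by facility."""
import re

# RFC 3164/5424 facility and severity names; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
DEFAULT_PRI = 4 * 8 + 4          # auth.warning, LCE's default when no PRI is present

# Assumed heading layout, from the page's sample:
# '<timestamp> lce: [<event>] <src>:<port> -> <dst>:<port>'
HEADING_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) lce: "
    r"\[(?P<event>[^\]]+)\] (?P<src>\S+) -> (?P<dst>\S+)$")
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed samples: the page's forwarded sshd message, then the same
# message as it would arrive with exclude-header=1 (no heading, no PRI).
SAMPLES = [
    "Jun 30 17:45:36 lce: [not-matched] 0.0.0.0:0 -> 192.0.2.1:0 :: "
    "<37>sshd(pam_unix): authentication failure; logname= uid=0 euid=0 "
    "tty=NODEVssh ruser= rhost=192.0.2.1",
    "sshd(pam_unix): authentication failure; logname= uid=0 euid=0 "
    "tty=NODEVssh ruser= rhost=192.0.2.1",
]


def decode_pri(pri):
    """Turn a PRI value into 'facility.severity'; reject values outside <0>..<191>."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return f"{FACILITIES[pri // 8]}.{SEVERITIES[pri % 8]}"


def parse_forwarded(line):
    """Split off the LCE heading (if any) and decode the original message's PRI."""
    heading, sep, rest = line.partition(" :: ")
    m = HEADING_RE.match(heading) if sep else None
    if m:
        fields = m.groupdict()
        original = rest
    else:
        # No heading (exclude-header=1), or ' :: ' merely occurred inside the
        # original text: treat the whole line as the original message.
        fields = {"ts": None, "event": None, "src": None, "dst": None}
        original = line
    p = PRI_RE.match(original)
    pri = int(p.group(1)) if p else DEFAULT_PRI
    fields.update(
        pri=pri,
        level=decode_pri(pri),
        matched=fields["event"] not in (None, "not-matched"),
        original=original[p.end():] if p else original,
    )
    return fields


def destination_file(level):
    """Constructed routing policy (not LCE's): auth traffic to auth.log,
    local7 (a common router default) to network.log, the rest to messages."""
    facility = level.split(".")[0]
    if facility in ("auth", "authpriv"):
        return "auth.log"
    if facility == "local7":
        return "network.log"
    return "messages"


if __name__ == "__main__":
    for line in SAMPLES:
        rec = parse_forwarded(line)
        print(rec["event"], rec["level"], "->", destination_file(rec["level"]))
```

When the heading is stripped at the LCE (exclude-header set to 1), the receiver has no [event] tag and, for a message without a PRI, no facility either, so routing falls back to the auth.warning default; keep that in mind before stripping the header to save bytes.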
TCP Syslog Server Reconnect Interval
The TCP Syslog Server Reconnect Interval sets how long the LCE waits before attempting to reconnect to a TCP syslog server whose connection was lost.
A related setting, a list of decimal ASCII character codes, tells LCE how to delimit TCP syslog records. By default only the standard line feed character (ASCII decimal 10) is recognized, but other products may use special characters.
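The following Python is an added example, not LCE code and not from the original page. It frames a TCP syslog byte stream using a delimiter list given as decimal ASCII codes, defaulting to 10 as the page describes, and handles the two things a UDP receiver never has to think about: a record split across TCP segments, and a peer that never sends a delimiter. That multiple codes are written comma-separated ("13,10") is an assumption; the sample segments are constructed.

```python
"""Added example (not LCE code): frame TCP syslog records from a stream using
a delimiter list of decimal ASCII codes."""


class TcpSyslogFramer:
    """Accumulates TCP segments and returns the complete records they finish.

    Records can straddle segment boundaries, so partial data stays in a buffer
    until a delimiter arrives. A cap on the buffer stops a peer that never
    sends a delimiter from growing memory without bound.
    """

    def __init__(self, delimiters="10", max_record=64 * 1024):
        # Assumed syntax: comma-separated decimal codes, e.g. "13,10" for CR and LF.
        codes = [int(c) for c in delimiters.split(",") if c.strip()]
        if not codes or any(not 0 <= c <= 255 for c in codes):
            raise ValueError(f"bad delimiter list {delimiters!r}")
        # Map every delimiter byte to LF so a single split handles all of them;
        # non-delimiter bytes are left untouched by the translation.
        self._table = bytes.maketrans(bytes(codes), b"\n" * len(codes))
        self._buf = b""
        self._max = max_record

    def feed(self, chunk):
        """Add one TCP segment; return the records it completed, as str."""
        self._buf += chunk
        parts = self._buf.translate(self._table).split(b"\n")
        self._buf = parts.pop()              # trailing partial record, if any
        if len(self._buf) > self._max:
            self._buf = b""
            raise ValueError("record exceeds max length without a delimiter")
        # CRLF with delimiters "13,10" yields an empty piece between \r and \n; drop it.
        return [p.decode("utf-8", errors="replace") for p in parts if p]


def frame_segments(segments, delimiters="10"):
    """Convenience wrapper: run a list of constructed segments through one framer."""
    framer = TcpSyslogFramer(delimiters)
    records = []
    for seg in segments:
        records.extend(framer.feed(seg))
    return records


if __name__ == "__main__":
    # Constructed segments: the second record is split across two segments.
    print(frame_segments([b"<34>one\n<34>tw", b"o\n<34>three", b"\n"]))
    print(frame_segments([b"a\r\nb\r\nc"], "13,10"))
```

Note that the buffer is deliberately discarded when the cap is hit; the alternative, keeping it and hoping a delimiter eventually arrives, is exactly the memory-exhaustion path a hostile sender would aim for on a listener that accepts TCP from the network.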