Data Forwarding

Sending Syslog Messages to Other Hosts

The Log Correlation Engine can be the focal point of your entire log aggregation strategy. If a Storage Area Network, syslog server, or some other type of log aggregation solution is deployed in your network, the Log Correlation Engine can be configured to send a copy of any received message to one or more syslog servers. These messages include any message received from any client.

To configure the Log Correlation Engine to forward these messages:

  1. Log in to Log Correlation Engine via the user interface.

  2. Click on the Configuration section of the Log Correlation Engine interface.
  3. Then select Advanced, and in that section locate Data Forwarding.
  4. In the Syslog Forwarding section of Data Forwarding, enter a line for each syslog server.

The actual syslog service is not used to forward the messages. All packet generation is handled by the lced process.

The format of each entry into the Syslog Forwarding section is IP:port,exclude-header as shown below. The IP is the address of the syslog server to which the messages are sent. The port indicates the UDP port in which the receiving syslog server is listening. The exclude-header option determines if the Log Correlation Engine appends a custom header to indicate if the messages are sent from the Log Correlation Engine server or not. When omitted or set to 0, the header is appended. When set to 1, the header is not added and only the original log message is sent without indication that it was forwarded from the Log Correlation Engine server. If 2 is used the log will be sent in CEF (Common Event Format) format.

The following is an example of the Syslog Forwarding section that forwards messages to multiple syslog servers utilizing UDP. The first line forwards to UDP port 1234 and appends an Log Correlation Engine server header to each entry. The second forwards to UDP port 514, and an Log Correlation Engine server header is not appended to each entry. The third forwards to UDP port 514 and the log will be sent in CEF format.

The following is an example section of the TCP Syslog Forwarding section that forwards messages to multiple syslog servers. The first line forwards to TCP port 601 and appends a Log Correlation Engine server header to each entry with an ASCII 10 (Line Feed) delimiter. The second forwards to TCP port 601, and a Log Correlation Engine server header is not appended to each entry. The third forwards to TCP port 1234 and the log will be sent in CEF (Common Event Format) format.

Log Correlation Engine has the ability to forward logs in CEF format. However, the log is received by Log Correlation Engine whether it is a log message from an Log Correlation Engine Client, Syslog server, IDS or any other compatible log format Log Correlation Engine will convert the original log generated into CEF format. Shown below is a normal syslog message received by an Log Correlation Engine server followed by the forwarded CEF formatted message.

Apr 16 11:05:52 jetjaguar sudo: rongula : TTY=pts/0 ; PWD=/home/rongula ; USER=foo ; COMMAND=/bin/bash

CEF:0|Tenable|LCE|4.4.0|1404|Unix-Successful_Sudo|5|dpt=0 dst=192.0.2.23 spt=0 src=192.0.2.66 duser=rongula proto=0 msg=Apr 16 11:05:52 jetjaguar sudo: rongula : TTY\=pts/0 ; PWD\=/home/rongula ; USER\=foo ; COMMAND\=/bin/bash

Syslog Compliant Messages

Logs forwarded by the Log Correlation Engine will retain the original syslog alert level and facility, if one was present. If one was not present, the Log Correlation Engine assigns a log level of auth.warning.

Typically, Log Correlation Engine clients do not send syslog compliant messages. If a Log Correlation Engine client were configured to monitor a log file that retained an original message’s syslog alert level and facility, then this would be retained if forwarded by the Log Correlation Engine.

This allows for a remote syslog server that is receiving events from the Log Correlation Engine to process the received messages and place them in specific files. Depending on the type of syslog server, it may be possible to place logs from a router into one file, operating system logs into another and so on.

Content of Forwarded syslog Messages

When the Log Correlation Engine forwards a message, it also adds any matched information to the log file as shown below if configured to do so:

Jun 30 17:45:36 lce: [not-matched] 0.0.0.0:0 -> 192.0.2.1:0 ::

<37>sshd(pam_unix)[15322]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.1

The “::” characters are used to separate Log Correlation Engine’s heading from the original message. In this case, the message would also have been sent with a syslog facility/severity of <37> since that was the facility of the original message.

Additionally, notice that the Log Correlation Engine tagged the example event above with a not-matched keyword. This means that the Log Correlation Engine did not possess a .prm file to process the log. If it did, the matched event name would be present in the same location.

If configured to strip the Log Correlation Engine headers from the forwarded syslog messages, only the original log message is sent to the remote syslog server.

TCP Syslog Server Reconnect Interval

The TCP Syslog Server Reconnect Interval sets the interval that the Log Correlation Engine will wait before making a reconnection attempt to the TCP syslog server that lost its connection.

TCP Syslog

This list of decimal ASCII character codes tells Log Correlation Engine how to delimit TCP syslogs. By default only the standard linefeed character (ASCII decimal 10) is recognized but other products may use special characters.