Documentation for Kiwi Syslog Server NG

Add an action to forward messages to another host

This documentation is for legacy Kiwi Syslog Server versions 9.8.2 and older. See the KSSNG version of Add an action to forward messages to another host for the newest version of the following documentation.

You can add a Kiwi Syslog Server action to forward each received message to another syslog host using the specified syslog protocol. This is useful when you need to pass log messages to team members who are located somewhere other than your host machine. For example, your company may have teams in both the United States and Japan who monitor log messages.

  1. From the Kiwi Syslog Service Manager, choose File > Setup.
  2. Add a rule, or locate an existing rule.
  3. Right-click Actions below the rule, and click Add Action.
  4. Click the default action name, and enter a descriptive name.
  5. From the Action menu, select Forward to another host.

  6. Specify the remote host IP address or host name. To send messages to multiple hosts, separate each host name or IP address with a comma. For example:

    Myhost.com, SecondHost.net, 203.75.21.3, ABC:567:0:0:8888:9999:1111:0

  7. Specify the protocol.

    The Kiwi Reliable Delivery Protocol (KRDP) works between two Kiwi Syslog Servers to reliably deliver syslog messages over a TCP transport.

  8. Specify the port number. Recommended values are:
    • UDP: Port 514
    • TCP: Port 1468 or port 601
    • KRDP: Port 1468
  9. Configure any of the following optional values.
    New Facility

    Forces outgoing messages to use a specified facility. In most cases, accept the default value of - No change -.

    New Level

    Forces outgoing messages to use a specified level. In most cases, accept the default value of - No change -.

    KRDP connection identifier

    Specifies the unique name assigned to the KRDP connection. Each connection between the source and destination syslog server must be identified. When the connection is broken and re-established, the sequence numbers can be exchanged and lost messages can be resent. A separate set of message sequence numbers is kept for each connection identifier.

    For example: Source:RemoteOffice1 or SyslogServer1

    This text string uniquely identifies the source of the connection to the destination syslog server.

    If you have more than one "Forward to another host" action configured, you can use the same connection identifier on all of them. A single KRDP connection is then made between the source and destination syslog servers. If you specify a different connection identifier for each action, multiple KRDP sessions are created.

    To ensure that the identifier is unique, we recommend the use of the %MACAddress variable. This variable is replaced by the first MAC address of the machine.

    For example: Source:RemoteOffice1-%MACAddress

    When running, the ID would look like: Source:RemoteOffice1-AA-BB-CC-DD-EE-FF-00. The MAC Address is globally unique to each network card.

    Send with RFC3164 header information

    Adds the standard RFC3164 header information to the outgoing message. The format is:

    <Priority>Date Hostname PID Message text

    The Priority is a value between 0 and 191.

    The Date is in the format Mmm DD HH:NN:SS (for example, July 4 12:44:39). Note that no year is specified. The PID is a program identifier of up to 32 characters.

    Retain the original source address of the message

    Normally, the syslog protocol is unable to maintain the original sender's address when forwarding syslog messages. This is because the sender's address is taken from the received UDP or TCP packet.

    Kiwi Syslog solves this problem by placing a tag in the message text that carries the original sender's address. By default, the tag looks like Original Address=192.168.1.1: the Original Address= tag, followed by the IP address, followed by a " " (space) delimiter.

    These tags are inserted only if the "Retain the original source address of the message" option is selected.

    If the "Spoof Network Packet" option is used, then the Original Address= tag is not used. The Syslog packet is forwarded to the destination address as though it has been sent from the originating IP address.

    Use a fixed source IP address

    Uses a fixed IP address in the Original Address= tag. This is useful when you want to identify outgoing messages as coming from a particular host, for example when more than one remote syslog server sends messages to one central location. If each remote syslog server uses the 10.0.0.x address range, the received messages appear to come from the same host. Specifying a different source IP address for each remote syslog server helps to tell the incoming messages apart.

    If the "Spoof Network Packet" option is used, then the Original Address= tag is not used. The Syslog packet is forwarded to the destination address as though it has been sent from the specified fixed IP address.

    Spoof Network Packet

    This option applies only to syslog messages forwarded over UDP with IPv4 addresses.

    The network packet is spoofed to appear as though the forwarded message came directly from the originating device's IP address rather than from the address of the Syslog Server. Kiwi Syslog Server uses the Selected Network Adapter to send the spoofed UDP/IP packet.

    This feature is only available in a licensed edition of Kiwi Syslog Server. It requires NpCap (with NpCap Loopback Adapter) installation.

  10. Test the action.
  11. Click Apply.
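The following is an added example, not code from the Kiwi Syslog Server product or its documentation. It assembles a forwarded message in the shape step 9 describes (the RFC3164 header with a 0-191 Priority, plus the optional Original Address= tag) and shows how a receiving collector can recover the real sender from that tag instead of attributing the message to the relay. The relay hostname, tag, timestamp and addresses are constructed sample values; RFC 3164 space-pads the day to two characters ("Jul  4"), which is assumed here.

```python
import re
from datetime import datetime

# PRI = facility * 8 + severity. Facilities run 0-23 and severities 0-7,
# which is why the documentation says the Priority lies between 0 and 191.
def pri(facility: int, severity: int) -> int:
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23, severity 0-7")
    return facility * 8 + severity

def build_forwarded(facility, severity, relay_host, tag, text,
                    original_addr=None, when=None):
    """Assemble the line as the documentation describes it:
    <PRI>Mmm dd hh:mm:ss Hostname TAG: [Original Address=x.x.x.x ]Message
    No year is carried; RFC 3164 space-pads the day ("Jul  4")."""
    when = when or datetime(2024, 7, 4, 12, 44, 39)   # constructed sample time
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    prefix = f"Original Address={original_addr} " if original_addr else ""
    return f"<{pri(facility, severity)}>{stamp} {relay_host} {tag}: {prefix}{text}"

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]{1,32}): "
    r"(?:Original Address=(?P<orig>[0-9A-Fa-f.:]+) )?"
    r"(?P<msg>.*)$")

def parse_forwarded(line: str, packet_src: str) -> dict:
    """Receiver side: recover the real sender. packet_src is the address the
    datagram actually arrived from (the relay). If the relay did not insert
    the tag, the relay address is all the receiver can attribute the event to."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    p = int(m["pri"])
    if p > 191:
        raise ValueError(f"PRI {p} out of range 0-191")
    return {
        "facility": p // 8, "severity": p % 8,
        "timestamp": m["ts"], "relay_host": m["host"], "tag": m["tag"],
        "source_ip": m["orig"] or packet_src,
        "via_tag": m["orig"] is not None,   # False: attribution is only the relay
        "message": m["msg"],
    }
```

A collector that keys alerts on source_ip should log via_tag as well, so that events attributed to the relay because the forwarding action lacked "Retain the original source address" are distinguishable from events genuinely generated on the relay.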