Enable log forwarding

On the LEM Events Console Settings page, enable log forwarding to direct your raw (unnormalized) log messages to a dedicated server. This option allows you to forward log data to third-party systems and other SIEM tools.

When you configure connectors to send original log data to LEM, the messages are then auto-forwarded to the designated location. To use this feature, configure nDepth log retention and applicable connectors accordingly.

With nDepth enabled, you can choose between storing logs in the raw logs database (nDepth) and forwarding them over syslog (RFC 3164 or RFC 5424). Forwarding is all-or-nothing for the adjusted connectors: there is no option to filter forwarded logs by IP address, connector, rule, and so on.

  • Rules do not fire on raw (unnormalized) log data. Rules can only fire on normalized data.
  • Raw (unnormalized) log messages do not appear in Monitor view in the console.
  • If you enable original log storage (raw database storage), and you enable connectors to send data to both databases, LEM storage requirements may double for the same retention period, and extra resource reservations of at least two additional CPUs and 8-16GB of RAM may be required.

Configure LEM Manager to store original log files in their own database

The following procedure must be completed prior to configuring any connector to send log messages to your LEM appliance.

  1. Open the CMC command line. For steps, see Log in to the LEM CMC command line interface.
  2. At the cmc> prompt, enter manager.

  3. At the cmc::manager> prompt, enter configurendepth and follow the prompts to configure your LEM Manager to use an nDepth server:
    1. Enter y at the Enable nDepth? prompt.

    2. If you are prompted with Run nDepth locally? (Recommended), enter y. This will configure a separate database on your LEM appliance to store original log files.

    3. If your LEM implementation consists of several appliances, follow the prompts to complete the process for your dedicated database or nDepth appliance. For additional information about this process, contact Support.

  4. Back at the cmc::manager> prompt, enter exit to return to the previous prompt.

  5. At the cmc> prompt, enter ndepth.

  6. At the cmc::nDepth> prompt, enter start. This command will start the Log Message search/storage service.

  7. Enter exit to return to the previous prompt.

  8. Enter exit to log out of your LEM appliance.

Configure connectors to send original log data to LEM

  1. Open the connector for editing in the Connector Configuration window for the LEM Manager or LEM Agent, as applicable:
    • If the connector has already been configured, stop the connector by clicking gear > Stop, and then click gear > Edit.

    • If the connector has not been configured, create a new instance of the connector by clicking gear > New next to the connector you want to configure.

  2. In the Connector Details pane, change the Output value to Alert, nDepth. Leave the nDepth Host and nDepth Port values alone unless otherwise instructed by Support.

    The Output values are defined as:

    • Alert: Sending data to the alert database

    • nDepth: Sending data to the RAW (original log) database

    For help, see The Connector Configuration form fields for data-gathering (sensor) connectors.

  3. If you are finished configuring the connector, click Save.
  4. Start the connector by clicking gear > Start.

  5. Click Close to close the Connector Configuration window.

  6. Repeat these steps for each connector you want to send original log data to your LEM appliance.

    Learn more about using connector profiles to create forwarding policies here.

Establish log forwarding settings

  1. In the LEM Events Console, click the Settings button.

  2. On the Settings page, click the Log Forwarding tab.

  3. To enable log forwarding for adjusted connectors, select the Enable log forwarding for adjusted connectors check box.

    Log forwarding can only be enabled for connectors whose Output is set to nDepth.

  4. Enter the destination IP address or host name, and then enter the destination port.
  5. Make a selection from each of the following drop-down lists (the standard settings appear by default):
    • Protocol: UDP or TCP
    • RFC format: 3164 or 5424
    • Severity: The syslog severity level applied to all forwarded logs
    • Facility: The syslog facility applied to all forwarded logs; the receiving application typically routes messages on it
  6. Enter an App name (optional), and then click Save.
  7. To return to the LEM Events Console, click Monitor.
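A receiver-side check for the forwarding settings above, added here as an example; it is not LEM code and does not come from the SolarWinds documentation. Because the Log Forwarding tab stamps one severity and one facility on every message, the destination can verify that every line on the configured port decodes to those values and was built in the RFC format selected. The parser handles both RFC 3164 and RFC 5424 framing and decodes PRI into facility and severity. The sample lines, the hostnames lem-01 and host01, the app name LEM, and the settings facility local0 / severity info are constructed assumptions, not LEM defaults.

```python
"""Receiver-side check for syslog forwarded from LEM (added example, not LEM code).

Assumptions: the destination host is one you control, TCP messages are
newline-terminated, and the sample lines below are constructed, not captured.
"""
import re
import socket
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Facility and severity names per RFC 5424 section 6.2.1 (PRI = facility * 8 + severity).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# Structured-data matching is simplified: an escaped ']' inside a param value is not handled.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d{0,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME [TAG[pid]:] MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?:(?P<app>[^\s:\[]+)(?:\[\d+\])?:\s*)?(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogMessage:
    rfc: str            # "5424" or "3164"
    facility: str
    severity: str
    host: str
    app: Optional[str]  # APP-NAME (5424) or TAG (3164); None when absent or NILVALUE
    msg: str


def parse_syslog(line: str) -> Optional[SyslogMessage]:
    """Parse one forwarded line in either RFC format; return None if it is neither."""
    line = line.rstrip("\r\n")
    m, rfc = RFC5424_RE.match(line), "5424"
    if m is None:
        m, rfc = RFC3164_RE.match(line), "3164"
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # highest legal PRI is local7 (23) * 8 + debug (7)
        return None
    app = m.group("app")
    return SyslogMessage(rfc, FACILITIES[pri // 8], SEVERITIES[pri % 8],
                         m.group("host"), None if app == "-" else app, m.group("msg") or "")


def summarize(lines: Iterable[str]) -> Counter:
    """Count messages by (rfc, facility, severity, app) so a stray sender stands out."""
    counts: Counter = Counter()
    for line in lines:
        m = parse_syslog(line)
        counts[(m.rfc, m.facility, m.severity, m.app) if m else ("unparsed", None, None, None)] += 1
    return counts


def check_forwarding(lines: Iterable[str], facility: str, severity: str,
                     app: Optional[str] = None) -> List[str]:
    """Return lines that do not carry the facility/severity (and app name, if given)
    configured on the Log Forwarding tab. LEM applies one severity and one facility to
    every forwarded log, so anything else came from another sender or was mangled."""
    bad = []
    for line in lines:
        m = parse_syslog(line)
        if (m is None or m.facility != facility or m.severity != severity
                or (app is not None and m.app != app)):
            bad.append(line)
    return bad


def receive(bind_addr: str, port: int, proto: str, count: int) -> List[str]:
    """Collect `count` messages on the destination port. TCP is read newline-delimited
    (RFC 6587 non-transparent framing); octet-counted framing is not handled."""
    lines: List[str] = []
    if proto.upper() == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind((bind_addr, port))
            while len(lines) < count:
                data, _ = s.recvfrom(65535)
                lines.append(data.decode("utf-8", "replace"))
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((bind_addr, port))
            srv.listen(1)
            conn, _ = srv.accept()
            with conn, conn.makefile("r", encoding="utf-8", errors="replace") as f:
                for line in f:
                    lines.append(line)
                    if len(lines) >= count:
                        break
    return lines


# Constructed sample lines (not captured from a real appliance). The first two are what a
# forwarder set to RFC 5424, facility local0, severity info, app name "LEM" would emit;
# the third is an RFC 3164 message from some other host sharing the port.
SAMPLE_LINES = [
    "<134>1 2024-05-01T12:00:00Z lem-01 LEM - - - raw event text from connector A",
    '<134>1 2024-05-01T12:00:01Z lem-01 LEM - - [meta seq="2"] raw event text from connector B',
    "<13>Oct 11 22:14:15 host01 sshd[123]: Failed password for root from 10.0.0.5",
    "not syslog at all",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LINES).items():
        print(n, key)
    print("unexpected:", check_forwarding(SAMPLE_LINES, "local0", "info", app="LEM"))
```

To test a live destination, replace SAMPLE_LINES with `receive("0.0.0.0", 514, "UDP", 20)` (or the port and protocol you entered on the tab) and run `check_forwarding` with the facility, severity and app name you selected; an empty result means every message on that port is LEM's and carries the configured values.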