Enable log forwarding
On the SEM Console Settings page, enable log forwarding to direct your raw (unnormalized) log messages to a dedicated server. This option allows you to forward log data to third-party systems and other SIEM tools.
When you configure connectors to send original log data to SEM, those messages are auto-forwarded to the designated destination. To use this feature, configure raw log output on the applicable connectors as described below.
When enabled, you can switch between storing logs in the raw logs database and forwarding logs over syslog (RFC 3164 or RFC 5424 format). There is no option to filter forwarded logs by IP address, connector, rule, or any other criterion; every raw message from an adjusted connector is forwarded.
- Rules do not fire on raw (unnormalized) log data. Rules can only fire on normalized data.
- Raw (unnormalized) log messages do not appear in Monitor view in the console.
- If you enable original log storage (raw database storage) and configure connectors to send data to both databases, SEM storage requirements may double for the same retention period, and extra resource reservations of at least two additional CPUs and 8-16 GB of RAM may be required.
- Open the connector for editing in the Connector Configuration window for the SEM Manager or SEM Agent, as applicable:
  - If the connector has already been configured, stop the connector by clicking gear > Stop, and then click gear > Edit.
  - If the connector has not been configured, create a new instance of the connector by clicking gear > New next to the connector you want to configure.
  - For a SEM Agent connector, on the SEM Console navigate to Configure > Node, select the agent node, click Manage node connectors, select the node connector, click Stop, and then click Edit.
- Under Output, select Raw or Raw + Normalized.
- Click Save, and then click Start.
- On the SEM Console, click the Settings button.
- On the Settings page, click the Log Forwarding tab.
- To enable log forwarding for adjusted connectors, select the Enable log forwarding for adjusted connectors check box.
  Log forwarding can only be enabled for connectors whose Output setting includes raw logs.
- Enter the destination IP address or host name, and then enter the destination port.
- Make a selection from each of the following drop-down lists (the standard settings appear by default):
  - Protocol: UDP or TCP
  - RFC format: 3164 or 5424
  - Severity: the severity level applied to all forwarded logs
  - Facility: the destination application
- Enter an App name (optional), and then click Save.
- To return to the SEM Console, click the Events tab.
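Because SEM stamps every forwarded message with the one Severity, Facility and App name you choose above, the receiving system can verify that the stream it gets actually matches that configuration. The following is an added example of such a check on the destination host; it is not SolarWinds code and does not reflect the exact text SEM puts in forwarded messages. It parses both syslog formats offered on the Log Forwarding tab (RFC 3164 and RFC 5424), splits the PRI value into facility and severity, and reports lines whose PRI or app name differ from the expected values. The sample lines, the facility/severity pair local0/info and the app name "sem" are constructed for the example.

```python
"""Parse RFC 3164 / RFC 5424 syslog lines and check a forwarded stream against
the facility, severity and app name configured on the forwarder.
Added example for the receiving host; the sample lines below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\[ ]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)


@dataclass
class SyslogMessage:
    rfc: str          # "3164" or "5424"
    facility: int     # 0-23
    severity: int     # 0 (emergency) to 7 (debug)
    timestamp: str
    hostname: str
    app_name: str
    msg: str


def split_pri(pri: int) -> Tuple[int, int]:
    """PRI = facility * 8 + severity in both RFCs; 191 is the largest legal value."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse_syslog(line: str) -> SyslogMessage:
    """Try the RFC 5424 layout first (it starts with a version digit), then RFC 3164."""
    line = line.rstrip("\r\n")
    m = RFC5424_RE.match(line)
    if m:
        fac, sev = split_pri(int(m["pri"]))
        return SyslogMessage("5424", fac, sev, m["ts"], m["host"], m["app"], m["msg"] or "")
    m = RFC3164_RE.match(line)
    if m:
        fac, sev = split_pri(int(m["pri"]))
        return SyslogMessage("3164", fac, sev, m["ts"], m["host"], m["app"], m["msg"])
    raise ValueError(f"not a recognised syslog line: {line!r}")


def check_forwarded(lines: List[str], facility: int, severity: int, app_name: str) -> List[str]:
    """Return one finding per line that is unparseable or does not carry the
    facility, severity and app name configured on the forwarder."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            msg = parse_syslog(line)
        except ValueError as exc:
            findings.append(f"line {n}: {exc}")
            continue
        if (msg.facility, msg.severity) != (facility, severity):
            findings.append(f"line {n}: facility/severity {msg.facility}/{msg.severity}, "
                            f"expected {facility}/{severity}")
        if msg.app_name != app_name:
            findings.append(f"line {n}: app name {msg.app_name!r}, expected {app_name!r}")
    return findings


# Constructed samples: two lines as a forwarder set to local0 (16), info (6) and
# app name "sem" would emit (one per RFC format), plus one stray line from
# another source that should be flagged.
SAMPLE_LINES = [
    "<134>1 2024-05-01T12:00:00Z sem-host sem - - - Raw connector line one",
    "<134>May  1 12:00:01 sem-host sem: Raw connector line two",
    "<13>May  1 12:00:02 other-host sshd[1234]: Accepted publickey for alice",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_syslog(sample))
    for finding in check_forwarded(SAMPLE_LINES, 16, 6, "sem"):
        print("MISMATCH:", finding)
```

Feed the lines your collector actually received (for example from a file written by the syslog daemon on the destination host) to `check_forwarded` with the facility, severity and App name you set on the Log Forwarding tab; anything it reports is either a source other than SEM sharing that destination or a forwarder whose settings differ from what you expect.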