Documentation forSecurity Event Manager

Enable log forwarding

On the SEM Console Settings page, enable log forwarding to direct your raw (unnormalized) log messages to a dedicated server. This option allows you to forward log data to third-party systems and other SIEM tools.

When you configure connectors to send original log data to SEM, the messages are then auto-forwarded to the designated location. To use this feature, configure nDepth log retention and applicable connectors accordingly.

When enabled, you can switch between storing logs in the raw logs database and forwarding logs with syslog protocols (RFC3164 and RFC 5244). There is no option to filter logs based on IP address, connectors, rules, etc.

  • Rules do not fire on raw (unnormalized) log data. Rules can only fire on normalized data.
  • Raw (unnormalized) log messages do not appear in Monitor view in the console.
  • If you enable original log storage (raw database storage), and you enable connectors to send data to both databases, SEM storage requirements may double for the same retention period, and extra resource reservations of at least two additional CPUs and 8-16GB of RAM may be required.

Configure SEM Manager to store original log files in their own database

The following procedure must be completed prior to configuring any connector to send log messages to your SEM appliance.

  1. Open the CMC command line. For steps, see Log in to the SEM CMC command line interface.
  2. At the cmc> prompt, enter manager.

  3. At the cmc::manager> prompt, enter configuredepth and follow the prompts to configure your SEM Manager to use an nDepth server:
    1. Enter y at the Enable nDepth? prompt.

    2. If you are prompted with Run nDepth locally? (Recommended), enter y. This will configure a separate database on your SEM appliance to store original log files.

    3. If your SEM implementation consists of several appliances, follow the prompts to complete the process for your dedicated database or nDepth appliance. For additional information about this process, contact Support.

  4. Back at the cmc::manager> prompt, enter exit to return to the previous prompt.

  5. At the cmc> prompt, enter ndepth.

  6. At the cmc::nDepth> prompt, enter start. This command will start the Log Message search/storage service.

  7. Enter exit to return to the previous prompt.

  8. Enter exit to log out of your SEM appliance.

Configure connectors to send original log data to SEM

  1. Open the connector for editing in the Connector Configuration window for the SEM Manager or SEM Agent, as applicable:
    • If the connector has already been configured, stop the connector by clicking gear > Stop, and then click gear > Edit.

    • If the connector has not been configured, create a new instance of the connector by clicking gear > New next to the connector you want to configure.

  1. On the SEM Console, navigate to Configure > Node.

  2. Select an agent node, and then click Manage node connectors.

  3. Select a node connecter, click Stop, and then click Edit.

  4. Under Output, select Raw or Raw + Normalized.

  5. Click Save, and then click Start.

Establish log forwarding settings

  1. On the SEM Console, click the Settings button.

  2. On the Settings page, click the Log Forwarding tab.

  1. To enable log forwarding for adjusted connectors, select the Enable log forwarding for adjusted connectors check box.

    Log Forwarding can only be enabled for connector output set to nDepth.

  2. Enter the destination IP address or host name, and then enter the destination port.
  3. Make a selection from each of the following drop-down lists (the standard settings appear by default):
    • Protocol: UDP or TCP
    • RFC format: 3164 or 5424
    • Severity: The severity level is applied to all forwarded logs
    • Facility: The destination application
  4. Enter an App name (optional), and then click Save.
  5. To return to the SEM Console, click the Events tab.