Raw Syslog Forwarders collect and forward raw logs from a Logpoint to a remote target.
Raw Syslog Forwarders
You can enable IP Spoofing to directly add the log collection devices in the target Logpoint instead of adding them in the raw syslog forwarder and still distinguish the Logpoint where the logs are collected.
To use Raw Syslog Forwarders:
Targets are the devices to which the raw syslog messages are forwarded.
Go to Settings >> Configuration from the navigation bar and click Raw Syslog Forwarder.
Click Targets.
Remote Targets
Click Add IP.
Add a Remote Target
Enter the Name, IP address, and Port number for the input port of the target.
Select the Protocol to send the syslog message.
Note
Choosing TCP disables IP spoofing.
Click Submit.
Note
You can add more than one target.
Logpoint collects and forwards the raw syslog messages from the Devices.
Go to Settings >> Configuration from the navigation bar and click Raw Syslog Forwarder.
Devices
Click Add.
Configure Devices
Double-click the devices or device groups to select them.
Note
If you select All for a device group, any device added to it in the future is automatically selected as a target.
Select the Remote Target(s).
Provide a regex Pattern to match before forwarding logs. Only the logs matching the specified pattern are forwarded. For example:
[0-9]+ forwards a log only if a digit is present in the log.
[a-zA-Z0-9]+ forwards a log only if it contains either a-z, A-Z, or 0-9.
\S+ forwards all the logs.
Click Submit.
The Raw Syslog Forwarder now collects logs from the chosen devices and forwards the raw logs to the chosen targets.
Go to Settings >> Configuration from the navigation bar and click Raw Syslog Forwarder.
Click the Device of the required Raw Syslog Forwarder.
Update the information.
Click Submit.
Go to Settings >> Configuration from the navigation bar and click Raw Syslog Forwarder.
Click Delete.
To delete multiple Raw Syslog Forwarders, select the concerned forwarders, click More and select Delete Selected.
To delete all the forwarders, click More and select Delete All.
Click Yes.
To view logs from localhost, you must add the IP of the Raw Syslog Forwarder in the remote target. You must also configure its Syslog Collector.
While forwarding localhost logs, Logpoint adds additional data in the header and sends the original message in the following format:
<13> {local date time} {hostname} {original message}
Example:
| Original Message | Forwarded message |
|---|---|
| 2016-01-29_06:00:20.70969 Starting report_jobs. | <13> Jan 29 06:00:25 localhost 2016-01-29_06:00:20.70969 Starting report_jobs. |
Note
13 is the PRIVAL representing log audit.
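On the receiving side, the added header has to be separated from the original message before the event's own timestamp can be used. The following is an added example, not Logpoint code: the names `parse_forwarded`, `build_forwarded` and `ForwardedLog` are hypothetical, and the date-time pattern is an assumption based on the single example row above.

```python
import re
from typing import NamedTuple, Optional

# Layout from the page: <13> {local date time} {hostname} {original message}
# Assumptions: the date-time has the "Jan 29 06:00:25" shape of the page's
# example, and the hostname contains no whitespace.
FORWARDED_RE = re.compile(
    r"^<(?P<prival>\d{1,3})>\s*"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<msg>.*)$",
    re.DOTALL,
)


class ForwardedLog(NamedTuple):
    prival: int       # number inside the angle brackets
    local_time: str   # time added in the header, not the event's own time
    hostname: str
    original: str     # original message, untouched


def parse_forwarded(line: str) -> Optional[ForwardedLog]:
    """Return the added header fields and the original message, or None
    when the line does not carry the forwarding header."""
    m = FORWARDED_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return ForwardedLog(int(m["prival"]), m["ts"], m["host"], m["msg"])


def build_forwarded(original: str, hostname: str, local_time: str,
                    prival: int = 13) -> str:
    """Wrap a message in the documented layout (useful for test data)."""
    return f"<{prival}> {local_time} {hostname} {original}"


# Sample taken from the example row in the table above.
SAMPLE = "<13> Jan 29 06:00:25 localhost 2016-01-29_06:00:20.70969 Starting report_jobs."

if __name__ == "__main__":
    rec = parse_forwarded(SAMPLE)
    print(rec.local_time)  # header time added at forwarding
    print(rec.original)    # original message with its own timestamp
```

In the page's example the header time (06:00:25) is five seconds later than the timestamp inside the original message (06:00:20), so timelines built from forwarded localhost logs should take the event time from the original message.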
You have to add a device and configure its syslog collector to view the logs forwarded from that device.
Note
A remote target only supports UDP for a regular device. It supports both TCP and UDP for localhost.