Syslog forwarding from SGBox to another server
This article explains how to forward the logs and events received by SGBox to another server using the syslog protocol.
First of all, download the “SGBox syslog forwarder” application, or open a support ticket to have it unlocked.
Remember that this application reads data from the internal repository and forwards logs, events or incidents to an external syslog server.
From SCM > Application > Tools click install on SGBox syslog forwarder application.
Launch the application and configure it:

| Field | Description |
| --- | --- |
| IP Address | Address of the remote syslog server. Only IP addresses are accepted in the “Remote syslog server address” field; hostnames are not accepted. |
| Class ID | One or more classes to retrieve logs and events from. Identify a class by its class ID (LM->Configuration->Class, the # column). Comma-separated class IDs select several classes, and therefore all the hosts and events they contain. Alternatively, create a single new class containing every host/event that should be forwarded; this is less readable, but allowed. |
| Protocol | TCP or UDP. Use TCP where possible: it is the more reliable transport, since UDP datagrams dropped on the way are simply lost and leave gaps in the remote copy. |
| Port | Destination port on the remote syslog server. |
| Send RAW data from hosts in these classes corresponding to the selected events | Forwards only the raw logs that generated an event (in a “logon” class, only the raw lines that represent a logon). |
| Send all RAW data from hosts in these classes | Forwards every log from the hosts that belong to the selected classes (more verbose). |
| Send events (JSON format) | Forwards only the events produced by the event extraction system. Incidents (events generated by correlation rules) can be forwarded as well; list the classes they are bound to in the Class ID field (again from LM->Configuration->Class). |
Additional information:
- Data is sent using the RFC 5424 syslog format.
- Raw data and events are sent with the same origin and timestamp as the original raw log or event.
- Raw data is sent as plain text (the original log line).
- Events are sent in JSON format.
- Only TCP and UDP are offered and no transport encryption is described here, so the forwarded copy of your logs crosses the network in the clear. Use a trusted or tunnelled network path to the destination and configure the receiving syslog server to accept messages from the SGBox address only.
- To verify the configuration, watch the destination port on the receiving server (for example with tcpdump) while SGBox is receiving logs from the selected classes: with the RAW options you should see plain log lines, with the events option JSON objects.
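The following Python script is an added example, not part of this article and not SGBox code, of what the receiving side can use to check the forwarder's output. It parses the RFC 5424 header, splits a TCP stream into messages using either RFC 6587 framing (octet counting or newline-terminated; the article does not say which one SGBox uses, so both are handled, and UDP needs no framing at all), and separates JSON events from plain-text raw logs. The two sample messages are constructed; the APP-NAME, MSGID and structured-data values they carry are assumptions, not SGBox's actual output format.

```python
"""Receiver-side check for an RFC 5424 syslog forwarder (added example, not
SGBox code). Sample messages are constructed; their APP-NAME, MSGID and
structured-data values are assumptions about the forwarder's format."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[.*?(?<!\\)\])+)"
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    appname: str
    msgid: str
    structured_data: str
    msg: str
    event: Optional[dict] = None  # set when MSG is a JSON object (an event)


def parse_rfc5424(line: str) -> SyslogMessage:
    """Parse one RFC 5424 message; raise ValueError on anything else."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    pri = int(m["pri"])
    if pri > 191 or m["version"] != "1":
        raise ValueError(f"bad PRI/VERSION in {line!r}")
    msg = m["msg"] or ""
    if msg.startswith("\ufeff"):  # RFC 5424 allows a UTF-8 BOM before MSG
        msg = msg[1:]
    event = None
    if msg.startswith("{"):  # events arrive as JSON, raw logs as free text
        try:
            event = json.loads(msg)
        except json.JSONDecodeError:
            event = None
    return SyslogMessage(pri // 8, pri % 8, m["timestamp"], m["hostname"],
                         m["appname"], m["msgid"], m["sd"], msg, event)


def frame_for_tcp(msg: str, octet_counting: bool = True) -> bytes:
    """Sender side: wrap one message for TCP transport (RFC 6587)."""
    data = msg.encode("utf-8")
    return b"%d %s" % (len(data), data) if octet_counting else data + b"\n"


def split_tcp_stream(buf: bytes):
    """Receiver side: cut a TCP byte stream into messages.

    Returns (messages, leftover); keep `leftover` for the next recv(), since
    TCP does not preserve message boundaries. UDP needs none of this: one
    datagram is one message, so call parse_rfc5424() on it directly."""
    messages = []
    while buf:
        m = re.match(rb"(\d+) ", buf)
        if m:  # octet counting: "LEN SP MSG"
            start, length = m.end(), int(m.group(1))
            if len(buf) - start < length:
                break  # message not complete yet
            messages.append(buf[start:start + length].decode("utf-8", "replace"))
            buf = buf[start + length:]
        else:  # non-transparent framing: one message per line
            nl = buf.find(b"\n")
            if nl < 0:
                break
            messages.append(buf[:nl].decode("utf-8", "replace"))
            buf = buf[nl + 1:]
    return messages, buf


def decode_stream(buf: bytes):
    """Frame and parse a TCP buffer; returns (parsed messages, leftover bytes)."""
    frames, leftover = split_tcp_stream(buf)
    return [parse_rfc5424(f) for f in frames], leftover


# Constructed samples: a raw log line and a JSON event. The msgid values RAW/EVENT
# and the [meta class="12"] element are hypothetical, not SGBox's real layout.
RAW_SAMPLE = (
    '<134>1 2024-05-06T10:15:32.000Z sgbox sgbox-forwarder - RAW [meta class="12"] '
    'May  6 10:15:31 srv01 sshd[2214]: Accepted publickey for admin from 10.0.0.5 port 51234'
)
EVENT_SAMPLE = (
    '<134>1 2024-05-06T10:15:33.000Z sgbox sgbox-forwarder - EVENT [meta class="12"] '
    '{"class_id": 12, "event": "logon", "host": "srv01", "user": "admin", "src": "10.0.0.5"}'
)

if __name__ == "__main__":
    msgs, rest = decode_stream(frame_for_tcp(RAW_SAMPLE) + frame_for_tcp(EVENT_SAMPLE))
    for s in msgs:
        kind = "event" if s.event else "raw"
        print(f"{kind:5} sev={s.severity} host={s.hostname} sd={s.structured_data} "
              f"{s.event or s.msg[:40]}")
```

Run it as-is to decode the two samples; against a live configuration, feed each recv() buffer from the socket bound to the configured port into decode_stream() and carry the returned leftover into the next call, so a message split across two segments is still parsed whole.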