2024-06-13 06:26 AM
Hello,
we followed this guide:
https://community.netwitness.com/t5/netwitness-platform-online/configure-syslog-forwarding-to-destination/ta-p/669178
We created two rules in the app rules on the decoder configuration, then we checked the boxes for the alert and the forward options. After that, we enabled the forwarding by navigating to Explore -> Decoder -> Config -> Log Forwarding Destination.
This is the string we used (IP address is obfuscated): destination1=udp:10.x.x.x:514:retainsource
After that, we changed the "logs.forwarding.enabled" setting from false to true. The rules are matching correctly; under the "Investigate" tab, we can see the rules are correctly matching. However, the events are not being forwarded to the external source. When performing a packet dump on the decoder, I see no traffic being forwarded to this destination.
For testing purposes, we used a netcat command and the packet is correctly sent to the destination, indicating that the issue lies with the forwarding configuration or rules.
We don't currently know why it's not working.
2024-06-24 10:59 AM
Can you provide what you typed in for step 1C? I'd like to see what receiver name you used and any other items that you added during the application setup steps.
Can you provide a screenshot of all the parameters as they are currently in your installation? I suspect it is probably something simple like an extra space or a typo.