Configure Syslog Forwarding to Destination

In addition to collecting Syslog messages, you can configure the Log Decoder to forward Syslog messages to another Syslog receiver.

Note: No configuration is necessary to collect Syslog messages on the Log Decoder.

NetWitness forwards Syslog messages after it has parsed the messages and before it writes the messages to the Log Decoder.

Note: You must configure Syslog Forwarding using the steps defined in this topic using the Explore view.

The Log Decoder must be in the Started state before you can configure Syslog Forwarding. To configure Syslog Forwarding:

  1. Configure Log Decoder application layer rules (Application rules) to tag Syslog messages with metadata that instructs NetWitness to forward the messages:

    1. In the Services view, select a Log Decoder, and in the Actions column, select netwitness_actiondd_33x16.png > View > Explore.
    2. Go to the /decoder/config/rules/application node, right-click application, and click Properties.
    3. In the Properties view, specify the add command with the following parameters:

      rule=<query> name=<name>

      Example 1: rule=* name=receiver1

      Example 2: rule="device.type='winevent_nic'" name=receiver)

    4. Click Send.


      NetWitnesscreates the name=receiver1 rule=* order=<n> rule. NetWitness inserts the order number (for example, order=49) based on when you set up the rule.


    5. Go to the /decoder/config/rules/application node and click the name=receiver1 rule=* order=49 rule.
    6. Add alert forward parameters to the rule parameters.

      rule=* name=receiver1 order=49 alert forward


      rule=* name=receiver1 forward

      All other rule parameters have the same meaning as they do in other application rules.

    The following Application rule example selects all logs with the * rule. It creates a transient alert meta with the value "receiver1" and tags the entire log for forwarding it to the syslog forwarding destination. You can define as many different forwarding rules as you need with the same name or unique names.

  2. Define Syslog forwarding destinations and enable forwarding.

    1. In the Services view, select a Log Decoder, and netwitness_actiondd_33x16.png > View > Explore.
    2. Syslog forwarding destinations are defined in the configuration node.


      This configuration node contains one or more name/value pairs. The name corresponds to the name parameter in the application rule that you used to tag logs with forwarding meta. The value is a colon-separated triple of transport, host, and port followed by an optional formatting parameter.


      The first parameter indicates the transport protocol and must be one of udp, tcp, or tls. Specifying udp will forward logs via RFC 3164 / RFC 5426 UDP syslog protocol. Specifying tcp will forward logs via a TCP connection with RFC 6587 framing. Specifying tls will forward logs in accordance with RFC 5425.

      The host is an IPv4 address, IPv6 address, or host name.

      The port is the port to which the logs are sent. This is typically port 514 for UDP syslog, and 6514 for TLS connections. There is no standard port assignment for syslog over TCP.

      Optionally, retainsource or rfc3164 can be specified at the and of the destination string to indicate that additional formatting and information should be included with each log forwarded. Specifying retainsource will include z-connector headers at the beginning of the log based and will be populated by the time, device.(ip|ipv6|host), and lc.cid meta and is best used for forwarding to other log decoders. The rfc3164 option will prepend a valid RFC3164 header to all events forwarded constructed of the syslog.pri, time, and device.(ip|ipv6|host) meta. In both cases, the original log text is unmodified.

      Example forwarding destination:


      Example forwarding over tcp to blackout on port 514 with z-connector headers:


      In the /decoder/config/logs.forwarding.destination parameter, specify the destination. For example:

      TLS Connections: receiver1=tls:receiver1.netwitness.local:6514

      UDP Connections: receiver1=udp:receiver1.netwitness.local:514

      TCP Connections: receiver1=tcp:receiver1.netwitness.local:514


      You can configure:
      - Multiple rules to forward logs to the same destination.
      - Multiple rules to forward logs to multiple destination.
      For TLS connections, the certificate of the forwarding destination must be validated. The certificate authority that signed the destination's certificate must be present in the Log Decoder's CA trust store and the certificate must reside on the destination or Syslog receiver. Refer to "Configure Certificates" in the Log Collection Configuration Guide for information about manipulating the Log Decoder's CA trust store. (Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.)

    3. In the /decoder/config/logs.forwarding.enabled parameter, specify true.