
How to forward syslog data

Syslog is a standard protocol for sending event messages between devices and systems. The DataForwarder service can forward events to a remote Syslog server over UDP or TCP, or in other formats. The steps below show how to configure Syslog forwarding and limit which events are sent.

Authentication

To access the web interface, open a browser and enter the application's IP address or DNS name (for example, https://CyberquestIPAddress). The browser redirects to the CYBERQUEST authentication page:

Login page

Go to Settings > Application Settings and select DataForwarder. Configure the following parameters as needed:

DataForwarder settings

To tune these parameters for performance, see Adjusting DataForwarder Settings.

Add a Filter Rule

To forward only specific events, create a Filter Rule: go to Settings > Rules > Filter Rules.

Filter Rules

Click the add button to create a new rule:

Add filter rule

New filter rule

Define conditions that identify the events to forward (for example, EventID, SrcIP, DestIP, UserName). Click Save.

Add a DA Rule

Add a DA Rule under Settings > Rules > DA Rule to control routing:

DA Rule list

  • Send data to short term storage? - Optionally store events in Online DataStorage for temporary retention.
  • Send to data correlation? - Optionally route events to the Data Correlation service for analysis and insights.
  • Forward Event? - Required: Enable to forward events through the DataForwarder to external systems.
  • Active? - Required: Activate the DA Rule to make it operational.

Click Save.

How to identify forwarded events

  • Syslog events are forwarded without modification.
  • Non-Syslog events are reformatted as Syslog; the DataServer assigns a tag and computer from the description.
  • Events without a description are sent as JSON.
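
A receiver-side check for the message shapes listed above, as an added example that is not part of the CYBERQUEST documentation: it sorts incoming payloads into Syslog lines (with host and tag extracted) and JSON objects, and flags anything else. It assumes RFC 3164-style Syslog lines; the sample messages are constructed, and the JSON field names are borrowed from the filter conditions mentioned earlier, not from a documented schema.

```python
import json
import re
from collections import Counter

# Assumption: Syslog lines follow RFC 3164: <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]{1,32})(?:\[\d+\])?: ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)

def classify(payload: bytes) -> dict:
    """Return the shape of one received message: json, syslog or unparsed."""
    text = payload.decode("utf-8", errors="replace").strip()
    unparsed = {"kind": "unparsed", "raw": text}
    if text.startswith("{"):  # event forwarded without a description
        try:
            event = json.loads(text)
        except ValueError:
            return unparsed
        return {"kind": "json", "event": event} if isinstance(event, dict) else unparsed
    m = SYSLOG_RE.match(text)
    if m is None or int(m["pri"]) > 191:  # PRI = facility * 8 + severity, max 23*8+7
        return unparsed
    pri = int(m["pri"])
    return {"kind": "syslog", "facility": pri >> 3, "severity": pri & 7,
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}

def summarize(payloads) -> Counter:
    """Count message shapes, e.g. to spot a source that only ever arrives as JSON."""
    return Counter(classify(p)["kind"] for p in payloads)

# Constructed sample messages (not captured from a real DataForwarder).
SAMPLES = [
    b"<34>Oct 11 22:14:15 fw01 sshd[4721]: Failed password for admin from 192.0.2.10",
    b"<134>Oct  1 08:00:02 WIN-DC01 Security: EventID=4625 UserName=admin",
    b'{"EventID": 4625, "SrcIP": "192.0.2.10", "UserName": "admin"}',
    b"<999>Oct 11 22:14:15 fw01 sshd: priority out of range",
    b'{"truncated": ',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
    print(summarize(SAMPLES))
```

A steady count of unparsed messages on the receiver usually means the parser's format assumption does not match what is being forwarded, which is worth catching before detections depend on the feed.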