Syslog Forwarder

To send data over Syslog Forwarder:

  1. Go to Manager > Left Navigation Panel > Data > Data Forwarding > New Data Forwarder.

  2. Enter a name for this forwarder.

  3. Mark or define the sources which will be sent via this forwarder.

  4. Set the Scheduler for this forwarder. The default and recommended setting is ‘Send data on arrival’ (real-time).

  5. Create Data Flows on the data (Optional).

  6. Add a new Syslog Forwarder. For each Syslog Forwarder the following should be configured:

    1. Name: The name of the Syslog Forwarder.

    2. Description: The description of the Syslog Forwarder.

    3. Enabled: The Syslog forwarder is enabled by default; uncheck to disable it.

    4. Syslog RFC 3164/5424 Account: Choose the relevant Syslog account for this forwarder. To create a Syslog RFC 3164/5424 Account, follow the article: Creating An Account.

    5. Use data source host: The events will be sent with the log's host.

    6. Facility.

    7. App Name (Optional).

    8. Advanced: It is possible to replace specific characters during forwarding, based on your needs. The replacement is done via regular expression. Two common examples:

      If your logs contain multiline events and you wish to send each event in a single-line format (as some receivers require), you can replace each end of line with a specific separator:

      {
      "replaceAll":"\n|\r",
      "replaceWith": " - "
      }

      The forwarded data will be sent in a single-line format, where the value "-" will be placed at each original end of line.

      Another very powerful example is masking forwarded data. For example, if you have a log with sensitive data such as CC numbers or passwords, it is possible to mask it during forwarding.

      Log event example:
      2020-10-19 11:00:00 David-Whong password=myPassw0rd standard user

      In XpoLog forwarder:

      {
      "replaceAll":"password=[^\s]+|\n|\r",
      "replaceWith": "-***- "
      }

      Forwarded data:
      XPLG:[1603119482000] [user] [INFO] [http://jet.xplg.com ] []: 2020-10-19 11:00:00 David-Whong -***-  standard user

      The password section was replaced with -***- and won't be sent to the receiver.

    9. Active Flows: Use one of the existing flows or send ‘All data’.

  7. Save the Syslog Forwarder.

  8. Data from this Syslog Forwarder will be sent to the configured device.
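
The masking rule in the Advanced step only hides what its regular expression matches, so it is worth checking against sample events before relying on it. The following is an added example, not XpoLog code: it approximates the forwarder's replacement with Python's `re.sub` (an assumption about the regex engine) and runs the page's rule over constructed events. `BROAD_RULE` and the sample events other than the first are hypothetical.

```python
import re

# Rule from the page, written as a Python dict (raw string keeps the regex as-is).
PAGE_RULE = {"replaceAll": r"password=[^\s]+|\n|\r", "replaceWith": "-***- "}

# Hypothetical broader rule (not from the page): case-insensitive, several key
# names, '=' or ':' separators, and quoted values that contain spaces.
BROAD_RULE = {
    "replaceAll": r'(?i)"?(?:password|passwd|pwd)"?\s*[=:]\s*(?:"[^"]*"|\S+)',
    "replaceWith": "-***- ",
}

# Constructed sample events, each paired with a fragment of the secret it carries.
# Only the first event is the one shown on the page.
SAMPLES = [
    ("2020-10-19 11:00:00 David-Whong password=myPassw0rd standard user", "myPassw0rd"),
    ('2020-10-19 11:00:01 David-Whong password="correct horse" standard user', "horse"),
    ("2020-10-19 11:00:02 David-Whong Password=Winter2020 standard user", "Winter2020"),
    ('2020-10-19 11:00:03 {"user": "David-Whong", "password": "s3cret"}', "s3cret"),
]


def apply_rule(rule, event):
    """Approximate the forwarder's replaceAll/replaceWith using re.sub."""
    return re.sub(rule["replaceAll"], rule["replaceWith"], event)


def leaks(rule, samples):
    """Return the masked events in which the secret is still visible."""
    leaked = []
    for event, secret in samples:
        masked = apply_rule(rule, event)
        if secret in masked:
            leaked.append(masked)
    return leaked


if __name__ == "__main__":
    for name, rule in (("page rule", PAGE_RULE), ("broad rule", BROAD_RULE)):
        leaked = leaks(rule, SAMPLES)
        print(f"{name}: {len(leaked)} of {len(SAMPLES)} events still expose a secret")
        for line in leaked:
            print("   ", line)
```

The page's rule masks its own example but leaves quoted values with spaces, a capitalised key and JSON-style `"password": ...` fields readable; it also writes the mask string in place of every line ending, because `\n|\r` shares the same `replaceWith`.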