Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Command Center for Security 6.2.

Setting up network forwarders to send messages to a remote server


An important function of the server is to forward messages to other locations. This permits BMC Defender Server to operate as a collector in a larger management strategy.

For example, one of the main reasons for forwarding messages is to support multitier management as a method of scaling or organizing data. One common multitier strategy is to send all syslog messages to a central collector, keep some of the data locally, and send other parts of the data to a higher-level collector. In the case of BMC Defender Server, the operator simply configures the correlation rules and alerting for a single BMC Defender Server site, and then forwards ticket information to a higher-level manager. That manager is not necessarily another copy of BMC Defender Server. This permits massive scaling of information when multiple servers exist in an enterprise.

In this scenario, each copy of BMC Defender Server is responsible for a particular class of device, department, user set, or other logical partition of data. Correlated results are forwarded up to a top-level manager.

This strategy supports massive scaling of CPU and disk resources. Additionally, this type of distributed system keeps the data segregated (which might be an important security concern) and reduces network congestion and traffic by limiting the distance over which messages must transmit.

Note

BMC Defender Server is especially well suited for this management strategy because it installs quickly, is completely web-based, and can co-exist with other software systems (reducing the need to buy hardware or install appliances). This type of strategy can easily accommodate applications that require many hundreds of thousands of events per second, involving potentially millions of devices and users.

You set up message forwarding by adding network forwarders and message forwarding rules:

  • Network forwarders are clients that connect to a remote server and send messages to it. Network forwarders connect by using a server’s IP address and port number. 
  • Message forwarding rules are user-defined filters that control which messages the forwarders send. 

Use network forwarders to send messages based on message forwarding rules. Use the following procedures in the order shown to add network forwarders and then add message forwarding rules.
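As an added illustration (not BMC's code, and not the product's configuration format), the following Python sketch models the two pieces described above: forwarders addressed by IP and port, and user-defined rules that filter which messages each forwarder sends, with unmatched messages staying local. The forwarder names, rule patterns, collector addresses and sample syslog lines are all constructed.

```python
import re
import socket
from dataclasses import dataclass, field


@dataclass
class NetworkForwarder:
    """Hypothetical model of a network forwarder: a client that sends
    messages to a remote collector identified by IP address and port."""
    name: str
    host: str
    port: int
    sent: list = field(default_factory=list)  # stand-in for the wire

    def send(self, line, sock=None):
        self.sent.append(line)
        if sock is not None:  # real UDP syslog delivery only when a socket is supplied
            sock.sendto(line.encode(), (self.host, self.port))


@dataclass
class ForwardingRule:
    """User-defined filter: messages matching `pattern` go to `forwarder`."""
    pattern: str
    forwarder: NetworkForwarder

    def matches(self, line):
        return re.search(self.pattern, line) is not None


def forward(lines, rules):
    """Apply every rule to every message; a message matching no rule is kept
    locally. Returns {forwarder name: [messages sent]} for inspection."""
    for line in lines:
        for rule in rules:
            if rule.matches(line):
                rule.forwarder.send(line)
    return {r.forwarder.name: list(r.forwarder.sent) for r in rules}


# Constructed sample messages (not from the original page).
SAMPLE_LINES = [
    "<134>Jan 10 12:00:01 fw-edge-1 %ASA-6-302013: Built inbound TCP connection",
    "<38>Jan 10 12:00:02 host-42 sshd[811]: Failed password for invalid user admin from 10.0.0.9",
    "<30>Jan 10 12:00:03 host-42 cron[22]: session opened for user root",
    "<134>Jan 10 12:00:04 fw-edge-2 %ASA-4-106023: Deny tcp src outside:203.0.113.7",
]


def demo():
    # Lower tier keeps cron noise local; firewall events go to a firewall-class
    # collector, auth failures up to the top-level manager (placeholder addresses).
    fw_tier = NetworkForwarder("firewall-tier", "192.0.2.10", 514)
    top = NetworkForwarder("top-level-manager", "192.0.2.20", 514)
    rules = [ForwardingRule(r"%ASA-\d-\d+", fw_tier),
             ForwardingRule(r"sshd\[\d+\]: Failed password", top)]
    return forward(SAMPLE_LINES, rules)
```

Running `demo()` forwards the two firewall lines to one collector and the single authentication failure to the other, while the cron line is never sent anywhere.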


Tip

These procedures provide a way to forward large amounts of data to another server or syslog collector. Consider the following alternatives if you need to send data more selectively:

  • Message forwarding using Correlation actions—The operator can configure one or more Correlation > Action programs to selectively forward raw message information to another syslog server using either syslog or SNMP. These forwarders provide more flexibility than the Messages > Config > Forwarding screen, including the ability to reformat messages and match very precise conditions. However, this technique should not be used to forward large amounts of data, since over-use of this function can overload the action queue. Generally, this technique can forward a maximum of 10 to 50 messages a second and is best suited to occasionally occurring events.
  • Ticket forwarding using actions—The operator can configure one or more Ticket > Action programs to forward BMC Defender Server tickets using a variety of techniques, including syslog and SNMP. (These are discussed in BMC-Defender-Server-automation.) The same flexibility and limitations apply to ticket forwarding as to message forwarding, as described above. This type of forwarding is especially useful in two-tier management strategies, as discussed above.
