Setting up a network forwarder
To add a network forwarder
Complete the following procedure for each network forwarder that you want to use:
- Navigate to the System > Network > Config page.
If no forwarders are configured, the following page is displayed:
After you configure forwarders, the page displays the forwarders and statistics about the sent messages. Click Add New Forwarder.
The following page is displayed for a new forwarder:
- (Optional) On the Add Network Forwarder page, enter a description (up to 80 characters) to distinguish the network forwarder from others.
The description is displayed on pages where you can select from a list of configured forwarders.
If you leave the Description box empty, the product assigns a default description in the following format: protocol:ipAddress:portNumber
- From the Enable list, select one of the following options:
Option
Description

Disable
    Disables message forwarding.
    This is the default value. Use it while you troubleshoot the system and want to keep the configured forwarder so that you can enable it again later.

Forward
    Sends the message to the forward destination with the original time and IP address.
    On the receiving end, the message is displayed as if it were sent from the forwarder and contains the original IP address of the message origin. The message carries the time at which it was originally received and the original IP address, in the following format:
    <priority> originalTime originalIP message
    Use this option to provide messages that are compatible with syslog-ng, which you can use with BMC or third-party syslog receivers.

Relay
    Sends a message to the forward destination with the original IP address, a relay flag, and the original message.
    When another instance of BMC Defender SIEM Correlation Server or BMC AMI Command Center for Security receives the message, it displays the message as though it came directly from the original source. The message has the following format:
    ipaddr://ipAddress relay://<priority> message
    Use this option to clone data to another instance of BMC Defender SIEM Correlation Server or BMC AMI Command Center for Security. For more information, see Setting-up-a-network-listener-to-receive-messages-from-a-remote-server.

Relay-Enc
    Short for relay-encoding; sends the entire message through the regular encoding of the product.
    On the receiving end, the product decodes the message and, like the Relay option, displays it as though it came directly from the original source.
    Use this option only when the destination is BMC Defender SIEM Correlation Server or BMC AMI Command Center for Security. Any other receiver displays the encoded message as a string of unreadable characters.

Fwd-3164
    Similar to the Forward option; sends the message and includes the forwarder's host name and the date and time at which the message was forwarded.
    The message has the following format:
    <priority>relayTime relayHost originalTime originalIP message

Proxy
    Sends an exact copy of the received message.
    The receiver sees a copy of the message as it was originally received. If the message was encoded, it remains encoded. The message contains no indication of its origin.
- From the Protocol list, select one of the following network protocols:
- UDP (default)
- TCP
- TCP-TLS—See Setting-up-a-TLS-connection-for-TCP-listeners-and-forwarders to complete the TLS options.
- In the IP Address box, enter the remote server's IP address for the connection and message delivery.
For the address, use Internet Protocol version 4 (IPv4) format.
- In the Port box, enter the port number of the remote server for the connection and message delivery.
- Select a Message Framing character option:
- CR—Carriage return (default)
- LF—Line feed
- CRLF—Carriage return plus line feed
- NULL—Null character
- OCTET—Octet counting (each message is preceded by its length in bytes)
- None
Use the framing that the remote receiver is configured for. If the two sides disagree, the receiver either runs consecutive messages together into one or splits a single message into several.
- In the Message Buffer Size box, adjust the number of messages to buffer if the forwarder loses its connection with the remote server.
If the maximum number of messages is reached, new messages replace the oldest messages, which are discarded and not forwarded. The number of messages you can buffer depends on system resources and the number of forwarders in use; each forwarder has its own, independent buffer.
The range is from 1,000 to 20,000,000 messages.
(SPE2110) The default value is 100,000.
(Before SPE2110) The default value is 1,000,000.
- (SPE2210) (For TCP and TCP-TLS protocols) From the Restart Forwarder Connections option, select Yes (default) to automatically restart a broken connection between the network forwarder and the remote server, and modify the following options as required:
- Connection Retry Delay—Number of seconds to wait between attempts to reconnect
Valid values are 1 to 3600. The default value is 5.
- Max Connection Retries—Maximum number of attempts to reconnect
Valid values are 0 to 50. The default value is 0, which means there is no limit to the number of connection attempts.
- (SPE2210) (For TCP and TCP-TLS protocols) From the Use Failover Address option, select Yes to move the message traffic to a backup server if the primary connection is broken. Modify the following options as required:
- Retry Primary Before Failover Count—Number of attempts to reconnect to the primary server before attempting to connect to the failover server
Valid values are 0 to 50. The default value is 0, which means that no attempt is made to reconnect to the primary server; the system immediately attempts to connect to the failover server.
- Attempt to Revert to Primary Delay—Number of seconds to wait before attempting to connect to the primary server again
Valid values are 1 to 86400. The default value is 60.
- Failover IP Address—IP address or host name of the failover server to which the forwarder connects and sends messages
For the address, use Internet Protocol version 4 (IPv4) format.
- Failover Port—Port number of the failover server to which the forwarder connects and sends messages
Valid values are 1 to 65535.
- (For TCP and TCP-TLS protocols) From the Enable Two-Way Messages option, select Yes to receive messages from the BMC AMI Datastream product.
- (For TCP and TCP-TLS protocols) From the Enable TCP Keepalive option, select Yes to detect network connection issues with a remote server quickly.
Adjust the following parameters as required:

Parameter
Description

TCP Keepalive Interval
    Wait time in milliseconds to receive a message from a peer before sending another TCP keepalive packet.
    Valid values are 100 to 20,000,000. The default value is 1,000.

TCP Keepalive ACK Timeout
    Wait time in milliseconds for the remote peer to acknowledge receipt of a sent TCP keepalive packet. The system uses this timeout to determine whether the remote peer is still connected.
    Valid values are 100 to 20,000,000. The default value is 1,000.

TCP Socket Send Timeout
    Maximum wait time in milliseconds for the operating system's network stack to send a TCP data packet.
    Valid values are 100 to 20,000,000. The default value is 1,000.

TCP Socket Receive Timeout
    Maximum time in milliseconds for an incoming TCP packet to be fully received.
    Valid values are 100 to 20,000,000. The default value is 1,000.

On high-latency links, set the keepalive ACK timeout comfortably above the round-trip time to the remote server; otherwise the forwarder treats healthy connections as broken and keeps tearing them down and restarting them.
- (For TCP and TCP-TLS protocols) From the Persistent TCP Connection option, select Yes to establish an immediate connection with the remote server, without requiring a message filter or two-way messaging.
- Optionally, enter a Message Forwarding UDP Port number that accepts forwarded messages.
- Click Save.
The Network Forwarder list displays the new forwarder, which is now ready to use.
When you save your changes, the product updates the values in all places where the forwarder is displayed.
You might need to wait a few minutes for the settings to become active.
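What the receiving end sees, as an added example that is not part of this page or the product: a small Python receiver-side helper that splits a TCP stream according to the Message Framing option and then recognizes the Forward, Relay, Fwd-3164 and Proxy output formats listed under the Enable option, recovering the original source IP where the format carries one. The timestamp layout (YYYY-MM-DD HH:MM:SS), the sample event, the relay host name and the IP addresses are constructed for illustration; Relay-Enc uses a product-specific encoding and is not modeled.

```python
"""Receiver-side view of a network forwarder (added example, not product code).

Assumptions made for illustration: originalTime/relayTime use a
YYYY-MM-DD HH:MM:SS layout, the PRI stays at the front of the message
text, and the sample event and addresses are constructed.
"""
import re

# Delimiter framings from the Message Framing option; OCTET and None are handled separately.
DELIMITERS = {"CR": b"\r", "LF": b"\n", "CRLF": b"\r\n", "NULL": b"\x00"}


def frame(messages, framing):
    """Serialize messages onto a TCP stream the way a forwarder with this framing would."""
    if framing == "OCTET":            # octet counting: "<length><space><message>"
        return b"".join(b"%d %s" % (len(m), m) for m in messages)
    if framing == "None":             # no boundary marker at all
        return b"".join(messages)
    return b"".join(m + DELIMITERS[framing] for m in messages)


def unframe(stream, framing):
    """Split a received TCP stream into messages using the receiver's framing setting."""
    if framing == "OCTET":
        out, pos = [], 0
        while pos < len(stream):
            sp = stream.index(b" ", pos)
            length = int(stream[pos:sp])
            out.append(stream[sp + 1:sp + 1 + length])
            pos = sp + 1 + length
        return out
    if framing == "None":
        return [stream]               # the receiver has no way to find message boundaries
    return [m for m in stream.split(DELIMITERS[framing]) if m]


def framing_roundtrip(sender, receiver):
    """How many of two framed messages a receiver configured for `receiver` recovers."""
    return len(unframe(frame([b"<13>one", b"<13>two"], sender), receiver))


def build(option, pri, orig_time, orig_ip, body, relay_time, relay_host):
    """Emit the wire format documented for each Enable option."""
    if option == "Forward":
        return f"<{pri}> {orig_time} {orig_ip} {body}"
    if option == "Relay":
        return f"ipaddr://{orig_ip} relay://<{pri}> {body}"
    if option == "Fwd-3164":
        return f"<{pri}>{relay_time} {relay_host} {orig_time} {orig_ip} {body}"
    if option == "Proxy":
        return f"<{pri}>{body}"       # exact copy of what the forwarder received
    raise ValueError(f"unsupported or opaque option: {option}")


TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"   # assumed timestamp layout
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Fwd-3164 is tried before Forward: if relayHost were an IP address, the Forward
# pattern would otherwise match the relay fields and report the relay as the origin.
PATTERNS = [
    ("Relay",    re.compile(rf"^ipaddr://(?P<ip>{IP}) relay://<(?P<pri>\d+)>\s?(?P<msg>.*)$")),
    ("Fwd-3164", re.compile(rf"^<(?P<pri>\d+)>\s?{TS} \S+ (?P<time>{TS}) (?P<ip>{IP}) (?P<msg>.*)$")),
    ("Forward",  re.compile(rf"^<(?P<pri>\d+)>\s?(?P<time>{TS}) (?P<ip>{IP}) (?P<msg>.*)$")),
]


def parse(line):
    """Classify a received line; return PRI, origin IP and original time where the format carries them."""
    for option, pat in PATTERNS:
        m = pat.match(line)
        if m:
            return {"option": option, "time": None, **m.groupdict()}
    m = re.match(r"^<(?P<pri>\d+)>(?P<msg>.*)$", line)   # Proxy copy, or something unknown
    return {"option": "Proxy", "pri": m["pri"] if m else None, "ip": None, "time": None,
            "msg": m["msg"] if m else line}


# Constructed sample: one event received from 192.0.2.10, relayed by a host named siem01.
PRI, ORIG_TIME, ORIG_IP = 13, "2024-05-01 12:00:00", "192.0.2.10"
BODY = "sshd[211]: Accepted publickey for ops from 198.51.100.7"
RELAY_TIME, RELAY_HOST = "2024-05-01 12:00:05", "siem01"


def demo():
    """Parse what each Enable option would put on the wire for the sample event."""
    return {opt: parse(build(opt, PRI, ORIG_TIME, ORIG_IP, BODY, RELAY_TIME, RELAY_HOST))
            for opt in ("Forward", "Relay", "Fwd-3164", "Proxy")}


if __name__ == "__main__":
    for opt, fields in demo().items():
        print(f"{opt:9} origin={fields['ip']} time={fields['time']}")
    print("CR->CR:", framing_roundtrip("CR", "CR"), " CR->LF:", framing_roundtrip("CR", "LF"))
```

Two points the table alone does not make obvious come out when you run it: only Forward, Relay and Fwd-3164 let a downstream parser recover the device that actually produced the event (Proxy yields no origin at all, so receiver-side rules keyed on source IP will attribute those events to the forwarder), and a framing mismatch does not raise an error anywhere; the receiver silently gets one message where the forwarder sent two.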
To set a network forwarder for response request messages
Response request messages require you to configure a network forwarder that enables communication from BMC AMI Command Center for Security to BMC AMI Datastream for z/OS. Configure a network forwarder for response requests with the following settings:
- Enable set to Forward
- Protocol set to TCP or TCP-TLS. Make sure that you coordinate the protocol with the TLS parameter setting of the AUTOMATE statement in the BMC AMI Datastream for z/OS $$$AUTO member.
- Message Framing set to NULL
- Message Buffer Size set to 10000
- Enable Two-Way Messages set to Yes
- Persistent TCP Connection set to Yes
- Message Forwarding UDP Port set to any available and unused port on the local Windows system
After a network forwarder is successfully saved, the specified Message Forwarding UDP Port opens on the local Windows system on which BMC AMI Command Center for Security is running. The open UDP port facilitates interprocess communication within the product and listens for internally sourced messages. Because the port is intended for local use only, confirm after saving that it is not reachable from other hosts: check the listening address with netstat -ano -p UDP and, if the port is bound to all interfaces rather than to the local address, restrict it to the local system with a host firewall rule.
For more information about response requests, see Sending-response-requests-to-BMC-AMI-Datastream.
Where to go from here
After you set up network forwarders, you can perform one or more of the following tasks:
- Set up message forwarding rules to send messages based on specified criteria. Ensure that Enable is selected in the message forwarding rules.
- Use the BMC Defender Thread Forwarder adapter to send messages to selected correlation threads.
- (Administrators) Configure an Automated Response request by initiating actions with Automated Response alerts.
- (Administrators) Create a Manual Response request by initiating actions with Manual Response.