Message forwarding

Setting up message forwarding (version 5.9.02)

You can use network forwarders to send messages based on message forwarding rules. Use the following procedure to configure the forwarding rules.

Before you begin

Ensure that you have set up network forwarders.

To configure message forwarding rules

  1. Navigate to the Messages > Config > Forwarding page.
    If no forwarding rules are configured, the page shows an empty rule list.
  2. Click Add New Forwarding Rule, or click Edit to reconfigure an existing forwarding rule.
    The form for a new forwarding rule is displayed.
  3. From the Enable list, select the option that enables the rule.
  4. From the Forwarder list, select the network forwarder to use for forwarding messages.
  5. (Optional) Using one or more of the following fields, specify filters to determine whether to forward a message:

    • Match Facility
    • Match Severity
    • Match Keyword
    • Match Address Group
    • Message Prefix

    Messages that match the filters are forwarded, and the product tests the filters in the order presented.

  6. Click Save.
    The Message Forwarding Rules list displays the new rule, which is now ready to use.
Example

The following example shows three configured rules:

  • Server name TCP:10.10.218.96:5003 forwards messages only if they match the Security syslog facility and have the keyword ssh in the message text.
  • Server name TCP:198.168.43.16:269 forwards messages only if they match the Local4 facility and have the severity field set to info or Informational.
  • Server name UDP:198.168.44.51:3399 applies no filters. The product forwards all messages to the configured receiver.

BMC Defender Server captures and catalogs all messages, regardless of the forwarding rules.
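The rule evaluation described above, worked through in code. This is an added illustration, not BMC Defender Server code: it decodes the standard syslog PRI header into facility and severity, then applies the three example rules in order, assuming that every populated filter on a rule must match (the Match Address Group and Message Prefix filters are left out because the page does not describe their matching).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Standard syslog codes (RFC 3164: PRI = facility * 8 + severity).
FACILITIES = {"security": 4, "local4": 20}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(raw: str):
    """Split a '<PRI>text' syslog line into (facility, severity, text)."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing PRI header")
    pri = int(m.group(1))
    if pri > 191:                       # 23 facilities * 8 + 7 is the maximum
        raise ValueError("PRI out of range")
    return pri >> 3, pri & 7, m.group(2)


@dataclass
class ForwardingRule:
    forwarder: str                      # the Forwarder selected for the rule
    enabled: bool = True
    match_facility: Optional[str] = None
    match_severity: Optional[str] = None
    match_keyword: Optional[str] = None

    def matches(self, facility: int, severity: int, text: str) -> bool:
        # Assumption: all populated filters must match; an empty filter matches everything.
        if not self.enabled:
            return False
        if self.match_facility and FACILITIES[self.match_facility] != facility:
            return False
        if self.match_severity and SEVERITIES[self.match_severity] != severity:
            return False
        if self.match_keyword and self.match_keyword.lower() not in text.lower():
            return False
        return True


# The three rules from the example above.
RULES = [
    ForwardingRule("TCP:10.10.218.96:5003", match_facility="security", match_keyword="ssh"),
    ForwardingRule("TCP:198.168.43.16:269", match_facility="local4", match_severity="info"),
    ForwardingRule("UDP:198.168.44.51:3399"),       # no filters: forwards everything
]


def select_forwarders(raw: str, rules=RULES) -> List[str]:
    """Return the forwarders whose rules match, tested in the order listed."""
    facility, severity, text = parse_pri(raw)
    return [r.forwarder for r in rules if r.matches(facility, severity, text)]
```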

Message forwarding (version 5.9.01)

An important function of the server is to forward messages to other locations. This permits BMC Defender Server to operate as a collector in a larger management strategy. The system includes support for four general-purpose message forwarders and an additional forwarder for each Aux file on the system.

As an operator, you can configure message forwarding to another syslog server.

To configure message forwarding to another syslog server

  1. Navigate to the Messages > Config > Forwarding page.
  2. Click Add New Forwarding Rule to configure a new forwarding rule, or click Edit to reconfigure an existing forwarding rule.
  3. Set the destination addresses for the syslog messages, and enable the forwarding using one of several different modes as follows:
    • Enable Relay—This forwarding mode is mainly useful for forwarding messages to another BMC Defender Server. The setting causes the messages to be forwarded to the specified Send To destination, where the original IP address of the device is preserved as part of the message. This setting is usually useful only if the destination address is another BMC Defender Server since it relies on the special BMC Defender Server message prefix notation to preserve the original device IP address.
    • Enable Relay-ENC—This forwarding mode is identical to the Relay option as discussed, except messages are encrypted using BMC Defender Server basic pseudo-one-time pad encryption, enhancing security. This setting is useful only if the destination address is another BMC Defender Server.
    • Enable Forward—This forwarding mode causes the messages to be forwarded to an arbitrary Send To destination, where the original IP address of the device that sent the message is included as the first word of the message. This setting is mainly useful when messages are forwarded to a third-party SIEM system or data collector.
    • Enable Proxy—This forwarding mode is similar to the Enable Forward setting as discussed, except the message is sent without any modification to the header. No hostname or time value is inserted into the message, and no simple formatting (such as removing tab characters) is applied to it. This setting has application in certain situations such as element managers, or certain test situations.

When a forwarder is configured in one of the Msg-01 to Msg-04 slots, any message that appears in the Messages > Search screen is automatically forwarded. All four of these forwarders are identical and can forward messages to four different syslog receivers.

When a forwarder is configured in one of the Aux-01 to Aux-16 slots, only the messages that are logged in the corresponding Auxiliary file (as assigned in the Messages > Config > Filters screen) are forwarded.

Example

If the operator wants to direct all the messages of a firewall to another syslog receiver or BMC Defender Server system, the operator filters these messages to the Aux-1 file, and then forwards the messages onward by configuring the Aux-1 forwarder.
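The Aux-file dispatch and the Forward/Proxy modes from this section, as an added model that is not BMC Defender Server code. It assumes a constructed filter table that files messages into Aux files by sender IP, treats Msg slots as forwarding every message, and prepends the sender IP (plus tab cleanup) only in Forward mode; the Relay modes are omitted because their prefix notation is not described on the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Forwarder:
    slot: str      # "Msg-01".."Msg-04" forwards everything; "Aux-01".."Aux-16" only its file
    mode: str      # "forward" or "proxy" (relay modes not modelled)
    send_to: str   # Send To destination


def assign_aux_files(sender_ip: str, aux_filters: Dict[str, List[str]]) -> List[str]:
    """Constructed stand-in for the Messages > Config > Filters screen."""
    return [aux for aux, sources in aux_filters.items() if sender_ip in sources]


def format_payload(mode: str, sender_ip: str, raw: str) -> str:
    if mode == "forward":
        # Forward: original device IP becomes the first word; simple cleanup such as
        # tab removal is applied (assumption: tabs become single spaces).
        return f"{sender_ip} {raw.replace(chr(9), ' ')}"
    if mode == "proxy":
        # Proxy: no header modification and no formatting; pass through unchanged.
        return raw
    raise ValueError(f"unsupported mode {mode!r}")


def dispatch(sender_ip: str, raw: str, forwarders: List[Forwarder],
             aux_filters: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (destination, payload) pairs for every forwarder that fires."""
    aux_files = assign_aux_files(sender_ip, aux_filters)
    out = []
    for fwd in forwarders:
        if fwd.slot.startswith("Msg-") or fwd.slot in aux_files:
            out.append((fwd.send_to, format_payload(fwd.mode, sender_ip, raw)))
    return out


# Constructed configuration: the firewall at 192.0.2.1 is filed into Aux-01,
# which has its own forwarder; Msg-01 proxies everything to a second receiver.
AUX_FILTERS = {"Aux-01": ["192.0.2.1"]}
FORWARDERS = [
    Forwarder("Msg-01", "proxy", "UDP:203.0.113.10:514"),
    Forwarder("Aux-01", "forward", "TCP:203.0.113.20:5003"),
]
```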
