
Action - Forward to another host

Created by Dhalia Turiaga, last modified by Erin Stenzel on Dec 14, 2016


Updated July 21, 2016 

Overview

This will forward the received message to another Syslog host using the UDP or TCP syslog protocol.

Environment

Kiwi Syslog 9.x

Server: Windows Server 2012, 2012 R2, 2008, 2008 R2, 2003, 2003 R2 
Workstation: Windows 8.1, 8, 7, Vista, XP

Steps

Destination IP address or hostname

This is where you specify the remote host IP address or hostname to forward the messages to.

You can send messages to multiple hosts by separating each hostname or IP address with a comma.

For example: Myhost.com, SecondHost.net, 203.75.21.3, ABC:567:0:0:8888:9999:1111:0


Protocol

Syslog messages can be sent using UDP (default), TCP, or KRDP.

The Kiwi Reliable Delivery Protocol (KRDP) works between two Kiwi Syslog Servers to reliably deliver syslog messages over a TCP transport.


New Port

This specifies the port number to send the message to. Recommended values are:

UDP: Port 514
TCP: Port 1468 or port 601
KRDP: Port 1468


New Facility/New Level

This allows you to force all outgoing messages to use a new Facility or Level. In most cases this option should be set to "- No change -". This will forward messages with the same Facility and Level that they arrived with.


KRDP connection identifier

This specifies the unique name assigned to the KRDP connection. Each connection between the source and destination syslog Server needs to be identified. When the connection is broken and re-established, the sequence numbers can be exchanged and any lost messages can be resent. A separate set of message sequence numbers is kept for each connection identifier.

Examples are: Source:RemoteOffice1 or SyslogServer1

The string of text used will uniquely identify the source of the connection to the destination syslog Server.

If you have more than one "Forward to another host" action configured, you can use the same connection identifier on all actions. This means that only a single KRDP connection is made between the source and destination syslog Servers. If you specify a different connection identifier, multiple KRDP sessions will be created.

To ensure that the identifier is unique, we recommend the use of the %MACAddress variable. This variable will be replaced by the first MAC address of the machine.

Examples are: Source:RemoteOffice1-%MACAddress

When running, the ID would look like: Source:RemoteOffice1-AA-BB-CC-DD-EE-FF-00

The MAC address is globally unique to each network card.


Send with RFC3164 header information

This will add the standard RFC3164 header information to the outgoing message. The format is:

<Priority>Date Hostname PID Message text

The Priority is a value between 0 and 191.

The Date is in the format Mmm DD HH:NN:SS (for example, Jul  4 12:44:39). Note that no year is specified.

The PID is a program identifier up to 32 characters in length.

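As an added example (not Kiwi's own code), the following Python builds an RFC3164-framed message in the format described above and parses one back on the receiving side, splitting the Priority into facility and severity, rejecting values above 191, and supplying the year that the header does not carry. The hostname, program name and message text are constructed samples.

```python
import re
from datetime import datetime

# RFC3164 facility and severity codes; PRI = facility * 8 + severity, so 0..191.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "local0": 16, "local1": 17, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# <Priority>Mmm DD HH:NN:SS Hostname Program[pid]: text  (day space-padded, no year)
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<mon>[A-Z][a-z]{2}) (?P<day>[ \d]\d) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^ :\[]{1,32})(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<text>.*)$",
    re.DOTALL,
)


def build_message(facility: str, severity: str, when: datetime,
                  hostname: str, program: str, text: str) -> str:
    """Sender side: frame text with an RFC3164 header."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    # Day of month is right-aligned in a two-character field ("Jul  4"); no year is sent.
    timestamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{pri}>{timestamp} {hostname} {program[:32]}: {text}"


def parse_message(line: str, year: int) -> dict:
    """Receiver side: split the header back out, rejecting out-of-range PRI values."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("no RFC3164 header found")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRI {pri} outside 0..191")
    # The header carries no year, so the receiver must supply one (mind year boundaries).
    when = datetime.strptime(
        f"{year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": when,
            "hostname": m["host"], "program": m["program"],
            "pid": int(m["pid"]) if m["pid"] else None, "text": m["text"]}


# Constructed sample: the page's example timestamp applied to a made-up host and message.
SAMPLE_TIME = datetime(2016, 7, 4, 12, 44, 39)
SAMPLE_LINE = build_message("local0", "info", SAMPLE_TIME, "router1", "sshd", "link down")
```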

Retain the original source address of the message

Normally, the syslog protocol is unable to maintain the original sender's address when forwarding/relaying syslog messages. This is because the sender's address is taken from the received UDP or TCP packet.

The way Kiwi Syslog gets around this problem is to place tags in the message text that contain the original sender's address. By default, the tag looks like Original Address=192.168.1.1. That is, the "Original Address=" tag, followed by the IP address, followed by a space delimiter.

These tags are only inserted if the "Retain the original source address of the message" option is checked.

These tags can also be overridden by way of two registry settings, named OriginalAddressStartTag and OriginalAddressEndTag.

For more information on overriding the default originating address start and end tags, please see Originating Address - Custom Start and End tags.

Note: If the "Spoof Network Packet" option is used, then the "Original Address=" tag will not be used. The Syslog packet will be forwarded to the destination address as though it had been sent from the originating IP address.


Use a fixed source IP address

This option will use a fixed IP address in the Original Address= tag. This can be useful when you want to identify all outgoing messages as coming from a particular host, for example if you have many remote syslog Servers sending messages to one central location. If each of the remote syslog Servers uses the 10.0.0.x address range, all the received messages will appear to come from the same host. Specifying a different source IP address for each remote syslog Server helps to identify the incoming messages.

Note: If the "Spoof Network Packet" option is used, then the "Original Address=" tag will not be used. The Syslog packet will be forwarded to the destination address as though it had been sent from the specified fixed IP address.

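An added example (not Kiwi's own code) showing how the Original Address= tag described under "Retain the original source address of the message", and the fixed-address variant described just above, can be inserted by a relay and recovered by a receiver. It assumes the tag sits at the start of the message text; the alternative start/end tags and the addresses used are constructed samples, and only the registry value names come from the page.

```python
from ipaddress import ip_address

# Kiwi's defaults: "Original Address=" followed by the address and a space delimiter.
# The page names OriginalAddressStartTag / OriginalAddressEndTag as the registry
# overrides; the alternative tag values used in the tests are made up.
DEFAULT_START_TAG = "Original Address="
DEFAULT_END_TAG = " "


def tag_original_address(text: str, address: str,
                         start_tag: str = DEFAULT_START_TAG,
                         end_tag: str = DEFAULT_END_TAG) -> str:
    """Relay side: prefix the message text with the sender's address, or with the
    fixed address configured under "Use a fixed source IP address"."""
    ip_address(address)  # raises ValueError unless it is a valid IPv4/IPv6 literal
    return f"{start_tag}{address}{end_tag}{text}"


def extract_original_address(text: str,
                             start_tag: str = DEFAULT_START_TAG,
                             end_tag: str = DEFAULT_END_TAG):
    """Receiver side: return (original address or None, text with the tag removed).

    Anything between the tags that does not parse as an IP address is left in
    place and treated as ordinary message content."""
    if not text.startswith(start_tag):
        return None, text
    body = text[len(start_tag):]
    end = body.find(end_tag)
    if end < 0:
        return None, text
    candidate = body[:end]
    try:
        ip_address(candidate)
    except ValueError:
        return None, text
    return candidate, body[end + len(end_tag):]
```

The tag is plain text, so any device that knows the tag format can claim an arbitrary origin; honour it only on messages received from relays you trust.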

Spoof Network Packet

This feature is only available in the licensed version and requires WinPcap 4.1 or later to be installed.

This option only applies to syslog messages forwarded via the UDP protocol to IPv4 addresses.

The network packet will be spoofed to appear as though the forwarded message has come directly from the originating device's IP address, and not the address of the Syslog Server. Kiwi Syslog Server will use the Selected Network Adapter to send the spoofed UDP/IP packet.

Important Note:

This option also requires that WinPcap version 4.1 or above is installed. WinPcap (Windows Packet Capture library) is available for download from: WinPcap, The Packet Capture and Network Monitoring Library for Windows (© 2016 VMware, Inc., available at http://www.winpcap.org/, obtained on July 21, 2016.)


Test button

Use the Test button to send a test Syslog message to the host(s) specified.

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment. You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.
