Configuring Log-Message Forwarding

For an introduction to Log-Message Forwarding, see What is Log-Message Forwarding?.

To configure TLC to forward log messages to one or more Forwarding Destinations:

1. In the side bar, select Resources >Configuration ManagerConfiguration Manager.
2. In the side bar of the Configuration Manager, select ResourcesResources >ManagersManagers.
3. In the workspace, double-click the Manager.
4. Select the Advanced Settings tab.
5. To specify the Forwarding Destination(s):
a. ClickAddAdd. TLC adds a row to the Advanced Options table.
b. In the new row, mouse over the Advanced Option column to display the drop-down arrow.
c. Select Log-Message Forwarding - Destinations from the drop-down.
d. In the Value column, enter:

<ip_address>:<port>:<protocol>

Where: 

<ip_address> is the IP address of a Forwarding Destination,

<port> is the Forwarding Destination port to which log messages will be forwarded, and

<protocol> is the communication protocol to be used to forward log messages (either TCP or UDP).

Note 

UDP is faster than TCP. However, TCP is more reliable and secure.

To enter multiple Forwarding Destinations, separate the destinations with commas. For example:

172.10.0.2:1468:tcp,172.10.0.3:1468:tcp

e. Click Apply. TLC sends a test message to the Forwarding Destination(s) and presents a dialog summarizing the test results. If the test is unsuccessful, TLC will not save your entry. Verify the accuracy of your entry in the Value column.
6. (Optional) To specify a maximum number of characters in log messages to be forwarded to the Forwarding Destination: 
a. ClickAddAdd. TLC adds a row to the Advanced Options table.
b. In the new row, mouse over the Advanced Option column to display the drop-down arrow.
c. Select Log-Message Forwarding - Forwarding message length from the Advanced Option drop-down.
d. In the Value column, enter a number from 1,024 to 65,000 and press ENTER.
e. Click Apply.

Note 

If a log message contains more characters than this value, the Manager will remove the content exceeding this limit prior to forwarding the message to the Forwarding Destination(s).

7. (Optional) This step only applies if you want TLC to spoof the items in forwarded UDP packets identified in Table 88

To spoof one of these items, complete the following steps:

a. Install WinPCap 4.1.3 on the TLC Manager:

https://www.winpcap.org/install/default.htm

b. In the Advanced Options table of the Manager properties dialog, clickAddAdd. TLC adds a row to the table.
c. Complete the fields in the new table row (see Table 88) and press ENTER.
d. Click Apply.

Table 88. Spoofing items in forwarded UDP packets

To spoof ...

Advanced Options

Value

... source IP addresses:

advSettings:EF|udpSpoofPacketSrcIp

Note: The source IP address of outgoing network packets will appear as the address of the original Monitored Asset.

True

... the source Port number:

advSettings:EF|udpSpoofSourcePort

Note: By default, the port will be a random number between 56000 and 56999.

The desired Port number (other than 0)

... the default gateway:

advSettings:EF|udpSpoofGateway

The desired IP address

Tips 

If you uninstall WinPCap from a TLC Manager running Windows 2012 or Windows 2016, TLC will continue to forward UDP packets with spoofed addresses. To complete the uninstallation process, delete the following files and restart the system:

%SYSTEM_32%\Packet.dll

%SYSTEM_32%\wpcap.dll

If a forwarded UDP packet does not present the IP address of the original Monitored Asset as the source IP address, open the TLC log file:

C:\<TLC_Manager_install_dir>\Logs\/tlc.log

Where <TLC_Manager_install_dir> is the installation directory for TLC Manager.

If the log file contains the following entry, WinPCap 4.1.3 is not installed on the TLC Manager:

!!ERROR: An error occurred while forwarding a custom UDP packet. "Please verify that WinPCap is installed and restart your TLC Manager service.

Tip

Your changes will not take effect until you push updates to your Managers (see Pushing Updates to your Managers).