Configuring Log-Message Forwarding

For an introduction to Log-Message Forwarding, see What is Log-Message Forwarding?.

To configure TLC to forward log messages to one or more Forwarding Destinations:

1. In the side bar, select Resources > Configuration Manager.
2. In the side bar of the Configuration Manager, select Resources > Managers.
3. In the workspace, double-click the Manager.
4. Select the Advanced Settings tab.
5. To specify the Forwarding Destination(s):
a. Click Add. TLC adds a row to the Advanced Options table.
b. In the new row, mouse over the Advanced Option column to display the drop-down arrow.
c. Select Log-Message Forwarding - Destinations from the drop-down.
d. In the Value column, enter:

<ip_address>:<port>:<protocol>

Where: 

<ip_address> is the IP address of a Forwarding Destination,

<port> is the Forwarding Destination port to which log messages will be forwarded, and

<protocol> is the communication protocol to be used to forward log messages (either TCP or UDP).

Note 

UDP is faster than TCP. However, TCP is more reliable and secure.

To enter multiple Forwarding Destinations, separate the destinations with commas. For example:

172.10.0.2:1468:tcp,172.10.0.3:1468:tcp

e. Click Apply. TLC sends a test message to the Forwarding Destination(s) and presents a dialog summarizing the test results. If the test is unsuccessful, TLC will not save your entry. Verify the accuracy of your entry in the Value column.
6. (Optional) To specify a maximum number of characters in log messages to be forwarded to the Forwarding Destination: 
a. Click Add. TLC adds a row to the Advanced Options table.
b. In the new row, mouse over the Advanced Option column to display the drop-down arrow.
c. Select Log-Message Forwarding - Forwarding message length from the Advanced Option drop-down.
d. In the Value column, enter a number from 1,024 to 65,000 and press ENTER.
e. Click Apply.

Note 

If a log message contains more characters than this value, the Manager will remove the content exceeding this limit prior to forwarding the message to the Forwarding Destination(s).

7. (Optional) To configure TLC to continue trying to send log messages to third-party storage devices in the event that the connection socket between the TLC Manager and a device is blocked, complete the following steps: 
a. Click Add. TLC adds a row to the Advanced Options table.
b. In the new row, mouse over the Advanced Option column to display the drop-down arrow.
c. Select Log Message Forwarding - Retry if Socket is Blocked from the Advanced Option drop-down.
d. In the Value column, enter True.
e. Click Apply.

Note 

If this option is False and the connection socket is blocked when TLC attempts to send a log message to a third-party storage device, TLC will drop the log message.

8. (Optional) This step only applies if you want TLC to spoof the items in forwarded UDP packets identified in Table 89.

To spoof one of these items, complete the following steps:

a. Install WinPCap 4.1.3 on the TLC Manager:

https://www.winpcap.org/install/default.htm

b. In the Advanced Options table of the Manager properties dialog, click Add. TLC adds a row to the table.
c. Complete the fields in the new table row (see Table 89) and press ENTER.
d. Click Apply.

Table 89. Fields in the Advanced Options table

To spoof a source IP address:
Advanced Option: advSettings:EF|udpSpoofPacketSrcIp
Value: True
Note: The source IP address of outgoing network packets will appear as the address of the original Monitored Asset.

To spoof a port number:
Advanced Option: advSettings:EF|udpSpoofSourcePort
Value: The desired port number (other than 0)
Note: By default, the port will be a random number between 56000 and 56999.

To spoof the default gateway between a TLC Manager and a storage device:
Advanced Option: advSettings:EF|udpSpoofGateway
Value: The IP address of the default gateway

To spoof the source MAC address of a network interface (NIC) other than the default NIC:
Advanced Option: advSettings:EF|udpSpoofAdapterIndex
Value: Integer
This setting will override the destination gateway with the gateway MAC address of the specified NIC index.
Note: If the specified NIC (shown as 'Current' in the start-up log example) has no value for the gateway IP address, TLC will use the MAC address from the default NIC available for UDP packet creation.

TLC will log information about all available NICs during each startup of the TLC Manager. For example:

1/30/2020 8:10:31 AM : Log Message Forwarder - Network Adapters available for IP Spoofing:
1/30/2020 8:10:31 AM : Network Adapter #0 ID: {7B5724BA-6EDE-4C7A-A1AA-F438C52CEF1A} (Current)
1/30/2020 8:10:31 AM : Network Adapter #0 Name: VMware PCI Ethernet Adapter
1/30/2020 8:10:31 AM : Network Adapter #0 IP Address: 192.168.80.51
1/30/2020 8:10:31 AM : Network Adapter #0 Gateway: 192.168.80.1
1/30/2020 8:10:31 AM : Network Adapter #1 ID: {065F0C42-703A-11DE-9954-806E6F6E6963}
1/30/2020 8:10:31 AM : Network Adapter #1 Name: VMware PCI Ethernet Adapter 2
1/30/2020 8:10:31 AM : Network Adapter #1 IP Address: 192.168.70.51
1/30/2020 8:10:31 AM : Network Adapter #1 Gateway: 192.168.70.1
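To choose a value for advSettings:EF|udpSpoofAdapterIndex, the start-up lines above can be parsed into a per-adapter summary and each candidate index checked for a gateway. This is an added example, not TLC code: parse_adapters and check_adapter_index are hypothetical helper names, adapter #2 is constructed, and the way an adapter without a gateway is logged (empty value or missing line) is an assumption.

```python
import re

# Constructed sample: the start-up lines from this page (wrapped lines rejoined),
# plus a hypothetical adapter #2 that has no gateway.
SAMPLE_LOG = """\
1/30/2020 8:10:31 AM : Network Adapter #0 ID: {7B5724BA-6EDE-4C7A-A1AA-F438C52CEF1A} (Current)
1/30/2020 8:10:31 AM : Network Adapter #0 Name: VMware PCI Ethernet Adapter
1/30/2020 8:10:31 AM : Network Adapter #0 IP Address: 192.168.80.51
1/30/2020 8:10:31 AM : Network Adapter #0 Gateway: 192.168.80.1
1/30/2020 8:10:31 AM : Network Adapter #1 ID: {065F0C42-703A-11DE-9954-806E6F6E6963}
1/30/2020 8:10:31 AM : Network Adapter #1 Name: VMware PCI Ethernet Adapter 2
1/30/2020 8:10:31 AM : Network Adapter #1 IP Address: 192.168.70.51
1/30/2020 8:10:31 AM : Network Adapter #1 Gateway: 192.168.70.1
1/30/2020 8:10:31 AM : Network Adapter #2 ID: {00000000-0000-0000-0000-000000000002}
1/30/2020 8:10:31 AM : Network Adapter #2 Gateway:
"""

FIELD_KEYS = {"ID": "id", "Name": "name", "IP Address": "ip", "Gateway": "gateway"}
ADAPTER_LINE = re.compile(r"Network Adapter #(\d+) (ID|Name|IP Address|Gateway):\s*(.*)$")

def parse_adapters(log_text):
    """Return {index: {"id", "name", "ip", "gateway", "current"}} from tlc.log text."""
    adapters = {}
    for line in log_text.splitlines():
        match = ADAPTER_LINE.search(line)
        if not match:
            continue
        index, field, value = int(match[1]), match[2], match[3].strip()
        nic = adapters.setdefault(index, {"current": False})
        if field == "ID" and value.endswith("(Current)"):
            nic["current"] = True
            value = value[: -len("(Current)")].strip()
        nic[FIELD_KEYS[field]] = value
    return adapters

def check_adapter_index(adapters, index):
    """Classify a candidate udpSpoofAdapterIndex value against the logged adapters."""
    nic = adapters.get(index)
    if nic is None:
        return "unknown"      # index never appeared in the start-up log
    if not nic.get("gateway"):
        return "no-gateway"   # per the Table 89 note, TLC uses the default NIC's MAC
    return "ok"

if __name__ == "__main__":
    nics = parse_adapters(SAMPLE_LOG)
    for i in sorted(nics):
        print(i, nics[i].get("ip"), nics[i].get("gateway") or "-", check_adapter_index(nics, i))
```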

Tips 

If you uninstall WinPCap from a TLC Manager running Windows 2012 or Windows 2016, TLC will continue to forward UDP packets with spoofed addresses. To complete the uninstallation process, delete the following files and restart the system:

%SYSTEM_32%\Packet.dll

%SYSTEM_32%\wpcap.dll

If a forwarded UDP packet does not present the IP address of the original Monitored Asset as the source IP address, open the TLC log file:

C:\<TLC_Manager_install_dir>\Logs\tlc.log

Where <TLC_Manager_install_dir> is the installation directory for TLC Manager.

If the log file contains the following entry, WinPCap 4.1.3 is not installed on the TLC Manager:

!!ERROR: An error occurred while forwarding a custom UDP packet. "Please verify that WinPCap is installed and restart your TLC Manager service.

Tip

Your changes will not take effect until you push updates to your Managers (see Pushing Updates to your Managers).
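Because TLC will not save a Destinations entry whose test fails, the Value strings from steps 5 and 6 can be checked for format errors before they are entered. This is an added example, not TLC code: the function names are hypothetical, and the IPv4-only check, the 1 to 65535 port range, case-insensitive protocol names and the rejection of whitespace and duplicates are assumptions of this example rather than documented TLC behaviour.

```python
import ipaddress
import re

PROTOCOLS = ("tcp", "udp")

def parse_destinations(value):
    """Split a Destinations value into (ip, port, protocol) tuples.

    Raises ValueError naming the first entry that does not fit
    <ip_address>:<port>:<protocol>.
    """
    destinations = []
    for entry in value.split(","):
        parts = entry.split(":")
        if len(parts) != 3:
            raise ValueError(f"{entry!r}: expected <ip_address>:<port>:<protocol>")
        ip_text, port_text, protocol = parts
        try:
            ip = ipaddress.IPv4Address(ip_text)  # assumption: IPv4 only
        except ipaddress.AddressValueError:
            raise ValueError(f"{entry!r}: bad IP address {ip_text!r}") from None
        if not re.fullmatch(r"[0-9]{1,5}", port_text) or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"{entry!r}: bad port {port_text!r}")
        if protocol.lower() not in PROTOCOLS:
            raise ValueError(f"{entry!r}: protocol must be TCP or UDP")
        dest = (str(ip), int(port_text), protocol.lower())
        if dest in destinations:
            raise ValueError(f"{entry!r}: duplicate destination")
        destinations.append(dest)
    return destinations

def check_message_length(value):
    """Return the length as an int if it is within step 6's 1,024 to 65,000 range."""
    text = str(value)
    if not re.fullmatch(r"[0-9]+", text) or not 1024 <= int(text) <= 65000:
        raise ValueError(f"{value!r}: enter a number from 1,024 to 65,000")
    return int(text)

if __name__ == "__main__":
    print(parse_destinations("172.10.0.2:1468:tcp,172.10.0.3:1468:tcp"))
    print(check_message_length(8192))
```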