What is Log-Message Forwarding?

Tripwire LogCenter (TLC) collects log messages from a variety of Log Sources. By default, TLC stores log messages in the Audit Logger (see What is the Audit Logger?). With Log-Message Forwarding, however, you can configure your Managers to forward collected log messages via Syslog to one or more third-party storage devices (known as Forwarding Destinations), such as an ArcSight system. If you configure a Manager for Log-Message Forwarding (see Configuring Log-Message Forwarding), the Manager forwards all collected log messages to the specified Forwarding Destinations, in addition to storing the messages in the Audit Logger.

Notes 

When a Manager forwards a log message to a Forwarding Destination, TLC first applies a Syslog header appropriate for the Forwarding Destination.

The Log-Message Forwarder buffer can store up to 30,000 log messages for each Forwarding Destination. If the number of log messages exceeds 30,000, TLC drops any additional log messages. TLC also drops any log messages in the buffer when the TLC Manager service is stopped.

With the Log-Message Forwarder Status Layout Panel in the Dashboard, you can monitor the events-per-second (EPS) rate of log messages forwarded by a Manager, along with the size of the Manager's Log-Message Forwarder buffer. For more information, see What are the Dashboard, Manager Layouts, and Database Layouts?.
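
The following added example (not Tripwire code and not part of the product documentation) models the 30,000-message per-destination buffer described in the notes above, to estimate how long a Forwarding Destination can be unreachable before forwarded messages are lost. The function names, the per-second rates, and the assumption that newly arriving messages are the ones dropped when the buffer is full are illustrative.

```python
from dataclasses import dataclass
from typing import Optional

BUFFER_CAP = 30_000  # per-destination buffer limit stated in the notes


@dataclass
class ForwardingResult:
    forwarded: int                    # messages delivered to the destination
    dropped: int                      # messages lost because the buffer was full
    peak_depth: int                   # largest buffer occupancy observed
    first_drop_second: Optional[int]  # second at which loss began, if any


def simulate(ingest_eps, drain_eps, cap=BUFFER_CAP):
    """Model one destination's forwarder buffer, one step per second.

    ingest_eps[i]: messages the Manager collects in second i.
    drain_eps[i]:  messages the destination accepts in second i (0 = outage).
    Assumption: when the buffer is full, newly arriving messages are dropped.
    """
    depth = forwarded = dropped = peak = 0
    first_drop = None
    for second, (arrivals, capacity) in enumerate(zip(ingest_eps, drain_eps)):
        sent = min(depth + arrivals, capacity)  # forward what the destination takes
        forwarded += sent
        backlog = depth + arrivals - sent
        if backlog > cap:                       # overflow is lost to the destination
            dropped += backlog - cap
            if first_drop is None:
                first_drop = second
            backlog = cap
        depth = backlog
        peak = max(peak, depth)
    return ForwardingResult(forwarded, dropped, peak, first_drop)


def constructed_outage():
    """Constructed scenario: steady 500 EPS for 300 s, destination down 60-179 s."""
    ingest = [500] * 300
    drain = [0 if 60 <= s < 180 else 2000 for s in range(300)]
    return simulate(ingest, drain)


if __name__ == "__main__":
    print(constructed_outage())
```

In this constructed scenario the buffer fills 60 seconds into the outage, so the messages collected during the remaining 60 seconds never reach the Forwarding Destination.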