Create Log Distribution Receivers

 To create a Log Distribution Receiver:

  1. On the main toolbar, click Deployment Manager.
  2. On the Tools menu, click Distribution, click Log Distribution Services, and then click Receiver Manager.
    The Log Distribution Receiver Manager window appears.
  3. On the File menu, click New.
    The Syslog Receiver Properties dialog box appears.
  4. Complete the Receiver Name and Network Settings located at the top of the dialog box and the Description field below the tab.

    Property / Description

    Receiver Name
      Enter a display name for the LDS Receiver.

    Network Settings

    Remote Host IP
      IP address of the external syslog receiver.

    Remote Port
      Enter the port on which the external syslog receiver listens. Default value = 514.

    Network Protocol
      Protocol used by the external syslog receiver, either TCP or UDP. Default = UDP.

    TCP Delimiter
      This field is only enabled when the Network Protocol = TCP. The default delimiter is “\n” (newline). If your site uses a different delimiter, enter it here. For example, Windows-based syslog receivers may require the delimiter “\r\n”.
      Syslog receivers that accept syslog messages over TCP require a message delimiter to indicate the end of each message. You may enter multiple characters, but the entire entry is considered one delimiter. It may be a text string such as “ENDLOG”, special escape characters such as “\r” (carriage return) or “\t” (tab), or a string of escape characters. The remote syslog receiver scans for the message delimiter and removes it.

    Text Encoding
      Select the data encoding that the external syslog receiver should use. Options include ASCII, UTF-8, or Windows-1252. Default = ASCII.

    Truncate message to 1024 bytes (RFC 3164)
      When selected, the syslog message is shortened to 1024 bytes.
      By default, the check box is selected to match the behavior of the previous version of LogRhythm. We recommend disabling it so that messages are not truncated.

    Metadata
      If the network protocol is TCP and messages are not being truncated, you can select from the following options for sending data:
      • Raw Log Only (default). Send only the raw log.
      • Metadata Only. Send only the following metadata fields, in this order: CommonEventName, DirectionName, EntityName, ImpactedEntityName, ImpactedHostName, ImpactedLocationName, ImpactedNetworkName, ImpactedZoneName, LogSourceName, MpeRuleName, MsgClassName, MsgSourceTypeName, OriginEntityName, OriginHostName, OriginLocationName, OriginNetworkName, OriginZoneName, ProtocolName, RootEntityName, ServiceName.
      • Metadata + Raw Log. Send the metadata as noted above, and include the raw log in the final field (RAWLOG is the key).

      Note the following:
      • If any logs were spooled before upgrading to the version of LogRhythm that supports sending metadata, the spooled logs contain only raw log data and are sent as raw logs, regardless of the metadata setting.
      • Upon shutdown, logs queued for sending are spooled to disk. Upon startup, LDS sends the spooled logs according to the metadata setting. If the metadata setting is changed between spooling and distribution, the setting in effect at the time of distribution is used.

    Change CR/LF to whitespace
      When selected, carriage returns and line feeds are converted to whitespace.
      By default, the check box is not selected, to match the behavior of the previous version of LogRhythm, where CR/LF characters were removed without leaving any whitespace. We recommend enabling this option to improve readability.

    Change TAB to whitespace
      When selected, tabs are converted to whitespace.
      By default, the check box is not selected, to match the behavior of the previous version of LogRhythm, where TAB characters were removed without leaving any whitespace. We recommend enabling this option to improve readability.

    Description
      Enter any information you want to add about this Log Distribution Receiver.
  5. Complete the fields on the Syslog Sources tab.

    Property / Description

    Syslog Sources Tab

    When forwarding a message from a syslog source
      Each option displays its associated header format below it. The ellipsis (...) at the end indicates where the original log message is inserted.

      Select one of the following options:

      Insert a syslog header in front of the original message.
        Device Mode: Select when the syslog receiver requires an RFC 3164-compliant header and the incoming log messages do not have one. This always builds a new syslog header in the outgoing message, where:
        - <PRI> is restored from the LogRhythm PRI in the raw log. Example: <LOC4:INFO>
        - TIMESTAMP is determined by the Timestamp settings: the MsgDate, or the Normal Date and Time Zone.
        - HOSTNAME is the Host Virtualization value resolved by the Agent (default).
        - TAG is the fixed process identifier and = logrhythm, because the process that generated the message is unknown.
        - CONTENT (…) is the complete restored log message.

      Relay the message according to the RFC 3164 relay rules.
        Relay Mode: Select to forward RFC 3164-compliant messages without modification and to forward non-compliant messages after correcting the header format. These conditions apply:
        * If valid PRI and Timestamp:
          - Relay the original message.
        * If valid PRI but missing or invalid Timestamp:
          - TIMESTAMP value is determined from the settings on the Timestamp tab.
          - TAG (the fixed process identifier) is omitted.
        * If PRI is missing or unidentifiable:
          - PRI is the fixed value <13>.
          - TIMESTAMP value is determined from the settings on the Timestamp tab.
          - HOSTNAME is determined by Host Virtualization, or by Host Resolution Precedence if the appropriate box is checked on the Hostname tab.

      Ensure that the outgoing message has a valid syslog priority.
        Repeater Mode: Select if the syslog message sources do not require any modification. Use this in environments where syslog devices send messages that are not compliant with RFC 3164, but where the receiver is configured to accept the non-compliant format.
        - <PRI> is restored from the LogRhythm PRI in the raw log. Example: <LOC4:INFO>
        - The rest of the outgoing message is the remainder of the original syslog message.

  6. Click the Non-Syslog Sources tab and complete the fields.

    Property / Description

    Non-Syslog Tab

    When forwarding a message from a non-syslog source:
      See Non-Syslog Priority Calculation for information on how Priority <PRI> is determined.

      Each option displays its associated header format below it. The ellipsis (…) at the end indicates where the original log message is inserted. Select one of the following options.

      Insert a syslog header in front of the original message.
        Device Mode: Select if the syslog receiver requires each message to have an RFC 3164-compliant syslog header.
        - All header values are resolved according to the UI settings.
        - TAG is "logrhythm".

      Insert a syslog header (without a tag field) in front of the original message.
        Device Mode (without tag): Select if the syslog receiver requires a syslog header but does not require a tag as part of the header.
        - All header values are resolved according to the UI settings.
        - TAG is omitted.
        - CONTENT (…) is the complete original raw log message.

      Insert a syslog priority in front of the original message.
        Repeater Mode (with priority): Select if messages must be forwarded without modification other than to ensure that they include a syslog priority.
        - <PRI> is determined by the UI settings.
        - CONTENT (…) is the complete original raw log message.

      Re-send the original log message without any modification.
        Repeater Mode (verbatim): Select if messages must be forwarded without modification. Receivers must identify the original log source host by parsing the log message content.
        - CONTENT (…) is the complete original raw log message.

  7. Click the Priority tab and complete the fields.

    Property / Description

    Priority Tab

    Facility
      See Non-Syslog Priority Calculation for information on how Priority <PRI> is determined.

      When forwarding a message from a syslog source, LDS always preserves the original Priority value.

      When forwarding a message from a non-syslog source, LDS uses a Priority value based on your selection from the Facility drop-down list.

      Example:
      - Settings: Facility=Local4, Severity=[Log Msg Class ID]
      - Original Values: Facility=20, Msg Class ID=2600
      - Resolved Values: Facility=20, Severity=1
      - Syslog Priority Formula: Priority = Facility * 8 + Severity
      - Calculation: Priority = 20 * 8 + 1 = 161
      - Result: PRI = <161>

  8. Click the Timestamp tab and complete the fields.

    Property / Description

    Timestamp Tab

    When inserting a time-stamp into the syslog header of an outgoing message:
      This field is only enabled if Device mode is selected on the Syslog Sources or the Non-Syslog Sources tab. The corresponding mode is indicated in the screen tip. When inserting a timestamp into the syslog header of an outgoing message, select one of the following.

      Use the Msg Date. Uses the local time of the system when the log was received.

    Insert the LogRhythm Normal Date (with year) after the new syslog header.
      Check to select. Adds another date that includes the year, in addition to the date created in the preceding property.

    Convert LogRhythm Normal Dates to this time zone
      Select the time zone you want from the drop-down list.
  9. Click the Hostname tab and complete the fields.

    Property / Description

    Hostname Tab

    Use the following Host Resolution Precedence for non-syslog sources:
      Use the Host Resolution Precedence to specify your order of preference for identifying the LDS log source host. LDS tries to resolve the log source host using the first item in the list. If that is not successful, it proceeds down the list until the log source is identified.

      The default order is:
      1. LogRhythm Host IP Address
      2. LogRhythm Host DNS Name
      3. LogRhythm Host Windows Name
      4. LogRhythm Host Name
      5. LogRhythm Data Processor Name

      To change the order of the list to your preference, select an item and click the Up/Down arrows to reposition it.

    Use this Host Resolution Precedence instead of the default host identifier for syslog sources.
      Check this field to apply the order you set for non-syslog sources in the box above to syslog sources as well. When this check box is unchecked, LDS automatically uses the Host identifier specified in the Log Source Virtualization settings.

      The following example shows how an LDS Receiver works with Host identifiers. The screen shots show that the name and identifiers for this host were configured as:
      - LogRhythm Host Name = NY_DMZ_VPN1
      - LogRhythm Host Windows Name = ny_msw_VP1
      - LogRhythm Host DNS Name = ny_dns_VP1

      The last screen shot shows how the order of precedence was set in the Hostname tab of the LDS Receiver Manager. Notice that LogRhythm Host DNS Name is the first item in the list.

      With these settings, the LogRhythm Host DNS Name resolves to ny_dns_vpn1. If the LDS Receiver is configured to build a new syslog header when it forwards a message, the resulting message header could look similar to this:

      <164>Sep 5 17:35:12 ny_dns_vpn1 LogRhythm: Access denied to user bluto on interface DMZ01
  10. Click OK to return to the Log Distribution Receiver Manager window.
    The new receiver is selected with Status = Disabled.
  11. To enable the new Receiver immediately, right-click and click Enable.

    Even after an LDS Receiver is enabled, you must create an LDS Receiver Policy that includes the Receiver before it is active. For more information, see Log Distribution Policy Manager.
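The TCP Delimiter field in step 4 only works if the receiving side cuts the stream at exactly the same byte sequence. The following is an added example, not LogRhythm code, showing how a receiver interprets an entry typed into that field (escape sequences such as "\r\n" or "\t", literal text such as ENDLOG) and how it frames messages from a TCP stream, including one message that arrives split across two segments. It also shows the symptom of a mismatch: a receiver left on the default "\n" while the sender uses "\r\n" still splits messages, but every message keeps a stray carriage return. The class name SyslogTcpFramer and the sample messages are constructed for this example.

```python
"""Receiver-side framing for syslog over TCP, illustrating the TCP Delimiter
field. Delimiter entries and sample messages are constructed for the example."""
from typing import List


def decode_delimiter(entry: str, encoding: str = "ascii") -> bytes:
    """Interpret the text typed into the TCP Delimiter field.

    Escape sequences such as \\r, \\n and \\t become control characters; any
    other text (e.g. ENDLOG) is used literally. The whole entry is one
    delimiter, so "\\r\\n" is a single two-byte delimiter, not two choices.
    """
    literal = entry.encode("latin-1", "backslashreplace").decode("unicode_escape")
    return literal.encode(encoding)


class SyslogTcpFramer:
    """Accumulates TCP bytes and cuts out complete messages at each delimiter.

    The delimiter is stripped from the returned messages, and bytes after the
    last delimiter stay buffered until the rest of that message arrives.
    """

    def __init__(self, delimiter_entry: str = "\\n", encoding: str = "ascii"):
        self.encoding = encoding
        self.delimiter = decode_delimiter(delimiter_entry, encoding)
        self._buffer = b""

    def feed(self, data: bytes) -> List[str]:
        """Add received bytes and return every message completed by them."""
        self._buffer += data
        messages = []
        while True:
            cut = self._buffer.find(self.delimiter)
            if cut < 0:
                break
            messages.append(self._buffer[:cut].decode(self.encoding))
            self._buffer = self._buffer[cut + len(self.delimiter):]
        return messages

    def pending(self) -> bytes:
        """Bytes received so far that are not yet terminated by a delimiter."""
        return self._buffer


def demo() -> dict:
    # Constructed sender output: two messages terminated with "\r\n", the
    # second one split across two TCP segments.
    segment1 = (b"<13>Sep  5 17:35:12 gw01 app: login ok\r\n"
                b"<13>Sep  5 17:35:13 gw01 app: lo")
    segment2 = b"gin failed\r\n"

    matched = SyslogTcpFramer("\\r\\n")  # receiver configured to match the sender
    first = matched.feed(segment1)
    pending_after_first = matched.pending()
    second = matched.feed(segment2)

    # Mismatch: receiver left on the default "\n" while the sender uses "\r\n".
    # Messages still split, but each one keeps a trailing carriage return.
    mismatched = SyslogTcpFramer("\\n")
    stray = mismatched.feed(segment1 + segment2)

    return {
        "first": first,
        "pending_after_first": pending_after_first,
        "second": second,
        "stray_cr": [m.endswith("\r") for m in stray],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The mismatch case is worth checking on the receiving side whenever a Windows-based receiver is in use: a trailing "\r" on every message is the usual sign that the sender's delimiter is "\r\n" while the receiver splits on "\n" only.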
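The Relay Mode conditions on the Syslog Sources tab (step 5) decide, per message, whether the original is relayed untouched, gets a timestamp inserted, or gets a complete new header with the fixed PRI <13>. The following is an added example, not LogRhythm code, that implements those three conditions over constructed messages. The functions parse_pri, has_valid_timestamp and relay are assumptions of this example; settings_timestamp stands for the value the Timestamp tab would supply and resolved_hostname for the value Host Virtualization or Host Resolution Precedence would supply. One point goes beyond the page's table: in the "valid PRI but invalid timestamp" case the example inserts the hostname as well as the timestamp, as the RFC 3164 relay rules require, whereas the page lists only the timestamp and the omitted TAG for that case.

```python
"""Relay Mode decision logic for syslog sources (constructed example)."""
import re
from datetime import datetime
from typing import Optional, Tuple

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 TIMESTAMP: "Mmm dd hh:mm:ss", single-digit day padded with a space.
TIMESTAMP_RE = re.compile(
    r"^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) {1,2}(\d{1,2}) "
    r"(\d{2}):(\d{2}):(\d{2}) "
)


def parse_pri(message: str) -> Optional[int]:
    """Return the PRI value if the message starts with a valid <PRI>, else None.
    PRI = facility * 8 + severity, so 0..191 is the valid range."""
    m = PRI_RE.match(message)
    if m is None:
        return None
    pri = int(m.group(1))
    return pri if pri <= 191 else None


def has_valid_timestamp(body: str) -> bool:
    """True if the text after <PRI> begins with a well-formed RFC 3164 timestamp."""
    m = TIMESTAMP_RE.match(body)
    if m is None:
        return False
    day, hour, minute, second = (int(x) for x in m.groups()[1:])
    return 1 <= day <= 31 and hour < 24 and minute < 60 and second < 60


def rfc3164_timestamp(when: datetime) -> str:
    """Format a timestamp the way the Timestamp tab settings would supply it."""
    return "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))


# Constructed "settings" timestamp used by the demo and tests.
SAMPLE_TIMESTAMP = rfc3164_timestamp(datetime(2023, 9, 5, 17, 35, 12))


def relay(message: str, settings_timestamp: str, resolved_hostname: str) -> Tuple[str, str]:
    """Apply the Relay Mode rules; returns (rule_applied, outgoing_message)."""
    pri = parse_pri(message)
    if pri is None:
        # PRI missing or unidentifiable: fixed <13>, TIMESTAMP from settings,
        # HOSTNAME as resolved; the whole original message becomes the content.
        return "missing_pri", "<13>%s %s %s" % (settings_timestamp, resolved_hostname, message)
    body = message[message.index(">") + 1:]
    if has_valid_timestamp(body):
        # Valid PRI and TIMESTAMP: relay the original message unchanged.
        return "relay", message
    # Valid PRI but missing/invalid TIMESTAMP: insert TIMESTAMP from settings
    # and omit the TAG. Inserting HOSTNAME here is this example's assumption
    # (RFC 3164 relay behaviour); the page lists only TIMESTAMP and TAG.
    return "fix_timestamp", "<%d>%s %s %s" % (pri, settings_timestamp, resolved_hostname, body)


def demo() -> dict:
    host = "ny_dns_vpn1"  # constructed resolved hostname
    samples = [  # constructed incoming messages, one per condition
        "<164>Sep  5 17:35:12 ny_dns_vpn1 LogRhythm: Access denied to user bluto",
        "<164>Access denied to user bluto on interface DMZ01",
        "<999>Access denied to user bluto on interface DMZ01",
        "Access denied to user bluto on interface DMZ01",
    ]
    return {s: relay(s, SAMPLE_TIMESTAMP, host) for s in samples}


if __name__ == "__main__":
    for incoming, (rule, outgoing) in demo().items():
        print("%-14s %s" % (rule, outgoing))
```

Note that "<999>" is treated as unidentifiable rather than as a valid PRI, because facility (0..23) times 8 plus severity (0..7) can never exceed 191; the bogus bracket text then survives as part of the content, which is the behaviour a downstream parser should expect from a relay.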
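The Priority tab (step 7) gives the formula Priority = Facility * 8 + Severity, and the Hostname tab (step 9) describes walking the Host Resolution Precedence list until an identifier is found. The following is an added example, not LogRhythm code, that carries both through: it computes and decodes PRI values (reproducing the page's 20 * 8 + 1 = 161 and the <164> in the Hostname example), resolves a host against the default order and against an order with DNS name first, and assembles a Device Mode header from the results. The facility code table is the standard RFC 3164 one; FACILITY_CODES, resolve_host, device_mode_message and the IP address 10.0.0.1 are constructed for this example, and the host identifiers are the ones from the page's Hostname example (using the resolved value ny_dns_vpn1). The mapping from a Log Msg Class ID to a severity is not on the page, so severity is taken as an input.

```python
"""Non-syslog priority calculation and host resolution precedence
(constructed example)."""
from typing import Dict, List, Tuple

# RFC 3164 facility codes; Local4 = 20 as in the page's example.
FACILITY_CODES = {
    "Kernel": 0, "User": 1, "Mail": 2, "Daemon": 3, "Auth": 4, "Syslog": 5,
    "Lpr": 6, "News": 7, "Uucp": 8, "Cron": 9, "AuthPriv": 10, "Ftp": 11,
    "Local0": 16, "Local1": 17, "Local2": 18, "Local3": 19, "Local4": 20,
    "Local5": 21, "Local6": 22, "Local7": 23,
}

# Default order from the Hostname tab.
DEFAULT_HOST_PRECEDENCE = [
    "LogRhythm Host IP Address",
    "LogRhythm Host DNS Name",
    "LogRhythm Host Windows Name",
    "LogRhythm Host Name",
    "LogRhythm Data Processor Name",
]


def syslog_priority(facility: int, severity: int) -> int:
    """PRI = Facility * 8 + Severity, the formula from the Priority tab."""
    if not 0 <= facility <= 23:
        raise ValueError("facility must be 0..23")
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0..7")
    return facility * 8 + severity


def decode_priority(pri: int) -> Tuple[int, int]:
    """Inverse of syslog_priority: (facility, severity) for a PRI value."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0..191")
    return divmod(pri, 8)


def resolve_host(identifiers: Dict[str, str], precedence: List[str]) -> str:
    """Walk the precedence list; the first populated identifier wins."""
    for name in precedence:
        value = identifiers.get(name)
        if value:
            return value
    raise LookupError("no host identifier could be resolved")


def device_mode_message(facility_name: str, severity: int, timestamp: str,
                        hostname: str, content: str, tag: str = "logrhythm") -> str:
    """Build an outgoing message with a new RFC 3164 header (Device Mode)."""
    pri = syslog_priority(FACILITY_CODES[facility_name], severity)
    return "<%d>%s %s %s: %s" % (pri, timestamp, hostname, tag, content)


def demo() -> dict:
    # Identifiers from the page's Hostname tab example, plus a constructed IP.
    identifiers = {
        "LogRhythm Host Name": "NY_DMZ_VPN1",
        "LogRhythm Host Windows Name": "ny_msw_VP1",
        "LogRhythm Host DNS Name": "ny_dns_vpn1",
        "LogRhythm Host IP Address": "10.0.0.1",  # constructed
    }
    # Same list with DNS Name moved to the top, as in the page's screen shot.
    dns_first = ["LogRhythm Host DNS Name"] + [
        n for n in DEFAULT_HOST_PRECEDENCE if n != "LogRhythm Host DNS Name"
    ]
    timestamp = "Sep  5 17:35:12"  # constructed; the Timestamp tab supplies this
    hostname = resolve_host(identifiers, dns_first)
    return {
        "pri_example": syslog_priority(FACILITY_CODES["Local4"], 1),
        "default_order_host": resolve_host(identifiers, DEFAULT_HOST_PRECEDENCE),
        "dns_first_host": hostname,
        "message": device_mode_message("Local4", 4, timestamp, hostname,
                                       "Access denied to user bluto on interface DMZ01"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the default order and an IP address present, the IP wins; only after DNS Name is moved to the top does the header carry ny_dns_vpn1, which is the point of the page's screen-shot example. The TAG defaults to "logrhythm" as the Device Mode description states; the page's sample header shows it capitalised as "LogRhythm".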
