Routing Rules.
Configuring Selective Event Forwarding
Using the Custom Rule Wizard, you can configure rules to forward event data to one or more forwarding destinations as a rule response. The criteria for what data gets forwarded to a forwarding destination is based on the tests and building blocks included in the rule. This method provides you a means to configure highly selective event forwarding.
To configure selective event forwarding:
Step 1 Click the Log Activity tab.
Step 2 Click Rules.
Step 3 Edit or add a rule, ensuring that you select the Send to Forwarding Destinations option on the Rule Response page in the Rule Wizard. For more information on how to edit or add a rule, see the STRM Log Manager Users Guide.
When the rule is configured and enabled, all events matching the rule tests are automatically forwarded to the specified forwarding destinations.
Managing Forwarding Destinations
This section includes the following topics:
• Viewing Forwarding Destinations
• Editing a Forwarding Destination
• Delete a Forwarding Destination Bypass
Correlation
Select this check box if you want the log data that matches the current filters to bypass correlation.
When correlation is bypassed, the log data that matches the current filter is stored in the STRM Log Manager database, but it is not tested in the CRE.
Note: If you select the Bypass Correlation check box, the Drop check box is automatically cleared.
Table 9-2 Event Routing Rules Parameters (continued) Parameter Description
Viewing Forwarding Destinations
The Forwarding Destinations window provides valuable information on your forwarding destinations, including statistics for the data sent to each forwarding destination.
To view your forwarding destinations:
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click Data Sources.
Step 3 Click the Forwarding Destinations icon.
The Forwarding Destinations window provides the following information:
The Forwarding Destinations window toolbar provides the following functions:
Table 9-3 Forwarding Destination Window Parameters
Parameter Description
Name Specifies the name of this forwarding destination.
Event Format Specifies whether raw event data or normalized event data is sent to this forwarding destination.
Host / IP Address Specifies the IP address or host name of this forwarding destination host.
Port Specifies the receiving port on this forwarding destination host.
Protocol Specifies whether the protocol for this forwarding event data is TCP or UDP.
Seen Specifies how many total number events were seen for this forwarding destination.
Sent Specifies how many events have actually been sent to this forwarding destination.
Dropped Specifies how many events have been dropped before reaching this forwarding destination.
Enabled Specifies whether this forwarding destination is enabled or disabled. For more information, see Enabling and
Disabling a Forwarding Destination.
Creation Date Specifies the date that this forwarding destination was created.
Modification Date Specifies the date that this forwarding destination was last modified.
Table 9-4 Forwarding Destinations Window Toolbar
Function Description
Add Click Add to add a new forwarding destination. See Add Forwarding Destinations.
Edit Click Edit to edit a selected forwarding destination. See Editing a Forwarding Destination.
Managing Forwarding Destinations 147
Enabling and Disabling a Forwarding Destination
When you create a forwarding destination, it is enabled by default. Using the Enable/Disable icon, you can toggle the forwarding destination on or off.
To enable or disable a forwarding destination:
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Step 3 Click the Forwarding Destinations icon.
Step 4 Select the forwarding destination you want to enable or disable.
Step 5 On the toolbar, click Enable/Disable.
Depending on the current status of the forwarding destination, the result of clicking Enable/Disable is as follows:
• If the Enabled status is False, the forwarding destination is now enabled.
• If the Enabled status is True, a confirmation message is displayed. A confirmation message is displayed, providing a list of associated rules. Click OK to confirm you want to disable the forwarding destination.
Resetting the Counters
The Seen, Sent, and Dropped parameters provide counts that continue to accumulate until you reset the counters. You may want to reset the counters to provide a more targeted view of how your forwarding destinations are performing.
To reset the counters:
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Step 3 Click the Forwarding Destinations icon.
Step 4 On the toolbar, click Reset Counters.
The Seen, Sent, and Dropped parameters display a value of zero (0), until the counters start accumulating again.
Enable/Disable Click Enable/Disable to enable or disable a selected forwarding destination. For more information, see Enabling and Disabling a Forwarding Destination.
Delete Click Delete to delete a selected forwarding destination. See Delete a Forwarding Destination.
Reset Counters Click Reset Counters to reset the Seen, Sent, and Dropped parameters for all forwarding destinations back to zero (0).
See Resetting the Counters.
Table 9-4 Forwarding Destinations Window Toolbar (continued)
Function Description
Editing a Forwarding Destination
You can edit a forwarding destination to change the configured name, format, IP address, port, or protocol.
To edit a forwarding destination:
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Step 3 Click the Forwarding Destinations icon.
Step 4 Select the forwarding destination you want to edit.
Step 5 On the toolbar, click Edit.
Step 6 Update the parameters, as necessary. See Table 9-1. Step 7 Click Save.
Delete a Forwarding Destination
You can delete a forwarding destination. If the forwarding destination is associated with any active rules, you must confirm that you want to delete the forwarding destination.
To delete a forwarding destination:
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Step 3 Click the Forwarding Destinations icon.
Step 4 Select the forwarding destination you want to delete.
Step 5 On the toolbar, click Delete.
Step 6 Click OK.