About the behavior when I enable event forwarding.

Created: 26 Sep 2012 • Updated: 26 Sep 2012 | 2 comments

I have a plan to introduce Symantec Security Information Manager.

<server role>
The role of server-A is Correlation.
The role of server-B is Archiving and Collector.

I will forward events from server-B to server-A.
I want to know about the logging behavior when you enable event forwarding.

When I enable event forwarding:
1. Logs are forwarded, only those later than the time you enable it.
2. Logs are forwarded, including those earlier than the time you enabled it.

Which is the behavior?

Please tell me.

Regards,

Masakatsu

Comments

It will forward all the logs which will be received post enabling the new forwarding rule.

Events before the rule introduction won't be affected.


Regards,

Avkash K

On Server B which is performing archiving, you should also create a forwarding to Correlation Service rule over port 10010 (rather than event service port 10012).

Events before the forwarding rule is enabled can be moved to another archive, but not to the correlation service AFAIK.

Gareth Rhys

Managed Services, SSIM, SCSP, SEP