Overview of Google Security Operations SIEM forwarders

A Google Security Operations SIEM forwarder is a software component that runs on a machine or device on your network, such as a server. The forwarder can collect log data and network interface packets and forward that data to your Google Security Operations SIEM instance.

Each deployed Google Security Operations SIEM forwarder requires a forwarder configuration file. A forwarder configuration file specifies various settings that define how to transfer data to your Google Security Operations SIEM instance, such as data compression. A forwarder configuration file also specifies one or more collector configurations. Each collector configuration specifies the collector's ingestion mechanism (for example, File, Kafka, PCAP, Splunk, Syslog, or WebProxy), log type, and other settings.

You can use many collectors on the same forwarder to ingest data from a variety of mechanisms and log types. For example, you can configure a forwarder with two syslog collectors, one listening for PAN_FIREWALL data and the other for CISCO_ASA_FIREWALL data, each on its own port.
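The two-collector layout described above, as an added illustrative configuration that is not taken from this page: the key names are assumed to follow the forwarder's YAML configuration schema, the collector ID, customer ID, and service-account key are placeholders, and the port numbers are arbitrary sample values.

```yaml
# Illustrative forwarder configuration (added example, not from this page).
# Key names are assumed to follow the forwarder's YAML schema; IDs are placeholders.
output:
  url: malachiteingestion-pa.googleapis.com:443
  identity:
    collector_id: COLLECTOR_ID_PLACEHOLDER
    customer_id: CUSTOMER_ID_PLACEHOLDER
    # Service-account credential JSON issued for this forwarder; keep it
    # readable only by the forwarder's service account on the host.
    secret_key: |
      SERVICE_ACCOUNT_JSON_PLACEHOLDER

collectors:
  # First syslog collector: Palo Alto firewall logs on TCP 10514 (sample port).
  - syslog:
      common:
        enabled: true
        data_type: PAN_FIREWALL
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      # Bind to the specific interface the firewalls reach, not every interface,
      # so the listener is not exposed more widely than needed.
      tcp_address: 10.0.0.5:10514
      connection_timeout_sec: 60

  # Second syslog collector: Cisco ASA logs on a separate port, TCP 10515 (sample).
  - syslog:
      common:
        enabled: true
        data_type: CISCO_ASA_FIREWALL
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 10.0.0.5:10515
      connection_timeout_sec: 60
```

Each collector carries its own `data_type`, so logs arriving on each port are parsed with the matching parser rather than guessed from content.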

To create, manage, and download forwarder configurations using the Google Security Operations user interface, see Manage forwarder configurations through the Google Security Operations UI.

To create, manage, and download forwarder configurations programmatically, see Forwarder Management API.

To install and configure a forwarder on each platform, see:

  1. Google Security Operations SIEM forwarder for Linux

  2. Google Security Operations SIEM forwarder for Windows on Docker

  3. Google Security Operations SIEM forwarder executable for Windows

To learn how a particular dataset is ingested using forwarders, see the following: