Manage forwarder configurations through the UI

This page describes how to create, manage, and download forwarder configurations using the Google Security Operations user interface (UI).

Forwarder configuration is a two-step process:

  1. Add forwarder configuration: This establishes the framework for your configuration.
  2. Add collector configuration: This defines the source of data that the forwarder will ingest. Without at least one collector, the forwarder does not have any data to work with.

Once you've added one or more collectors, the forwarder configuration is complete. You can then download it and deploy it onto a machine or device that has the forwarder software installed.

For information about how to install and configure the Google Security Operations forwarder, system requirements, and details about configuration settings, see Install and configure the forwarder.

Add forwarder configuration

Instead of adding a new forwarder, you can clone one or more existing forwarders. For details, see Clone forwarders.

To add a new forwarder, follow these steps:

  1. In the navigation bar, click Settings.
  2. Under Settings, click Forwarders.
  3. Click Add new forwarder.
  4. In the Forwarder name field, type a name.
  5. Optional: Expand the Configuration values section and specify the values. For information about the configuration settings, see Determine the configuration.

  6. Click Submit.

    The forwarder is added and the Add collector configuration window appears.

Add collector configuration

You can add one or more collectors to an existing forwarder. To add a new collector to a forwarder, follow these steps:

  1. In the navigation bar, click Settings.
  2. Under Settings, click Forwarders.
  3. On the Forwarders page, find the forwarder you want. If the list of forwarders is long, use the Search field.
  4. Hold the pointer over the forwarder for which you want to add a collector. The expand menu icon displays.
  5. Click the expand menu icon.
  6. Select Add new collector.
  7. In the Collector name field, type a name.
  8. Click the Log type field to view a list of log types, and do one of the following:

    • If you don't see the log type you want, start typing its name in the box to view more suggestions. For a complete list of supported log types, see Supported data sets.
    • Select a log type from the list.
  9. Optional: Expand the Configuration values section and specify the values. For information about the configuration settings, see Determine the configuration.

  10. Optional: Expand the Advanced settings section and specify any of the following:

    • Max seconds per batch: The number of seconds between batches. The default is 10.
    • Max bytes per batch: The number of bytes queued before the forwarder uploads the batch. The default is 1,048,576.
  11. Recommended: Disk buffer: Set the toggle to on to enable disk buffering for the collector. For details about disk buffering, see Disk buffering. When enabled, you can specify the following settings:

    • Directory path: The directory path for files written.
    • Maximum Buffered File Size (in bytes): The maximum disk size used by the collector before backlogged messages are buffered to disk. The default is 1,073,741,824. The maximum is 4,294,967,296.
  12. Click the Collector type field and select a collector type. Each collector type has its own settings that you can configure. For details about the collector types and their settings, see Determine the configuration.

  13. Click Submit.

Download configuration files

Downloading the forwarder configuration files requires at least one collector. If you try to download a forwarder without a collector, you get an error.

You can download the forwarder configuration (.conf) file, authentication (_auth.conf) file, or both, for any forwarder listed in your Google Security Operations instance as long as it has at least one collector. After downloading the files, deploy them on the Windows or Linux system where the Google Security Operations forwarder resides.

To download forwarder configuration files:

  1. In the navigation bar, click Settings.
  2. Under Settings, click Forwarders. The page displays the list of forwarders.
  3. On the Forwarders page, find the forwarder you want. If the list of forwarders is long, use the Search field.

  4. Hold the pointer over the forwarder for which you want to download configuration files. The expand menu icon displays.

  5. Click the expand menu icon.

  6. Select Download.

  7. In the Download forwarder configuration dialog, do one of the following:

    • To download the forwarder configuration file, click the download icon next to the .conf file type.
    • To download the forwarder authentication file, click the download icon next to the _auth.conf file type.
    • To download both files, click Download all.
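After the download, the two files still have to be placed on the forwarder host. The following is an added example, not part of the original page or of Google's tooling: a shell function for a Linux host that checks the downloaded pair is complete and installs it with restrictive permissions, treating the authentication file as sensitive. The function name, the destination directory, and the assumption that the files are named `<forwarder>.conf` and `<forwarder>_auth.conf` are illustrative.

```shell
#!/bin/sh
# Added example (not Google's tooling): stage a downloaded forwarder
# configuration pair on a Linux host with restrictive permissions.
# Assumptions: files are named <name>.conf and <name>_auth.conf, and the
# destination directory is chosen by the operator.
# Usage: stage_forwarder_files <download_dir> <forwarder_name> <dest_dir>
stage_forwarder_files() {
    src=$1
    name=$2
    dest=$3
    conf="$src/$name.conf"
    auth="$src/${name}_auth.conf"

    # Require both files, non-empty, and refuse symlinks so a planted link
    # in the download directory cannot redirect the copy to another file.
    for f in "$conf" "$auth"; do
        if [ -L "$f" ] || [ ! -s "$f" ]; then
            echo "missing, empty, or symlinked: $f" >&2
            return 1
        fi
    done

    # Copy under a tight umask so the files are never briefly world-readable.
    (
        umask 077
        mkdir -p "$dest" &&
        cp "$conf" "$dest/$name.conf" &&
        cp "$auth" "$dest/${name}_auth.conf"
    ) || return 1

    # Final modes: configuration readable by owner and group,
    # authentication file readable by the owner only.
    chmod 640 "$dest/$name.conf" &&
    chmod 600 "$dest/${name}_auth.conf"
}
```

Run it as the account that owns the forwarder process so that the owner-only mode on the authentication file still lets the forwarder read it.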

Manage forwarders

List the forwarders in a Google Security Operations instance

  1. In the navigation bar, click Settings.
  2. Under Settings, click Forwarders. The page displays the list of forwarders.
  3. Optional: Sort the list by clicking the Name or Last updated column.

Optionally, use the search field to narrow the results in your list.

Clone forwarders

Cloning lets you create a copy of one or more forwarder configurations.

To clone a forwarder configuration, follow these steps:

  1. On the Forwarders page, select the checkbox for each forwarder that you want to clone.

  2. Click the expand menu icon.

  3. Select Clone.

  4. Click Clone. A copy of each forwarder configuration is added.

Edit a forwarder configuration

  1. In the navigation bar, click Settings.
  2. Under Settings, click Forwarders. The page displays the list of forwarders.
  3. Hold the pointer over the forwarder for which you want to edit the configuration. The expand menu icon displays.

  4. Click the expand menu icon.

  5. Select Edit forwarder configuration.

  6. Make your changes to the configuration. For more information, see the configuration steps in the procedure for adding forwarders.

  7. Click Update.

Delete forwarders

  1. On the Forwarders page, select the checkbox for each forwarder that you want to delete.

  2. Click the expand menu icon.

  3. Select Delete.

  4. In the Delete Forwarder dialog, click Delete.

Manage collectors

List the collectors in a Google Security Operations instance

  1. In the navigation bar, click Settings.
  2. Under Settings, click Forwarders. The page displays the list of forwarders.
  3. Click the expander arrow next to the Name column heading. This expands all of the forwarders, displaying up to five collectors for each forwarder.
  4. If a forwarder has more than five collectors, click the See all collectors link.

Edit a collector configuration

  1. In the navigation bar, click Settings.
  2. Under Settings, click Forwarders. The page displays the list of forwarders.
  3. Click the expander arrow of the forwarder for which you want to edit a collector.

  4. If there are more than five collectors, click the See all collectors link.

  5. Hold the pointer over the collector for which you want to edit the configuration. The Edit option displays.

  6. Click Edit.

  7. Make your changes to the configuration. For more information, see the configuration steps in the procedure for adding collectors.

  8. Click Update.

Delete a collector

  1. In the navigation bar, click Settings.
  2. Under Settings, click Forwarders. The page displays the list of forwarders.
  3. Click the expander arrow of the forwarder for which you want to delete a collector.

  4. If there are more than five collectors, click the See all collectors link.

  5. Hold the pointer over the collector that you want to delete. The Delete option displays.

  6. Click Delete.

  7. To confirm, click Delete in the Delete collector dialog.