This page describes how to create, manage, and download forwarder configurations
using the Google SecOps user interface (UI).
Forwarder configuration is a two-step process:
Add forwarder configuration: This establishes the framework for your configuration.
Add collector configuration: This defines the source of data that the forwarder will ingest. Without at least one collector, the forwarder does not have any data to work with.
Once you've added one or more collectors, the forwarder configuration is complete. You can then download it and deploy it onto a machine or device that has the forwarder software installed.
For information about how to install and configure the Google SecOps forwarder,
system requirements, and details about configuration settings, see Install and configure the forwarder.
Add forwarder configuration
Instead of adding a new forwarder, you can clone one or more existing
forwarders. For details, see Clone forwarders.
To add a new forwarder, follow these steps:
In the navigation bar, click Settings.
Under Settings, click Forwarders.
Click Add new forwarder.
In the Forwarder name field, type a name.
Optional: Expand the Configuration values section and specify the values. For information about the configuration settings, see Determine the configuration.
Click Submit.
The forwarder is added and Add collector configuration window appears.
Add collector configuration
You can add one or more collectors to an existing forwarder. To add a new collector to a forwarder, follow these steps:
In the navigation bar, click Settings.
Under Settings, click Forwarders.
On the Forwarders page, find the forwarder you want. If the list of
forwarders is long, use the Search field.
Hold the pointer over the forwarder for which you want to add a collector. The more_vertexpand menu icon displays.
Click the more_vertexpand menu icon.
Select Add new collector.
In the Collector name field, type a name.
Click the Log type field to view a list of log types, and do one of
the following:
If you don't see the log type you want, start typing its name in the
box to view more suggestions. For a complete list of supported log types,
see
Supported data sets.
Select a log type from the list.
Optional: Expand the Configuration values section and specify the values. For information about the configuration settings, see Determine the configuration.
Optional: Expand the Advanced settings section and specify any of
the following:
Max seconds per batch: The number of seconds between batches. The
default is 10.
Max bytes per batch: The number of bytes queued before the forwarder
batch upload. The minimum is 204800 bytes, which is 200 KB.
The maximum is 1048576 bytes, which is 1MB. The default is
1,048,576 bytes, which is 1MB.
Recommended: Disk buffer: Set the toggle to on to enable disk
buffering for the collector. For details about disk buffering,
see Disk buffering.
When enabled, you can specify the following settings:
Directory path: The directory path for files written.
Maximum Buffered File Size (in bytes): The maximum disk size used by the collector
before backlogged messages are buffered to disk. The default is 1,073,741,824.
The maximum is 4,294,967,296.
Click the Collector type field and select a collector type. Each
collector type has its own settings that you can configure. For details
about the collector types and their settings, see
Determine the configuration.
Click Submit.
Download configuration files
Downloading the forwarder configuration files requires at least one collector. If you try to download a forwarder without a collector, you get an error.
You can download the forwarder configuration (.conf) file, authentication (_auth.conf) file, or both, for any forwarder listed in your Google SecOps instance as long as it has at least one collector. After downloading the files, deploy them on the Windows or Linux system where the Google SecOps forwarder resides.
To download forwarder configuration files:
In the navigation bar, click Settings.
Under Settings, click Forwarders. The page displays the list of forwarders.
On the Forwarders page, find the forwarder you want. If the list of
forwarders is long, use the Search field.
Hold the pointer over the forwarder for which you want to download configuration files. The more_vertexpand menu icon displays.
Click the more_vertexpand menu icon.
Select Download.
In the Download forwarder configuration dialog, do one of the following:
To download the forwarder configuration file, click the download icon next to the .conf file type.
To download the forwarder authentication file, click the download icon next to the _auth.conf file type.
To download both files, click Download all.
Manage forwarders
List the forwarders in a Google SecOps instance
In the navigation bar, click Settings.
Under Settings, click Forwarders. The page displays the list of forwarders.
Optional: Sort the list by clicking the Name or Last updated column.
Optionally, use the search field to narrow the results in your list.
Clone forwarders
Cloning lets you create a copy of one or more forwarder configurations.
To clone a forwarder configuration, follow these steps:
On the Forwarders page, select the checkbox for each forwarder that you want to clone.
Click the more_vertexpand menu icon.
Select Clone.
Click Clone. A copy of each forwarder configuration is added.
Edit a forwarder configuration
In the navigation bar, click Settings.
Under Settings, click Forwarders. The page displays the list of forwarders.
Hold the pointer over the forwarder for which you want to edit the configuration. The more_vertexpand menu icon displays.
Click the more_vertexpand menu icon.
Select Edit forwarder configuration.
Make your changes to the configuration. For more information, see the configuration steps in the procedure for adding forwarders.
Click Update.
Delete forwarders
On the Forwarders page, select the checkbox for each forwarder that you want to delete.
Click the more_vertexpand menu icon.
Select Delete.
In the Delete Forwarder dialog, click Delete.
Manage collectors
List the collectors in a Google SecOps instance
In the navigation bar, click Settings.
Under Settings, click Forwarders. The page displays the list of forwarders.
Click the expander arrow next to the Name column heading. This expands all of the forwarders, displaying up to five collectors for each forwarder.
If a forwarder has more than five collectors, click the See all collectors link.
Edit a collector configuration
In the navigation bar, click Settings.
Under Settings, click Forwarders. The page displays the list of forwarders.
Click the arrow_right expander arrow of the forwarder for which you want to edit a collector.
If there are more than five collectors, click the See all collectors link.
Hold the pointer over the collector for which you want to edit the configuration. The Edit option displays.
Click Edit.
Make your changes to the configuration. For more information, see the configuration steps in the procedure for adding collectors.
Click Update.
Delete a collector
In the navigation bar, click Settings.
Under Settings, click Forwarders. The page displays the list of forwarders.
Click the arrow_rightexpander arrow of the forwarder for which you want to delete a collector.
If there are more than five collectors, click the See all collectors link.
Hold the pointer over the collector for which you want to edit the configuration. The Delete option displays.
Click Delete.
To confirm, click Delete in the Delete collector dialog.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eForwarder configurations are managed through the Google Security Operations UI, requiring creation or recreation via the UI or API to utilize management features.\u003c/p\u003e\n"],["\u003cp\u003eConfiguring a forwarder involves two steps: establishing the forwarder framework, and adding at least one collector to define the data source.\u003c/p\u003e\n"],["\u003cp\u003eThe UI allows users to add, clone, edit, and delete forwarders, as well as manage collectors, which involves defining the source of data for ingestion.\u003c/p\u003e\n"],["\u003cp\u003eOnce configured with at least one collector, forwarder configuration files can be downloaded for deployment on machines with the forwarder software.\u003c/p\u003e\n"],["\u003cp\u003eCollectors can be configured with advanced settings such as batch timing, batch size, disk buffering, and other settings specific to the selected log and collector types.\u003c/p\u003e\n"]]],[],null,["# Manage forwarder configurations through the UI\n==============================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** Forwarder configuration files **not** created with the Google Security Operations UI or the forwarder management API cannot be managed with the Google SecOps UI. You need to re-create those configurations using the Google SecOps UI or the forwarder management API to take advantage of the forwarder management features.\n\nThis page describes how to create, manage, and download forwarder configurations\nusing the Google SecOps user interface (UI).\n\nForwarder configuration is a two-step process:\n\n1. Add forwarder configuration: This establishes the framework for your configuration.\n2. Add collector configuration: This defines the source of data that the forwarder will ingest. Without at least one collector, the forwarder does not have any data to work with.\n\nOnce you've added one or more collectors, the forwarder configuration is complete. You can then download it and deploy it onto a machine or device that has the forwarder software installed.\n\nFor information about how to install and configure the Google SecOps forwarder,\nsystem requirements, and details about configuration settings, see [Install and configure the forwarder](/chronicle/docs/install/install-forwarder).\n\nAdd forwarder configuration\n---------------------------\n\nInstead of *adding* a new forwarder, you can *clone* one or more existing\nforwarders. For details, see [Clone forwarders](#clone-forwarders).\n\nTo add a new forwarder, follow these steps:\n\n1. In the navigation bar, click **Settings**.\n2. Under **Settings** , click **Forwarders**.\n3. Click **Add new forwarder**.\n4. In the **Forwarder name** field, type a name.\n5. Optional: Expand the **Configuration values** section and specify the values. For information about the configuration settings, see [Determine the configuration](/chronicle/docs/install/install-forwarder#determinedata).\n\n6. Click **Submit**.\n\n The forwarder is added and **Add collector configuration** window appears.\n\nAdd collector configuration\n---------------------------\n\nYou can add one or more collectors to an existing forwarder. To add a new collector to a forwarder, follow these steps:\n\n1. In the navigation bar, click **Settings**.\n2. Under Settings, click **Forwarders**.\n3. On the **Forwarders** page, find the forwarder you want. If the list of forwarders is long, use the **Search** field.\n4. Hold the pointer over the forwarder for which you want to add a collector. The more_vert **expand menu icon** displays.\n5. Click the more_vert **expand menu icon**.\n6. Select **Add new collector**.\n7. In the **Collector name** field, type a name.\n8. Click the **Log type** field to view a list of log types, and do one of\n the following:\n\n - If you don't see the log type you want, start typing its name in the box to view more suggestions. For a complete list of supported log types, see [Supported data sets](/chronicle/docs/supported-datasets).\n - Select a log type from the list.\n9. Optional: Expand the **Configuration values** section and specify the values. For information about the configuration settings, see [Determine the configuration](/chronicle/docs/install/install-forwarder#determinedata).\n\n10. Optional: Expand the **Advanced settings** section and specify any of\n the following:\n\n - **Max seconds per batch:** The number of seconds between batches. The default is `10`.\n - **Max bytes per batch:** The number of bytes queued before the forwarder batch upload. The minimum is `204800 bytes`, which is `200 KB`. The maximum is `1048576 bytes`, which is `1MB`. The default is `1,048,576 bytes`, which is `1MB`.\n11. Recommended: **Disk buffer:** Set the toggle to **on** to enable disk\n buffering for the collector. For details about disk buffering,\n see [Disk buffering](/chronicle/docs/install/install-forwarder#diskbuffering).\n When enabled, you can specify the following settings:\n\n - **Directory path:** The directory path for files written.\n - **Maximum Buffered File Size (in bytes):** The maximum disk size used by the collector before backlogged messages are buffered to disk. The default is `1,073,741,824`. The maximum is `4,294,967,296`.\n12. Click the **Collector type** field and select a collector type. Each\n collector type has its own settings that you can configure. For details\n about the collector types and their settings, see\n [Determine the configuration](/chronicle/docs/install/install-forwarder#determinedata).\n\n13. Click **Submit**.\n\nDownload configuration files\n----------------------------\n\nDownloading the forwarder configuration files requires at least one collector. If you try to download a forwarder without a collector, you get an error.\n\nYou can download the forwarder configuration (`.conf`) file, authentication (`_auth.conf`) file, or both, for any forwarder listed in your Google SecOps instance as long as it has at least one collector. After downloading the files, deploy them on the Windows or Linux system where the Google SecOps forwarder resides.\n\nTo download forwarder configuration files:\n\n1. In the navigation bar, click **Settings**.\n2. Under Settings, click **Forwarders**. The page displays the list of forwarders.\n3. On the **Forwarders** page, find the forwarder you want. If the list of\n forwarders is long, use the **Search** field.\n\n4. Hold the pointer over the forwarder for which you want to download configuration files. The more_vert **expand menu icon** displays.\n\n5. Click the more_vert **expand menu icon**.\n\n6. Select **Download**.\n\n7. In the **Download forwarder configuration** dialog, do one of the following:\n\n - To download the forwarder configuration file, click the **download icon** next to the **`.conf`** file type.\n - To download the forwarder authentication file, click the **download icon** next to the **`_auth.conf`** file type.\n - To download both files, click **Download all**.\n\nManage forwarders\n-----------------\n\n### List the forwarders in a Google SecOps instance\n\n1. In the navigation bar, click **Settings**.\n2. Under Settings, click **Forwarders**. The page displays the list of forwarders.\n3. Optional: Sort the list by clicking the **Name** or **Last updated** column.\n\nOptionally, use the search field to narrow the results in your list.\n\n### Clone forwarders\n\nCloning lets you create a copy of one or more forwarder configurations.\n\nTo clone a forwarder configuration, follow these steps:\n\n1. On the Forwarders page, select the checkbox for each forwarder that you want to clone.\n\n2. Click the more_vert **expand menu icon**.\n\n3. Select **Clone**.\n\n4. Click **Clone**. A copy of each forwarder configuration is added.\n\n### Edit a forwarder configuration\n\n1. In the navigation bar, click **Settings**.\n2. Under Settings, click **Forwarders**. The page displays the list of forwarders.\n3. Hold the pointer over the forwarder for which you want to edit the configuration. The more_vert **expand menu icon** displays.\n\n4. Click the more_vert **expand menu icon**.\n\n5. Select **Edit forwarder configuration**.\n\n6. Make your changes to the configuration. For more information, see the configuration steps in the procedure for [adding forwarders](#add-forwarders).\n\n7. Click **Update**.\n\n### Delete forwarders\n\n1. On the Forwarders page, select the checkbox for each forwarder that you want to delete.\n\n2. Click the more_vert **expand menu icon**.\n\n3. Select **Delete**.\n\n4. In the Delete Forwarder dialog, click **Delete**.\n\nManage collectors\n-----------------\n\n### List the collectors in a Google SecOps instance\n\n1. In the navigation bar, click **Settings**.\n2. Under Settings, click **Forwarders**. The page displays the list of forwarders.\n3. Click the expander arrow next to the **Name** column heading. This expands all of the forwarders, displaying up to five collectors for each forwarder.\n4. If a forwarder has more than five collectors, click the **See all collectors** link.\n\n### Edit a collector configuration\n\n1. In the navigation bar, click **Settings**.\n2. Under Settings, click **Forwarders**. The page displays the list of forwarders.\n3. Click the arrow_right expander arrow of the forwarder for which you want to edit a collector.\n\n4. If there are more than five collectors, click the **See all collectors** link.\n\n5. Hold the pointer over the collector for which you want to edit the configuration. The **Edit** option displays.\n\n6. Click **Edit**.\n\n7. Make your changes to the configuration. For more information, see the configuration steps in the procedure for [adding collectors](#add-collectors).\n\n8. Click **Update**.\n\n### Delete a collector\n\n1. In the navigation bar, click **Settings**.\n2. Under Settings, click **Forwarders**. The page displays the list of forwarders.\n3. Click the arrow_right**expander arrow** of the forwarder for which you want to delete a collector.\n\n4. If there are more than five collectors, click the **See all collectors** link.\n\n5. Hold the pointer over the collector for which you want to edit the configuration. The **Delete** option displays.\n\n6. Click **Delete**.\n\n7. To confirm, click **Delete** in the Delete collector dialog.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
