<div dir="ltr">Hi, <div><br></div><div>The destination on your remote server and the source on the pseudomizer host do not match: the first one uses the udp() driver (RFC3164 protocol), while the second uses the syslog() driver (RFC5424 protocol). </div><div><br></div><div>Change the destination driver to syslog() on the remote server. (For more possibilities, see <a href="https://www.balabit.com/documents/syslog-ng-pe-latest-guides/en/syslog-ng-pe-guide-admin/html/concepts-things-to-consider.html">https://www.balabit.com/documents/syslog-ng-pe-latest-guides/en/syslog-ng-pe-guide-admin/html/concepts-things-to-consider.html</a> )</div><div><br></div><div>HTH</div><div><br></div><div>Robert</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 28, 2016 at 1:17 PM, Denis Dolinský <span dir="ltr"><<a href="mailto:denis.dolinsky@gmail.com" target="_blank">denis.dolinsky@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div><div><div><div><div><div><div><div><div>Hi guys,<br><br></div>I have the following setup in place:<br></div>remote server - 192.168.1.10<br></div>pseudomizer - syslog-ng PE in client mode - 192.168.2.10<br></div>SIEM - 192.168.3.10<br><br></div>So I am sending syslog logs from the remote server to the pseudomizer:<br></div>source src { internal(); };<br></div>destination dst { udp("192.168.2.10" port(514)); };<br></div>log { source(src); destination(dst); };<br><br></div>This is a very old config from syslog v4.<br><br></div>Then on the pseudomizer - syslog-ng LTS 6.0.1 PE - I am collecting the logs, processing them (removing private data, putting pseudonyms instead) and forwarding them to the SIEM.<br><br>source s_net_udp514 {<br> syslog(<br> ip("192.168.2.10")<br> ip-protocol(4)<br> transport("udp")<br> so_rcvbuf(2097152)<br> );<br>};<br><br>source src {<br> internal();<br> unix-dgram("/dev/log");<br> system();<br>};<br><br>destination d_net_udp514 {<br> syslog(<br> "192.168.3.10"<br> port(514)<br> transport("udp")<br> spoof_source(yes)<br> mark_mode(periodical)<br> );<br>};<br><br>rewrite r_rewrite {<br> subst("admin", "pseudonym000001", value("MESSAGE"), flags("global"));<br>};<br><br>log {<br> source(s_net_udp514); source(src);<br> rewrite(r_rewrite); # do the pseudomizing<br> destination(d_net_udp514);<br>};<br><br></div>On the SIEM device, I can see only the pseudomizer's internal logs (src), not the processed logs from the remote server.<br><br></div>Any advice?<br><br></div>Many thanks.<span class="HOEnZb"><font color="#888888"><br><br></font></span></div><span class="HOEnZb"><font color="#888888">Denis<br></font></span></div>
<br></blockquote></div><br></div>
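The failure mode Robert diagnoses above can be reproduced without a syslog-ng instance. The block below is an added illustration, not code from the thread or from syslog-ng: it implements strict parsers for the two wire formats the two drivers speak (BSD/RFC 3164 for udp(), RFC 5424 for syslog()), feeds them constructed sample datagrams, and emulates the pseudomizer's pipeline. A syslog()-style source applied to RFC 3164 datagrams parses nothing, so nothing from the remote server reaches the SIEM while the host's own internal() messages still do, which is exactly what Denis observes. The hostnames, timestamps and message text in the samples are constructed, and the pseudonymisation mirrors the global subst() from the quoted config.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed sample datagrams (not taken from the thread). The first is the
# shape a udp() destination emits (RFC 3164 / BSD syslog); the second is the
# shape a syslog() destination emits (RFC 5424, VERSION field "1").
RFC3164_SAMPLE = "<13>Sep 28 13:17:00 remote-server sshd[1234]: Accepted password for admin"
RFC5424_SAMPLE = ("<13>1 2016-09-28T13:17:00+02:00 remote-server sshd 1234 - - "
                  "Accepted password for admin")

# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss SP HOSTNAME SP MSG (TAG is part of MSG)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<msg>.*)$"
)


@dataclass
class SyslogMessage:
    fmt: str          # "rfc3164" or "rfc5424"
    facility: int     # PRI // 8
    severity: int     # PRI % 8
    hostname: str
    message: str


def parse_rfc5424(datagram: str) -> Optional[SyslogMessage]:
    """Strict RFC 5424 parse; returns None for anything that is not 5424 (as a syslog() source expects)."""
    m = RFC5424_RE.match(datagram)
    if not m or m.group("version") != "1":
        return None
    pri = int(m.group("pri"))
    return SyslogMessage("rfc5424", pri // 8, pri % 8, m.group("hostname"), m.group("msg"))


def parse_rfc3164(datagram: str) -> Optional[SyslogMessage]:
    """BSD-syslog parse; returns None for datagrams that do not carry a BSD timestamp."""
    m = RFC3164_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group("pri"))
    return SyslogMessage("rfc3164", pri // 8, pri % 8, m.group("hostname"), m.group("msg"))


def pseudonymize(msg: SyslogMessage) -> SyslogMessage:
    """Mirror of subst("admin", "pseudonym000001", value("MESSAGE"), flags("global")).
    Plain substring replacement, so it also rewrites the prefix of words such as 'administrator'."""
    return replace(msg, message=msg.message.replace("admin", "pseudonym000001"))


def process(datagrams: List[str], source_driver: str) -> Tuple[List[SyslogMessage], int]:
    """Emulate the pseudomizer host: the source driver decides which parser runs on the UDP payload.
    Returns (messages forwarded to the SIEM, number of datagrams that could not be parsed)."""
    parser = parse_rfc5424 if source_driver == "syslog" else parse_rfc3164
    forwarded: List[SyslogMessage] = []
    dropped = 0
    for datagram in datagrams:
        parsed = parser(datagram)
        if parsed is None:
            dropped += 1          # no message object, so nothing reaches the destination
            continue
        forwarded.append(pseudonymize(parsed))
    return forwarded, dropped


if __name__ == "__main__":
    # Mismatch from the thread: udp() sender (RFC 3164) into a syslog() source (RFC 5424).
    fwd, dropped = process([RFC3164_SAMPLE], "syslog")
    print(f"syslog() source, RFC3164 input: forwarded={len(fwd)} dropped={dropped}")
    # After Robert's fix: syslog() sender into a syslog() source.
    fwd, dropped = process([RFC5424_SAMPLE], "syslog")
    print(f"syslog() source, RFC5424 input: forwarded={len(fwd)} dropped={dropped}")
    print(fwd[0].message)
```

Running the block prints a forwarded count of 0 for the mismatched pair and 1 for the matched pair, with "admin" already replaced in the forwarded text. The same check is useful in the other direction: a udp() source fed RFC 5424 datagrams would not parse either, so when a SIEM stops receiving a feed, comparing the sender's driver with the receiver's driver is a cheaper first step than inspecting the rewrite rules.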