Hi guys,

I have following setup in place:

remote server - 192.168.1.10

pseudomizer - syslog-ng PE in client mode - 192.168.2.10

SIEM - 192.168.3.10

So I am sending syslog logs from remote server to pseudomizer:

source src { internal()};

destination dst { udp ("192.168.2.10) port (514);};

log { source(src); destination (dst);

this is very old config from syslog v4

Then on pseudomizer - syslog-ng LTS 6.0.1 PE, I am collecting the logs, processing them - removing private data, putting pseudonyms instead and forwarding them to SIEM.

source s_net_udp514 {
    syslog(
        ip(192.168.2.10)
        ip-protocol(4)
        transport("udp")
        so_rcvbuf(2097152)
        );
};

source src {
        internal();
        unix-dgram("/dev/log");
        system ();
};

destination d_net_udp514 {
         syslog (
         "192.168.3.10"
         port(514)
         transport(udp)
         spoof_source(yes)
         mark_mode(periodical));};
rewrite r_rewrite {
subst("admin", "pseudonym000001", value("MESSAGE"), flags("global"));

log {
        source(s_net_udp514); source (src);
        rewrite(r_rewrite); # do the pseudomizing
        destination(d_net_udp514);
};

On SIEM device, I can see only pseudomizer internal logs (src), not processed logs from remote server.

Any advice ?

Many thanks.

Denis

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq