Hi guys,
I have the following setup in place:
remote server - 192.168.1.10
pseudomizer - syslog-ng PE in client mode - 192.168.2.10
SIEM - 192.168.3.10
So I am sending syslog logs from the remote server to the pseudomizer:
source src { internal(); };
# port() belongs inside the udp() driver; closing quote on the address was missing
destination dst { udp("192.168.2.10" port(514)); };
log { source(src); destination(dst); };
This is a very old config, from syslog v4.
Then on the pseudomizer (syslog-ng 6.0.1 LTS PE) I am collecting the logs, processing them (removing private data and putting pseudonyms in its place) and forwarding them to the SIEM.
# receive from the remote server on UDP/514 (syslog() defaults to 514 for UDP)
source s_net_udp514 {
    syslog(
        ip("192.168.2.10")
        ip-protocol(4)
        transport("udp")
        so_rcvbuf(2097152)
    );
};
# the pseudomizer's own local logs
source src {
    internal();
    unix-dgram("/dev/log");
    system();
};
# forward to the SIEM
destination d_net_udp514 {
    syslog(
        "192.168.3.10"
        port(514)
        transport("udp")
        spoof_source(yes)
        mark_mode(periodical)
    );
};
# replace every occurrence of "admin" in the message body with a pseudonym
rewrite r_rewrite {
    subst("admin", "pseudonym000001", value("MESSAGE"), flags("global"));
};
log {
    source(s_net_udp514); source(src);
    rewrite(r_rewrite); # do the pseudomizing
    destination(d_net_udp514);
};
On the SIEM device I can see only the pseudomizer's internal logs (src), not the processed logs from the remote server.
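The following is an added example, not code from the original post or from syslog-ng itself. It reproduces what the rewrite rule above does (a global, plain-substring replacement of "admin" by "pseudonym000001" scoped to the message body, i.e. syslog-ng's $MESSAGE) on raw UDP datagrams, and accepts both framings involved in this setup: the BSD-syslog (RFC 3164) lines that a udp() destination emits and the IETF (RFC 5424) messages that a syslog() source expects. The pseudonym table and the sample datagrams are constructed for the example. The `leaks()` check is the kind of test worth running before forwarding to a SIEM: it reports identifiers that are still visible anywhere in the datagram, which exposes the main caveat of value("MESSAGE"), namely that the same identity in the HOST, PROGRAM or structured-data fields is not rewritten.

```python
import re

# Constructed pseudonym table (assumption): real identifier -> stable pseudonym
PSEUDONYMS = {"admin": "pseudonym000001", "jdoe": "pseudonym000002"}


def detect_format(datagram):
    """RFC 5424 starts with '<PRI>1 ' (version 1); RFC 3164 has only '<PRI>'."""
    if re.match(r"^<\d{1,3}>1 ", datagram):
        return "rfc5424"
    if re.match(r"^<\d{1,3}>", datagram):
        return "rfc3164"
    return "unknown"


def _skip_structured_data(s, i):
    """Return the index just past the STRUCTURED-DATA element(s) starting at s[i]."""
    if s[i] == "-":          # NILVALUE: no structured data
        return i + 1
    while i < len(s) and s[i] == "[":
        j = i + 1
        while j < len(s):
            if s[j] == "\\":  # escaped character inside a PARAM-VALUE
                j += 2
                continue
            if s[j] == "]":
                break
            j += 1
        i = j + 1
    return i


def split_message(datagram):
    """Split a datagram into (header, message); message mirrors syslog-ng's $MESSAGE."""
    fmt = detect_format(datagram)
    if fmt == "rfc5424":
        # <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG: six spaces precede SD
        pos = 0
        for _ in range(6):
            pos = datagram.index(" ", pos) + 1
        end = _skip_structured_data(datagram, pos)
        if end < len(datagram) and datagram[end] == " ":
            return datagram[:end + 1], datagram[end + 1:]
        return datagram[:end], ""          # no MSG part at all
    if fmt == "rfc3164":
        # <PRI>Mmm dd hh:mm:ss HOST TAG: MSG; $MESSAGE excludes the TAG (program[pid]:)
        m = re.match(
            r"^(<\d{1,3}>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ )"
            r"(?:[^:\s\[]+(?:\[\d+\])?: )?",
            datagram,
        )
        if m:
            return datagram[:m.end()], datagram[m.end():]
    return "", datagram                    # unknown framing: treat everything as message


def pseudonymize(datagram, table=PSEUDONYMS):
    """Same semantics as subst(real, alias, value("MESSAGE"), flags("global"))."""
    header, message = split_message(datagram)
    for real, alias in table.items():
        message = message.replace(real, alias)   # substring match, every occurrence
    return header + message


def leaks(datagram, table=PSEUDONYMS):
    """Identifiers still present anywhere in the datagram (header fields included)."""
    return [real for real in table if real in datagram]


if __name__ == "__main__":
    # Constructed samples: one BSD-syslog line, one RFC 5424 message
    samples = [
        "<13>Oct  5 12:00:01 web01 sshd[1234]: Accepted password for admin from 10.0.0.5",
        '<165>1 2024-01-01T00:00:00Z admin-pc sudo 4711 ID47 [meta user="admin"] admin ran: sudo su',
    ]
    for s in samples:
        out = pseudonymize(s)
        print(detect_format(s), "->", out, "| leaks:", leaks(out))
```

Because the rule matches a bare substring, "administrator" would also be rewritten; and because it is scoped to the message body, the hostname "admin-pc" and the structured-data value in the second sample survive the rewrite unchanged, which `leaks()` reports. Covering those fields needs additional subst() rules on value("HOST"), value("PROGRAM") and the relevant SDATA macros.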