In the path, try using it like this:

"/var/log/netlog/app/${HOST}/${PROGRAM}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log"

On Wed, Nov 13, 2019 at 7:36 PM <freebsd@tango.lu> wrote:
Hello,

I have a syslogNG based siem setup with customized rules like:

options {
         use_dns(no);
         use_fqdn(no);
         check_hostname(no);
         owner(root);
         group(root);
         perm(0640);
         dir_owner(root);
         dir_group(root);
         dir_perm(0750);
         create_dirs(yes);
         normalize_hostnames(yes);
         keep_hostname(yes);
         # disable stats
         stats_freq(0);
};



destination d_net_auth {
file("/var/log/corporate/$HOST_FROM/auth.log"); };
...

These settings do not do DNS resolution, with the result that when hosts
send their logs into this SIEM, directories are created by their
IP addresses, where the logs go.

I would like to replicate this server on a second location without using
brute methods like rsyncing the whole directory structure daily. I have
configured syslogng to keep forwarding the logs to a remote destination
which works fine however I can't select the messages based on the same
criteria on the new log server because if I use the same config
everything will originate from the IP for logserver 1.  I need IP based
directories on the second loghost as well, everything to be identical.

I'm using syslogng 3.12.

Is there a workaround for this?

Thanks
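
An added example, not part of the original thread: one way to apply the `${HOST}` suggestion so the second log server builds the same IP-named directories. It assumes the first server writes `$HOST_FROM` into the hostname field of each forwarded message; the source name `s_net`, the address `192.0.2.20` and port 514 are placeholders.

```conf
# ---- logserver 1 (relay side) ----
# Assumption: s_net is the existing network source on logserver 1.
# The local file destination keeps using $HOST_FROM as before.
# For forwarding, the hostname field of the outgoing message is replaced
# with $HOST_FROM, which with use_dns(no) is the sender's IP address.
destination d_replica {
    network("192.0.2.20"            # placeholder address of logserver 2
        port(514)
        transport("tcp")
        template("<${PRI}>${DATE} ${HOST_FROM} ${MSGHDR}${MSG}\n")
    );
};

log { source(s_net); destination(d_replica); };

# ---- logserver 2 (replica side) ----
options {
    use_dns(no);
    keep_hostname(yes);   # trust the hostname field set by logserver 1
    create_dirs(yes);
    dir_perm(0750);
    perm(0640);
};

source s_relay {
    network(ip(0.0.0.0) port(514) transport("tcp"));
};

# On this host $HOST_FROM is always logserver 1, so the path uses ${HOST},
# which now carries the original sender's IP.
destination d_net_auth {
    file("/var/log/corporate/${HOST}/auth.log");
};

log { source(s_relay); destination(d_net_auth); };
```

Because `keep_hostname(yes)` on the second server makes the directory name depend on a field inside the message, the listening port there should accept connections only from the first server.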