Michael,

Let's say for the sake of discussion all syslogs arrive from here:

source s_general { tcp(ip(10.153.29.235) port (514) max-connections(1000) ); };
Now you could do this:
source s_general { tcp(ip(10.153.29.235) port (514) max-connections(1000) ); };

source s_loopback_local {
    # set properties to preserve hostnames
    udp(ip(127.0.0.1) port(5140));
};

source s_loopback_tripwire {
    # set properties to preserve IP addresses
    udp(ip(127.0.0.1) port(5141));
};

destination d_loopback_local {
    # set appropriate template
    udp("127.0.0.1" port(5140));
};

destination d_loopback_tripwire {
    # set appropriate template
    udp("127.0.0.1" port(5141));
};

log { source(s_general); destination(d_loopback_local); destination(d_loopback_tripwire); flags(final); };
log { source(s_loopback_local); destination(***local storage log files***); };
log { source(s_loopback_tripwire); destination(***remote relay to tripwire using d_tripwire_udp***); };

destination d_tripwire_udp { udp("10.153.29.249" port (514)); };
Is this description more clear?

Cheers,
Matthew.

On Mon, Oct 25, 2010 at 07:57:08PM -0400, Worsham, Michael wrote:
> Umm... what? Totally lost me there.
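A filled-in version of the loopback fan-out Matthew sketches above, added here as an editor's example and not taken from the thread or from any syslog-ng documentation. The two addresses (10.153.29.235 for the relay, 10.153.29.249 for Tripwire) and the loopback ports 5140/5141 are the ones from the thread; the @version line, the source options (keep_hostname, use_dns, so_rcvbuf), both templates, and the file path /var/log/relay/messages are assumptions written against syslog-ng 3.x syntax.

```conf
@version: 3.2
# Added example, not from the original thread.  Addresses and loopback
# ports come from the thread; the options, templates and file path are
# assumptions.

# Everything arrives here over TCP.  keep_hostname(yes) keeps the hostname
# the sender wrote into its own header; $SOURCEIP is taken from the TCP
# peer regardless of this option.
source s_general {
    tcp(ip(10.153.29.235) port(514) max-connections(1000) keep_hostname(yes));
};

# Loopback re-entry points.  keep_hostname(yes) is essential on both:
# without it syslog-ng overwrites the host field with the UDP peer, which
# here is always 127.0.0.1, and the two copies become indistinguishable.
source s_loopback_local {
    udp(ip(127.0.0.1) port(5140) keep_hostname(yes) use_dns(no)
        so_rcvbuf(1048576));
};
source s_loopback_tripwire {
    udp(ip(127.0.0.1) port(5141) keep_hostname(yes) use_dns(no)
        so_rcvbuf(1048576));
};

# First hop: rewrite the header before looping back.
# The local copy keeps the sender's own hostname in the host field.
destination d_loopback_local {
    udp("127.0.0.1" port(5140)
        template("<$PRI>$DATE $HOST $MSGHDR$MSG\n"));
};
# The Tripwire copy puts the sender's IP address in the host field instead.
# This is the only place $SOURCEIP still names the original sender; after
# the loopback hop it would read 127.0.0.1.
destination d_loopback_tripwire {
    udp("127.0.0.1" port(5141)
        template("<$PRI>$DATE $SOURCEIP $MSGHDR$MSG\n"));
};

# Final destinations (assumed file path; see the note on $HOST below).
destination d_local_files {
    file("/var/log/relay/messages" template("$DATE $HOST $MSGHDR$MSG\n"));
};
destination d_tripwire_udp {
    udp("10.153.29.249" port(514));
};

# flags(final) stops s_general messages from matching any later log path,
# so only the re-entered copies reach the real destinations.
log { source(s_general);
      destination(d_loopback_local); destination(d_loopback_tripwire);
      flags(final); };
log { source(s_loopback_local);    destination(d_local_files); };
log { source(s_loopback_tripwire); destination(d_tripwire_udp); };
```

Two caveats a practitioner would want before copying this. First, once keep_hostname(yes) is on, $HOST on the local path is whatever the sending host put in its header, so it is sender-controlled: do not build file paths from it (file("/var/log/$HOST/...")) unless every sender on port 514 is trusted, because a forged header can steer the write. If you would rather record the TCP peer's identity, set keep_hostname(no) on s_general (with use_dns(yes) or no as you prefer) and the local copy will carry the peer's name or address instead. Second, the loopback hop is UDP, so anything arriving faster than the kernel drains the socket is dropped silently; so_rcvbuf() is capped by net.core.rmem_max, and if you need the two copies to be lossless, use tcp() on the loopback sources and destinations with the same keep_hostname/template settings.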