Just to verify, try a tcpdump of the traffic going through relay to see what syslog-ng is receiving.
-------- Original message --------
From: Scot <scotrn@gmail.com>
Date: 2/5/18 3:21 PM (GMT-05:00)
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] Rsyslog relay or syslog-ng ?
Hi,
Hoping someone has seen an easy fix for this. Sorry if it's specifically referenced somewhere I'm not seeing.
Dealing with a vendor who is not able to leverage the RFC headers or TCP input.
We have rsyslog relays in remote sites sending TCP/514 to syslog-ng and others locally sending directly to syslog-ng TCP/UDP 514.
The devices sending directly to syslog-ng are reporting to the IDS correctly. Hosts relaying through rsyslog are showing a source address of the relay.
/etc/rsyslog.d/forward.conf
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
/etc/syslog-ng/conf.d
source s_net_tcp {tcp(ip(0.0.0.0) port(514) max-connections(300) keep_hostname(yes) so_rcvbuf(262142) log_iw_size(25000)); };
source s_net_udp {syslog(ip(0.0.0.0) keep_hostname(yes) port(514) transport("udp") flags(no-hostname) so_rcvbuf(262142));};
destination d_ids {network("IDSHOSTNAME" spoof_source(yes) transport(udp) port(514) flags(syslog-protocol)); };
channel {filter(f_ids); destination (d_ids);};
channel {parser(pattern_db); destination (d_es);};
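The tcpdump check suggested in the reply, taken one step further as an added example (not code from the thread, from rsyslog or from syslog-ng): given (sender IP, payload) pairs as captured on port 514 of the syslog-ng host, it pulls the HOSTNAME field out of each RFC 3164 or RFC 5424 header and flags senders that deliver logs for several different hostnames, which is what a relay looks like on the wire and why spoof_source(yes) then re-sends those messages with the relay's address. All IPs and hostnames below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of what a capture on the syslog-ng host would show as
# (sender IP, syslog payload). 10.0.0.5 plays a hypothetical rsyslog relay,
# 10.0.1.10 a hypothetical device logging directly; nothing here is real data.
CAPTURE = [
    ("10.0.0.5",  "<13>Feb  5 15:21:01 web01 sshd[123]: Accepted publickey for ops"),
    ("10.0.0.5",  "<13>Feb  5 15:21:02 web02 sshd[456]: Failed password for root"),
    ("10.0.0.5",  "<14>1 2018-02-05T15:21:03Z db01 kernel - - - link up"),
    ("10.0.1.10", "<13>Feb  5 15:21:04 fw-edge kernel: DROP IN=eth0"),
    ("10.0.1.11", "<13>Feb  5 15:21:05 noise"),  # header with no parseable HOSTNAME
]

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG...   (day may be space-padded)
RFC3164 = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")
# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME ...  ("-" means no hostname)
RFC5424 = re.compile(r"^<\d{1,3}>1 \S+ (\S+) ")


def header_hostname(payload):
    """HOSTNAME from an RFC 3164 or RFC 5424 header, or None when absent."""
    m = RFC5424.match(payload) or RFC3164.match(payload)
    if not m or m.group(1) == "-":
        return None
    return m.group(1)


def hosts_per_sender(capture):
    """Map each sender IP to the set of distinct header hostnames it delivered."""
    seen = defaultdict(set)
    for src_ip, payload in capture:
        host = header_hostname(payload)
        if host is not None:
            seen[src_ip].add(host)
    return dict(seen)


def find_relays(capture):
    """Senders carrying logs for more than one hostname are relays. With
    spoof_source(yes), syslog-ng forwards their messages using the sender's
    IP, so the IDS attributes every host behind them to the relay address."""
    return sorted(ip for ip, hosts in hosts_per_sender(capture).items()
                  if len(hosts) > 1)
```

Feeding it a real capture means pairing each datagram's source address with its payload (for example from a pcap reader); the hostname check itself is the same.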