On Mon, 2007-05-21 at 09:23 -0500, Ivey, Chris wrote:
> As I was discussing this issue with a colleague this AM, the question arose as to whether or not the restamping of messages from syslog-ng can be turned on and off for selected destinations, or if that was a global option. Anyone know?

If you can provide an example of the following we can provide some recommendations:

1. Original syslog message
2. Current forwarded syslog message (received by ArcSight)
3. Desired forwarded syslog message (the format ArcSight requires)
4. Your syslog-ng.conf (remove any IPs or other private info)

Should be easy to solve either with templates or modifying syslog-ng options. Also let us know if there are multiple syslog-ng servers involved (e.g. Unix server forwarding to centralized syslog-ng server forwarding to ArcSight).
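
An added illustration of the template approach mentioned above, not part of the original message and not the poster's configuration: the timestamp written to each destination can be chosen per destination with a template, while `keep_timestamp()` is set in the global options. It assumes syslog-ng 3.x macro names (`$S_DATE`, `$R_DATE`, `$MSGHDR`); the host name, port and file path are placeholders, and the output format shown is not a statement of what ArcSight requires.

```conf
# Added example: hosts, ports and paths below are placeholders.

options {
    # Global setting: yes = trust the timestamp carried in the received
    # message; no = overwrite it with the time of receipt.
    keep_timestamp(yes);
};

source s_net {
    udp(ip(0.0.0.0) port(514));
};

# Forwarded copy: keeps the sender's original timestamp ($S_DATE).
destination d_forward {
    udp("collector.example.com" port(514)
        template("<$PRI>$S_DATE $HOST $MSGHDR$MSG\n"));
};

# Local archive copy: stamped with the time this server received the
# message ($R_DATE), independent of what the sender claimed.
destination d_archive {
    file("/var/log/archive/$HOST.log"
        template("$R_DATE $HOST $MSGHDR$MSG\n"));
};

log {
    source(s_net);
    destination(d_forward);
    destination(d_archive);
};
```

Keeping a receipt-time copy alongside the forwarded one lets an analyst spot hosts whose clocks are wrong or whose claimed timestamps do not match arrival order.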