On Mon, 2007-05-21 at 09:23 -0500, Ivey, Chris wrote:
> As I was discussing this issue with a colleague this AM, the question
> arose as to whether or not the restamping of messages from syslog-ng
> can be turned on and off for selected destinations, or if that was a
> global option. Anyone know?

If you can provide an example of the following, we can provide some recommendations:

1. Original syslog message
2. Current forwarded syslog message (received by ArcSight)
3. Desired forwarded syslog message (the format ArcSight requires)
4. Your syslog-ng.conf (remove any IPs or other private info)

Should be easy to solve either with templates or modifying syslog-ng options. Also let us know if there are multiple syslog-ng servers involved (e.g. Unix server forwarding to centralized syslog-ng server forwarding to ArcSight).