[syslog-ng] syslog-ng forwarding and processing issue
Denis Dolinský
denis.dolinsky at gmail.com
Wed Sep 28 13:17:08 CEST 2016
Hi guys,
I have the following setup in place:
remote server - 192.168.1.10
pseudomizer - syslog-ng PE in client mode - 192.168.2.10
SIEM - 192.168.3.10
So I am sending syslog logs from the remote server to the pseudomizer:
source src { internal(); };
destination dst { udp("192.168.2.10" port(514)); };
log { source(src); destination(dst); };
This is a very old config from syslog v4.
Then on the pseudomizer (syslog-ng LTS 6.0.1 PE) I am collecting the logs,
processing them (removing private data and putting pseudonyms in their place) and
forwarding them to the SIEM.
# receives IETF syslog (RFC 5424) over UDP on 192.168.2.10:514
source s_net_udp514 {
    syslog(
        ip("192.168.2.10")
        ip-protocol(4)
        transport("udp")
        so_rcvbuf(2097152)
    );
};
# local messages of the pseudomizer itself
source src {
    internal();
    unix-dgram("/dev/log");
    system();
};
# forward to the SIEM as IETF syslog over UDP, keeping the original sender address
destination d_net_udp514 {
    syslog(
        "192.168.3.10"
        port(514)
        transport("udp")
        spoof_source(yes)
        mark_mode(periodical)
    );
};
# replace every occurrence of "admin" in the MESSAGE part (also matches longer words such as "administrator")
rewrite r_rewrite {
    subst("admin", "pseudonym000001", value("MESSAGE"), flags("global"));
};
log {
    source(s_net_udp514); source(src);
    rewrite(r_rewrite); # do the pseudomizing
    destination(d_net_udp514);
};
On the SIEM device I can see only the pseudomizer's internal logs (src), not the
processed logs from the remote server.
Any advice?
Many thanks.
Denis
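A small check that is not part of the original post and not syslog-ng code: in syslog-ng the legacy udp() destination emits BSD-style (RFC 3164) messages, while a syslog() source and destination speak the IETF format (RFC 5424, with a version number after the priority). The script below classifies a captured line as one format or the other, so one can verify what the remote server actually puts on the wire before it reaches a syslog() source, and it applies the same "admin" -> "pseudonym000001" replacement to the MESSAGE part only, mirroring the subst() rewrite with flags("global"). The two sample lines and the host names are constructed for the example.

```python
import re

# Constructed samples: the shape a legacy udp() destination sends (RFC 3164)
# and the shape a syslog() source expects (RFC 5424). Host and message are made up.
SAMPLE_BSD = "<13>Sep 28 13:17:08 remote-server sshd[1234]: Accepted password for admin from 10.0.0.5"
SAMPLE_IETF = "<13>1 2016-09-28T13:17:08+02:00 remote-server sshd 1234 - - Accepted password for admin from 10.0.0.5"

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (MSG starts with the TAG, e.g. "sshd[1234]:")
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def classify(line):
    """Return 'rfc5424', 'rfc3164' or 'unknown' for one raw syslog datagram."""
    if RFC5424_RE.match(line):
        return "rfc5424"
    if RFC3164_RE.match(line):
        return "rfc3164"
    return "unknown"


def accepted_by_syslog_source(line):
    """A syslog-ng syslog() source parses the IETF format only; this predicate
    reflects that format check, not the full syslog-ng parser."""
    return classify(line) == "rfc5424"


def pseudonymize(line, needle="admin", replacement="pseudonym000001"):
    """Equivalent of subst(needle, replacement, value("MESSAGE"), flags("global")):
    replace every occurrence inside the MSG part and leave the header untouched.
    Returns None when the line matches neither format."""
    m = RFC5424_RE.match(line) or RFC3164_RE.match(line)
    if m is None:
        return None
    new_msg = m.group("msg").replace(needle, replacement)
    return line[: m.start("msg")] + new_msg + line[m.end("msg"):]


if __name__ == "__main__":
    for sample in (SAMPLE_BSD, SAMPLE_IETF):
        print(classify(sample), accepted_by_syslog_source(sample), pseudonymize(sample))
```

Run it against lines captured on the pseudomizer's UDP port (for example with tcpdump) instead of the constructed samples; a sender that still uses udp() will show up as rfc3164, which a syslog() source does not expect, whereas a network() or udp() source on the pseudomizer (or a syslog() destination on the sender) would match the format on both ends.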