[rsyslog-notify] Forum Thread: Re: omudspoof and ASA - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Tue Feb 11 23:59:32 CET 2014


User: zangfro 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24213#p24213

Message: 
----------
The vlan that the rsyslog server (192.127.15.7) is on, is the vlan that ASA
interface (192.127.15.14) is the Default GW for.

Flow is such: ASA Syslog Message w/o filter (Src=192.127.15.14)  ---->
rSyslog FWD ASA Syslog Message to remote (omudpspoof
Src-ip=(192.127.15.14), not src-ip of rsyslog server) ----> ASA (drop
src-ip of syslog message same as int)

I think the reason why we are doing that and spoofing in general, and I
think I understand your reply, sorry it's been a long day, is that we have
two SIEMs and 1 can parse the rsyslog message without spoofing just fine,
but our other cannot and we had to implement spoofing to accommodate that
software, so that is why it's a blanket config.

I'm pretty new to this software, so if I am missing something here I
apologize.

