[rsyslog-notify] Forum Thread: Re: Forwarding FROM Central rsyslog server - (Mode 'reply')
noreply at adiscon.com
Wed Jan 22 02:55:29 CET 2014
User: dlang
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24117#p24117
Message:
----------
It's amazing how many SIM tools fail this basic requirement and look at the
source IP instead of the hostname in the message.
This is exactly why the omudpspoof module was written. Its performance is
poor compared to normal rsyslog forwarding because it needs to re-bind the
port for every message that it sends, but it can send messages via UDP and
the receiving machine sees the original source IP.
I would suggest having your systems send their logs to a relay box that
spoofs them to the OSSIM box and forwards them to the Splunk box(es) rather
than adding this load onto the Splunk system, but that's a judgement you
will need to make.
David Lang
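The relay layout David describes, written out as an rsyslog configuration. This is an added example and not part of the original post or the rsyslog project's documentation; the hostnames, ports and template name are placeholders chosen for illustration. It assumes rsyslog 7 or later with the omudpspoof module built against libnet, and that rsyslog keeps root (or CAP_NET_RAW) on the relay, since omudpspoof writes raw packets and stops working if privileges are dropped.

```rsyslog
# Relay box: accept syslog from the endpoints, send one copy to OSSIM with
# the original sender's IP spoofed as the UDP source, and a second copy to
# Splunk as a normal forward.
# Hostnames below are assumptions for the example, not from the original post.

module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

module(load="omudpspoof")

# Source-address template: the IP the relay saw the message come from.
# omudpspoof writes this as the source of every packet it emits.
template(name="SpoofSrc" type="string" string="%fromhost-ip%")

# Copy 1: OSSIM. UDP only; the target sees the endpoint's IP, not the relay's.
# Each message costs a fresh raw socket bind, hence the poor throughput noted
# in the post, so keep this action's queue bounded and do not block the rest.
action(type="omudpspoof"
       target="ossim.example.net"
       port="514"
       sourcetemplate="SpoofSrc"
       template="RSYSLOG_ForwardFormat"
       queue.type="LinkedList"
       queue.size="10000")

# Copy 2: Splunk over TCP. The source IP here is the relay's, so Splunk must
# read the host from the syslog header, which RSYSLOG_ForwardFormat keeps intact.
action(type="omfwd"
       target="splunk.example.net"
       port="514"
       protocol="tcp"
       template="RSYSLOG_ForwardFormat"
       queue.type="LinkedList"
       queue.size="10000")
```

The two actions have separate queues so that a slow OSSIM spoof path does not back up delivery to Splunk, and vice versa. If the relay has to log its own messages as well, note that `%fromhost-ip%` for locally generated messages is 127.0.0.1, so a filter on `$fromhost-ip` in front of the omudpspoof action is usually wanted.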