[rsyslog-notify] Forum Thread: relay select hosts through rsyslog to a SOC? - (Mode 'post')
noreply at adiscon.com
Tue May 5 23:42:39 CEST 2015
User: dkoleary
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25493#p25493
Message:
----------
Hey;
I have OEL 6.5 running rsyslog 5.8.10. I know, quite old but still the
only one available w/o going to source...
I have three (and soon to be four) separate datacenters with a skosh over
1100 linux clients all forwarding to three (and soon to be four) rsyslog
collectors. That part works great and I absolutely love it, even with the
antique version available via yum repos.
My company's recently signed an agreement with a security operations center
and I need to forward some but not all of my logs to their syslog
collector. I would prefer to do this from the syslog collectors as it's
easier to hit 3-4 systems to update relay lists than it is 1100.
In short, what I'm looking for is processing on the central loggers like:
1. Is the message from one that should be relayed?
   a. Yes: relay message ensuring original source IP remains the source
      IP; continue with normal processing.
   b. No: continue with normal processing.
Some initial googling resulted in phrases like relay chain and omudpspoof -
which apparently should be a dead last resort.
Can anyone point me in the right direction?
Thanks for your time/help/suggestions.
Doug O'Leary
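One way to express the "relay if listed, then continue" logic above in the legacy directive syntax that rsyslog 5.8 still accepts, as an added example that is not part of the post; the client addresses, the SOC collector name and the queue file name are assumed placeholders:

```rsyslog
# --- Added example: selective relay from a central collector to a SOC ---
# Give the forwarding action its own disk-assisted queue so a slow or
# unreachable SOC collector never blocks the collector's normal processing.
# $ActionQueue* directives apply only to the next action and reset after it.
$ActionQueueType LinkedList
$ActionQueueFileName socfwd            # assumed name, spooled under $WorkDirectory
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1             # keep retrying instead of dropping

# Expression filter: only messages whose sender is on the relay list are
# forwarded. $fromhost-ip is the address the collector received the
# message from, so this matches the original client, not a relay hop.
# Addresses and collector host are assumed placeholders.
if $fromhost-ip == '10.1.2.3' or $fromhost-ip == '10.1.2.4' then @@soc-collector.example.net:514;RSYSLOG_ForwardFormat

# Deliberately no "& ~" after the relay action: the message is not
# discarded and falls through to the normal rules that follow.
*.* /var/log/messages
```

With plain TCP or UDP forwarding the SOC collector sees the relay's address as the network source; the original client is carried in the HOSTNAME field of the forwarded record, which the built-in RSYSLOG_ForwardFormat template preserves. Actually rewriting the packet source address is exactly what omudpspoof does, which is why it is the last resort the poster mentions.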