[rsyslog-notify] Forum Thread: [PARSING] Rsyslog parsing for SIEM - (Mode 'post')
noreply at adiscon.com
Wed Feb 17 10:03:55 CET 2016
User: ltex
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26344#p26344
Message:
----------
Hi,
We are using rsyslog to gather information from multiple sources (RHEL,
CentOS, etc.) as syslog, and forward it to our Debian rsyslog server.
This Debian server is forwarding to the SIEM listener all the logs that it gets from
the endpoints.
In the rsyslog server we wrote a rule that will parse the incoming logs
and add a timestamp and the IP of the incoming endpoint.
And in the syslog of the rsyslog server (Debian), I really see all of this.
However, when Debian is forwarding this log to the SIEM, in the SIEM I see only
the data that comes after the timestamp & IP... (so we cannot see in the
SIEM what is the ORIGINAL endpoint that generated this log).
Can this somehow be solved?
D.
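The usual cause of what the post describes is that the forwarding action was left on rsyslog's default forward template (RSYSLOG_ForwardFormat), which re-emits only the endpoint's original syslog header and body, while the template that adds the reception time and source IP was applied only to the local file action. The fix is to give the omfwd action its own template. The configuration below is an added example written for this reply, not the poster's own rule or anything from the rsyslog project; it targets the RainerScript syntax of rsyslog v7/v8, and the listener ports, file path and SIEM address are assumptions.

```rsyslog
# Added example (not the original poster's configuration): rsyslog relay that
# keeps the relay-seen source IP and reception time on the copy sent to the SIEM.
# Ports, the log file path and the SIEM address are assumed values.

# Listen for the RHEL/CentOS endpoints on UDP and TCP 514 (assumed ports).
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# %fromhost-ip% is the address of the peer that actually delivered the message
# to this relay, so it cannot be spoofed by the endpoint the way the HOSTNAME
# field in the syslog header can. %timegenerated% is the relay's reception
# time; %timereported% is the timestamp the endpoint itself put in the header.
# Placing %fromhost-ip% in the HOSTNAME position keeps the line a valid
# RFC 3164 header, so the SIEM's syslog parser still understands it; the
# endpoint's own hostname and timestamp follow in the tag/message part.
template(name="SIEMFormat" type="string"
         string="<%pri%>%timegenerated:::date-rfc3339% %fromhost-ip% orig-host=%hostname% orig-time=%timereported:::date-rfc3339% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")

# Same layout with a trailing newline for the local file (omfile needs it;
# omfwd over TCP adds its own frame delimiter, so the forward template has none).
template(name="SIEMFileFormat" type="string"
         string="<%pri%>%timegenerated:::date-rfc3339% %fromhost-ip% orig-host=%hostname% orig-time=%timereported:::date-rfc3339% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n")

# Only handle messages that arrived over the network; the relay's own local
# messages show up with fromhost-ip 127.0.0.1 and keep their normal path.
if ($fromhost-ip != "127.0.0.1") then {
    # Local copy on the relay (assumed path).
    action(type="omfile" file="/var/log/remote.log" template="SIEMFileFormat")

    # Forward to the SIEM. Without template= here, omfwd falls back to
    # RSYSLOG_ForwardFormat and the SIEM only ever sees the endpoint's
    # original header, which is exactly the symptom described in the post.
    action(type="omfwd" target="siem.example.net" port="514" protocol="tcp"
           template="SIEMFormat")
    stop
}
```

One caveat: %fromhost-ip% is the address of the last hop, so if another relay sits between the endpoints and the Debian box it is that relay's IP that will appear, not the endpoint's. To check the result end to end, send a test line from one endpoint (for example with util-linux logger, `logger -n <relay-ip> -P 514 -d "relay test"`, where the relay IP is whatever applies in your network) and confirm that the line arriving at the SIEM carries that endpoint's IP in the hostname position and the relay's reception time in front of it.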