NXLog as syslog relay


#1 ptrivino

At the moment, I need a solution to a particular problem. I need to use a syslog relay agent to receive syslog data at the NXLog host and relay it to another collector. This is to reduce the number of firewall rules needed to get syslogs from more secure areas of the network out to our SIEM. I would especially like the source of the syslog to be the same as the original source host, i.e. I don't want all 5 hosts for which I am relaying syslog data to appear in the SIEM as if the source is the NXLog relay host.

I am just beginning to look into this so any assistance is appreciated.

Paul

#2 rafDeactivated Nxlog ✓

Hey,

Correct me if I'm wrong - so you'd like to substitute all the incoming hosts from all machines with a single one, assigned to your relay machine?

In the simplest approach, you may use an Exec block, something like this:

Exec $Hostname = 'myhost';

would work for a hard-coded hostname. You can also use the hostname() procedure for this purpose.

Hope this helps!

Rafal
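For what the original question actually asks (the SIEM should see each original sender, not the relay), here is an added example of a minimal NXLog relay configuration. It is not from this thread or from NXLog's own documentation; the listening port, the SIEM address siem.example.com and the UDP transport are assumptions, and the Host/Port directives are the classic im_udp/om_udp syntax (newer Enterprise Edition releases also accept ListenAddr).

```conf
# Added example: relay BSD syslog from protected hosts to a SIEM while
# keeping the original sender in the syslog HOSTNAME field.

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input in_relay>
    Module      im_udp
    Host        0.0.0.0          # listen on all relay interfaces (assumption)
    Port        514
    # parse_syslog() reads the PRI and header of each received message and
    # fills $SyslogFacility, $SyslogSeverity, $EventTime, $Hostname, etc.
    # $Hostname therefore holds the ORIGINAL sender's name, not the relay's.
    Exec        parse_syslog();
    # Caveat: the HOSTNAME header is self-reported by the sender. The IP the
    # relay actually received the datagram from is in $MessageSourceAddress;
    # uncomment the next line to expose it to the SIEM as an extra field.
    # Exec        $RelayPeer = $MessageSourceAddress;
</Input>

<Output out_siem>
    Module      om_udp
    Host        siem.example.com   # SIEM collector (assumption)
    Port        514
    # to_syslog_bsd() rebuilds the header from the parsed fields, so the
    # $Hostname set by parse_syslog() above is what the SIEM sees as the
    # source. Do NOT assign $Hostname = hostname() here, or every event
    # would appear to come from the relay.
    Exec        to_syslog_bsd();
</Output>

<Route relay>
    Path        in_relay => out_siem
</Route>
```

Only the relay-to-SIEM path needs a firewall rule; the protected hosts keep sending to the relay, and each event still carries its own hostname when it reaches the SIEM.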