Syslog forwarding , bogus ip adres
Martijng
We are in the process of ditching solarwinds kiwi syslog because its not performing, and is instable after every .net update. We mostly use syslog as an proxy between the customer network and our own datacenter where the siem is located.
One of the things we heavely use is an filter like log received from
host x.x.x.x
message text contains " modsecurity "
then forward the log to our siem but with an bogus ip adres like 127.0.12.1 we use this to split the logs to seperate logsources is such a filter possible with NXLog (community) we want to purchase the software but need to build a poc first
what we want to accomplish first, before doing fancy stuff is
listen on udp port 514 , forward that logs to an remote syslog server
i was thinking it was something simple like :
Module xm_syslog
Module im_udp
Host 0.0.0.0
Port 514
Exec parse_syslog();
Module om_tcp
Host 10.202.5.10
Port 530
Exec to_syslog_bsd();
Path in => out, outtcp
but that doesn rly do anything