
Hi everyone,

Here is a brief overview of what I'm trying to do:

            +----------+ tcp1514 +-----+  tcp514 +---------+
            |Originator|---->----|Relay|---->----|Collector|
            +----------+         +-----+  syslog +---------+
           192.168.56.10      192.168.56.18     192.168.56.14 

Here is the message I get in RSA:

ReceivedTimeStamp RelayHostname [LogMessage]

I would like to have this

ReceivedTimeStamp OriginatorHostname [LogMessage]

I think I'm supposed to throw in an Exec $Hostname = hostname(); somewhere, but where exactly?

Here is what my conf files look like:

Originator:

<Input in>
    Module    im_file
    Recursive    TRUE
    File    'C:\\IIS\\*.log'
</Input>

<Output out>
    Module  om_tcp
    Host    192.168.56.18
    Port    1514
</Output>

<Route 1>
    Path    in => out
</Route>

Relay:

<Extension syslog>
    Module    xm_syslog
</Extension>

<Input in>
    Module im_tcp
    Port 1514
    Host 0.0.0.0
</Input>

<Output out>
    Module  om_tcp
    Host    192.168.56.14
    Port    514
    Exec    to_syslog_bsd();
</Output>
    
<Route 1>
    Path    in => out
</Route>

Thanks for your help.

Asked August 25, 2016 - 4:25pm

Answer (1)

to_syslog_bsd() will put the value of $Hostname in the generated syslog line. If it does not exist the local hostname is used. That's why you are seeing the relay's hostname there. To fix this you can:

  • add Exec parse_syslog() to your input so that $Hostname is filled,
  • remove to_syslog_bsd() so that the syslog data will be transferred unaltered.

In addition to the above, since the data sent is not syslog, you need to format it that way on the client:

<Output out>
    Module  om_tcp
    Host    192.168.56.18
    Port    1514
    # $Message is built from the core $raw_event field (the original read "raw_event", which is not a field reference)
    Exec    $Message = $raw_event; to_syslog_bsd();
</Output>
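The two steps of the answer (format as syslog on the originator; parse the header on the relay so $Hostname is populated before the line is rebuilt) put together as one complete pair of configurations. This is an added example, not the poster's configuration or NXLog's own documentation; it assumes the addresses and ports from the diagram above and keeps the originator's File path as the poster gave it.

```nxlog
# ---------------- Originator (192.168.56.10) ----------------
<Extension syslog>
    Module    xm_syslog
</Extension>

<Input in>
    Module    im_file
    File      'C:\\IIS\\*.log'
    Recursive TRUE
</Input>

<Output out>
    Module    om_tcp
    Host      192.168.56.18
    Port      1514
    # Build a BSD syslog line before sending. $Hostname is not set here,
    # so to_syslog_bsd() writes this machine's own hostname into the header,
    # which is the identity the collector should ultimately see.
    Exec      $Message = $raw_event; to_syslog_bsd();
</Output>

<Route 1>
    Path      in => out
</Route>

# ---------------- Relay (192.168.56.18) ----------------
<Extension syslog>
    Module    xm_syslog
</Extension>

<Input in>
    Module    im_tcp
    Host      0.0.0.0
    Port      1514
    # Parse the incoming BSD syslog header. This fills $Hostname (and
    # $EventTime, $SyslogFacility, $SyslogSeverity, $Message) from the
    # originator's line instead of leaving them unset.
    Exec      parse_syslog();
</Input>

<Output out>
    Module    om_tcp
    Host      192.168.56.14
    Port      514
    # Because $Hostname now holds the originator's name, the rebuilt line
    # keeps it; the relay's hostname is no longer substituted.
    # Alternative from the answer: drop this Exec entirely and the relay
    # forwards the originator's syslog line unaltered.
    Exec      to_syslog_bsd();
</Output>

<Route 1>
    Path      in => out
</Route>
```

A quick check after the change: compare the hostname field in a line captured on the collector with the originator's hostname; if it still reads as the relay, the relay's input is not parsing the header (parse_syslog() missing) or the originator is not sending syslog-formatted lines.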

Comments (1)

  • fbrollo

    Hey thank you for the reply.
    For some reason, it works even without "Exec $Message = $raw_event;" (by that I mean that when RSA is set up to receive syslog, it is receiving the data correctly.)