I have a Windows server that receives logs from other Windows hosts (a log collector), and from the collector, events are sent to a FortiSIEM. The problem is that in the SIEM the IP that appears is always the collector's IP, and all host events are identified by that IP.
Is it possible to keep the original IP of each host?
My out config:
Exec $EventTime = integer($EventTime) / 1000000;
Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
Exec $Message = to_json(); to_syslog_snare();