Let's Talk
Let's Talk

Syslog forwarding , bogus ip adres

Tags:
#1 Martijng

We are in the process of ditching solarwinds kiwi syslog because its not performing, and is instable after every .net update. We mostly use syslog as an proxy between the customer network and our own datacenter where the siem is located.

One of the things we heavely use is an filter like log received from

host x.x.x.x message text contains " modsecurity "

then forward the log to our siem but with an bogus ip adres like 127.0.12.1 we use this to split the logs to seperate logsources is such a filter possible with NXLog (community) we want to purchase the software but need to build a poc first

what we want to accomplish first, before doing fancy stuff is

listen on udp port 514 , forward that logs to an remote syslog server

i was thinking it was something simple like :

Module xm_syslog 
<Input in>
    Module  im_udp
    Host    0.0.0.0
    Port    514
    Exec    parse_syslog();
</Input>

<Output outtcp>
    Module  om_tcp
    Host    10.202.5.10
    Port    530
    Exec    to_syslog_bsd();
</Output>

<Route 1>
    Path  in => out, outtcp
</Route>

but that doesn rly do anything

Permalink
#2 MisazivDeactivated Nxlog ✓
#1 Martijng
We are in the process of ditching solarwinds kiwi syslog because its not performing, and is instable after every .net update. We mostly use syslog as an proxy between the customer network and our own datacenter where the siem is located. One of the things we heavely use is an filter like log received from host x.x.x.x message text contains " modsecurity " then forward the log to our siem but with an bogus ip adres like 127.0.12.1 we use this to split the logs to seperate logsources is such a filter possible with NXLog (community) we want to purchase the software but need to build a poc first what we want to accomplish first, before doing fancy stuff is listen on udp port 514 , forward that logs to an remote syslog server i was thinking it was something simple like : Module xm_syslog <Input in> Module im_udp Host 0.0.0.0 Port 514 Exec parse_syslog(); </Input> <Output outtcp> Module om_tcp Host 10.202.5.10 Port 530 Exec to_syslog_bsd(); </Output> <Route 1> Path in => out, outtcp </Route> but that doesn rly do anything

Hi,

You can also request a trial and try out all of the features of the NXLog Enterprise Edition.

As for your code, parsing and then sending to syslog does nothing since nothing is modified in the middle, and I assume that source is syslog already.

As for the filtering it is absolutely possible, please take a look at this section of the manual: https://nxlog.co/documentation/nxlog-user-guide/filtering.html

Let me know if it is helpful and I can also help you to set it up as well.

~MisaZ
Login to see more