Syslog forward from Log Decoders
I was reading the following article:
and I've tested it, but I saw the decoder doesn't send the original IP of the original device into the syslog message, causing the receiver syslog server to see all the events coming from the same IP (the decoder's IP).
Maybe I'm missing something, or the decoder isn't able to send the device IP on the syslog message?
You can specify it using the "retainsource" attribute when you define the destination:
More details on the link https://community.rsa.com/docs/DOC-80183
I am not near my computer at the moment; however, we can forward logs maintaining the original source IP. It is a configuration setting in that log decoder explorer config.
If you hover over the setting where you put in the IP address of the destination, there should be tooltips with words like retain source or RC 3164.
When I get back a little bit later on, I will add the configuration settings to this thread.