AnsweredAssumed Answered

Syslog forward from Log Decoders

Question asked by Maximiliano Cittadini on Dec 23, 2019
Latest reply on Dec 23, 2019 by Dave Glover

Like • Show 0 Likes0
Comment • 2

Hi All!

I was reading the following article:

Decoder: Configure Syslog Forwarding to Destination

and I've tested it, but I saw the decoder doesn't send the original IP of de original device into the syslog message, causing the reciever syslog server to see all the events comming from the same IP (the decoders IP).

May be I'm missing something or the decoder isn't able to send the device IP on the syslog message?

Regards,

Max

No one else has this question

Outcomes

2 Replies

Alessio Alfonsi Dec 23, 2019 1:04 PM
Mark Correct
Correct Answer
Hi Max,
you can specify it using the "retainsource" attribute when you define the destination:
name=(udp|tcp|tls):host:port[:(retainsource|rfc3164)]

More details on the link https://community.rsa.com/docs/DOC-80183

Cheers,
Alessio
Like • Show 0 Likes0
Actions
Dave Glover Dec 23, 2019 2:02 PM
Mark Correct
Correct Answer
Max.

I am not near my computer at the moment however we can forward logs maintaining the original source IP. It is a configuration setting in that log decoder explorer config.

If you hover over the setting where you put in the IP address of the destination there should be tooltips with the words like retain source or RC 3164.

When I get back a little bit later on I will add to this thread the configuration settings

Dave
Like • Show 0 Likes0
Actions