How to override "device.ip" meta with the right one?

Question asked by David Bursik on Jun 9, 2014
Latest reply on Jun 17, 2014 by David Bursik

Hi mates,

In our environment, all devices are sending logs to a syslog-ng server, which is relaying them to SA, but...

SA recognizes all of those messages as "device.ip=10.0.0.5" (the syslog server) instead of the original device address, for example 10.0.0.1 (fw).

There is information about the original address in the header, so it shouldn't be so hard to parse that into this variable, but I really don't know how to do that.

Has somebody solved this already?

Example of an FW log which is parsed under the device.ip of the syslog server.

==================================

Jun 6 14:29:25 10.0.0.1 FW01: NetScreen device_id=FW01 [Root]system-notification-00257(traffic): start_time="2014-06-06 14:29:24" duration=0 policy_id=915 service=udp/port:44246 proto=17 src zone=DMZ dst zone=Untrust action=Deny sent=0 rcvd=109 src=10.1.1.1 dst=15.2.2.2 src_port=6881 dst_port=44246 session_id=0

==================================

Thanks for any help.

--

David
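The header-based approach the question points at, as an added example that is not part of this thread and not Security Analytics code: it parses the BSD syslog header of the relayed NetScreen line and sets device.ip from the header host field rather than from the relay address. The sample line and the relay address 10.0.0.5 come from the question; the function and record key names are my own choices.

```python
import re
from typing import Dict, Optional

# Constructed sample: the NetScreen line from the question as it arrives via the
# syslog-ng relay. The collector sees the relay (10.0.0.5) as the sender; the
# originating firewall address 10.0.0.1 is only present in the syslog header.
SAMPLE = ('Jun 6 14:29:25 10.0.0.1 FW01: NetScreen device_id=FW01 '
          '[Root]system-notification-00257(traffic): start_time="2014-06-06 14:29:24" '
          'duration=0 policy_id=915 service=udp/port:44246 proto=17 src zone=DMZ '
          'dst zone=Untrust action=Deny sent=0 rcvd=109 src=10.1.1.1 dst=15.2.2.2 '
          'src_port=6881 dst_port=44246 session_id=0')

# BSD-style (RFC 3164) header: optional <PRI>, "Mon dd HH:MM:SS", the host field
# (hostname or dotted-quad IP written by the original sender), then the body.
HEADER_RE = re.compile(
    r'^(?:<\d{1,3}>)?'
    r'(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>[^\s:]+) '
    r'(?P<msg>.*)$')
IPV4_RE = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')
# NetScreen key=value pairs. Keys are lowercase and may contain one space
# ("src zone", "dst zone"); values are quoted or a run of non-blank characters.
KV_RE = re.compile(r'\b(?P<key>[a-z_]+(?: [a-z_]+)?)=(?P<val>"[^"]*"|\S+)')


def parse_relayed_syslog(line: str, relay_ip: str) -> Optional[Dict[str, str]]:
    """Parse a relayed line; device.ip comes from the header host field when that
    is a dotted-quad IP, else falls back to relay_ip (the transport sender)."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    host = m.group('host')
    header_has_ip = IPV4_RE.match(host) is not None
    rec = {
        'timestamp': m.group('ts'),
        'relay.ip': relay_ip,
        'device.host': host,
        'device.ip': host if header_has_ip else relay_ip,
    }
    for kv in KV_RE.finditer(m.group('msg')):
        # "src zone" becomes src_zone so every key is a plain identifier
        rec[kv.group('key').replace(' ', '_')] = kv.group('val').strip('"')
    return rec


if __name__ == '__main__':
    for key, val in parse_relayed_syslog(SAMPLE, '10.0.0.5').items():
        print(f'{key}={val}')
```

The fallback to the relay address when the host field is a plain hostname matters in practice: a relay configured to rewrite the header (or a sender that writes its hostname) would otherwise yield a device.ip that is not an address at all.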