I use imfile to gather application logs such as apache, tomcat, php, etc. and send those on to my syslog server along with the client machines normal syslog traffic. My syslog server then dutifully writes all the messages locally and additionally forwards the messages on to a SIEM product via omudpspoof.
Watching packet captures, I can see some messages are being spoofed and sent on to the SIEM, but some are not. At first glance, it appears that all regular syslog messages that are generated on the client are being spoofed and sent on to the SIEM, but most, if not all, messages generated via imfile on the client are not being spoofed and sent on to the SIEM at all.

I've tried the standard

    *.* :omudpspoof:

as well as

    $template spooftemplate,"%fromhost-ip% %rawmsg%"
    *.* :omudpspoof:;spooftemplate

and

    $template spooftemplate,"%rawmsg%"
    *.* :omudpspoof:;spooftemplate

All with the same effect. Am I missing something here? Is anyone else doing similar, or seen similar behavior?

For the record, I'm running a patched version of 5.8.11. The patch, now that I'm reading it again, was to protect against calling more than one instance of libnet code in the omudpspoof module.

--
Rick Brown
Office of Information Technology
Georgia Institute of Technology
258 4th Street N.W.
Atlanta, GA 30332-0715
email: [email protected]
ph: (404) 894-6175
Calendar: https://mail.gatech.edu/home/[email protected]?fmt=freebusy

rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
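To turn the "some messages are missing" observation from the packet captures into numbers, the following added script (not part of the post, and not rsyslog code) compares what the syslog server wrote locally against what was seen in the spoofed UDP stream and reports, per program tag, how many messages made it through. It assumes RFC 3164-style lines, that the spoofed payload may carry the leading "%fromhost-ip% " prefix from the spooftemplate above, and uses constructed sample lines; the hostname and tags are made up.

```python
import re
from collections import Counter

# Minimal RFC 3164-style parser: "<PRI>Mmm dd hh:mm:ss host tag[pid]: message".
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
# A payload built from "%fromhost-ip% %rawmsg%" starts with an IPv4 address.
IP_PREFIX_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3} ")

def parse(line):
    """Parse one syslog line (local file or spoofed payload); None if it does not match."""
    m = SYSLOG_RE.match(IP_PREFIX_RE.sub("", line.strip(), count=1))
    if not m:
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8)
    return rec

def key(rec):
    # Identity of a message independent of transport: origin host, tag and text.
    return (rec["host"], rec["tag"], rec["msg"])

def delivered_by_tag(local_lines, spoofed_lines):
    """Return {tag: (written_locally, seen_in_spoofed_stream)}."""
    local = {key(r): r for r in map(parse, local_lines) if r}
    spoofed = {key(r) for r in map(parse, spoofed_lines) if r}
    total = Counter(r["tag"] for r in local.values())
    seen = Counter(r["tag"] for k, r in local.items() if k in spoofed)
    return {tag: (total[tag], seen[tag]) for tag in total}

# Constructed sample data: what the server wrote locally, and what the capture showed.
LOCAL = [
    "<38>Mar 12 10:00:01 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "<78>Mar 12 10:00:02 web01 CRON[1301]: (root) CMD (run-parts /etc/cron.hourly)",
    '<134>Mar 12 10:00:03 web01 apache: 10.0.0.9 - - "GET /index.html HTTP/1.1" 200 512',
    "<134>Mar 12 10:00:04 web01 tomcat: SEVERE: Servlet.service() threw exception",
    "<134>Mar 12 10:00:05 web01 tomcat: java.lang.NullPointerException",
]
SPOOFED = ["10.1.1.7 " + LOCAL[0], "10.1.1.7 " + LOCAL[1]]  # only the "regular" syslog lines arrived

if __name__ == "__main__":
    for tag, (written, seen) in sorted(delivered_by_tag(LOCAL, SPOOFED).items()):
        print(f"{tag:8s} written={written} spoofed={seen} missing={written - seen}")
```

Feed it the actual local log and the payloads extracted from the capture; tags with missing > 0 that all come from imfile-sourced files confirm the pattern described above.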

