On Thu, 8 Oct 2015, Dave Caplinger wrote:
> I'm not sure I follow... here's what I think you've built based on the thread
> so far:
>
> Your entire log forwarding path looks like:
>
>   Source --> Loghost --{VPN}--> Collector --> SIEM
>     A           B        C          D          E
>
> (This is entirely reasonable; we do something similar. So similar, I want to
> make sure I'm not reading too much into what you've described!)
>
> If this is what you do, then one thing you can do is have loghost B add metadata
> to the log that says what site it is before sending it on, and the Collector can
> use that to decide what to do with it.
I do this by setting !trusted!X variables and then forwarding the message with
the template (either using mmjsonparse initially or setting $!msg = $msg):

  <%pri%>%timereported% %hostname% %syslogtag% @cee:%$!%

I set a bunch of things:

  - origserver (fromhost-ip from the first hop)
  - environment (equivalent to your site)
  - edge!* for various things I want to track from the relay box:
      - what time it arrived at the relay
      - which relay it went through
      - which input it used

and sometimes I add some other things.
David Lang
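The relay-side stamping and the collector-side routing described above, as an added example (this is not David Lang's or the rsyslog project's configuration, and the two halves live on two different hosts, relay B and collector D). The ruleset names "relay" and "collector", the site label "site-a", the collector address collector.example and port 6514 are assumptions for illustration.

```rsyslog
# Added example: relay B stamps each message with $!trusted!* metadata and
# forwards it as @cee: JSON; collector D parses that JSON and routes on it.
# Assumed: ruleset names, the "site-a" label, collector.example and port 6514.

### --- Relay (loghost B) ---
module(load="imudp")
module(load="imtcp")
module(load="mmjsonparse")

input(type="imudp" port="514" ruleset="relay")
input(type="imtcp" port="514" ruleset="relay")

# Same layout as the template quoted in the post: the whole $! tree becomes
# the message body behind the @cee: cookie.
template(name="cee_fwd" type="string"
         string="<%pri%>%timereported% %hostname% %syslogtag% @cee:%$!%\n")

ruleset(name="relay") {
    # If the source already sent @cee: JSON, load it into $!; otherwise keep
    # the raw text in $!msg so nothing is lost.
    action(type="mmjsonparse")
    if $parsesuccess == "FAIL" then {
        set $!msg = $msg;
    }

    # A source that sends its own @cee: JSON could pre-populate $!trusted.
    # Discard it so everything under $!trusted is relay-asserted, not source-asserted.
    unset $!trusted;

    # origserver: address of the first hop
    set $!trusted!origserver = $fromhost-ip;
    # environment: the site label for this relay (assumed value)
    set $!trusted!environment = "site-a";
    # edge!*: when it reached the relay, which relay, which input
    set $!trusted!edge!arrival = $timegenerated;
    set $!trusted!edge!relay = $$myhostname;
    set $!trusted!edge!input = $inputname;

    action(type="omfwd" target="collector.example" port="6514"
           protocol="tcp" template="cee_fwd")
}

### --- Collector (D) ---
module(load="imtcp")
module(load="mmjsonparse")

input(type="imtcp" port="6514" ruleset="collector")

# One file per site, chosen from the relay's stamp rather than from the source.
template(name="site_file" type="string"
         string="/var/log/remote/%$!trusted!environment%.log")

ruleset(name="collector") {
    action(type="mmjsonparse")
    if $parsesuccess == "OK" and $!trusted!environment != "" then {
        # e.g. /var/log/remote/site-a.log
        action(type="omfile" dynaFile="site_file")
    } else {
        # No relay stamp: keep it, but separately, instead of guessing the site.
        action(type="omfile" file="/var/log/remote/unstamped.log")
    }
}
```

The `unset $!trusted;` line is the check worth keeping: after mmjsonparse, `$!` already holds whatever JSON the source chose to send, so without it a source could supply its own `trusted` subtree and only the keys the relay happens to overwrite would be corrected. The same reasoning applies one hop later: the collector's `$!trusted!*` values only mean "set by the relay" if port 6514 is reachable solely from the relay over the VPN; if any other host can deliver @cee: JSON to that port, it can stamp itself with whatever site it likes.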
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.