On Thu, 22 Dec 2016, Swartz, Patrick wrote:
Hello,

I'm trying to work out how to use my rsyslog server as my central collection, then depending on the source forward the messages (or maybe only a select few) to our Qradar instance.

I've tried (ExtraNet.conf):

    template(name="Extranet_app" type="string"
             string="/var/splunk-syslog/Extranet/%FROMHOST%/%FROMHOST%-%$NOW%.log")

    :fromhost-ip, startswith, "10.14.1" {
        action(type="omfile" dirCreateMode="0755" FileCreateMode="0644"
               dynaFile="Extranet_app")
        action(type="omfwd" Target="10.29.1.47" Port="514" Protocol="udp")
        stop
    }

but what the "Target" gets looks like it comes from the rsyslog central server, and not the originating source.

I've looked at 'omudpspoof' but the examples only show hardcoding the source address, which I may or may not know. Unless there was a way to use variables for 'omudpspoof' in the string value? (I tried that, but 'rsyslog -N1' complained about that.)

I'm sure I'm missing something, but still rather an rsyslog novice and would really appreciate any advice/suggestions.
first off, can you give us an example of a message that you receive and that gets transmitted differently?

what is it that gets changed that you want to not change?

David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
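For reference, here is an added configuration example (not posted by either participant) showing the relay pattern the question describes: the same filter block with the omfwd action replaced by omudpspoof, which takes the spoofed source address from a template rather than a hardcoded value. The addresses and the Extranet_app template are the ones quoted in the question; the template name orig_src and the comment-level claims about privileges are assumptions to check against the installed rsyslog version's omudpspoof documentation.

```conf
# Added example: relay that keeps the original sender address when
# forwarding to a SIEM. Not from the mailing-list thread; IPs are the ones
# quoted in the question, template name "orig_src" is an assumption.

# omudpspoof is a loadable module; it needs libnet and the ability to open
# raw sockets, so rsyslogd must start with that privilege (assumption:
# root or CAP_NET_RAW, before any privilege drop).
module(load="omudpspoof")

# The file template from the question, unchanged.
template(name="Extranet_app" type="string"
         string="/var/splunk-syslog/Extranet/%FROMHOST%/%FROMHOST%-%$NOW%.log")

# Source-address template: %fromhost-ip% is the address the relay received
# the message from, i.e. the originating host for a single-hop relay. This
# is how a "variable" source reaches omudpspoof: via sourceTemplate, not by
# putting a property inside the target string.
template(name="orig_src" type="string" string="%fromhost-ip%")

:fromhost-ip, startswith, "10.14.1" {
    action(type="omfile" dirCreateMode="0755" FileCreateMode="0644"
           dynaFile="Extranet_app")

    # Before (from the question): omfwd sends from the relay's own socket,
    # so the SIEM sees the relay's IP as the message source.
    # action(type="omfwd" Target="10.29.1.47" Port="514" Protocol="udp")

    # After: omudpspoof builds the UDP datagram with the source IP produced
    # by the template, so the SIEM sees the 10.14.1.x host as the sender.
    action(type="omudpspoof" target="10.29.1.47" port="514"
           sourceTemplate="orig_src")
    stop
}
```

Two operational caveats for anyone deploying this. First, the datagrams leaving the relay carry a source address that is not the relay's, so any anti-spoofing control on the path (reverse-path filtering on the relay or on routers, firewall ACLs, a cloud VPC's source/destination checks) will silently drop them; the relay has to be explicitly allowed, and the SIEM cannot reply or send ICMP back to it. Second, spoofing only works for UDP and carries UDP's lack of integrity and delivery guarantees; if the goal is merely that the SIEM attributes events to the right host, forwarding with a template that puts the original hostname or %fromhost-ip% in the syslog header over TCP/TLS, and letting the SIEM key its log source on that header field, preserves provenance without raw sockets or network exceptions.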

