Remember when I said I was still a novice ... well...
I think I understand my mistake...
From the debug:
FROMHOST: 'whqlrsyslog01.mycompany.com', fromhost-ip:'10.20.12.52',
HOSTNAME: 'sftplprod01', PRI: 38,
The server "whqlrsyslog01" is the rsyslog box that is forwarding, whereas
"sftplprod01" is the original source.
So, guess my question is more... is there a way I can setup the "FROMHOST" to
use the "HOSTNAME" dynamically on the forward?
Many thanks,
Patrick
-----Original Message-----
From: rsyslog [mailto:[email protected]] On Behalf Of David Lang
Sent: Thursday, December 22, 2016 7:10 PM
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] collect and forward w/o change
On Thu, 22 Dec 2016, Swartz, Patrick wrote:
> Hello,
> I'm trying to work out how to use my rsyslog server as my central collection,
> then depending on the source forward the messages (or maybe only select few)
> to our Qradar instance.
>
> I've tried:
> ExtraNet.conf
> template(name="Extranet_app" type="string"
>          string="/var/splunk-syslog/Extranet/%FROMHOST%/%FROMHOST%-%$NOW%.log")
> :fromhost-ip, startswith, "10.14.1" {
>     action(type="omfile" dirCreateMode="0755" FileCreateMode="0644"
>            dynaFile="Extranet_app")
>     action(type="omfwd" Target="10.29.1.47" Port="514" Protocol="udp" )
>     stop
> }
>
> but, the what the "Target" gets looks like it comes from the rsyslog central
> server, and not the originating source.
>
> I've looked at 'omudpspoof' but the examples only show hardcoding the
> source address, which I may or may not know. Unless there was a way to
> use variables for 'omudpspoof' in the string value? (I tried that,
> but 'rsyslog -N1' complained about that)
>
> I'm sure I'm missing something, but still rather a rsyslog novice and would
> really appreciate any advice/suggestions.
first off, can you give us an example of a message that you receive and that
gets transmitted differently.
what is it that gets changed that you want to not change?
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
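The distinction in the debug output above (FROMHOST is the peer that delivered the message to this relay, HOSTNAME is the name in the syslog header written by the original sender) is the whole issue. Below is an added example of a relay configuration that keeps the original sender's name both in the on-disk path and in the forwarded copy; it is not from the thread and not rsyslog's own documentation. The template names, the file path and the IP addresses are assumptions for illustration.

```rsyslog
# Added example, not from the thread. Names, paths and addresses are assumed.

# Dynafile keyed on %HOSTNAME% (the header hostname from the original sender)
# rather than %FROMHOST% (the host that delivered the message to this relay).
template(name="Extranet_app" type="string"
         string="/var/splunk-syslog/Extranet/%HOSTNAME%/%HOSTNAME%-%$NOW%.log")

# Explicit forward format. The header carries %HOSTNAME%, so the receiver
# parses the original source name out of the message itself.
template(name="fwd_keep_origin" type="string"
         string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")

# Select by the delivering peer's IP, which is the one value the relay has
# actually observed on the wire (the header hostname is sender-supplied).
if $fromhost-ip startswith "10.14.1" then {
    action(type="omfile" dirCreateMode="0755" fileCreateMode="0644"
           dynaFile="Extranet_app")
    action(type="omfwd" target="10.29.1.47" port="514" protocol="udp"
           template="fwd_keep_origin")
    stop
}
```

Two things to check after deploying this. First, the receiver's own fromhost/fromhost-ip will still be the relay, because that is the transport-layer peer; only the header hostname identifies the original source, so the SIEM must be configured to attribute events by the parsed hostname rather than by the sending IP. Second, the header hostname is whatever the original client put there and the relay does not verify it, while the relay's fromhost-ip is observed on the wire; keep the raw copy (the omfile action above) so the two can be compared when an event's origin is in question.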