Hi Patrick,

I do exactly what you are trying to do - centrally collect a whole bunch of
stuff via rsyslog and selectively forward on to QRadar. The trick is to use
a template to rewrite the message, replacing the hostname with fromhost-ip:

template(name="QradarForwardMsgFormat" type="string"
string="<%pri%>%timestamp% %fromhost-ip% %syslogtag%%msg%")

Then I built a ruleset using this template so I can use 'call
ForwardToQRadar' from my filters:

ruleset(name="ForwardToQRadar") {
        action(
                name="forwardToQRadar"
                type="omfwd"
                Template="QradarForwardMsgFormat"
                Target="<qradar hostname>"
                Port="514"
                Protocol="tcp"
        )
}

Example filter:

if ($msg contains 'Teardown' )
then {
        call ForwardToQRadar
}

You need to use this template for any log source you are trying to forward
that has a hostname string in the hostname location of the syslogheader. If
there is an IP address in the hostname location, you can forward on without
using the different template.

The annoying part is that all your log sources are going to come into QRadar
like 'WindowsAuthServer @ <ip address>' rather than '@ <hostname>'. You lose
the friendliness of the hostname, but if you want, you can always rename the
log sources after they come in.

I believe omudpspoof could also work, but I never went down that route as we
prefer log collection via TCP.

Then later on if you want to get real fancy, you can set up a queue on the
ForwardToQRadar ruleset so when QRadar is down for patching logs will be
buffered and forwarded once QRadar is back up. I just got this working a few
weeks ago and can share the full ruleset config if you're interested.

Hope that helps,
Dan
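A fuller rsyslog configuration along the lines Dan describes, added here as an editor's example and not Dan's own config (his queued ruleset is not on the page): the collector input, the hostname-to-fromhost-ip rewrite template, the forwarding ruleset with a disk-assisted queue so messages are buffered while QRadar is unreachable, and the Teardown filter. The QRadar target name, the spool directory, the log file path and the queue sizes are assumptions; the property names and parameters are standard rsyslog v8 RainerScript.

```conf
# Spool directory for disk-assisted queues (assumed path).
global(workDirectory="/var/spool/rsyslog")

# Receive from the log sources over TCP and hand every message to one ruleset.
module(load="imtcp")
input(type="imtcp" port="514" ruleset="collect")

# Rewrite the header: the HOSTNAME field is replaced with the IP the message
# arrived from, so QRadar keys the log source on fromhost-ip consistently.
template(name="QradarForwardMsgFormat" type="string"
         string="<%pri%>%timestamp% %fromhost-ip% %syslogtag%%msg%")

# Forwarding ruleset with its own disk-assisted queue: in-memory LinkedList
# that spills to disk (queue.filename) when QRadar is down, and is saved on
# shutdown so nothing is lost across an rsyslog restart.
ruleset(name="ForwardToQRadar"
        queue.type="LinkedList"
        queue.filename="qradar_fwd"        # assumed spool file prefix
        queue.size="100000"                # assumed in-memory element limit
        queue.saveOnShutdown="on") {
    action(name="forwardToQRadar"
           type="omfwd"
           template="QradarForwardMsgFormat"
           target="qradar.example.invalid"  # assumed; replace with the real host
           port="514"
           protocol="tcp"
           action.resumeRetryCount="-1"     # retry forever instead of discarding
           action.resumeInterval="30")      # seconds between reconnect attempts
}

# Central collection: keep everything locally, forward only what matches.
ruleset(name="collect") {
    action(type="omfile" file="/var/log/central/all.log")  # assumed path
    if ($msg contains "Teardown") then {
        call ForwardToQRadar
    }
}
```

Because the original HOSTNAME is dropped by the template, keep the local omfile copy (or add %hostname% to the local template) so the original source name is still available for investigation.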

-----Original Message-----
From: rsyslog [mailto:[email protected]] On Behalf Of Rainer
Gerhards
Sent: Friday, December 23, 2016 8:09 AM
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] collect and forward w/o change

2016-12-23 14:02 GMT+01:00 Swartz, Patrick <[email protected]>:

> Hi David,
> Thanks for helping me understand.
> Something like this is what I 'thought' I wanted:
>
> Module (
>   load="omudpspoof"
> )
> Template (
>   name="spoofaddr"
>   type="string"
>   string="%HOSTNAME%"       <--- to be pulled from the message instead of


I think I see what you mean. I also think this must be an ip address.
Assuming that the system you received the message from should be used by
omudpspoof, %fromhost-ip% should be what you are looking for.

Rainer


> hardcoded to a specific address.
> )
> Action (
>   type="omudpspoof"
>   target="192.168.1.1"
>   sourcetemplate="spoofaddr"
> )
>
> I understand that the above doesn't work that way, but that line of 
> thinking is where I thought I wanted to go.
>
> Thanks again for your patience.
>
> Patrick
>
> -----Original Message-----
> From: rsyslog [mailto:[email protected]] On Behalf Of 
> David Lang
> Sent: Thursday, December 22, 2016 10:57 PM
> To: rsyslog-users <[email protected]>
> Subject: Re: [rsyslog] collect and forward w/o change
>
> On Fri, 23 Dec 2016, Swartz, Patrick wrote:
>
> > Remember when I said I was still a novice ... well...
> > I think I understand my mistake...
> >
> > From the debug:
> >
> >       FROMHOST: 'whqlrsyslog01.mycompany.com', fromhost-ip:'10.20.12.52',
> > HOSTNAME: 'sftplprod01', PRI: 38,
> >
> > The server "whqlrsyslog01" is the rsyslog box that is forwarding,
> > whereas "sftplprod01" is the original source.
> >
> > So, guess my question is more... is there a way I can setup the
> > "FROMHOST" to use the "HOSTNAME" dynamically on the forward?
>
> FROMHOST and HOSTNAME have meaning on the local system, when you send 
> a message, you send a string that can be formatted any way you want it to.
> But if you send messages through a relay, the thing receiving the 
> message from the relay will see the fromhost/fromhost-ip as being the 
> relay (as it should be, because that's where the network packets were 
> sent from)
>
> omudpspoof was created to deal with badly written proprietary software 
> that doesn't know how to deal with messages sent through a relay. It 
> is slow and is abusing the network to function, but can sometimes be 
> the right thing to do.
>
> If you need it, the documentation page shows how to use it.
>
> http://www.rsyslog.com/doc/v8-stable/configuration/modules/omudpspoof.html
>
> It's still not clear what you are trying to do.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
>
