My setup: rsyslog running on Ubuntu 18. At the moment syslog from the firewall comes into rsyslog, which then forwards it on to Azure Sentinel. This is working as expected.

We also have another on-premise SIEM, QRadar, and I am trying to forward messages to QRadar. The messages get forwarded, but in QRadar they are seen as an Unknown event. If I forward directly from the firewall to QRadar I do not get this issue and I get the correct event as Firewall Drop.

I have been reading this forum and tried various methods using the action command as below:

action(type="omfwd" Target="x.x.x.x" Port="514" Protocol="tcp" queue.type = "LinkedList")

I suspect the issue is the raw message not being sent. Does the above forward on the raw message without any modification, or am I doing it wrong? What is the best way to forward the raw syslog message?

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
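The following is an added example configuration, not the poster's own config and not something from the rsyslog project; it illustrates the point the question turns on. An omfwd action with no template parameter renders each message with rsyslog's default forwarding template, which re-emits the PRI, timestamp, hostname and tag from rsyslog's parsed fields rather than passing the bytes it received, so a downstream parser that keys on the original header layout can fall back to an "unknown" event. Using a template built on the rawmsg property forwards the message exactly as it arrived. Assumptions: the firewall sends to this relay on UDP 514, and the QRadar collector address 192.0.2.10 and the ruleset and template names are placeholders.

```rsyslog
# Added example (not the poster's configuration): relay the firewall's syslog
# to QRadar byte-for-byte by using %rawmsg% instead of the default forwarding
# template. Assumptions: firewall -> this host on UDP 514; QRadar collector at
# 192.0.2.10:514/TCP (placeholder address); "fromFirewall"/"RawPassthrough" are
# names chosen for this example.

# Load the UDP input once only; remove any existing imudp load line first,
# because rsyslog refuses to load the same module twice.
module(load="imudp")

# %rawmsg% is the message exactly as received on the wire. The trailing
# newline is the record delimiter on a plain TCP syslog stream.
template(name="RawPassthrough" type="string" string="%rawmsg%\n")

# A dedicated ruleset so only the firewall's traffic is relayed raw;
# the existing Azure Sentinel action can sit in the same ruleset.
ruleset(name="fromFirewall") {
    action(type="omfwd"
           Target="192.0.2.10"
           Port="514"
           Protocol="tcp"
           template="RawPassthrough"
           queue.type="LinkedList"
           # retry indefinitely instead of discarding events while QRadar is down
           action.resumeRetryCount="-1")
}

# Bind the firewall input to that ruleset.
input(type="imudp" port="514" ruleset="fromFirewall")
```

Validate the file before restarting with `rsyslogd -N1`, then compare a packet captured on the firewall-to-relay leg with one captured on the relay-to-QRadar leg; with the rawmsg template the payloads should be identical. One remaining difference a relay cannot hide is the source IP: QRadar now sees the rsyslog host as the sender, so if the log source there is identified by sender address rather than by the hostname inside the message, it may need to be re-pointed at the relay.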

