see https://www.rsyslog.com/doc/v8-stable/configuration/templates.html
you can create a template to write the message in whatever format you need.
an example is documented at
https://stackoverflow.com/questions/37023745/rsyslog-config-to-store-only-raw-message-msg-to-a-file
(in your case you may want to use rawmsg)
if you write the message out to a file with the template RSYSLOG_DebugFormat, you
will see all the details
I have run into grief in the past with QRadar, IIRC it assigns a type of device
to a source IP address and only properly processes expected messages from that
type, ignoring the host field in the message
If I am remembering this correctly, you would need to set up the omspoof module
to send the messages.
It's worth doing a tcpdump on the qradar system to see what is different between
the message sent directly and the message relayed through rsyslog.
David Lang
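The template approach from the reply above, written out as an added example (not configuration from the thread or from the rsyslog project). It assumes the firewall sends to this host on UDP/514 and that QRadar is at the placeholder address 192.0.2.10 on TCP/514; it does not change the source IP QRadar sees, which is the separate omspoof point raised above.

```rsyslog
# Added example, not from the thread. Receive firewall syslog on UDP/514
# and hand it to a dedicated ruleset so nothing else touches it.
module(load="imudp")
input(type="imudp" port="514" ruleset="fw_to_qradar")

# %rawmsg% is the datagram exactly as received, PRI and original header
# included, before rsyslog's parser has rewritten anything. omfwd adds the
# TCP frame delimiter itself, so the template carries no trailing newline.
template(name="raw_passthrough" type="string" string="%rawmsg%")

ruleset(name="fw_to_qradar") {
    # Uncomment once to compare what rsyslog parsed against the raw message
    # (hostname, fromhost-ip, msg vs. rawmsg) when QRadar still shows Unknown.
    # action(type="omfile" file="/var/log/fw-debug.log"
    #        template="RSYSLOG_DebugFormat")

    # Placeholder target address; replace with the QRadar collector.
    action(type="omfwd"
           target="192.0.2.10"
           port="514"
           protocol="tcp"
           template="raw_passthrough"
           queue.type="LinkedList"
           action.resumeRetryCount="-1")
}
```

Capturing the relayed stream with tcpdump on the QRadar side, as suggested above, is the quickest way to confirm the bytes on the wire now match what the firewall sends directly.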
On Wed, 24 Feb 2021, Abdulaziz Loonat via rsyslog wrote:
Date: Wed, 24 Feb 2021 16:50:09 +0000
From: Abdulaziz Loonat via rsyslog <[email protected]>
To: [email protected]
Cc: Abdulaziz Loonat <[email protected]>
Subject: [rsyslog] forward raw syslog
My setup: rsyslog running on Ubuntu 18.
At the moment syslog from firewall comes into rsyslog and then forwards them
onto Azure Sentinel. This is working as expected
We also have another on-premise SIEM, QRadar, and I am trying to forward
messages to QRadar. The messages get forwarded, but in QRadar they are seen
as an Unknown event.
If I directly forward from the firewall to QRadar I do not get this issue
and I get the correct event as Firewall Drop
I have been reading this forum and tried various methods using the action
command as below
action(type="omfwd" Target="x.x.x.x" Port="514" Protocol="tcp" queue.type="LinkedList")
I suspect the issue is the raw message not being sent. Does the above
forward the raw message without any modification, or am I doing it wrong,
and what is the best way to forward the raw syslog message?
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.