It's a tricky question and the answer is not that straightforward.
There is an option - using module called omudpspoof which sends out UDP
datagrams with spoofed source IP. However this requires rsyslog running
with root user (which is not the best idea) since it needs to manipulate
raw sockets.
But.
This works only for UDP. For TCP the connection will always have the
real source address since it obviously needs to do two-way traffic. And
TCP is much more reliable in terms of delivering messages than UDP.
So it probably would be best for you to "pack" the event on the source
server (for example - into a json structure) along with the source IP
and send it to the destination server to "unpack".
Unless of course your destination solution is some another system which
can't do this "unpacking".
On 01.04.2021 15:29, rsyslog--- via rsyslog wrote:
Hi,
I configured all my servers with to send all to a central server with
"*.* @192.168.0.10:2514" which works great.
For some test and proof-of-concepts, i'd like to have the syslog
messages also to a second logserver. However, adding "*.*
@192.168.0.22:514" on the central server 192.168.0.10 makes all
messages appear to originate from there instead of the original source
ip.
Because we don't wanna go edit all servers, nor do we like to have all
messages to go twice over the wan, *IS* there a way to send the syslog
from the first syslog server to the second while preserving the
original source ip ??
Thnx, Ton
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
