Linux.com


Prevent rsyslog from writing messages from remote hosts to /var/log/messages

Link to this post 03 Jul 13

If you forward from the original server to your logging server and your SIEM server, you'll preserve the host.

# forward everything (*.*) over TCP (@@) to the central log server
*.* @@original.host
# and, in parallel, straight to the SIEM
*.* @@siem.host

03 Jul 13

I am trying to configure a central syslog server which will collect all the logs from the clients and forward them to the SIEM machine.

The central log server will act as a relay server, transparent to the SIEM.

And in the SIEM it would display the client name instead of the central rsyslog server name.

03 Jul 13

I understood that was what you wanted to do. My question was, why forward from the central logging server to SIEM? Unless there is processing done to the logs before they are forwarded, there is no benefit to sending them to the central logging server first then to SIEM, barring some network connectivity / trust problem.

The rules in my first reply will hopefully forward while preserving the hostname; however, if you can simply forward to each host from the original server, you're eliminating the need to preserve the hostname, since the proper hostname will show as the source on each target.
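As an added example (not posted in this thread), here is how the transparent relay the original poster describes can be expressed in rsyslog v7+ syntax: remote messages arrive on their own ruleset, are forwarded to the SIEM with the client's original HOSTNAME, and never reach the default rules that write /var/log/messages. The hostnames, port, network and paths are placeholders.

```rsyslog
# Assumed placeholders: siem.example.com, 192.0.2.0/24, /var/log/remote
global(workDirectory="/var/spool/rsyslog")

# Only accept relayed messages from the client network.
$AllowedSender TCP, 192.0.2.0/24

module(load="imtcp")
# Binding the listener to its own ruleset keeps remote traffic away from
# the default ruleset (and therefore out of /var/log/messages).
input(type="imtcp" port="514" ruleset="relay")

# %HOSTNAME% is taken from the received message header, so the SIEM sees
# the client's name, not the relay's. This matches the stock
# RSYSLOG_ForwardFormat; it is spelled out here to make that explicit.
template(name="RelayFwd" type="string"
         string="<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\n")

# Per-client archive on the relay. secpath-replace turns any "/" inside an
# attacker-controlled hostname into "_", so it cannot escape the directory.
template(name="RemoteLog" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="relay") {
    # Disk-assisted queue so SIEM outages do not drop or block messages.
    action(type="omfwd" target="siem.example.com" port="514" protocol="tcp"
           template="RelayFwd"
           queue.type="LinkedList" queue.filename="siemfwd"
           action.resumeRetryCount="-1")
    action(type="omfile" dynaFile="RemoteLog")
    # stop here: no fall-through to the default ruleset
    stop
}
```

The relay's own local logs still go through the default ruleset unchanged, so /var/log/messages only contains messages generated on the relay itself.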

03 Jul 13

Thanks

I will try this one tomorrow and let you know.

We have some infrastructure requirement to set the central syslog up as a transparent / relay server.
