Mailing List Archive

include additional fields in forwarded log
Hi, I'm using Ubuntu 18, rsyslog v8.x. I have applied a custom template
*templ1* and
am forwarding all logs to the central log server 10.168.0.100 using plain TCP. I
checked traffic on the same forwarding client and observed that %fromhost-ip%
is not sent (the hostname is seen in the sent traffic). How can I include this
fromhost-ip field in logs forwarded to SIEM software? This would help me
identify log source hosts correctly.

$KLogPermitNonKernelFacility on

# custom template; in legacy $template syntax the string must stay on one line
$template templ1,"%PRI% %TIMESTAMP% %fromhost-ip% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
# default template for file (omfile) actions
$ActionFileDefaultTemplate templ1

$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

# forward everything to the central log server over plain TCP (@@)
*.* @@10.168.0.100
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: include additional fields in forwarded log
The network destination does not use the "file" default template.  You
need to change the "forwarding" default template.  I don't have the
exact syntax at hand, but I'm sure the documentation page does.

Regards,



On 9/21/20 12:49 PM, panda miki via rsyslog wrote:
> Hi, I'm using Ubuntu 18, rsyslog v8.x. I have applied a custom template
> *templ1* and
> am forwarding all logs to the central log server 10.168.0.100 using plain TCP. I
> checked traffic on the same forwarding client and observed that %fromhost-ip%
> is not sent (the hostname is seen in the sent traffic). How can I include this
> fromhost-ip field in logs forwarded to SIEM software? This would help me
> identify log source hosts correctly.
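The change the reply points at, written out as an added example (this is neither the original poster's file nor text from the reply). The client side keeps the poster's templ1 and binds it to the forwarding action; both the legacy directive $ActionForwardDefaultTemplate and the explicit RainerScript omfwd action are shown, and only one of them should be active. The receiver side is an assumed configuration for 10.168.0.100 listening on TCP 514; the port, the template name withSource and the output file path are assumptions, not values from the thread.

```rsyslog
# ---- Forwarding client (the poster's host), /etc/rsyslog.conf ----
# Added example, not the original post's config. Only the binding of
# templ1 to the forwarding action differs from the poster's file.

$KLogPermitNonKernelFacility on

# The poster's template, on one line (legacy $template strings may not
# wrap). Caveat: rsyslog fills %fromhost-ip% with the address it received
# the message from, so on this client locally generated messages
# (imuxsock, imklog) carry 127.0.0.1 here, not the client's own address.
$template templ1,"%PRI% %TIMESTAMP% %fromhost-ip% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

# Applies to omfile (local file) actions only. This is why the original
# config wrote templ1 to local files but not to the forwarded stream.
$ActionFileDefaultTemplate templ1

$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

# Fix, legacy syntax: default template for the @ (UDP) and @@ (plain TCP)
# forwarding shorthands. It must precede the action it should apply to.
$ActionForwardDefaultTemplate templ1
*.* @@10.168.0.100

# Same fix in RainerScript, binding the template to the action explicitly
# so it does not depend on a global default. Use this instead of the two
# lines above, not in addition (port 514 is an assumption):
# action(type="omfwd" target="10.168.0.100" port="514" protocol="tcp"
#        template="templ1")

$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf

# ---- Central log server 10.168.0.100 (assumed receiver config) ----
# On the receiver, %fromhost-ip% is the TCP peer address rsyslog itself
# observed, so it is the field to attribute a line to a host with.
# %HOSTNAME% is parsed out of the message and is client-supplied.
module(load="imtcp")
input(type="imtcp" port="514")

template(name="withSource" type="string"
         string="%fromhost-ip% %HOSTNAME% %PRI% %TIMESTAMP% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

# File path is an assumption; point this at whatever the SIEM ingests.
action(type="omfile" file="/var/log/remote/all.log" template="withSource")
```

Check the client config with `rsyslogd -N1` before restarting, then generate a test line with `logger -t test hello` and watch the wire with `tcpdump -A -i any tcp port 514` to confirm the extra field is present. Two caveats for the stated goal of identifying source hosts: the %fromhost-ip% the client inserts is 127.0.0.1 for its own messages, so the value worth trusting is the one the receiver fills in from the TCP connection; and the hostname inside the message, like everything else sent over plain TCP, is unauthenticated and can be set to anything by whoever controls the sending socket, so a SIEM should key on the receiver-side peer address (or on TLS client certificates if omfwd/imtcp are run with TLS) rather than on the message body.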