Mailing List Archive

forward raw syslog
My setup: rsyslog running on Ubuntu 18.

At the moment syslog from the firewall comes into rsyslog, which then forwards it
on to Azure Sentinel. This is working as expected.

We also have another on-premise SIEM, QRadar, and I am trying to forward
messages to QRadar. The messages get forwarded, but in QRadar they are seen
as an Unknown event.

If I forward directly from the firewall to QRadar I do not get this issue
and I get the correct event, Firewall Drop.

I have been reading this forum and tried various methods using the action
command as below:

action(type="omfwd" Target="x.x.x.x" Port="514" Protocol="tcp" queue.type="LinkedList")

I suspect the issue is the raw message not being sent. Does the above
forward the raw message without any modification, or am I doing it wrong,
and what is the best way to forward the raw syslog message?
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: forward raw syslog
See https://www.rsyslog.com/doc/v8-stable/configuration/templates.html:
you can create a template to write the message in whatever format you need.

An example is documented at
https://stackoverflow.com/questions/37023745/rsyslog-config-to-store-only-raw-message-msg-to-a-file
(in your case you may want to use rawmsg).

If you write the message out to a file with the template RSYSLOG_DebugFormat, you
will see all the details.

I have run into grief in the past with QRadar; IIRC it assigns a type of device
to a source IP address and only properly processes expected messages from that
type, ignoring the host field in the message.

If I am remembering this correctly, you would need to set up the omspoof module
to send the messages.

It's worth doing a tcpdump on the QRadar system to see what is different between
the message sent directly and the message relayed through rsyslog.

David Lang

On Wed, 24 Feb 2021, Abdulaziz Loonat via rsyslog wrote:

> Date: Wed, 24 Feb 2021 16:50:09 +0000
> From: Abdulaziz Loonat via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: Abdulaziz Loonat <loonat.a.l@gmail.com>
> Subject: [rsyslog] forward raw syslog
Re: forward raw syslog
template(name="rawmsg" type="string" string="%rawmsg%\n")

action(type="omfwd" Target="x.x.x.x" Port="514" Protocol="tcp" queue.type="LinkedList" template="rawmsg")


Basic stuff. Regards,



> On Feb 24, 2021, at 10:50, Abdulaziz Loonat via rsyslog <rsyslog@lists.adiscon.com> wrote:
>
> action(type="omfwd" Target="x.x.x.x" Port="514" Protocol="tcp" queue.type =
> "LinkedList")

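The comparison David Lang suggests doing with tcpdump, and the effect of the `rawmsg` template in the reply above, worked through as an added example. This is not code from the thread or from the rsyslog project: the firewall log line, the `fw-edge-01` host name and the `SIEM_DROP_RE` "per-device parser" regex are all constructed stand-ins (the regex is not QRadar's DSM), and `parse_rfc3164` is a simplified imitation of rsyslog's RFC 3164 parser. The two template expansions it compares are taken from rsyslog's documented definition of `RSYSLOG_TraditionalForwardFormat` (omfwd's default when no `template=` is given) and from a template of just `%rawmsg%`.

```python
"""Compare what a syslog relay emits with what the device itself sent.

Added example, not code from the rsyslog thread or project. It applies two
omfwd template choices to one constructed firewall line:
  - RSYSLOG_TraditionalForwardFormat, omfwd's default when no template is set:
      <%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%
  - %rawmsg%, the line exactly as it was received.
The header parser is a simplified stand-in for rsyslog's RFC 3164 parser, and
SIEM_DROP_RE is a constructed stand-in for a per-device parser, not QRadar's.
"""
import re
from dataclasses import dataclass

# Constructed sample: a firewall drop event as the firewall puts it on the wire
# (PRI 134 = local0.info). The tag is 34 characters on purpose, two more than
# the 32 that %syslogtag:1:32% keeps.
RAW_FROM_FIREWALL = (
    "<134>Feb 24 16:50:09 fw-edge-01 FIREWALL-DROP-ENGINE-ZONE-UNTRUST: "
    "action=drop proto=tcp src=203.0.113.7 dst=10.0.0.5 dport=445"
)

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)

# Constructed stand-in for a SIEM's per-device regex: it keys on the exact
# "<TAG>: action=<verb>" shape the firewall emits.
SIEM_DROP_RE = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ [A-Z-]+: action=(?P<action>\w+)\b"
)


@dataclass
class Rfc3164:
    pri: int
    timestamp: str
    host: str
    tag: str   # includes the trailing ':' when present, as %syslogtag% does
    msg: str   # everything after the tag, leading space included


def parse_rfc3164(line: str) -> Rfc3164:
    """Split a well-formed RFC 3164 line into the fields the templates use.

    Lines with no <PRI>/timestamp/host header (many vendor formats) raise here;
    rsyslog would instead synthesise a header from reception time and sender
    address, which alters the message even more than the case shown below.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("no RFC 3164 header; rsyslog would synthesise one")
    rest = m["rest"]
    # Tag ends at the first ':' (kept) or the first space (dropped); this
    # approximates rsyslog's tag extraction.
    tag_end = len(rest)
    for i, ch in enumerate(rest):
        if ch == ":":
            tag_end = i + 1
            break
        if ch == " ":
            tag_end = i
            break
    return Rfc3164(int(m["pri"]), m["ts"], m["host"], rest[:tag_end], rest[tag_end:])


def render_traditional_forward(p: Rfc3164) -> str:
    """Expand RSYSLOG_TraditionalForwardFormat for the parsed message."""
    tag = p.tag[:32]                                        # %syslogtag:1:32%
    msg = p.msg if p.msg.startswith(" ") else " " + p.msg   # sp-if-no-1st-sp
    return f"<{p.pri}>{p.timestamp} {p.host} {tag}{msg}"


def render_rawmsg(line: str) -> str:
    """Expand a template consisting only of %rawmsg%: the input, untouched."""
    return line


def classify(line: str):
    """What the constructed SIEM parser makes of a line: the action, or None."""
    m = SIEM_DROP_RE.match(line)
    return m["action"] if m else None


def first_difference(a: str, b: str) -> int:
    """Offset of the first differing character, or -1 if the strings are equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def main() -> None:
    parsed = parse_rfc3164(RAW_FROM_FIREWALL)
    relayed = render_traditional_forward(parsed)
    for label, line in (("direct / %rawmsg%", render_rawmsg(RAW_FROM_FIREWALL)),
                        ("relayed / default", relayed)):
        print(f"{label}: {line}")
        print(f"{' ' * len(label)}  classified as: {classify(line)}")
    print(f"first byte that differs: offset {first_difference(RAW_FROM_FIREWALL, relayed)}")


if __name__ == "__main__":
    main()
```

Run it with `python3` and the two lines print one above the other: the relayed copy has lost the last two characters of the tag, including the colon, so the constructed parser that recognised the direct copy as a drop gets nothing from the relayed one. On a real QRadar collector the equivalent check is a capture on the QRadar side with tcpdump, comparing a packet from the firewall with a packet from the relay byte for byte; the template fixes the payload, while a log source keyed on the sender's IP address (the omspoof point above) is a separate problem this offline example cannot show.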