My setup: rsyslog running on Ubuntu 18.
At the moment syslog from the firewall comes into rsyslog, which then forwards it
on to Azure Sentinel. This is working as expected.
We also have another on-premise SIEM, QRadar, and I am trying to forward
messages to QRadar. The messages get forwarded, but in QRadar they are seen
as an Unknown event.
If I forward directly from the firewall to QRadar I do not get this issue
and I get the correct event as Firewall Drop.
I have been reading this forum and have tried various methods using the action
command as below:
action(type="omfwd" Target="x.x.x.x" Port="514" Protocol="tcp" queue.type="LinkedList")
I suspect the issue is the raw message not being sent. Does the above
forward on the raw message without any modification, or am I doing it wrong,
and what is the best way to forward the raw syslog message?
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
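As an added illustration (not part of the post above, and not an rsyslog project file), the following /etc/rsyslog.d/ fragment forwards each firewall message to QRadar byte-for-byte as it was received, rather than through omfwd's default forwarding template, which rebuilds the PRI, timestamp, hostname and tag and so changes the header QRadar's DSM parses. It assumes the firewall sends to rsyslog over UDP/514, that QRadar sits at the placeholder address 10.0.0.5, and that the stock Ubuntu global $WorkDirectory is in place for the disk-assisted queue.

```rsyslog
# Added example: relay firewall syslog to QRadar unmodified.
# Placeholders: 10.0.0.5 (QRadar), ruleset/template names are arbitrary.

module(load="imudp")
input(type="imudp" port="514" ruleset="fw_relay")

# %rawmsg% is the datagram exactly as it arrived, PRI header included,
# so QRadar receives the same bytes the firewall would have sent it directly.
# omfwd appends the LF delimiter for traditional TCP framing itself,
# so the template carries no trailing newline.
template(name="RawForward" type="string" string="%rawmsg%")

ruleset(name="fw_relay") {
    action(type="omfwd"
           Target="10.0.0.5" Port="514" Protocol="tcp"
           template="RawForward"
           # Disk-assisted queue: events are spooled if QRadar is unreachable
           # instead of being dropped, and retried indefinitely.
           queue.type="LinkedList"
           queue.filename="qradar_fwd"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}
```

Validate the merged configuration with `rsyslogd -N1` before restarting the service, and on the QRadar side confirm that the log source's Log Source Identifier matches the hostname or IP carried in the firewall's own syslog header, since relayed events now arrive from the rsyslog host's IP rather than the firewall's.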