On 12/26/2013 06:34 PM, termvrl term wrote:
> Hi all,
>
> I would like to ask about rsyslog configuration, since I use rsyslog
> as a syslog server to receive logs from security devices and use SEC to
> correlate them before sending them to the SIEM.
> But I notice that rsyslog also sends the original messages it received
> from the security devices to the SIEM. Is that possible, since I use
> it as SEC input and take the SEC output for rsyslog to forward to the SIEM?
>
> Thanks

I have not quite understood what exactly you would like to do. Is my 
understanding correct that you want to:
1) get input from rsyslog into SEC,
2) send events from SEC to SIEM,
3) avoid sending events from rsyslog to SIEM?

If my understanding is correct, wouldn't it be possible to configure 
rsyslog in a way that it is not sending any output to the SIEM host? 
Also, you don't need rsyslog to send syslog events from SEC to another host, 
since SEC can issue such events with the 'udpsock' action.

Finally, if you still wish to use rsyslog for all syslog message 
routing, you can very easily write an rsyslog filter for sending only 
SEC messages to remote host, for example:

if $programname == 'sec' then @10.8.17.12

(the above filter assumes that all SEC syslog messages have the program 
name set to 'sec')

kind regards,
risto
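
The collector-side configuration that Risto's filter implies, written out as an added example (it is not part of the original message and not SEC's or rsyslog's own documentation). It assumes legacy rsyslog syntax as used in the thread, that the SIEM is at 10.8.17.12 as in the filter above, that SEC reads its input from a file at an assumed path (/var/log/secdev.log), and that SEC emits its correlated events to the local syslog with program name 'sec'. The catch-all forward shown commented out at the end is the kind of rule that makes the SIEM receive the raw device messages in addition to SEC's output.

```rsyslog
# /etc/rsyslog.conf on the collector (legacy syntax, as in the filter above)

# Accept syslog from the security devices over UDP/514
$ModLoad imudp
$UDPServerRun 514

# 1) Forward SEC's correlated events to the SIEM, then discard them locally
#    so they are not also written into the file SEC reads (otherwise SEC
#    would see its own output as input). Assumes SEC tags its events 'sec'.
if $programname == 'sec' then @10.8.17.12
& ~

# 2) Everything that remains is raw device traffic: write it to the file
#    SEC tails as its input (assumed path; e.g. sec -input=/var/log/secdev.log),
#    but do not forward it anywhere.
*.* /var/log/secdev.log

# A catch-all forward like the one below is what sends the original device
# messages to the SIEM as well as SEC's output. Leave it out.
# *.* @10.8.17.12
```

For the 'sec' program name to appear, the SEC rule's action has to emit the event through the local syslog with that tag, for example a 'shellcmd' action running logger -t sec with the event text (an assumed setup, not implied by the thread); alternatively, as Risto notes, SEC's 'udpsock' action can send the event straight to 10.8.17.12:514, in which case the forwarding filter in rsyslog is not needed at all and only the discard of raw traffic towards the SIEM matters. On rsyslog 7 and later the discard line "& ~" is written as "stop".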



_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
