Hi mates,
in our enviroment all devices are sending logs to syslog-ng server which is relaying them to SA, but...
SA recognize all of those messages as "device.ip=10.0.0.5" (syslog server) instead of original device address - for example 10.0.0.1 (fw).
There is information about original address in header, so it shouldn't be so hard to parse that to this variable, but I realy don't know how to do that 
Has somebody solved this already?
Example of FW log which is parsed under device.ip of syslog server.
==================================
Jun 6 14:29:25 10.0.0.1 FW01: NetScreen device_id=FW01 [Root]system-notification-00257(traffic): start_time="2014-06-06 14:29:24" duration=0 policy_id=915 service=udp/port:44246 proto=17 src zone=DMZ dst zone=Untrust action=Deny sent=0 rcvd=109 src=10.1.1.1 dst=15.2.2.2 src_port=6881 dst_port=44246 session_id=0
==================================
==================================
Thanks for any help.
--
David
1 ACCEPTED SOLUTION
Accepted Solutions
Finaly I did it 
Its necessary to add "spoof_source(yes)" to destination definition in syslog-ng.conf
===========
destination SOME_NAME { udp("DST_HOST_IP" port (514) spoof_source(yes)); };
===========
but before this will work you need to be sure that you have syslog-ng compiled with spoof feature (which I didn't have 😕 )
===========
user@machine:~$ syslog-ng -V ("Enable-Spoof-Source: on" should be there.)
===========
Then it works as I wish to.
Finaly I did it
Its necessary to add "spoof_source(yes)" to destination definition in syslog-ng.conf
===========
destination SOME_NAME { udp("DST_HOST_IP" port (514) spoof_source(yes)); };
===========
but before this will work you need to be sure that you have syslog-ng compiled with spoof feature (which I didn't have 😕 )
===========
user@machine:~$ syslog-ng -V ("Enable-Spoof-Source: on" should be there.)
===========
Then it works as I wish to.
