This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Syslog forward from Log Decoders

MaximilianoCitt
Frequent Contributor
Frequent Contributor

‎2019-12-23 12:24 PM

Hi All!

I was reading the following article:

https://community.rsa.com/docs/DOC-64141 

 

and I've tested it, but I saw the decoder doesn't send the original IP of de original device into the syslog message, causing the reciever syslog server to see all the events comming from the same IP (the decoders IP).

May be I'm missing something or the decoder isn't able to send the device IP on the syslog message?

 

 

Regards,

Max

0 Likes
2 REPLIES 2

AlessioAlfonsi
Contributor Contributor
Contributor

‎2019-12-23 01:04 PM

Hi Max,

you can specify it using the "retainsource" attribute when you define the destination:

  name=(udp|tcp|tls):host:port[:(retainsource|rfc3164)]

 

More details on the link https://community.rsa.com/docs/DOC-80183

 

Cheers,

  Alessio

0 Likes

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2019-12-23 02:02 PM

Max.

 

I am not near my computer at the moment however we can forward logs maintaining the original source IP. It is a configuration setting in that log decoder explorer config.

 

If you hover over the setting where you put in the IP address of the destination there should be tooltips with the words like retain source or RC 3164.

 

When I get back a little bit later on I will add to this thread the configuration settings

 

Dave

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.