2019-12-23 12:24 PM
Hi All!
I was reading the following article:
https://community.rsa.com/docs/DOC-64141
and I've tested it, but I saw the decoder doesn't send the original IP of the original device into the syslog message, causing the receiver syslog server to see all the events coming from the same IP (the decoder's IP).
Maybe I'm missing something, or the decoder isn't able to send the device IP in the syslog message?
Regards,
Max
2019-12-23 01:04 PM
Hi Max,
you can specify it using the "retainsource" attribute when you define the destination:
name=(udp|tcp|tls):host:port[:(retainsource|rfc3164)]
More details on the link https://community.rsa.com/docs/DOC-80183
Cheers,
Alessio
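
An added example (not part of the thread and not RSA code): a Python check that parses destination definitions against the syntax quoted above and lists which ones lack `retainsource`, the attribute the reply names for keeping the original device IP. The function names, the sample destination names and the addresses are constructed, and it assumes names and hosts contain no `:` (no IPv6 literals).

```python
import re

# Grammar as quoted in the thread: name=(udp|tcp|tls):host:port[:(retainsource|rfc3164)]
# Assumption: names and hosts contain no ':' or '=' (IPv6 literals are not handled).
DEST_RE = re.compile(
    r"^(?P<name>[^=:\s]+)=(?P<proto>udp|tcp|tls):(?P<host>[^:\s]+):(?P<port>\d+)"
    r"(?::(?P<option>retainsource|rfc3164))?$"
)

def parse_destination(line):
    """Return the fields of one destination definition, or raise ValueError."""
    m = DEST_RE.match(line.strip())
    if m is None:
        raise ValueError(f"does not match the destination syntax: {line!r}")
    dest = m.groupdict()
    dest["port"] = int(dest["port"])
    if not 1 <= dest["port"] <= 65535:
        raise ValueError(f"port out of range in {line!r}")
    return dest

def audit_destinations(lines):
    """Group definitions: with retainsource, without it, and invalid ones."""
    report = {"retains_source": [], "no_retainsource": [], "invalid": []}
    for line in lines:
        try:
            dest = parse_destination(line)
        except ValueError as exc:
            report["invalid"].append(str(exc))
            continue
        key = "retains_source" if dest["option"] == "retainsource" else "no_retainsource"
        report[key].append(dest["name"])
    return report

# Constructed sample definitions (hypothetical names, documentation addresses).
SAMPLE = [
    "siem1=udp:192.0.2.10:514",
    "siem2=tcp:192.0.2.11:514:retainsource",
    "archive=tls:logs.example.net:6514:rfc3164",
    "broken=http:192.0.2.12:514",
    "badport=udp:192.0.2.13:70000",
]

if __name__ == "__main__":
    for key, values in audit_destinations(SAMPLE).items():
        print(key, values)
```

Destinations listed under `no_retainsource` are the ones to review if the receiving syslog server shows every event arriving from the decoder's IP.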
2019-12-23 02:02 PM
Max.
I am not near my computer at the moment; however, we can forward logs maintaining the original source IP. It is a configuration setting in that log decoder explorer config.
If you hover over the setting where you put in the IP address of the destination, there should be tooltips with the words like retain source or RFC 3164.
When I get back a little bit later on, I will add to this thread the configuration settings.
Dave