Generic syslog, syslog-ng and other sources.

I have an environment where syslog data from many systems (including Linux, Windows, ePO and others) are collected and then transported by Apache NiFi.

Nifi has a syslog writer but, of course, all events appear from the same IP address. The ERCs can differentiate and perform correlation on syslog from one IP based on host name, but this functionality appears limited (at least by the drop-down in the config UI) to data sources based on syslog-ng.

I don't yet have enough of a system to test this myself, so I was wondering if anyone knew if "syslog-ng" in this case is shorthand for "something that aggregates syslog" (so I may be able to get away with just pointing at the NiFi endpoint) or whether I actually need to put a syslog-ng instance between NiFi and my receiver?




Re: Generic syslog, syslog-ng and other sources.

This is probably frowned upon, but I'm going to answer my own question.


NiFi seems to be the Swiss Army Chainsaw of data movement, so it can arbitrarily change the originating IP address, either to reinstate the original (having looked up the hostname) or to indicate what class of device generated the message (by other means).

In either case, the ERC can be set up as if it were handling syslog data from the original device. Which is very cool.

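As an added illustration (not code from the thread, NiFi or the ERC), this Python sketch shows the hostname-based differentiation the exchange relies on: an aggregator parses the HOSTNAME field out of RFC 3164 and RFC 5424 syslog lines and maps it back to the original device address, falling back to the relay's own address when a line cannot be parsed (which is exactly the "everything looks like one IP" case). The host table, addresses and sample lines are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed table of device hostnames -> original source addresses. It stands
# in for the DNS/inventory lookup an aggregator such as NiFi would do (assumption).
HOST_TO_ADDR = {
    "web01.example.com": "10.0.1.10",
    "dc01": "10.0.2.5",
    "epo01.example.com": "10.0.3.20",
}

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG (day may be space-padded)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<proc>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)


def syslog_hostname(line: str) -> Optional[str]:
    """Return the HOSTNAME field of a syslog line, or None if it cannot be parsed."""
    m = RFC5424.match(line) or RFC3164.match(line)
    if not m:
        return None
    host = m.group("host")
    return None if host == "-" else host  # "-" is the RFC 5424 NILVALUE


def resolve_source(line: str, relay_addr: str) -> str:
    """Address to present to the receiver: the original device if the hostname is
    known, otherwise the relay's address (the undifferentiated fallback)."""
    host = syslog_hostname(line)
    if host is None:
        return relay_addr
    return HOST_TO_ADDR.get(host, relay_addr)


def route_batch(lines: List[str], relay_addr: str = "10.0.0.1") -> List[Tuple[str, Optional[str]]]:
    """(presented source address, parsed hostname) for each line in a batch."""
    return [(resolve_source(ln, relay_addr), syslog_hostname(ln)) for ln in lines]


# Constructed sample lines: one 3164, one 5424, one with a NIL hostname, one malformed.
SAMPLE = [
    "<34>Oct 11 22:14:15 web01.example.com su: 'su root' failed for lonvick on /dev/pts/8",
    "<165>1 2003-10-11T22:14:15.003Z dc01 evtsys - - - Logon failure",
    "<13>1 2003-10-11T22:14:15Z - app - - - heartbeat",
    "not a syslog line at all",
]
```

Only lines with a known hostname get their original address back; the NIL-hostname and malformed lines stay attributed to the relay, so a receiver differentiating by hostname would lump them together.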