I have an environment where syslog data from many systems (including linux, windows, ePO and others) are collected and then transported by Apache NiFi.

NiFi has a syslog writer but, of course, all events appear from the same IP address. The ERCs can differentiate and perform correlation on syslog from one IP based on host name, but this functionality appears limited (at least by the drop-down in the config UI) to data sources based on syslog-ng.

I don't yet have enough of a system to test this myself, so I was wondering if anyone knew if "syslog-ng" in this case is shorthand for "something that aggregates syslog" (so I may be able to get away with just pointing at the NiFi endpoint) or whether I actually need to put a syslog-ng instance between NiFi and my receiver?



This is probably frowned upon, but I'm going to answer my own question.


NiFi seems to be the Swiss Army Chainsaw of data movement, so it can arbitrarily change the originating IP address, either to reinstate the original (having looked up the hostname) or to indicate what class of device generated the message (by other means).

In either case, the ERC can be set up as if it were handling syslog data from the original device.  Which is very cool.
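As an added illustration of the hostname-based re-attribution the answer relies on (this is example code, not part of the original post and not NiFi's own processing): every event arrives from the relay's single IP, so the receiver side parses the RFC 3164 header, takes the HOSTNAME field, and maps it back to the original device's address and class. The relay address, the hostname map and the sample lines are constructed assumptions; hostnames that are not in the map are flagged rather than trusted, since the header hostname is written by the sender and is not authenticated.

```python
import re
from typing import Optional

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME TAG: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Constructed assumption: the single address the NiFi relay sends from.
RELAY_IP = "10.0.0.50"

# Constructed assumption: hostname (as the original device writes it) ->
# (original source IP, device class) the ERC should treat as the origin.
ORIGIN_MAP = {
    "web01": ("10.0.1.10", "linux"),
    "DC01": ("10.0.2.5", "windows"),
    "epo-srv": ("10.0.3.20", "epo"),
}

# Constructed sample events, all delivered from RELAY_IP.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 web01 sshd[1234]: Failed password for invalid user admin",
    "<13>Oct 11 22:14:16 DC01 EventLog: audit success, logon type 3",
    "<13>Oct 11 22:14:17 rogue-host kernel: link is up",
]


def parse_syslog(line: str) -> Optional[dict]:
    """Split an RFC 3164 line into fields; return None if it is not well formed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # max facility 23, max severity 7
        return None
    return {"facility": pri >> 3, "severity": pri & 7, "ts": m.group("ts"),
            "host": m.group("host"), "msg": m.group("msg")}


def reattribute(line: str, src_ip: str) -> dict:
    """Attach origin_ip/device_class, using the header hostname only for relayed events."""
    ev = parse_syslog(line)
    if ev is None:
        return {"status": "unparsed", "src_ip": src_ip, "raw": line}
    if src_ip != RELAY_IP:  # direct sender: the packet source is the origin
        ev.update(origin_ip=src_ip, device_class="direct", status="ok")
        return ev
    origin = ORIGIN_MAP.get(ev["host"])
    if origin is None:  # relayed but unknown hostname: keep relay IP, flag it
        ev.update(origin_ip=src_ip, device_class="unknown", status="unmapped-host")
        return ev
    ev.update(origin_ip=origin[0], device_class=origin[1], status="ok")
    return ev
```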

