clath13
Level 9

Can you syslog to 2 devices?

Can I just add a second daemon.info line to the rsyslog.conf file to send my logs to a 2nd source?

Thanks,

Claire

0 Kudos
4 Replies
eelsasser
Level 15

Re: Can you syslog to 2 devices?

Yes.

Just add a second line.

0 Kudos
McAfee Employee

Re: Can you syslog to 2 devices?

You can indeed by adding a second line! But....

You might also want to consider sending specifically formatted messages to specific destinations.

Say you have a McAfee ESM and a Splunk. The ESM logline uses the Nitro format, and the Splunk format uses CEF (for example).

To send a message to the syslog daemon we have this rule in the logging cycle, 6 = Info:

ESM is already configured as:

daemon.info @esm

OR possibly:

*.* @esm

If you do the following for splunk:

daemon.info @splunk

This would mean that esm and splunk receive both messages (the nitro format, and the splunk format).

  1. McAfeeWG|time_stamp=[01/Jan/2015:02:12:31 +0800]|auth_user=jsmith|src_ip=10.10.69.1|server_ip=172.224.247.54|host=www.mcafee.com|url_port=80|status_code=301|bytes_from_client=279|bytes_to_client=1149|categories=Business, Software/Hardware|rep_level=Minimal Risk|method=GET|url=http://www.mcafee.com/|media_type=text/html|application_name=|user_agent=Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)|block_res=0|block_reason=|virus_name=|hash=|filename=|filesize=753| 
  2. CEF:0|McAfee|Web Gateway|7.3.2|301|Proxy--|2|rt=Sep 02 2013 16:55:57 cat=Access Log dst=12.234.121.129 dhost=www.mcafee.com suser=jsmith src=10.10.69.1 requestMethod=GET request=http://www.mcafee.com/ app=HTTP cs3=HTTP/1.1 cs3Label=Protocol/Version cs4=Business, Software/Hardware cs4Label=URL Categories cs6=Minimal Risk cs6Label=Reputation fileType=text/html out=1182 requestClientApplication=Mozilla/5.0 Firefox/23.0 cs1= cs1Label=Virus Name cn1=0 cn1Label=Block Reason cs5=Default cs5Label=Policy 

If we want ESM to only get #1, and splunk to only get #2, we would modify the logging rule to use 7 (debug) instead of 6 (info). In the rsyslog conf we would have a line like:

daemon.=debug @splunk

This would ensure only daemon.debug events are sent to the second syslog server (splunk).

Hope this helps. If it doesn't matter what message is sent where, then adding a second line would be fine.

Best Regards.

Jon

0 Kudos
clath13
Level 9

Re: Can you syslog to 2 devices?

Hi Jon,

That is helpful.

Thank you,

Claire

0 Kudos
jebotha
Level 9

Re: Can you syslog to 2 devices?

Hi Jon,

I am trying to understand the result of what you have described here. If we configure Log Handler 1 as Syslog (7. User-Defined.syslogline) and Log handler 2 as Syslog (7, User-Defined.syslogline_2) e.g., and then configure the rsyslog file to use daemon.=debug @syslog_server1 and daemon.=info @syslog_server2, this means that syslog_server1 will receive all the debug level messages and above, and syslog_server2 only the info level messages if I understand correctly?

What if we need to have both servers receive exactly the same logs, just in different log line formats (e.g. if we are running two SIEM solutions in parallel)?

Kind Regards

Jacques

0 Kudos
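The selector behaviour Jon describes, and the question Jacques raises about what daemon.=debug versus daemon.info deliver, as an added example that is not part of the thread: a small Python model of rsyslog's classic "facility.priority action" selector matching (a priority matches that level and everything more severe; a leading "=" matches that level only; "*" is a wildcard). It assumes single-selector lines only and represents the two log handlers by constructed sample messages; the targets @esm and @splunk are the names used in the thread.

```python
# Added example, not code from the thread or from McAfee: a minimal model of
# rsyslog's classic selector lines, used to check which collector receives
# which message. Assumed scope: one "facility.priority target" per line;
# "!" modifiers, ";"-joined selectors and the "none" priority are not modelled.

# Severity order as in syslog: index 0 is most severe, 7 is least severe.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_selector(line):
    """Split 'daemon.=debug @splunk' into (facility, exact, priority, target)."""
    selector, target = line.split(None, 1)
    facility, prio = selector.split(".", 1)
    exact = prio.startswith("=")          # "=" means this priority only
    prio = prio.lstrip("=")
    if prio != "*" and prio not in PRIORITIES:
        raise ValueError("unknown priority: " + prio)
    return facility, exact, prio, target.strip()


def selector_matches(facility, exact, prio, msg_fac, msg_prio):
    """True if a message at (msg_fac, msg_prio) is selected by this rule."""
    if facility != "*" and facility != msg_fac:
        return False
    if prio == "*":
        return True
    if exact:
        return msg_prio == prio
    # Without "=", the selector matches its own level and anything more severe,
    # so "daemon.info" does NOT match a debug message.
    return PRIORITIES.index(msg_prio) <= PRIORITIES.index(prio)


def route(config_lines, messages):
    """Return {target: [message text, ...]} for (facility, priority, text) messages."""
    rules = [parse_selector(l) for l in config_lines if l.strip() and not l.startswith("#")]
    delivered = {r[3]: [] for r in rules}
    for msg_fac, msg_prio, text in messages:
        for facility, exact, prio, target in rules:
            if selector_matches(facility, exact, prio, msg_fac, msg_prio):
                delivered[target].append(text)
    return delivered


# Constructed sample messages standing in for the two log handlers: the Nitro
# line emitted at info, and the CEF line emitted at debug as Jon suggests.
NITRO = ("daemon", "info", "McAfeeWG|time_stamp=[...]|auth_user=jsmith|...")
CEF = ("daemon", "debug", "CEF:0|McAfee|Web Gateway|7.3.2|301|Proxy--|2|...")

if __name__ == "__main__":
    print(route(["daemon.info @esm", "daemon.=debug @splunk"], [NITRO, CEF]))
    print(route(["*.* @esm", "daemon.=debug @splunk"], [NITRO, CEF]))
```

The second call shows the caveat: if the ESM line is `*.* @esm` rather than `daemon.info @esm`, ESM still receives the debug-level CEF line as well.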