
MWG syslog / rsyslog.conf for dual destination by facility

Hello community,

I basically have a common need for a configuration.

We are sending 2 syslog messages per access in 2 different formats, both to the same syslog server. There they get divided and forwarded to Splunk and a proprietary SIEM system. So now the question is how to distinguish the messages. Basically MWG gives you just the option to change the severity, which would be a misuse of a field that is not intended to be used for this. Also, sending different messages with different severities (like info for access and alert for access to a ransomware site) would not be possible.

The idea is now to use the facility, as 16-23 are the custom localx definitions. Till now I did not manage to configure rsyslog with this option. I used a config like:

if ($msg contains "CEF") { action(type="omfwd" Target.......}

Now, before sending, I would like to change the property syslogfacility from 3 to 16 in the if statement. I tried to handle it with: https://www.rsyslog.com/doc/v8-stable/configuration/property_replacer.html but I did not have success.

Does someone here have more experience and knowledge with rsyslog configuration?

 

Regards and many thanks for a fast response.

Chris
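
The following is an added example, not from the original post or from McAfee/rsyslog documentation. It shows one way to get the effect asked for above: rsyslog's `$syslogfacility` is read-only (it is decoded from the PRI of the incoming message), so the facility cannot be reassigned with `set`; instead the outgoing template renders a new PRI computed as facility * 8 + severity (local0 = 16, so 128 + severity), which keeps whatever severity MWG set. RainerScript also requires `then` after the `if (...)` condition. The target address, port, protocol and the assumption that the CEF copy is the one containing the string "CEF" are placeholders for the environment, not values from the post.

```rsyslog
# Added example (not from the original post): forward the CEF-formatted
# copy of the MWG access log with facility local0 (16) while keeping the
# severity MWG assigned; forward everything else unchanged.
#
# Assumptions (not stated in the post): messages arrive with facility
# daemon (3); the CEF copy contains the literal "CEF"; the relay that
# splits traffic to Splunk and the SIEM listens on 10.0.0.10/514 UDP.
# Adjust Target/Port/Protocol to the real environment.

# PRI = facility * 8 + severity. For local0: 16 * 8 = 128, so
# info (6) becomes <134>, alert (1) becomes <129>.
# $.pri is a local variable computed per message below; the rest of the
# template is rsyslog's standard forwarding layout (RFC 3164 style).
template(name="fwd_local0" type="string"
         string="<%$.pri%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%\n")

if ($msg contains "CEF") then {
    # cnum() turns the severity property string into a number for the arithmetic
    set $.pri = 128 + cnum($syslogseverity);
    action(type="omfwd" Target="10.0.0.10" Port="514" Protocol="udp"
           template="fwd_local0")
    # do not let the CEF copy fall through to the default forwarder below
    stop
}

# The second (non-CEF) format keeps its original PRI, i.e. facility 3,
# so the receiving relay can route on facility: local0 -> SIEM, daemon -> Splunk.
action(type="omfwd" Target="10.0.0.10" Port="514" Protocol="udp")
```

After reloading rsyslog, a quick check is to capture the outgoing traffic (for example with tcpdump on port 514) and confirm that CEF lines start with `<134>` or `<129>` and the other copy still starts with `<30>` (daemon.info); if `%$.pri%` renders empty, the local variable was not set before the action ran, which usually means the `set` is outside the `if` block or the rsyslog version is older than the v7 RainerScript syntax used here.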

 
