MWG syslog / rsyslog.conf for dual destination by facility

Hello community,

I have basically a common need for a configuration. 

We are sending 2 syslog messages at access in 2 different formats, both to the same syslog server. There it gets divided and forwarded to Splunk and a proprietary SIEM system. So now the question is how to distinguish the messages. Basically MWG gives you just the option to change the severity, which would be a misuse of a field which is not intended to be used for this. Also, if you want to send different messages with different severities (like info for access and alert for access to a ransomware site), that would not be possible.

The idea is now to use the facility, as 16-23 are the custom localx definitions. Till now I did not manage to configure rsyslog with this option. I used a config like:

if ($msg contains "CEF") { action(type="omfwd" Target.......}

Now, before sending, I would like to change the property syslogfacility from 3 to 16 in the if statement. I tried to handle it with https://www.rsyslog.com/doc/v8-stable/configuration/property_replacer.html but without success.

Does someone here have more experience and knowledge with rsyslog configuration?

 

Regards and many thanks for a fast response.

Chris
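One way to set this up, as an added example that is not from the poster and not taken from McAfee or rsyslog documentation. It assumes the CEF-formatted stream can be recognised by the literal "CEF", uses placeholder addresses, and works around the fact that rsyslog's facility property is read-only by recomputing the PRI in a custom forwarding template:

```rsyslog
# Added example, not from the original post. Tag the two MWG access-log
# formats with different facilities before forwarding, so the receiving
# syslog server can route on facility instead of misusing severity.
# Assumptions: the CEF stream contains the literal "CEF", the other stream
# does not, and the relay is SYSLOG_RELAY_IP (placeholder) on 514/tcp.
#
# $syslogfacility cannot be assigned in RainerScript (only $! $. $/ variables
# are writable), so the facility is not changed in place. Instead a new PRI
# (facility * 8 + severity) is stored in a local variable and emitted by the
# forwarding template in place of the original %PRI%.

template(name="MwgForward" type="string"
         string="<%$.pri%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")

ruleset(name="mwg_access") {
    if ($msg contains "CEF") then {
        # local0 = facility 16 -> PRI 128 + the original severity
        set $.pri = 16 * 8 + $syslogseverity;
    } else {
        # local1 = facility 17 -> PRI 136 + the original severity
        set $.pri = 17 * 8 + $syslogseverity;
    }
    action(type="omfwd" target="SYSLOG_RELAY_IP" port="514"
           protocol="tcp" template="MwgForward")
}

# Bind the ruleset to the listener that receives from MWG (assumed 514/udp).
module(load="imudp")
input(type="imudp" port="514" ruleset="mwg_access")

# On the relay, the facility now carries the routing decision, e.g.:
#   if $syslogfacility == 16 then action(type="omfwd" target="SPLUNK_IP" ...)
#   if $syslogfacility == 17 then action(type="omfwd" target="SIEM_IP" ...)
```

Because severity is left untouched, the original info/alert distinction still survives end to end, and the relay can grep its received files for `<128>`..`<135>` versus `<136>`..`<143>` to confirm the rewrite is applied.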

 
