4 Replies Latest reply on Aug 28, 2017 8:52 AM by ksudki

    Solarwinds as syslog forwarder

    ksudki

      Dear community,

      I am searching for a way to integrate events from network devices by using Solarwinds Orion as a relay.

      Solarwinds can add the source IP address in the syslog headers as described in the KB below.

      Forward syslog message and retain original IP address - SolarWinds Worldwide, LLC. Help and Support

      Example of syslog message:

      <189>Original Address=<ip address> 38472738: 99221906: May 3 14:07:12.614 UTC: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (mac_address) on Interface Fa2/0/48 AuditSessionID <id>

      Is there a way to replace the source IP of the forwarder by the one in the header?

      Thank you

        • 1. Re: Solarwinds as syslog forwarder
          abanaru

          Use the SYSLOG Relay function when configuring the Data Source (the Solarwinds forwarder). Then add each network device separately with their original IP address and it should work.

          • 2. Re: Solarwinds as syslog forwarder
            ksudki

            Hello abanaru,

            This does not work unfortunately. Any other way to do it?

            • 3. Re: Solarwinds as syslog forwarder
              sssyyy

              The syslog needs to have the original device source IP and date before it reaches syslog-ng, I think, and do what abanaru said in the ESM GUI.

              • 4. Re: Solarwinds as syslog forwarder
                ksudki

                I finally found a way to perform the above using a syslog-ng relay, which will transform the events sent by Solarwinds into a format that McAfee recognizes.

                # syslog-ng configuration (goes in syslog-ng.conf, below its @version line).
                # The forwarder sends the whole original line as the message body, so the
                # events are taken in with no-parse and the wrapper is stripped by rewrite rules.
                # subst() replaces the first match only unless flags("global") is given.
                rewrite r_solarwinds {
                    # blank the HOST field, which no-parse fills with the forwarder's address;
                    # single quotes keep the backslash literal for the regex
                    subst('[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}', '', value("HOST"));
                    # drop the word "Original" that Solarwinds prepends
                    subst('Original', '', value("MESSAGE"));
                    # drop the PRI wrapper and " Address=", leaving the device IP in front of
                    # the device's own message (PRI has 1 to 3 digits, not always 3)
                    subst('<[0-9]{1,3}> Address=', '', value("MESSAGE"));
                };

                source s_slw {
                    # UDP 514 on all interfaces; keep the datagram as-is in $MESSAGE
                    udp(flags(no-parse));
                };

                destination d_siem {
                    network('ip of siem here', port(514));
                };

                log {
                    source(s_slw);
                    rewrite(r_solarwinds);
                    destination(d_siem);
                };
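The same normalization as ksudki's syslog-ng rewrite, done in Python as an added example (not code from the thread, SolarWinds or McAfee) so the header handling can be checked offline before a relay is put in the path; the sample line is constructed in the shape of the one quoted in the question, and the device network list is an assumption. It also validates the embedded address, since that field is plain message text rather than the datagram's real source.

```python
import ipaddress
import re

# Constructed sample in the shape of the line quoted in the question, with made-up
# values in place of the <ip address>, (mac_address) and <id> placeholders.
SAMPLE = ("<189>Original Address=10.20.30.40 38472738: 99221906: May 3 14:07:12.614 UTC: "
          "%AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) "
          "on Interface Fa2/0/48 AuditSessionID 0A141E2800000001")

# <PRI>Original Address=<ip> <device message>; PRI is 0..191, so 1 to 3 digits.
WRAPPED = re.compile(r"^<(?P<pri>\d{1,3})>Original Address=(?P<host>\S+) (?P<msg>.*)$")

# Assumed: the networks the monitored devices live in. The Original Address field is
# free text written by whatever sent the datagram, so it is validated before the SIEM
# is allowed to attribute the event to that device.
DEVICE_NETS = ("10.0.0.0/8",)


def unwrap_solarwinds(line, device_nets=DEVICE_NETS):
    """Return (pri, host, msg) for a wrapped line, or None if the line is not
    wrapped, its PRI is out of range, or the embedded address is not a valid IP
    inside device_nets."""
    m = WRAPPED.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None
    try:
        host = ipaddress.ip_address(m.group("host"))
    except ValueError:
        return None
    if not any(host in ipaddress.ip_network(net) for net in device_nets):
        return None
    return pri, str(host), m.group("msg")


def rewrite_for_siem(line, device_nets=DEVICE_NETS):
    """Apply the thread's normalization: the wrapper is removed and the device's
    own address stands in front of its message, so the SIEM sees the device, not
    the forwarder, as the source. Lines that fail unwrap_solarwinds pass through
    unchanged."""
    parsed = unwrap_solarwinds(line, device_nets)
    if parsed is None:
        return line
    pri, host, msg = parsed
    return f"<{pri}>{host} {msg}"
```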