Graylog forward syslog from RH Sources

Hi,
I have a problem with syslog forwarding to an RSA Netwitness SIEM.

I’ll explain my situation:
I have some RedHat Linux sources that send secure logs via rsyslog configuration. After processing these logs in Graylog, I have to forward the messages to the RSA Netwitness platform using the Syslog Output Plugin.
Is there a way to remove the “graylog” that the plugin adds when sending the message?
I’ll show you an example:

Normal event:
Nov 29 10:33:14 centos su: pam_unix(su-l:session): session opened for user root by root(uid=0)
Forwarded event:
Nov 29 10:33:14 graylog centos su: pam_unix(su-l:session): session opened for user root by root(uid=0)

Hey @Liuke

That plugin does not allow any modification - to answer your question, no, it is not possible.

You would need to write your own plugin that allows this OR find another plugin.

Thanks Jan, as I expected.
The easiest way is to edit the parser on Netwitness side.
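
The header difference shown in this thread, as an added example that is not part of the original posts and is not Graylog or Netwitness code: a Python filter that drops the inserted relay hostname only when a real origin hostname and tag follow it, so events logged by the relay host itself are left alone. The function name, the `graylog` default, the optional `<PRI>` handling and every sample line other than the two quoted above are assumptions.

```python
import re

# BSD-style (RFC 3164) header: optional <PRI>, timestamp, then the first hostname token.
HEADER = re.compile(
    r'^(?P<pri><\d{1,3}>)?'
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) '
    r'(?P<first>\S+) '
    r'(?P<rest>.*)$'
)
# What must follow the relay name for it to be an inserted token:
# an origin hostname, then a tag such as "su:" or "sshd[812]:".
ORIGIN = re.compile(r'^[A-Za-z0-9._-]+ [^\s:\[]+(?:\[\d+\])?:(?: |$)')


def strip_relay_host(line, relay_host="graylog"):
    """Return line without the relay hostname inserted after the timestamp.

    Heuristic: the line is rewritten only if the first hostname token is the
    relay AND the remainder still starts with "<host> <tag>:". A message that
    really originates on the relay ("graylog sshd[812]: ...") is unchanged.
    """
    m = HEADER.match(line)
    if not m or m["first"] != relay_host:
        return line
    if not ORIGIN.match(m["rest"]):
        return line
    return f"{m['pri'] or ''}{m['ts']} {m['rest']}"


# Sample input: the first two lines are quoted from the thread, the rest are constructed.
SAMPLES = [
    "Nov 29 10:33:14 graylog centos su: pam_unix(su-l:session): session opened for user root by root(uid=0)",
    "Nov 29 10:33:14 centos su: pam_unix(su-l:session): session opened for user root by root(uid=0)",
    "Nov 29 10:40:02 graylog sshd[812]: Accepted publickey for admin",
    "<86>Nov  9 07:01:55 graylog centos sshd[4021]: Failed password for root",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(strip_relay_host(sample))
```

The same two-step test (relay name first, then a hostname and tag still present) is the condition a modified parser on the receiving side would need in order to keep attributing events to the original source.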
