How to forward copy of logs from Garylog server to another SIEM tool


(Vikram ) #1

Is there any way we can forward a copy of received logs from Graylog server to SIEM tool without changing logs/events header[ie: actual source and destination].

I tried output plugins but none of them seems to be working, am I missing something here.


(Jochen) #2

What format does your SIEM expect?
What headers do you mean specifically?
Which outputs (and which configuration) have you tried before and what was the result?


(Vikram ) #3

What format does your SIEM expect?

  • Syslog Format [Port UDP or TCP anything]

What headers do you mean specifically?

  • Source address of log generating device(Endpoint hosts, Firewalls, Routers]

Which outputs (and which configuration) have you tried before and what was the result?

  • Outputs STDOUT and Syslog (Imported)
  • Syslog Output Plugin configuration:-
    UDP Port- 514 or 10025
    Message Format: Full
    Protocol: UDP


(Vikram ) #4

Hi Jochen, do you have any suggestions for me- how can I address this issue.


(Jochen) #5

You probably have to write your own output plugin or post feature requests for the existing plugins if you want pristine message forwarding.

As it is, Graylog will almost always enrich the message with additional information.


(system) #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.