This may seem obvious but I would just like confirmation that filters on IP address ranges or subnet masks are compared to the Source IP from the UDP/TCP packet header. The documentation does not state this specifically.
Not how syslog works. All the filters do is extract the information from the syslog you're sending to the Kiwi Syslog Server and show the filtered results.
The IP Address/Range filters do filter on source IP and not the content of the syslog message. In order to filter on message content, you have to use the message filters and regex expressions or write a script to parse the actual syslog message.
Well, I could be wrong, but I have not found any SolarWinds documentation reporting Kiwi Syslog as a packet sniffer. As far as I'm aware, it's based off syslog.
Thanks, Acy. I should really have said "the source IP from the IP datagram" to be more accurate.
That source IP is captured by Kiwi, jamesatloop1. However, that doesn't make it a packet sniffer. Here's a quote from the "Forward to another host" section of the manual:
Normally, the syslog protocol is unable to maintain the original sender's address when forwarding/relaying syslog messages. This is because the sender's address is taken from the received UDP or TCP packet.
The reason for my question was that other (non-IP) filters act on the content of the syslog message. I just wanted to be sure that a source IP, sent as hostname in the content, would not be used as the basis for filtering.
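The distinction discussed in this thread, as an added example that is not part of the original posts and is not Kiwi Syslog Server's code: an IP-range filter evaluated against the packet's source address versus the HOSTNAME field carried inside the message. The `evaluate` function, the sample datagrams and the 10.1.1.0/24 range are constructed for illustration and assume RFC 3164-style headers.

```python
import ipaddress
import re

# RFC 3164-style header: <PRI>Mmm dd hh:mm:ss HOSTNAME message
HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (\S+) ", re.ASCII)


def evaluate(peer_ip, payload, allowed_net):
    """Check an IP-range filter against the transport peer address and,
    separately, against the HOSTNAME field inside the syslog message."""
    net = ipaddress.ip_network(allowed_net)
    peer = ipaddress.ip_address(peer_ip)
    m = HEADER.match(payload.decode("utf-8", errors="replace"))
    claimed = m.group(1) if m else None
    try:
        claimed_ip = ipaddress.ip_address(claimed) if claimed else None
    except ValueError:
        claimed_ip = None  # HOSTNAME is a name, not an address
    return {
        "claimed_host": claimed,
        # What a source-IP filter sees: the address from the packet header.
        "ip_filter_match": peer in net,
        # What a filter on message content would see instead.
        "content_in_range": claimed_ip is not None and claimed_ip in net,
        # A relay, NAT or a wrong HOSTNAME all produce this disagreement.
        "mismatch": claimed_ip is not None and claimed_ip != peer,
    }


# Constructed samples: (peer address as recvfrom() would return it, datagram)
SAMPLES = [
    ("10.1.1.5", b"<134>Oct 11 22:14:15 10.1.1.5 sshd[311]: session opened"),
    ("192.168.50.2", b"<134>Oct 11 22:14:16 10.1.1.5 sshd[311]: session opened"),
    ("10.1.1.9", b"<134>Oct 11 22:14:17 fw01 kernel: link up"),
]

if __name__ == "__main__":
    for peer, data in SAMPLES:
        print(peer, evaluate(peer, data, "10.1.1.0/24"))
```

The second sample is the relayed case from the manual quote: the message names 10.1.1.5, but the packet arrived from 192.168.50.2, so a source-IP filter for 10.1.1.0/24 does not match it.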