5 Replies Latest reply on Jun 6, 2016 3:04 PM by kdevmu

    Can LEM accept RSYSLOG?

    kdevmu

      My firewall is sending logs to an rsyslog server, which forwards the syslog messages to LEM. The problem here is that in rsyslog we have enabled the OMUDPSPOOF module in order to change the source IP of the node, which actually wraps the syslog into 'lsyslog' format. So I just want to check whether it is because of this that LEM is not able to detect the node. I can see the logs forwarded from the rsyslog server to LEM, and the connector for the firewall is already enabled, but I still don't see it detecting this node.

      Please help.

        • Re: Can LEM accept RSYSLOG?
          curtisi

          The connector is going to be expecting a specific format, likely the original format of the firewall. If rsyslog manipulates/changes the log lines, the connector isn't going to know what to do with that data any more.

          We have some intelligence for syslog servers modifying data built around Kiwi Syslog, so this may be something that could be sent up as a feature request.

          • Re: Can LEM accept RSYSLOG?
            HolyGuacamole

            Can rsyslog log to a text file in an unmodified format? If so, you should be able to install the LEM Agent on the rsyslog server and enable a connector on the agent node to read the firewall log from this text file.

              • Re: Can LEM accept RSYSLOG?
                kdevmu

                Great. So if I install the LEM agent on the rsyslog server, which IP will it detect for the node? I mean, how will the LEM agent read the node's IP and show it on the LEM console?

                  • Re: Can LEM accept RSYSLOG?
                    HolyGuacamole

                    The key question is: can rsyslog log to a text file in an *unmodified* format? If so, the approach should work. It will associate the logs with the source IP and also consume one node license for each log source.

                    The process is outlined in the evaluation guide; see the last section:

                    http://www.solarwinds.com/documentation/LEM/Docs/LEM_Evaluation_Guide.pdf

                      • Re: Can LEM accept RSYSLOG?
                        kdevmu

                        OK. I will check in rsyslog. I have one more scenario.

                        The firewall is deployed at the customer location, and from there it points syslog to a syslog-ng server which acts as a relay and relays the logs to a central syslog-ng server, which then forwards the logs to LEM.

                        Firewall ~ syslog-ng relay ~ syslog-ng central ~ LEM

                        Two problems here.

                        1. I don't see the actual IP of the firewall node on LEM, as it comes through the syslog-ng relay and server.

                        2. Even if I get the actual IP of the node, since it's running on PPPoE the IP keeps changing and it appears as multiple nodes on LEM.

                        How do I deal with this? Can I use the LEM agent on the relay or on the syslog-ng server?
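Putting the thread's advice into one rsyslog configuration, as an added example that is not code from the thread, from SolarWinds or from the rsyslog project. It covers HolyGuacamole's suggestion earlier in the thread (write the firewall's lines to a text file unmodified and point a LEM Agent file connector at it) and the two relay problems in the last post. Two rsyslog facts drive it: omudpspoof only rewrites the UDP source address, and the payload it sends is whatever its `template` renders (by default a forward-format template that re-renders the timestamp and host header, which is exactly the "changed format" a connector chokes on), so pin the template to `%rawmsg%`; and a PPPoE address change alters `%fromhost-ip%` but not the hostname the firewall writes in its own syslog header (`%hostname%`), so key files on the latter. The hostname `fw-branch01`, the LEM address `192.0.2.20` and the paths are assumptions.

```rsyslog
# /etc/rsyslog.d/10-firewall.conf
# Added example for this thread; not SolarWinds or rsyslog project code.
# Assumed names: firewall header hostname "fw-branch01", LEM appliance 192.0.2.20,
# output directory /var/log/firewall.

module(load="imudp")
module(load="omudpspoof")      # needs libnet and raw-socket privilege; rsyslog must keep it
input(type="imudp" port="514")

# Re-emit exactly the bytes the firewall sent. Any other template re-renders the
# header (timestamp, host) in rsyslog's own layout, which the LEM connector
# will not recognise as the firewall's format.
template(name="RawLine"   type="string" string="%rawmsg%\n")   # file: one line per message
template(name="RawPacket" type="string" string="%rawmsg%")     # UDP: no trailing newline

# Source address to stamp on the spoofed UDP packets: the address the packet came from,
# so LEM sees the firewall, not the rsyslog server.
template(name="OrigSource" type="string" string="%fromhost-ip%")

# One file per device, keyed on the hostname in the firewall's own syslog header.
# %fromhost-ip% changes with every PPPoE reconnect; %hostname% does not, so the
# file, and the node a LEM Agent file connector reports, stay the same.
template(name="FwFile" type="string" string="/var/log/firewall/%hostname%/firewall.log")

if $hostname == 'fw-branch01' then {
    # 1. Unmodified copy on disk for a LEM Agent file connector on this box.
    action(type="omfile" dynaFile="FwFile" template="RawLine"
           dirCreateMode="0750" fileCreateMode="0640")

    # 2. Unmodified forward to LEM with the firewall's own address as the UDP source.
    action(type="omudpspoof" target="192.0.2.20" port="514"
           template="RawPacket" sourcetemplate="OrigSource")

    stop    # keep the firewall's traffic out of /var/log/messages
}
```

Check the result on the LEM side with `tcpdump -nn -A udp port 514`: the source address should be the firewall's and the payload byte-identical to what the firewall emits, with its own hostname in the header. If the firewall does not put a hostname in its header, `%hostname%` falls back to the sender's address and the `if` match above will never fire; set a hostname on the firewall before relying on this. For the syslog-ng chain in the last post the equivalent knobs are `keep_hostname(yes)` (and `chain_hostnames(no)`) in the `options {}` block of both the relay and the central server, so the HOST field stays the firewall's header hostname instead of being replaced with the relay's address at each hop, and `${HOST}` rather than `${SOURCEIP}` in the `file()` destination path that a LEM Agent on the central server would read.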