rsyslog IP Spoofing
I have a new RHEL rsyslog central server I am using to replace a Windows Kiwi central server. Kiwi can spoof the IP of the incoming messages so that when it sends them out to our SIEM they appear to come from the original host. Both Kiwi and syslog-ng have this ability. I cannot find a way to do this with rsyslog and need some help. Can anyone assist me? I found information on omudpspoof, but it appears this is not supported on RHEL 6. Any suggestions would be appreciated. I am willing to use UDP or TCP.
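For reference, this is the shape of an rsyslog relay configuration that does what the question asks with the omudpspoof output module. It is an added example, not from the original post or from Red Hat, and it assumes a build of rsyslog where the omudpspoof plugin is installed (the module is shipped as a separate package on some distributions, and the poster notes it was unavailable to them on RHEL 6). The SIEM hostname `siem.example.net` is a placeholder.

```rsyslog
# --- receive from the clients on UDP/514 and TCP/514 ---
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

# --- forward to the SIEM with a forged source address ---
$ModLoad omudpspoof

# Source address to put in the IP header of the outgoing packet.
# %fromhost-ip% is the address the relay received the message from,
# so the SIEM sees the originating host, not the relay.
$template spoofaddr,"%fromhost-ip%"

# Wire format of the forwarded message (classic BSD syslog layout).
$template spooftemplate,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\n"

$ActionOMUDPSpoofSourceNameTemplate spoofaddr
$ActionOMUDPSpoofTargetHost siem.example.net
$ActionOMUDPSpoofTargetPort 514

# Send everything the relay receives; keep local copies in the usual files
# via the rest of rsyslog.conf.
*.* :omudpspoof:;spooftemplate
```

Two caveats a practitioner should have in mind before relying on this. Forging the source address means rsyslog writes raw IP packets, so the daemon needs root or CAP_NET_RAW on the relay, and any anti-spoofing filtering between the relay and the SIEM (uRPF or similar ingress filters) will drop the packets, since to the network they are indistinguishable from an attacker spoofing that host. It is also UDP only: a spoofed TCP session cannot complete the handshake, which is why this trick does not exist for TCP forwarding and why the usual alternative is to have the SIEM key on the HOSTNAME field of the message header rather than on the packet's source IP.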
Responses
Hello
1] Using UDP for logging possible security issues is not a good idea as it is an unreliable protocol.
2] Configuring the clients to send security related log messages via TCP directly to your SIEM logging system seems like a better idea.
3] For longer term convenience, you could ask the provider of the SIEM logging software to allow processing messages as you would like.
