How replace host IP on log before to send for SIEM? I need subst for new IP

Question

I'm using syslog-ng @3.25 in this case.

And I want to do the following:

Whenever I receive the logs:

<12>Oct 13 11:40:04 192.168.1.130 2023-10-13 14:40:04,649   sentinel -  CEF:0|SentinelOne|
<123>Oct 13 11:40:04 192.168.1.131 2023-10-13 14:40:04,649   sentinel -  CEF:0|SentinelOne|

I want it to be received like this in the SIEM:

<12>Oct 13 11:40:04 10.1.2.3 2023-10-13 14:40:04,649   sentinel -  CEF:0|SentinelOne|
<123>Oct 13 11:40:04 10.1.2.3 2023-10-13 14:40:04,649   sentinel -  CEF:0|SentinelOne|

That is, when the logs come from the ips: 192.168.1.130 and 192.168.1.131 It is sent with the IP: 10.1.2.3

I've already tried all these settings below, but there's always an error.

rewrite r_rewrite_set {
    set("myhost", value("HOST"));
    if match("^192\.168\.1\.130", value("myhost")) {
        set("myhost", "10.1.2.3");
    };
};


rewrite r_rewrite_subst{
    subst("192.168.1.130", "10.1.2.3", value("MESSAGE"));
};

filter f_rewrite_source_ip {
    host("192.168.1.130") or host("192.168.1.131") {
        set("10.1.2.3" value("HOST"));
    };
};

This is my conf:

# SOURCES
source s_internal_tcp {
        network(
                transport("tcp")
                port(514)
                max-connections(5000)
        );
};
source s_internal_udp {
        network(
                transport("udp")
                port(514)
        );
};

# FILTER
filter f_authorized_assets {
        host("192.168.1.132$") or
        host("192.168.1.130$") or
        host("192.168.1.131$") or
        host("192.168.1.129$")
};

filter f_final_filter {
    filter(f_authorized_assets);
};

# DESTINATIONS
destination d_nts_siem {
        network(
        "192.168.221.200"
                disk-buffer(
                        disk-buf-size(1073741824) # Default: 1MB. Set: 1GB
                        mem-buf-length(10000) # Default: 10k. Set: 10k
                        reliable(no)
                )
                throttle(1500) # EPS Limit
        );
};

# LOGS
# Syslog Server logs
log {
        source(s_src);
        filter(f_authorized_assets);
        destination(d_nts_siem);
};

# Demais logs
log {
        source(s_internal_tcp);
        source(s_internal_udp);   
    filter(f_final_filter);
filter(f_rewrite_filter);   
#template(t_rewrite_message);
#rewrite{set("myhost", value("HOST") + "10.1.2.3")};
#rewrite(r_rewrite_set, "${HOST}", "10.1.2.3");
destination(d_nts_siem);
};

Has anyone experienced this or have any ideas on how to do it?

Sandson Costa · Accepted Answer · 2023-10-17 02:03:28Z

1

I solved my own problem by myself.

I used:

rewrite r_rewrite_subst{
subst("192.168.1.130", "10.1.2.3", value("HOST"));
};

And I include the line:

rewrite(r_rewite_subst);

On log. That's it.

answered Oct 17, 2023 at 2:03

Sandson Costa

1317 bronze badges

Sign up to request clarification or add additional context in comments.

Collectives™ on Stack Overflow

How replace host IP on log before to send for SIEM? I need subst for new IP

1 Answer 1

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

1 Answer 1

Comments

Your Answer

Sign up or log in

Post as a guest

Related