Rewrite

January 10, 2017 03:42PM
Hi, I need some help. I am load balancing my syslog traffic from my WAF device to
the nginx server below, and the servers in the pool are servers running rsyslog.
Currently the issue is that when the logs hit the nginx server it rewrites the
source host name; for example, in the logs below you see "nginx_vm" but you should see "WAF01".
Does anyone have any suggestions to stop this from happening?



# Nginx VM "nginx_vm"

stream {
    upstream splunk_backend {
        server 192.168.1.31:514;
        server 192.168.1.32:514;
    }

    server {
        listen 192.168.2.2:514;
        listen 514 udp;
        proxy_connect_timeout 1s;
        proxy_timeout 10m;
        proxy_pass splunk_backend;
        proxy_buffer_size 64k;
        proxy_next_upstream_timeout 1;
        error_log /var/log/nginx/splunk.log info;
    }
}


# MY IMPERVA WAF device "WAF01"

Jan 5 13:54:17 nginx_vm CEF: 0|Imperva Inc.|SecureSphere|11.0.0.3_0|Profile|unauthorized-http-req-content-t|Low|act=alert dst=10.10.240.35 dpt=80 duser=${Alert.username} src=41.104.58.1 spt=20872 proto=TCP rt=05 January 2017 18:54:17 cs1=Web Profile Policy cs1Label=Policy
vegetax January 10, 2017 03:42PM
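
An added example, not part of the original post and not the poster's configuration: one way to keep the WAF's address as the UDP source when nginx relays syslog, using the stream module's transparent `proxy_bind`. It assumes that rsyslog fills in the host field from the sender's address because the CEF message carries no hostname of its own, that nginx is 1.11.2 or later on Linux, and it reuses the addresses from the post.

```nginx
# Added example. Before nginx 1.13.8 the workers need superuser privileges
# for a transparent bind; on Linux with 1.13.8 or later they inherit
# CAP_NET_RAW from the master process and this line can be dropped.
user root;

events {}

stream {
    upstream splunk_backend {
        server 192.168.1.31:514;
        server 192.168.1.32:514;
    }

    server {
        listen 514 udp;

        # Default behaviour: the relayed datagram leaves with nginx_vm's own
        # address as source, so the receiver attributes the event to nginx_vm.
        # With a transparent bind the datagram keeps the original client
        # address (the WAF) as its source IP.
        proxy_bind $remote_addr transparent;

        # Syslog over UDP is one-way. Expecting zero replies lets nginx close
        # the session as soon as the datagram has been forwarded.
        proxy_responses 0;

        proxy_pass splunk_backend;
        error_log /var/log/nginx/splunk.log info;
    }
}
```

The rsyslog hosts then receive packets whose source is the WAF's address but which arrive from nginx_vm, so strict reverse-path filtering on those hosts may drop them. Where a transparent bind is not an option, the alternative is to have the sending device put its own hostname in the syslog header so attribution does not depend on the source address.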


