I'm new to the forum and Rsyslog. I'm on rsyslog 7.4.10 still.
I'm having an issue with getting Symantec 14 syslog into a SIEM via Rsyslog.
On the rsyslog box, there are 2 NICs.
One NIC receives syslog over UDP 514, at which point the log gets processed against our rule blocks in our config.
Then if the log is destined for a SIEM tool, it gets routed to the IP of a 2nd NIC over 5514 on the same rsyslog server which has the SIEM agent collecting and forwarding logs.
The problem is in the rule block I created, I'm assuming.
if $rawmsg contains_i ["ABC-DEFGH01"]
I'm trying to obfuscate the hostname and target IP for public sharing here in the forum, of course.
It appears the block works where it lives, because when I change the port and target IP to a different location for testing, the logs come into that other non-SIEM logging platform.
I also have other existing blocks that are working and able to route to the 2nd NIC, where the agent can send the logs to a SIEM tool.
I've also tried using "if $hostname contains_i", but no luck.
When I do a tcpdump on the second NIC, I should be seeing the traffic/Symantec log, but I do not.
I know I'm on an older version, but would definitely appreciate some assistance.
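A complete rule block of the kind described above, as an added example (not the original poster's configuration); the matched string, the second NIC's address and the file path are placeholders, and the local file action is only there to separate a match problem from a delivery problem:

```rsyslog
# Added example for rsyslog 7.x RainerScript, not the poster's own config.
# Listener for the first NIC (UDP 514).
module(load="imudp")
input(type="imudp" port="514")

# Match on the raw message rather than $hostname: $rawmsg holds the whole
# datagram including the header, so the match does not depend on rsyslog
# having parsed the hostname field the way the sender wrote it.
# "ABC-DEFGH01" is a placeholder for the Symantec server name.
if $rawmsg contains_i "ABC-DEFGH01" then {
    # Verification step: every matched message also lands in a local file.
    # Placeholder path; remove once the route is confirmed working.
    action(type="omfile" file="/var/log/symantec-match.log")

    # Forward to the SIEM agent on the second NIC.
    # 192.0.2.10 (documentation range) stands in for the second NIC's IP.
    action(type="omfwd" target="192.0.2.10" port="5514" protocol="udp")

    # Optional: drop the message here so later rule blocks do not see it.
    stop
}
```

If the local file fills up but tcpdump on the second NIC stays empty, the match is fine and the problem is delivery (for example a host firewall or the agent not listening on that address); if the file stays empty too, the match expression itself is what needs attention.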