Forward the original raw message to a SIEM system

Hi, folks at Balabit/One Identity,

We would like to configure Syslog-ng PE to forward the original raw message, as it has been received, to a SIEM system.

How should we configure /opt/syslog-ng/etc/syslog-ng.conf for the source and destination so that Syslog-ng PE does not tamper with the original syslog header and message content?

Thank you!


  • If the original message is a syslog formatted message you don't need any of these options.
    The original message can be forwarded by using keep-hostname(yes) and keep-timestamp(yes) on the source.

    But if the log is non-syslog formatted, then you have two options to forward the original message.

    1. no-parse
      The original message will be placed in the MESSAGE part of the outgoing log message. So the receiver can process the original message by working only on the MESSAGE part.
    2. store-raw-message
      This option does not modify the format of the log message but places the original log in the ${RAWMSG} macro.
      With that you can forward the original message to the remote side if needed with the template("${RAWMSG}") configured in the destination.
      Also, you can forward it via syslog() and put the original message in the SDATA.
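
The two options from the reply above, written out as a syslog-ng.conf sketch. This is an added example, not part of the original reply or vendor-supplied configuration; the object names, listening ports and the `siem.example.com` address are placeholders.

```conf
# Added example: all names, addresses and ports are placeholders.
# Put the @version line that matches your installed release at the top of the file.

# Option 2 (store-raw-message): the message is parsed as usual, and the
# unmodified input is additionally kept in the ${RAWMSG} macro.
source s_raw {
    network(
        ip("0.0.0.0") port(514) transport("tcp")
        flags(store-raw-message)
        keep-hostname(yes)
        keep-timestamp(yes)
    );
};

# Option 1 (no-parse): nothing is parsed; the whole received line is
# placed in the MESSAGE part.
source s_noparse {
    network(
        ip("0.0.0.0") port(5514) transport("tcp")
        flags(no-parse)
    );
};

# A custom template replaces the default output format, so no new header
# is prepended. The trailing \n delimits messages on a stream transport.
destination d_siem_rawmsg {
    network("siem.example.com" port(6514) transport("tcp")
        template("${RAWMSG}\n"));
};

destination d_siem_message {
    network("siem.example.com" port(6515) transport("tcp")
        template("${MESSAGE}\n"));
};

log { source(s_raw);     destination(d_siem_rawmsg); };
log { source(s_noparse); destination(d_siem_message); };
```

To confirm nothing is rewritten in transit, send a known test line to the source and compare it byte for byte with what the SIEM listener receives.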