Rewriting the IP Header before Sending

I have a situation where I want to send syslog data (i.e. from a firewall) to two different logging environments (Elasticsearch and QRadar). If I send the original syslog data (from the firewall) to Logstash, can it rewrite the IP header information so that when it is received by Elasticsearch and QRadar that the message appears to come directly from the firewall? Basically I want QRadar not to realize that there’s something in the middle relaying the syslog data.


If you are asking whether logstash can spoof the TCP header on the outbound traffic then no, a user level process cannot do that.

In this case, yes but it would be UDP traffic. I’ve worked in the past with Nitro and it had a “data archival” function that would behave this way. I don’t know what it did in the background but all you had to do is supply the IP address as to where you wanted the data to sent too.