I have a situation where I want to send syslog data (i.e. from a firewall) to two different logging environments (Elasticsearch and QRadar). If I send the original syslog data (from the firewall) to Logstash, can it rewrite the IP header information so that when it is received by Elasticsearch and QRadar the message appears to come directly from the firewall? Basically I want QRadar not to realize that there’s something in the middle relaying the syslog data.
In this case, yes, but it would be UDP traffic. I’ve worked in the past with Nitro and it had a “data archival” function that would behave this way. I don’t know what it did in the background, but all you had to do was supply the IP address where you wanted the data sent to.
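What "rewriting the IP header" actually involves, as an added illustration that is not code from either poster and not a Logstash feature: the relay has to build the complete IPv4 + UDP packet itself, write the firewall's address into the source field, recompute both checksums (the UDP checksum covers a pseudo-header that includes that forged source), and hand the bytes to a raw socket with `IP_HDRINCL` set. That is why the answer above says UDP only: a TCP connection from a forged address cannot complete, because the SYN/ACK goes back to the firewall rather than the relay. The addresses (RFC 5737 documentation ranges) and the syslog line below are constructed sample data; `send_raw` requires root or `CAP_NET_RAW` and is not called on import.

```python
"""Build a UDP/IPv4 datagram whose source address belongs to another host.

Added example for the thread above, not code from either poster.
All addresses and the log line are constructed sample data.
"""
import socket
import struct

# Constructed sample values (RFC 5737 documentation ranges, not real hosts).
FIREWALL_IP = "192.0.2.10"   # what QRadar should see as the sender
QRADAR_IP = "192.0.2.20"
SYSLOG_LINE = b"<134>Mar 10 12:00:00 fw01 filter: deny tcp 198.51.100.7:4444 -> 192.0.2.80:22"


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum, used by both IPv4 and UDP.

    Applied to a header that already carries its checksum, it returns 0.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_spoofed_syslog(src_ip: str, dst_ip: str, payload: bytes,
                         src_port: int = 514, dst_port: int = 514) -> bytes:
    """Return IPv4 header + UDP header + payload with src_ip forged."""
    udp_len = 8 + len(payload)
    # The UDP checksum covers a pseudo-header (RFC 768) built from the
    # addresses in the IP header, so it must be computed with the forged
    # source or the receiver's stack will drop the datagram.
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len))
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    udp_csum = checksum(pseudo + udp_hdr + payload) or 0xFFFF  # 0 means "no checksum"
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, udp_csum)

    # IPv4 header: ver/IHL, DSCP, total len, id, flags/frag, TTL, proto, csum, src, dst
    fields = [0x45, 0, 20 + udp_len, 0, 0, 64, socket.IPPROTO_UDP, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = checksum(ip_hdr)           # header checksum over the zeroed field
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    return ip_hdr + udp_hdr + payload


def parse_udp_packet(pkt: bytes) -> dict:
    """Decode what the receiver (or a pcap) sees and verify both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    udp = pkt[ihl:ihl + udp_len]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, udp_len)
    return {
        "src_ip": socket.inet_ntoa(pkt[12:16]),
        "dst_ip": socket.inet_ntoa(pkt[16:20]),
        "proto": proto,
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": udp[8:],
        "ip_checksum_ok": checksum(pkt[:ihl]) == 0,
        "udp_checksum_ok": checksum(pseudo + udp) == 0,
    }


def send_raw(pkt: bytes, dst_ip: str) -> None:
    """Hand the pre-built packet to the kernel. Needs root / CAP_NET_RAW.

    IP_HDRINCL tells the kernel to send our IPv4 header as-is instead of
    filling in the host's own source address; that is the whole trick.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(pkt, (dst_ip, 0))


if __name__ == "__main__":
    pkt = build_spoofed_syslog(FIREWALL_IP, QRADAR_IP, SYSLOG_LINE)
    print(parse_udp_packet(pkt))
    # send_raw(pkt, QRADAR_IP)  # only on a host that is allowed to emit spoofed packets
```

Two practical caveats before building this into a relay. First, ordinary socket APIs (which is all a JVM process such as Logstash has) cannot set a source address the host does not own, so the spoofing has to live in a separate raw-socket sidecar, and any router or cloud VPC doing anti-spoofing (uRPF) on the path will silently drop the packets. Second, QRadar can match a log source on the hostname in the syslog header as well as on the packet's source address, so check whether relaying the firewall's original header unchanged already meets the need before resorting to raw sockets.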