I'm trying to forward all syslog messages over TLS from our environment to an external syslog server (dest.syslog.example.com) using rsyslog. Unfortunately, the source IP is changed to that of the relay host (fwd.syslog.example.com). I would like it to send the original source IP instead of the IP of the relay host while adhering to the RSYSLOG_SyslogProtocol23Format format.
Current rsyslog configuration relevant for forwarding the syslog messages over TLS:
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.crt
# Run driver in TLS mode
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer dest.syslog.example.com
$LocalHostName fwd.syslog.example.com
# Forward logging
*.* @@(o)dest.syslog.example.com:6514;RSYSLOG_SyslogProtocol23Format
Would it be possible to modify the fromhost-ip to the original source IP?
I'm not sure if this is sufficient, but the built-in template RSYSLOG_SyslogProtocol23Format is defined as
and you can replace HOSTNAME by fromhost or fromhost-ip:
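As an added example (not part of the original answer), this is the substitution applied to the question's forwarding setup. The template name ForwardWithSourceIP is made up for illustration, and the format string is rsyslog's stock RFC 5424 layout with only the HOSTNAME property swapped.

```rsyslog
# Added example. Same field order as RSYSLOG_SyslogProtocol23Format, but the
# header's hostname field carries fromhost-ip: the address of the peer this
# relay received the message from. Messages generated on the relay itself
# report 127.0.0.1, and behind a chain of relays only the last hop is visible.
$template ForwardWithSourceIP,"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %fromhost-ip% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

# TLS settings unchanged from the question
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.crt
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer dest.syslog.example.com

# Forward everything over TLS using the custom template
*.* @@(o)dest.syslog.example.com:6514;ForwardWithSourceIP
```

The TLS connection to dest.syslog.example.com still originates from the relay, so the receiver's own fromhost-ip stays the relay's address; the original sender is only available there as the hostname field of the forwarded message.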