Hi, I need some help. I am load balancing my syslog traffic from my WAF device to the nginx server below, and the servers in the pool are running rsyslog. Currently the issue is that when the logs hit the nginx server, it rewrites the source host name. For example, in the logs below you see "nginx_vm", but it should be "WAF01". Does anyone have any suggestions to stop this from happening?

# Nginx VM "nginx_vm"

    stream {
        upstream splunk_backend {
            server 192.168.1.31:514;
            server 192.168.1.32:514;
        }
        server {
            listen 192.168.2.2:514;
            listen 514 udp;
            proxy_connect_timeout 1s;
            proxy_timeout 10m;
            proxy_pass splunk_backend;
            proxy_buffer_size 64k;
            proxy_next_upstream_timeout 1;
            error_log /var/log/nginx/splunk.log info;
        }
    }

# MY IMPERVA WAF device "WAF01"

    Jan 5 13:54:17 nginx_vm CEF: 0|Imperva Inc.|SecureSphere|11.0.0.3_0|Profile|unauthorized-http-req-content-t|Low|act=alert dst=10.10.240.35 dpt=80 duser=${Alert.username} src=41.104.58.1 spt=20872 proto=TCP rt=05 January 2017 1 8:54:17 cs1=Web Profile Policy cs1Label=Policy

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271913,271913#msg-271913
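
An added example, not part of the original post and not the poster's configuration: one way to keep the WAF as the visible sender is to have the stream proxy forward each UDP datagram with the client's own source address. It assumes rsyslog takes the host name from the datagram's source address because the CEF message carries none, and it covers the UDP listener only; the backend addresses and log path are copied from the post.

```nginx
# Added example. Assumes nginx 1.11.0 or later with the stream module, on Linux.
# Before nginx 1.13.8 the worker processes must run with superuser privileges
# for "transparent" to work; from 1.13.8 on Linux the workers inherit
# CAP_NET_RAW from the master process instead.
user root;

events {}

stream {
    upstream splunk_backend {
        server 192.168.1.31:514;
        server 192.168.1.32:514;
    }

    server {
        listen 514 udp;

        # Weak setting (the default when proxy_bind is absent): nginx sends the
        # datagram from its own address, so the receiver attributes every
        # event to the proxy ("nginx_vm") and the real sender is lost.

        # Corrected: send upstream from the original client address and port,
        # so the rsyslog servers see the WAF as the source of the datagram.
        proxy_bind $remote_addr:$remote_port transparent;

        # Syslog over UDP is one-way. Expecting zero replies means no return
        # traffic has to be routed back through nginx.
        proxy_responses 0;

        proxy_pass splunk_backend;
        error_log /var/log/nginx/splunk.log info;
    }
}
```

Any device between the proxy and the rsyslog servers that enforces anti-spoofing or reverse-path filtering has to permit these packets, since they leave the proxy carrying the WAF's source address. Where the sender can be configured to include its own host name in the syslog header, the receiver no longer depends on the packet source for attribution.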