Channel: HAProxy community - Latest topics

Use HAProxy to proxy logs between Cisco and Wazuh


Hello all,

I’m working to get HAProxy to proxy syslogs from Cisco network equipment and Wazuh SIEM. I’m having an issue where the syslogs are not being properly decoded because of the header changes that HAProxy is making.

Example:

tcpdumpv -n -Q in port 514 on HAProxy
Msg: 17173731: SITE-CORE: Sep 23 11:43:44: %SEC-6-IPACCESSLOGP: list XYZ.SCAN denied tcp XXX.XXX.XXX.XXX(443) → 10.X.X.X(60464), 1 packet

Yields: tcpdumpv -n -Q in port 514 on Wazuh
Msg: Sep 23 15:46:41 10.X.X.X 17173731: SITE-CORE: Sep 23 11:43:44: %SEC-6-IPACCESSLOGP: list XYZ.SCAN denied tcp XXX.XXX.XXX.XXX(443) → 10.X.X.X(60464), 1 packet

I changed the frontend config to add the format flag which works and partly decodes.
log-forward syslog
    dgram-bind <HAProxy IP>:514
    log backend@mylog-rrb format rfc5424 local0

I would like to get HAProxy to either not alter the syslog data or remap the hostname of the device that sent the message to the proper field in the header.

I have tried all of the option host { replace | fill | keep | append } options and nothing works.

Of note: I’m using HAProxy version 3.2.4, and logs are received and sent over UDP. Some of my Cisco devices don’t support sending logs in an RFC5424 format.

Thanks,
MJ
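
The two captures in the post differ only by a prepended timestamp-and-host header, so a receiver-side parser can accept both forms and still recover the originating device name from the Cisco body. The following Python function is an added example, not part of the original post and not HAProxy or Wazuh code; the field names, the function name and the sample lines (built from the post's captures with documentation IP addresses) are assumptions.

```python
import re

PRI = re.compile(r"^<(\d{1,3})>")
# Header seen on the Wazuh side in the post: "Mmm dd hh:mm:ss <relay-added host> "
RELAY_HDR = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) ")
# Cisco body as shown in the post: "<seq>: <device>: <timestamp>: %FAC-SEV-MNEMONIC: text"
CISCO = re.compile(
    r"^(?P<seq>\d+): (?P<device>[^:\s]+): "
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

def parse_cisco_syslog(line):
    """Return origin fields from a Cisco message, relayed or not; None if no match."""
    line = line.strip()
    pri = None
    m = PRI.match(line)
    if m:  # optional <PRI> in front of either form
        pri, line = int(m.group(1)), line[m.end():]
    relay = RELAY_HDR.match(line)  # present only when a relay prepended a header
    body = CISCO.match(line[relay.end():] if relay else line)
    if body is None:
        return None
    return {
        "pri": pri,
        "relay_host": relay.group("host") if relay else None,
        "relay_ts": relay.group("ts") if relay else None,
        "device": body.group("device"),        # hostname the device put in the body
        "device_ts": body.group("ts"),         # device clock, not the relay clock
        "seq": int(body.group("seq")),
        "facility": body.group("facility"),
        "severity": int(body.group("severity")),
        "mnemonic": body.group("mnemonic"),
        "text": body.group("text"),
    }

# Constructed samples modelled on the two captures in the post (documentation IPs).
DIRECT = ("17173731: SITE-CORE: Sep 23 11:43:44: %SEC-6-IPACCESSLOGP: "
          "list XYZ.SCAN denied tcp 198.51.100.7(443) -> 192.0.2.20(60464), 1 packet")
RELAYED = "Sep 23 15:46:41 192.0.2.10 " + DIRECT

if __name__ == "__main__":
    for sample in (DIRECT, RELAYED):
        print(parse_cisco_syslog(sample))
```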
