One of our QRadar deployments is collecting Linux OS log source type events from a large number of log sources on our company's network. We have a couple of instances where the log source identifiers are identical, but obviously the FQDNs and IP addresses are different.
In order to circumvent these duplicates we need to change the actual log source identifier in the actual syslog event to be a unique value, and we are considering using the IP address in these cases. Changing the actual hostname on the server is not an option. Does anyone know how to permanently change the syslog event id in these Linux events?
Answer by EricLauzon (213) | Oct 31, 2016 at 11:08 AM
For syslog-ng it can be done using a rewrite subst, e.g.:
# Replace the literal hostname in the HOST macro with the host's IP address
rewrite r_rewrite_subst { subst("some_hostname", "10.1.1.2", value("HOST")); };
destination d_messages { file("/var/log/messages"); };
destination qradar { udp("qradar-ip" port(514)); };
# The rewrite runs before both destinations, so the local file and QRadar see the new HOST value
log { source(s_local); rewrite(r_rewrite_subst); destination(d_messages); destination(qradar); };
Answer by Chris Collins (IBM) (740) | Oct 31, 2016 at 06:41 AM
So it sounds like you're asking how to change it in the source system. If that's the case, the answer isn't completely straightforward, as it would depend on which syslog engine the remote system is even using: rsyslog, syslog-ng (most likely), etc.
You should be able to change the syslog configuration to send a string of your choice in the hostname portion of the syslog payload rather than taking it from a system variable if you need to force it.
This isn't so much a QRadar question as a Linux system administration question if I'm understanding it correctly.
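For hosts running rsyslog rather than syslog-ng, the same effect (a fixed string in the hostname portion of the header that Chris describes, and that QRadar uses as the log source identifier) can be had with a forwarding template. This is an added example, not code from either answer; it assumes 10.1.1.2 is the sending host's address and qradar-ip the collector, and that the host runs rsyslog 7 or later with RainerScript syntax.

```rsyslog
# /etc/rsyslog.d/qradar.conf  (assumed path; RainerScript syntax)

# Same layout as RSYSLOG_TraditionalForwardFormat, but the HOSTNAME field
# (second token of the RFC 3164 header) is the literal IP address instead
# of the %HOSTNAME% property taken from the kernel hostname.
template(name="qradar_ip_host" type="string"
         string="<%PRI%>%TIMESTAMP% 10.1.1.2 %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")

# Local copy keeps the original hostname, so on-box troubleshooting is unchanged.
action(type="omfile" file="/var/log/messages")

# Only the copy sent to QRadar uses the rewritten header.
action(type="omfwd" target="qradar-ip" port="514" protocol="udp"
       template="qradar_ip_host")
```

After restarting rsyslog, confirm on the QRadar side that the log source identifier shown for new events is 10.1.1.2 and that the original duplicate identifier stops receiving events from this host.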