Syslog output doesn't send data to Qradar #8784
Comments
Can you reproduce with the latest 3.0 versions?

@patrick-stephens Yes, I tried the same scenario on version 3.0.2 - the situation was exactly the same, no information about syslog output in the log and no data in QRadar. Do you have any suggestions on what to try next?

tcpdump or similar to see what's going on with the packets - also please follow the issue template as you've not indicated your platform and other useful info.

I'd try the tcp or udp output instead first.

It looks like there was an issue on the QRadar side. I added two fields, syslog_message_key (required) and syslog_hostname_key, and it works like a charm. In the logs, even with a functional setup, there is no output:syslog section, which is a bit confusing, but it works so it's not a problem :) Thank you guys.
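A classic-format Fluent Bit configuration illustrating the fix described in the comment above, added here as an example; it is not the reporter's own configuration, which is not reproduced in this thread. The log path, tag, the QRadar address placeholder and the record_modifier filter that supplies a hostname field are assumptions.

```ini
[SERVICE]
    Flush        1
    # Raise to debug when verifying that flushes to the syslog output happen
    Log_Level    info

[INPUT]
    Name            tail
    Tag             security.log
    # Assumed path of the plain-text "SECURITY timestamp message" file
    Path            /var/log/app/security.log
    Read_from_Head  true

# Assumed: the tail record only has "log"; add a hostname field so that
# syslog_hostname_key has a value to map into the syslog HOSTNAME part
[FILTER]
    Name    record_modifier
    Match   security.log
    Record  hostname ${HOSTNAME}

[OUTPUT]
    Name                 syslog
    Match                security.log
    # Placeholder: replace with the QRadar collector address
    Host                 QRADAR_IP_PLACEHOLDER
    Port                 514
    Mode                 tcp
    Syslog_Format        rfc5424
    # The record key whose value becomes the syslog MSG part (the required key)
    Syslog_Message_Key   log
    # The record key whose value becomes the syslog HOSTNAME part
    Syslog_Hostname_Key  hostname
```

As suggested earlier in the thread, capturing the traffic on the collector port with tcpdump confirms whether the MSG part carries the log line, since the Fluent Bit log itself shows no output:syslog section even when delivery works.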
Bug Report
Describe the bug
I'm trying to set up sending logs to QRadar via syslog output, but only TCP info logs (about connection) are arriving in QRadar (without the logs I'm sending).
My Fluent Bit is running as a sidecar; the file I read with the tail plugin and all the other outputs contain the regular messages, but they're missing in QRadar.
My fluentbit version: 2.2.1
My log format is plain text like: SECURITY timestamp message
My configuration:
At the start there is info about plugins:
and correct connection:
And when a new log is found, I see the other outputs in the Fluent Bit log.
But there is no syslog output... only 2 lines about the connection to qradar_ip, but no flush info or anything.
I tried to add syslog_message_key (value log, but I tried message also), but without luck.
Changing the format didn't help.
Is there anything that I need to add to send the data?
Thank you