I recently stood up a SIEM/Log Collector-Processor and noted that, for SYSLOG messages being sent through my SME router via LAN address UDP/TCP:514 to an address outside the WAN, all messages are being stripped of their OriginHost (oHost) IPs and all messages appear as if they were coming from the WAN IP.
In more detail: a VMware ESXi server, configured on 11.100.10.20, is configured to send SYSLOG messages to udp://180.100.10.72:514; the SME is set to WAN: 180.100.10.5 and LAN: 11.100.10.0/24 (with DHCP enabled).
I ran Wireshark on the 180.100.10.72 box to review the incoming packet traffic, and all SYSLOG being sent through the SME router appears as 180.100.10.5 no matter the oHost.
I also tried to set up port forwarding over UDP/TCP 514 and reroute the SYSLOG that way, but it did not work.
In order for the SIEM to correctly and accurately function and process the LOG information being collected, it must contain the proper oHost IP.
Any/all help in getting this fixed is appreciated.
Thanks, BloxGuy!
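An added example to illustrate the symptom described in the post above (not code from the original post or from any vendor): it parses the HOSTNAME field from syslog headers (RFC 3164 and RFC 5424 forms are assumed) and flags any packet source address that fronts several distinct origin hosts, which is what a collector sees when every datagram arrives from the router's WAN address. The datagrams and host names are constructed sample data.

```python
import re

# Constructed sample: (source IP seen by the collector, raw syslog payload).
# Three different hosts all arrive from the same WAN address, so only the
# HOSTNAME field inside the syslog header still identifies the real origin.
SAMPLE_DATAGRAMS = [
    ("180.100.10.5", "<14>Mar  1 12:00:01 esxi-01 Hostd: [info] VM powered on"),
    ("180.100.10.5", "<165>1 2024-03-01T12:00:02Z esxi-02 vmkernel - - - link up"),
    ("180.100.10.5", "<13>Mar  1 12:00:03 fw-edge kernel: blocked inbound"),
    ("11.100.10.20", "<14>Mar  1 12:00:04 esxi-01 Hostd: direct LAN delivery"),
]

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164 = re.compile(
    r"^<\d{1,3}>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)
# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424 = re.compile(r"^<\d{1,3}>1 (?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")


def parse_origin_host(payload):
    """Return the HOSTNAME field from a syslog header, or None if it cannot be parsed."""
    for pattern in (RFC5424, RFC3164):
        match = pattern.match(payload)
        if match:
            return match.group("host")
    return None


def nat_suspects(datagrams, threshold=2):
    """Return {source_ip: [origin hosts]} for every source IP that carries
    messages from at least `threshold` distinct origin hosts. A single source
    fronting many hosts means the transport address can no longer be used
    for attribution and the header HOSTNAME must be relied on instead."""
    hosts_by_src = {}
    for src_ip, payload in datagrams:
        host = parse_origin_host(payload)
        if host:
            hosts_by_src.setdefault(src_ip, set()).add(host)
    return {ip: sorted(hosts) for ip, hosts in hosts_by_src.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    for src_ip, hosts in nat_suspects(SAMPLE_DATAGRAMS).items():
        print(f"{src_ip} fronts {len(hosts)} origin hosts: {', '.join(hosts)}")
```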