Syslog host IP issues

Highlighted
New Contributor

Has anybody run into an issue within syslogs where IP addresses are showing up in the SyslogMessage column, but not in the the HostIP column? I am seeing ssh attempts from IP's but the originating IP is in the SysLogMessage description while HostIP shows unknown or 127.0.0.1. I believe this could also be what is causing my potentially malicious event map to show "No Data Was Found". 

 

Any help would be greatly appreciated!

1 Reply
Highlighted

Hi 

Is this syslog from a local machine with the agent?  Or syslog CEF where a message is being sent via CEF to a machine with the agent?

 

Either way, could you share the source message format?  and a screen capture of the data in the Azure Sentinel workspace?