Forum Discussion
davidbrilliant
Jul 29, 2019, Copper Contributor
Syslog host IP issues
Has anybody run into an issue within syslogs where IP addresses are showing up in the SyslogMessage column, but not in the HostIP column? I am seeing ssh attempts from IPs, but the originating IP is in the SyslogMessage description while HostIP shows unknown or 127.0.0.1. I believe this could also be what is causing my potentially malicious event map to show "No Data Was Found".
Any help would be greatly appreciated!
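A practical way to work with rows like the ones described above is to treat the remote peer's address as data inside SyslogMessage rather than expecting it in HostIP, and to flag rows whose HostIP is loopback or "Unknown IP". The Python below is an added example, not code from this thread or from Azure Sentinel; the column names HostIP, HostName and SyslogMessage are taken from the post, the sample rows are constructed, and the message shapes ("Failed password for ... from <ip> port <n>", "rhost=<ip>") are the standard OpenSSH and PAM formats. It also handles IPv6 peers, which the post does not mention.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample rows in the shape of Sentinel Syslog table columns.
# HostIP is deliberately 127.0.0.1 / "Unknown IP" on most rows to mirror the symptom in the post.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"HostIP": "127.0.0.1", "HostName": "web01",
     "SyslogMessage": "Failed password for invalid user admin from 203.0.113.45 port 52214 ssh2"},
    {"HostIP": "Unknown IP", "HostName": "web01",
     "SyslogMessage": "Invalid user test from 198.51.100.7 port 40110"},
    {"HostIP": "10.0.0.5", "HostName": "web01",
     "SyslogMessage": "Accepted publickey for deploy from 10.0.0.22 port 50122 ssh2: RSA SHA256:0f1e2d"},
    {"HostIP": "127.0.0.1", "HostName": "web01",
     "SyslogMessage": "Received disconnect from 203.0.113.45 port 52214:11: Bye Bye [preauth]"},
    {"HostIP": "127.0.0.1", "HostName": "web01",
     "SyslogMessage": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 "
                      "tty=ssh ruser= rhost=203.0.113.45 user=root"},
    {"HostIP": "Unknown IP", "HostName": "web01",
     "SyslogMessage": "Failed password for root from 2001:db8::1 port 4444 ssh2"},
]

# Remote-peer patterns in OpenSSH and PAM messages, tried in order; the first valid hit wins.
_REMOTE_IP_PATTERNS = [
    re.compile(r"\bfrom (?P<ip>[0-9a-fA-F.:]+) port \d+"),
    re.compile(r"\brhost=(?P<ip>[0-9a-fA-F.:]+)\b"),
]

# Substrings that mark an unsuccessful authentication attempt in sshd/PAM output.
_FAILURE_MARKERS = ("Failed password", "Invalid user", "authentication failure")


def parse_ip(text: str) -> Optional[str]:
    """Return the normalized IPv4/IPv6 string if text is a valid address, else None."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def extract_remote_ip(message: str) -> Optional[str]:
    """Pull the remote peer's address out of a sshd or PAM message body."""
    for pattern in _REMOTE_IP_PATTERNS:
        match = pattern.search(message)
        if match:
            ip = parse_ip(match.group("ip"))
            if ip:
                return ip
    return None


def host_ip_is_usable(host_ip: str) -> bool:
    """True only if HostIP is a real, non-loopback address (rules out 'Unknown IP' and 127.0.0.1)."""
    ip = parse_ip(host_ip)
    return ip is not None and not ipaddress.ip_address(ip).is_loopback


def enrich(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Add RemoteIP (from the message) and HostIPUsable (from the HostIP column) to every row."""
    return [
        {**row,
         "RemoteIP": extract_remote_ip(row["SyslogMessage"]),
         "HostIPUsable": host_ip_is_usable(row["HostIP"])}
        for row in rows
    ]


def failed_logins_by_remote_ip(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count failed ssh authentication attempts per remote IP, using the message, not HostIP."""
    counts: Counter = Counter()
    for row in rows:
        message = row["SyslogMessage"]
        if any(marker in message for marker in _FAILURE_MARKERS):
            ip = extract_remote_ip(message)
            if ip:
                counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for row in enrich(SAMPLE_ROWS):
        print(row["HostIP"], row["HostIPUsable"], row["RemoteIP"], sep="\t")
    print(failed_logins_by_remote_ip(SAMPLE_ROWS))
```

The same split applies inside the workspace: a KQL query over the Syslog table can pull the peer address out of SyslogMessage with extract() and aggregate on that, independently of what HostIP contains.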
Hi
Is this syslog from a local machine with the agent? Or syslog CEF where a message is being sent via CEF to a machine with the agent?
Either way, could you share the source message format and a screen capture of the data in the Azure Sentinel workspace?
Deleted
I have the same issue: one Linux machine acting as a proxy and another Linux rsyslog machine that sends logs to the proxy. The logs appear correctly in Sentinel, but HostIP says Unknown IP.
Can anyone help me?
Many Thanks,
Guido