Open rosseison opened 8 years ago
In our environment I solved this and other cases (such as wanting to prohibit hairpinning another syslog server) by running samplicator and customizing iptables.

To implement your case (presuming earlier iptables -X to flush chains such as syslog_out):

    iptables -N syslog_out
    iptables -A OUTPUT -p udp --dport 514 -j syslog_out
    iptables -A syslog_out -s $firewall -d $solarwinds -j DROP
    iptables -A syslog_out -j ACCEPT

Is it possible to EXCLUDE source hosts/networks such that their messages are NOT forwarded?
Example: I have some hosts (firewalls) that send GBs of log messages every day and I don't want to forward those messages to our Solarwinds server, because it simply can't handle the load.

    $data_center_network: 10.1.0.0/255.255.0.0
    $firewall: 10.1.1.10
    $solarwinds: 10.1.2.3

So, I'd like to be able to keep my configuration very simple by having something like this in my config:

    $data_center_network:$solarwinds/514, !$firewall

I realize that I could just define every host I want logs forwarded from in the samplicator config, but that means I have to edit that config every time I have a new or changed router or switch.
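
The iptables approach from the reply, generalized to several excluded senders, as an added example that is not part of the original thread or the samplicator project. The function name `syslog_exclusion_rules` and the helper `is_ipv4` are hypothetical, the addresses are the sample values from the question, and it assumes samplicator sends with the original source address preserved, since otherwise the `-s` match in OUTPUT never sees the firewall's address.

```shell
#!/bin/sh
# Prints (does not run) the iptables commands that stop selected senders from
# being forwarded to one syslog receiver. Review the output, then pipe it to sh.
# Assumption: forwarded packets keep the original sender's source address.

# Accept only dotted-quad IPv4. The values end up in commands run as root,
# so anything else (hostnames, "1.2.3.4; cmd", globs) is rejected.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; safe, only digits and dots remain
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# usage: syslog_exclusion_rules <receiver> <excluded-sender>...
syslog_exclusion_rules() {
    [ $# -ge 2 ] || { echo "usage: syslog_exclusion_rules DEST SRC..." >&2; return 1; }
    dest=$1; shift
    # Validate everything before emitting a single rule.
    for addr in "$dest" "$@"; do
        is_ipv4 "$addr" || { echo "rejecting non-IPv4 value: $addr" >&2; return 1; }
    done
    # Create the chain, or empty it if it already exists, so re-runs do not stack rules.
    echo "iptables -N syslog_out 2>/dev/null || iptables -F syslog_out"
    # Add the jump from OUTPUT only if it is not already present.
    echo "iptables -C OUTPUT -p udp --dport 514 -j syslog_out 2>/dev/null || iptables -A OUTPUT -p udp --dport 514 -j syslog_out"
    for src in "$@"; do
        echo "iptables -A syslog_out -s $src -d $dest -j DROP"
    done
    # Everything not explicitly dropped is still forwarded.
    echo "iptables -A syslog_out -j ACCEPT"
}
```

Calling `syslog_exclusion_rules 10.1.2.3 10.1.1.10` prints the same four rules as the reply, with the chain setup made safe to re-run.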