Yes, it is possible. It could be done either with multiple forwarders or collectors, both using filters. If you are using the Data Center Security collector, then I'd recommend using different forwarders, to avoid adding extra load on the DCS database.
Depending on the event types, there are different attributes that contain IP addresses. However, all event types have a common attribute: device_ip, which is the IP address of the device/endpoint that logged the event.
To write a forwarder filter, you can use string compare operators, such as '=' or 'like'. For example: device_ip = "192.168.0.22" or device_ip like "192.168". The other option is to use the 'in' operator to check if a given IP address belongs to a subnet. For example: device_ip in "192.168.0.0/24".
------------------------------
Roumen
SED, Broadcom
------------------------------
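To show how the three device_ip filter forms from the reply above route events to different receivers, here is an added Python example (not ICDx code, and not part of the original post). The forwarder names, sample events and the substring semantics assumed for 'like' are constructed for illustration.

```python
import ipaddress
import re

# Hypothetical forwarders, each with one filter on device_ip (constructed for illustration).
FORWARDERS = {
    "syslog-a": 'device_ip = "192.168.0.22"',
    "syslog-b": 'device_ip like "192.168"',
    "syslog-c": 'device_ip in "10.0.0.0/8"',
}

# Accepts exactly the shape used in the reply: attr op "value"
FILTER_RE = re.compile(r'^(\w+)\s+(=|like|in)\s+"([^"]*)"$')

def matches(event, expr):
    """Evaluate one filter against one event dict. 'like' is assumed to be a substring match."""
    m = FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    attr, op, value = m.groups()
    actual = event.get(attr)
    if actual is None:
        return False          # attribute absent: never matches
    if op == "=":
        return actual == value
    if op == "like":
        return value in actual
    # op == "in": membership of the address in a CIDR block
    try:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False          # malformed address or subnet never matches

def route(events, forwarders=FORWARDERS):
    """Return {forwarder_name: [event ids]} for every forwarder whose filter matches."""
    routed = {name: [] for name in forwarders}
    for ev in events:
        for name, expr in forwarders.items():
            if matches(ev, expr):
                routed[name].append(ev["id"])
    return routed

# Constructed sample events; every event type carries device_ip.
SAMPLE_EVENTS = [
    {"id": "e1", "device_ip": "192.168.0.22"},
    {"id": "e2", "device_ip": "192.168.5.7"},
    {"id": "e3", "device_ip": "10.20.30.40"},
    {"id": "e4", "device_ip": "172.16.1.1"},   # matches no forwarder
]

if __name__ == "__main__":
    print(route(SAMPLE_EVENTS))
```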
Original Message:
Sent: 04-06-2020 04:42 PM
From: Mike Fefferman
Subject: Need to forward certain events by IP address to syslog receivers
I have a need to forward events based on IP address to different syslog receivers. Is it possible with ICDx? Or can this be achieved with multiple Data Center Security collectors?
I only see a way to filter on attributes, but not IP addresses.
------------------------------
Mike
WaveRider Security
CA
------------------------------