IBM Security QRadar

Mystical reverse lookup in Squid logs

  • 1.  Mystical reverse lookup in Squid logs

    Posted Mon July 22, 2019 05:23 AM
    Hi,

    In one of our systems we are processing Squid Proxy logs in QRadar. These are received over syslog from the syslog relay and everything is almost fine, but we wanted to see the computer names in the logs so we can use this information in a forensic situation. So we enabled the required config in Squid, and when I check the incoming logs everything is fine:

    <182>Jul 22 11:14:57 10.0.11.110 (squid-1): 1563786897.760 99406 <ip address of the computer> <hostname of the computer> TCP_TUNNEL/200 6059 CONNECT mobile.pipe.aria.microsoft.com:443 - HIER_DIRECT/52.114.128.9

    But when I check the actual payload of the messages which are properly recognized by QRadar as Squid logs, the <hostname of the computer> field is replaced by the <ip address of the computer>, so I have exactly the same info in two fields:

    <182>Jul 22 11:20:22 10.0.11.110 (squid-1): 1563787222.592 5679 <ip address of the computer> <ip address of the computer> TCP_TUNNEL/200 3465 CONNECT us-u.openx.net:443 - HIER_DIRECT/173.241.240.143 -

    Do you think this should be a support case, or is there any quick (even dirty) solution to fix this?

    ------------------------------
    Thank you for your efforts
    Laszlo Pal
    ------------------------------
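An added example, not part of the post or of QRadar's Squid DSM: a small parser for the syslog-wrapped Squid lines shown above (the field layout is assumed from those two lines; the client IP and hostname values are constructed), with a check that flags events where the FQDN field merely repeats the client IP, which is the symptom described. Running it against the raw syslog feed and against what QRadar stores as the payload shows at which hop the hostname disappears.

```python
import re
from dataclasses import dataclass

# Constructed sample events in the shape of the two lines in the post
# (the client IP and hostname are made up; relay and peer values follow the post).
SAMPLE_LINES = [
    "<182>Jul 22 11:14:57 10.0.11.110 (squid-1): 1563786897.760 99406 10.0.20.15 "
    "pc-0042.corp.example TCP_TUNNEL/200 6059 CONNECT mobile.pipe.aria.microsoft.com:443 "
    "- HIER_DIRECT/52.114.128.9",
    "<182>Jul 22 11:20:22 10.0.11.110 (squid-1): 1563787222.592 5679 10.0.20.15 "
    "10.0.20.15 TCP_TUNNEL/200 3465 CONNECT us-u.openx.net:443 - HIER_DIRECT/173.241.240.143 -",
]

# Syslog wrapper as relayed in the post: <PRI>Mon DD HH:MM:SS <relay-ip> (<program>): <payload>
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<relay>\S+) \((?P<prog>[^)]+)\): (?P<payload>.*)$"
)

@dataclass
class SquidEvent:
    timestamp: float    # epoch seconds as squid writes them
    duration_ms: int
    client_ip: str
    client_fqdn: str    # the field the post says QRadar collapses to the IP
    result: str         # e.g. TCP_TUNNEL
    status: int         # HTTP status, e.g. 200
    bytes_sent: int
    method: str
    url: str
    hierarchy: str      # e.g. HIER_DIRECT
    peer: str           # upstream address

def parse_squid_fqdn_line(line: str) -> SquidEvent:
    """Split one syslog-wrapped line into fields; layout assumed from the post:
    time elapsed client-ip client-fqdn code/status bytes method url ident hier/peer [type]."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped squid line")
    f = m.group("payload").split()
    if len(f) < 10:  # the trailing content-type field is absent in the post's first line
        raise ValueError(f"unexpected field count {len(f)}")
    result, status = f[4].split("/", 1)
    hierarchy, peer = f[9].split("/", 1)
    return SquidEvent(float(f[0]), int(f[1]), f[2], f[3], result, int(status),
                      int(f[5]), f[6], f[7], hierarchy, peer)

def fqdn_collapsed(ev: SquidEvent) -> bool:
    """True when the FQDN field merely repeats the client IP (the symptom in the post)."""
    return ev.client_fqdn == ev.client_ip
```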