I recently stood up a haproxy 2.4.8 instance in order to take advantage of the log forward functionality. Currently, logs forwarded along via this instance are landing at our back-end SIEM, but the SIEM is treating the haproxy instance as the source IP of said logs. I’m hoping to determine whether log-forward natively forwards traffic similarly to the send-proxy option that can be defined on the server line in a backend config, or if I’m just missing something.
log-forward sendtosiem
    bind 192.168.100.100:514
    dgram-bind 192.168.100.100:514
    log fqdn.com:514 local0
(It is also possible that the SIEM itself isn’t properly configured to read the proxy-packets correctly. I have a ticket in with them to run that down. Just want to see what I should be expecting out of log-forward.)