| Products | Versions |
|---|---|
| TIBCO LogLogic Log Management Intelligence | all versions |
A common configuration sends syslog events generated by a firewall to a LogLogic LMI appliance, which then forwards those same events to another host through that same firewall. In this setup the firewall may falsely conclude that a spoofing attack is under way. The false positive occurs only when the LMI appliance forwards with UDP syslog: in that mode LMI writes the event's original source IP into the IP header of the forwarded packet, so the firewall's own address appears as the source of packets arriving from the LMI side of the network. The firewall recognizes that address as its own and concludes that another host is spoofing the firewall's IP.
1. Send the firewall's logs directly to the host that the LMI appliance forwards them to.
2. Do not forward the firewall's logs from the first LMI appliance to the other host; instead forward them from the LMI appliance to a different host that can be reached without traversing the firewall in question.
3. Use TCP syslog instead of UDP syslog. With TCP the LMI appliance uses its own IP as the source in the packet header, and the destination host can still identify the original event source because LMI prepends a new syslog header to the original message that includes the original source IP.
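The following is an added example that models the behaviour described above; it is not TIBCO code and does not use any LMI API. The addresses, the firewall's anti-spoof rule, the sample firewall log line and the `orig_src=` header layout are constructed assumptions for illustration (the page only states that LMI's TCP forwarding header contains the original source IP, not its exact format). It shows why a UDP-forwarded event trips the firewall's spoof check while a TCP-forwarded event does not, and how the collector can still attribute the TCP-forwarded event to the firewall.

```python
"""Model of the LogLogic LMI forwarding scenario (added example, not TIBCO code).

Topology assumed for illustration: the firewall sits between the LMI appliance
and the downstream collector, so every forwarded event crosses the firewall.
"""
from dataclasses import dataclass

# Constructed addresses (assumptions, documentation ranges from RFC 5737).
FIREWALL_IPS = {"192.0.2.1", "198.51.100.1"}   # the firewall's own interface addresses
LMI_IP = "192.0.2.50"                           # LMI appliance
COLLECTOR_IP = "198.51.100.10"                  # downstream host LMI forwards to

# Assumed header LMI prepends on TCP forwarding; the real layout is not given on the page.
ORIG_SRC_PREFIX = "orig_src="


@dataclass
class Datagram:
    src_ip: str     # source address in the IP header
    dst_ip: str
    proto: str      # "udp" or "tcp"
    payload: str    # syslog message body


def firewall_antispoof(pkt: Datagram, own_ips=FIREWALL_IPS) -> bool:
    """True if the firewall would flag this transit packet as spoofing its own IP.

    A packet crossing the firewall whose source is one of the firewall's own
    addresses cannot legitimately have come from another host, so a typical
    anti-spoof rule treats it as an attack. This is the check that fires
    falsely on UDP-forwarded syslog.
    """
    return pkt.src_ip in own_ips


def forward_udp(original: Datagram) -> Datagram:
    """UDP forwarding as the page describes it: LMI re-sends the event with the
    ORIGINAL source IP in the packet header. For an event that came from the
    firewall, the firewall now sees its own address as the packet source."""
    return Datagram(original.src_ip, COLLECTOR_IP, "udp", original.payload)


def forward_tcp(original: Datagram) -> Datagram:
    """TCP forwarding: LMI uses its own IP as the packet source and prepends a
    header carrying the original source IP (layout here is an assumption)."""
    payload = f"{ORIG_SRC_PREFIX}{original.src_ip} {original.payload}"
    return Datagram(LMI_IP, COLLECTOR_IP, "tcp", payload)


def original_source(pkt: Datagram) -> str:
    """What the collector attributes the event to: the packet source for UDP
    forwarding, or the value from the prepended header for TCP forwarding."""
    if pkt.payload.startswith(ORIG_SRC_PREFIX):
        header, _, _ = pkt.payload.partition(" ")
        return header[len(ORIG_SRC_PREFIX):]
    return pkt.src_ip


# Constructed firewall syslog event as received by LMI (assumption).
FIREWALL_EVENT = Datagram(
    "192.0.2.1", LMI_IP, "udp",
    "<134>Jan 10 12:00:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.50",
)


def run_scenario(event: Datagram = FIREWALL_EVENT) -> dict:
    """Compare both forwarding modes for one firewall-originated event."""
    udp, tcp = forward_udp(event), forward_tcp(event)
    return {
        "udp_flagged_as_spoof": firewall_antispoof(udp),
        "tcp_flagged_as_spoof": firewall_antispoof(tcp),
        "udp_attributed_to": original_source(udp),
        "tcp_attributed_to": original_source(tcp),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In a real deployment the same point can be confirmed with a packet capture on the downstream host (for example `tcpdump -n udp port 514`): under UDP forwarding the datagrams from the LMI appliance carry the firewall's address as their source, under TCP forwarding they carry the LMI appliance's own address and the original source appears only inside the message.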