[syslog-ng] Help with spoofing hostname

PAUL WILLIAMSON pwilliamson at mtb.com
Fri Jan 22 15:10:40 CET 2010


Thanks for the suggestions yesterday.  As usual, 
there are multiple ways to solve the problem, each 
of them equally easy!  

Now on to my next issue...

We have a product called Symantec SIM (Security Information Manager)
that is on the receiving end of some forwarded messages.  I have 
the keep_hostname(yes) option enabled, and when our SIM gets the 
message, the originating hostname is in the message.  The problem is 
that it seems like the SIM is detecting that the message is coming from 
my loghost where Syslog-ng is installed, and tagging every message 
like it's from that instead of the actual host.  We've been over the 
config with their engineers and our security department, and this is what 
we got back from Symantec today.

"The hostname is available in the message, so it looks like that part is working.  The problem is this, the message the SSIM sees is:

<TIME> <Syslog Server IP> <Message>

The SSIM then puts the syslog server IP as the source and destination of the host.  Essentially the message needs to be sent to the SSIM as:

<TIME> <Originating device Source IP> <Message>

To do this, the message will need to be spoofed."

So, I have two questions:

1.  Can the messages be spoofed?
2.  Does anyone else use this product and would be willing to share configs (of either syslog-ng or SSIM)?

Thanks,
Paul
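For reference, the mechanism syslog-ng offers for this is the `spoof_source()` option on a `udp()` destination, which rewrites the UDP source address of the forwarded packet to the original sender's address so a receiver that keys on the transport source, like the SSIM described above, attributes the event to the originating device. The configuration below is an added example, not the poster's or Symantec's; the addresses are placeholders from the RFC 5737 documentation range.

```conf
# Added example, not the poster's configuration. Addresses are placeholders.
options {
    # Keep the hostname the originating device wrote into the message
    # header instead of rewriting it to the relay's own name.
    keep_hostname(yes);
};

# Messages arriving at the relay (loghost) from the monitored devices.
source s_remote {
    udp(ip("0.0.0.0") port(514));
};

# Weak: the relay sends with its own IP as the UDP source, so a receiver
# that keys on the transport source attributes everything to the relay.
destination d_ssim_plain {
    udp("192.0.2.10" port(514));
};

# Corrected: spoof_source(yes) makes syslog-ng write the original sender's
# address into the outgoing UDP packet. This needs a syslog-ng build with
# libnet spoof support and raw-socket privilege (root or CAP_NET_RAW),
# and it applies to udp() destinations only.
destination d_ssim_spoofed {
    udp("192.0.2.10" port(514) spoof_source(yes));
};

log { source(s_remote); destination(d_ssim_spoofed); };
```

Anti-spoofing filters on the path between the relay and the SSIM (uRPF, egress ACLs) will drop packets whose source address is not the relay's, so verify the network path before relying on this.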