[syslog-ng] Parse client IP out of Proxy Protocol Line in TCP syslog->ELB->syslog-ng

Nadine Miller nadine.miller at defpoint.com
Thu Oct 15 19:28:25 CEST 2015


I've searched through the archives and spent some time trying to find
possible answers on the web, but haven't found a definitive answer.

I'm in a situation where I need to parse syslog streams being
forwarded through an AWS ELB. The normal configuration of the ELB
resets the source IP to be the ELB's IP address. Logs are coming from
multiple AWS VPCs, and we've already discovered duplicate hostnames
across different VPCs, which has mingled logs from different hosts
into one receiving log file.

The ELB has another mode, referred to as "Proxy Protocol" which adds a
single line to the TCP stream in the form:

PROXY_STRING + single space + INET_PROTOCOL + single space + CLIENT_IP
+ single space + PROXY_IP + single space + CLIENT_PORT + single space
+ PROXY_PORT + "\r\n"

Example:

PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n

Is it possible to use this proxy line in syslog-ng to properly
segregate the log messages? If so, what would be the best method to
use? I've done a lot of filtering/templating with normal UDP syslog
and syslog-ng, but this is the first time I've had to consider
something crazy like this.

Currently there is no option at this time to change configurations at
endpoints sending the syslog messages, nor can we remove the ELB.

For reference:
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html

Thanks in advance--
=N=
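An added example (not from the post, and not syslog-ng configuration) of how a receiver would parse the Proxy Protocol v1 line described above and use the recovered client IP as the key that keeps same-named hosts from different VPCs apart. It goes slightly beyond the post: besides the TCP4 form shown, it accepts the TCP6 and UNKNOWN forms and enforces the 107-byte line limit from the HAProxy v1 specification. The parser is deliberately strict: a stream whose first line is not a well-formed header is rejected rather than attributed to a guessed address, which matters if anything other than the ELB can reach the listener. The sample stream, function names and the two syslog messages are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Proxy Protocol v1 (the form ELB emits): ASCII, single-space separated,
# CRLF-terminated, and per the HAProxy spec never longer than 107 bytes.
MAX_HEADER_LEN = 107
INET_PROTOCOLS = {"TCP4": 4, "TCP6": 6}


@dataclass(frozen=True)
class ProxyHeader:
    protocol: str                 # "TCP4", "TCP6" or "UNKNOWN"
    client_ip: Optional[str]      # None for UNKNOWN
    proxy_ip: Optional[str]
    client_port: Optional[int]
    proxy_port: Optional[int]


def _parse_port(text: str) -> int:
    # Decimal, unsigned, no leading zeros, within the TCP port range.
    if not text.isdigit() or (len(text) > 1 and text[0] == "0"):
        raise ValueError(f"bad port {text!r}")
    port = int(text)
    if port > 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def _parse_addr(text: str, version: int) -> str:
    addr = ipaddress.ip_address(text)   # raises ValueError if not an IP
    if addr.version != version:
        raise ValueError(f"{text} is not an IPv{version} address")
    return str(addr)


def parse_proxy_header(stream: bytes) -> Tuple[ProxyHeader, bytes]:
    """Split a TCP stream into its PROXY v1 header and the payload after it.

    Anything that is not a well-formed header raises ValueError, so a
    connection that did not come through the ELB (or a corrupted header)
    is never silently accepted with a made-up client address.
    """
    end = stream.find(b"\r\n", 0, MAX_HEADER_LEN)
    if end < 0:
        raise ValueError("no CRLF-terminated PROXY line within 107 bytes")
    line = stream[:end]
    try:
        fields = line.decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ValueError("PROXY line is not ASCII") from exc
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("stream does not start with a PROXY line")
    payload = stream[end + 2:]
    if fields[1] == "UNKNOWN":
        # Spec: the receiver ignores whatever follows UNKNOWN on the line.
        return ProxyHeader("UNKNOWN", None, None, None, None), payload
    if fields[1] not in INET_PROTOCOLS or len(fields) != 6:
        raise ValueError(f"malformed PROXY line: {line!r}")
    version = INET_PROTOCOLS[fields[1]]
    header = ProxyHeader(
        protocol=fields[1],
        client_ip=_parse_addr(fields[2], version),
        proxy_ip=_parse_addr(fields[3], version),
        client_port=_parse_port(fields[4]),
        proxy_port=_parse_port(fields[5]),
    )
    return header, payload


def tag_syslog_lines(stream: bytes) -> List[Tuple[str, str]]:
    """Attach the real client IP to every newline-delimited syslog message.

    Returns (client_ip, message) pairs; the client IP is the key a receiver
    can use to keep two hosts that share a hostname in different VPCs apart.
    """
    header, payload = parse_proxy_header(stream)
    if header.client_ip is None:
        raise ValueError("PROXY UNKNOWN: client address not available")
    return [(header.client_ip, ln.decode("utf-8", "replace"))
            for ln in payload.split(b"\n") if ln]


# Constructed sample: the example header line from the post, followed by
# two syslog messages from a host whose name may clash across VPCs.
SAMPLE_STREAM = (
    b"PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n"
    b"<13>Oct 15 19:28:25 web01 sshd[1234]: Accepted publickey for deploy\n"
    b"<13>Oct 15 19:28:26 web01 cron[99]: (root) CMD (run-parts)\n"
)

if __name__ == "__main__":
    for client_ip, msg in tag_syslog_lines(SAMPLE_STREAM):
        print(f"{client_ip}\t{msg}")
```

Whatever consumes the pairs (a per-client-IP file name, a prefix on each message, a lookup of the IP to its VPC) is the same idea as the templating already done with UDP syslog, with the client IP substituting for the source address the ELB rewrote.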

