<div dir="ltr"><div><div><div><div>hi Sandor,<br><br></div>these are my global options:<br><br>#<br># Global options.<br>#<br>options { chain_hostnames(yes); keep_hostname(yes); keep_timestamp(yes); flush_lines(0); perm(0640); stats_freq(3600); };<br><br></div>so spoof_source is not necessary here?<br><br></div>Thanks.<br><br></div>Denis<br></div><div class="gmail_extra"><br><div class="gmail_quote">2016-09-29 9:49 GMT+02:00 Sandor Geller <span dir="ltr"><<a href="mailto:sandor.geller@ericsson.com" target="_blank">sandor.geller@ericsson.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
Source spoofing fakes the source IP address of the outgoing packets; as<br>
this can't work with connection-oriented protocols, it is usable only<br>
with UDP datagrams.<br>
<br>
Actually, source spoofing isn't needed in most cases, and won't even work<br>
when spoofing protection is enabled in firewalls / routers and not all<br>
hosts are on the same subnet.<br>
<br>
Take a look at keep-hostname() and chain-hostnames().<br>
<br>
Regards,<br>
<br>
Sandor<br>
<span class=""><br>
On 09/29/2016 09:29 AM, Denis Dolinský wrote:<br>
> Hi,<br>
><br>
> yes, I need spoof_source to be enabled for source identification ...<br>
><br>
> Denis<br>
><br>
> 2016-09-28 16:44 GMT+02:00 Szalai, Attila<br>
</span>> <<a href="mailto:Attila.Szalai@morganstanley.com">Attila.Szalai@morganstanley.com</a>>:<br>
><br>
> Just a quick note.<br>
<span class="">><br>
> The warning message about the binding issue is caused by the<br>
</span>> spoof_source option. Is that option necessary?<br>
><br>
> *From:* <a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> *On Behalf Of *Denis Dolinský<br>
> *Sent:* Wednesday, September 28, 2016 3:47 PM<br>
> *To:* Syslog-ng users' and developers' mailing list<br>
> *Subject:* Re: [syslog-ng] syslog-ng forwarding and processing issue<br>
><br>
> hi guys,<br>
><br>
> this is stats:<br>
<span class="">><br>
> destination;d_net_udp514;;a;processed;13<br>
> source;s_net_udp514;;a;processed;3<br>
> dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;dropped;0<br>
> dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;processed;10<br>
</span>> dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;stored;0<br>
><br>
> from debug:<br>
<span class="">><br>
> Incoming log entry; source='s_net_udp514#0',<br>
> line='<78> remote_server /usr/sbin/cron[24934]:<br>
> Can't bind hostname for the IP address, therefore using IP address<br>
</span>> as hostname; IP address='192.168.2.1'<br>
><br>
> Do you see anything that I am not doing?<br>
><br>
> Thanks.<br>
><br>
> Denis<br>
<span class="">><br>
> 2016-09-28 14:02 GMT+02:00 Szalai, Attila<br>
> <<a href="mailto:Attila.Szalai@morganstanley.com">Attila.Szalai@morganstanley.com</a>>:<br>
</span>><br>
> Hi,<br>
<span class="">><br>
> In case of udp, the syslog source should handle receiving logs with<br>
> both the old and the new version too. (But that is more an exception than the<br>
> rule, so matching the receiver and the sender is a good idea<br>
</span>> generally.)<br>
<span class="">><br>
> Before anything else I would check if the logs arrive at the<br>
> anonymizer host or not. The statistics can help with this. Also, if<br>
> there are parsing issues, syslog-ng would tell this through its<br>
</span>> log.<br>
><br>
<span class="">> After that, starting syslog-ng with debug logs enabled can also<br>
</span>> help in discovering what is happening with the received log.<br>
><br>
> *From:* <a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> *On Behalf Of *Fekete, Róbert<br>
> *Sent:* Wednesday, September 28, 2016 1:47 PM<br>
> *To:* Syslog-ng users' and developers' mailing list<br>
> *Subject:* Re: [syslog-ng] syslog-ng forwarding and processing issue<br>
><br>
> Hi,<br>
<span class="">><br>
> The destination on your remote server and the source on the<br>
> pseudomizer host do not match: the first one uses the udp() driver<br>
> (RFC3164 protocol), while the second uses the syslog() driver<br>
</span>> (RFC5424 protocol).<br>
><br>
<span class="">> Change the destination driver to syslog() on the remote server. (For<br>
> more possibilities, see<br>
> <a href="https://www.balabit.com/documents/syslog-ng-pe-latest-guides/en/syslog-ng-pe-guide-admin/html/concepts-things-to-consider.html" rel="noreferrer" target="_blank">https://www.balabit.com/documents/syslog-ng-pe-latest-guides/en/syslog-ng-pe-guide-admin/html/concepts-things-to-consider.html</a>)<br>
</span>><br>
> HTH<br>
><br>
> Robert<br>
<span class="">><br>
> On Wed, Sep 28, 2016 at 1:17 PM, Denis Dolinský<br>
</span>> <<a href="mailto:denis.dolinsky@gmail.com">denis.dolinsky@gmail.com</a>> wrote:<br>
><br>
> Hi guys,<br>
><br>
> I have the following setup in place:<br>
><br>
> remote server - 192.168.1.10<br>
><br>
> pseudomizer - syslog-ng PE in client mode - 192.168.2.10<br>
><br>
> SIEM - 192.168.3.10<br>
><br>
> So I am sending syslog logs from the remote server to the pseudomizer:<br>
><br>
> source src { internal(); };<br>
><br>
> destination dst { udp("192.168.2.10" port(514)); };<br>
><br>
> log { source(src); destination(dst); };<br>
><br>
> this is a very old config from syslog v4<br>
<div><div class="h5">><br>
> Then on the pseudomizer - syslog-ng LTS 6.0.1 PE - I am collecting the<br>
> logs, processing them - removing private data, putting pseudonyms<br>
> in their place - and forwarding them to the SIEM.<br>
><br>
> source s_net_udp514 {<br>
> syslog(<br>
> ip(192.168.2.10)<br>
> ip-protocol(4)<br>
> transport("udp")<br>
> so_rcvbuf(2097152)<br>
> );<br>
> };<br>
><br>
> source src {<br>
> internal();<br>
> unix-dgram("/dev/log");<br>
> system();<br>
> };<br>
><br>
> destination d_net_udp514 {<br>
> syslog(<br>
> "192.168.3.10"<br>
> port(514)<br>
> transport("udp")<br>
> spoof_source(yes)<br>
> mark_mode(periodical)<br>
> );<br>
> };<br>
><br>
> rewrite r_rewrite {<br>
> subst("admin", "pseudonym000001", value("MESSAGE"), flags("global"));<br>
> };<br>
><br>
> log {<br>
> source(s_net_udp514); source(src);<br>
> rewrite(r_rewrite); # do the pseudomizing<br>
> destination(d_net_udp514);<br>
</div></div>> };<br>
<span class="">><br>
> On the SIEM device, I can see only the pseudomizer's internal logs (src), not<br>
</span>> the processed logs from the remote server.<br>
><br>
> Any advice?<br>
><br>
> Many thanks.<br>
><br>
> Denis<br>
<span class="">><br>
><br>
> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
</span>> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
> ------------------------------<wbr>------------------------------<wbr>------------<br>
<span class="">><br>
><br>
> NOTICE: Morgan Stanley is not acting as a municipal advisor and the<br>
> opinions or views contained herein are not intended to be, and do<br>
> not constitute, advice within the meaning of Section 975 of the<br>
> Dodd-Frank Wall Street Reform and Consumer Protection Act. If you<br>
> have received this communication in error, please destroy all<br>
> electronic and paper copies and notify the sender immediately.<br>
> Mistransmission is not intended to waive confidentiality or<br>
> privilege. Morgan Stanley reserves the right, to the extent<br>
> permitted under applicable law, to monitor electronic<br>
> communications. This message is subject to terms available at the<br>
> following link: <a href="http://www.morganstanley.com/disclaimers" rel="noreferrer" target="_blank">http://www.morganstanley.com/<wbr>disclaimers</a><br>
> <<a href="http://www.morganstanley.com/disclaimers" rel="noreferrer" target="_blank">http://www.morganstanley.com/<wbr>disclaimers</a>> If you cannot access<br>
> these links, please notify us by reply message and we will send the<br>
> contents to you. By communicating with Morgan Stanley you consent to<br>
> the foregoing and to the voice recording of conversations with<br>
> personnel of Morgan Stanley.<br>
><br>
><br>
</span>
><br>
> -- <br>
> Ing. Denis Dolinský<br>
> <a href="mailto:denis.dolinsky@gmail.com">denis.dolinsky@gmail.com</a><br>
> private cell: <a href="tel:%2B421%20907%20530711" value="+421907530711">+421 907 530711</a><br>
><br>
><br>
><br>
<div class="HOEnZb"><div class="h5">><br>
><br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Ing. Denis Dolinský<br>
<a href="mailto:denis.dolinsky@gmail.com" target="_blank">denis.dolinsky@gmail.com</a><br>
private cell: <u>+421 907 530711</u></div>
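Two points in the thread are easier to see with the bytes on the wire: Róbert's diagnosis that a udp() destination (RFC 3164) does not match a syslog() source (RFC 5424), and Sandor's reply that keep-hostname() rather than spoof_source() is what lets the SIEM tell where a relayed message came from. The Python below is an added example written for this page; it is not code from the thread or from syslog-ng. The two datagrams, hostnames, PIDs and timestamps are constructed, the two parsers are minimal readers of the RFC formats rather than syslog-ng's own, and relay() is a model of the documented keep-hostname() behaviour (where syslog-ng would substitute the peer's reverse-DNS name, the model uses the bare IP so it runs offline).

```python
"""Added example (not code from the thread or from syslog-ng): the two wire
formats behind the udp()/syslog() mismatch, and a model of the HOST handling
that makes spoof_source() unnecessary. All datagrams below are constructed."""
import re

# What the remote server's legacy udp() destination sends: RFC 3164 (BSD syslog).
BSD_DATAGRAM = (b"<78>Sep 28 13:17:01 remote_server /usr/sbin/cron[24934]: "
                b"(root) CMD (run-parts /etc/cron.hourly)")

# What a syslog() destination with transport("udp") sends: RFC 5424.
IETF_DATAGRAM = (b"<78>1 2016-09-28T13:17:01+02:00 remote_server cron 24934 - - "
                 b"(root) CMD (run-parts /etc/cron.hourly)")

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    rb"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL)

# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)


def _fields(match):
    """Decode the named groups and split PRI into facility and severity."""
    f = {k: (v.decode() if v is not None else "") for k, v in match.groupdict().items()}
    f["pri"] = int(f["pri"])
    f["facility"], f["severity"] = divmod(f["pri"], 8)
    return f


def parse_rfc5424(datagram):
    """Strict RFC 5424 parse (the format a syslog() source is for). None if no match."""
    m = RFC5424_RE.match(datagram)
    return _fields(m) if m else None


def parse_rfc3164(datagram):
    """RFC 3164 parse (the format a udp()/tcp() source is for). None if no match."""
    m = RFC3164_RE.match(datagram)
    return _fields(m) if m else None


def classify(datagram):
    """Name the source driver family whose format the datagram is in."""
    if parse_rfc5424(datagram):
        return "syslog()"
    if parse_rfc3164(datagram):
        return "udp()/tcp()"
    return "unknown"


def relay(datagram, peer_ip, keep_hostname=True):
    """Model of the pseudomizer forwarding one RFC 5424 datagram to the SIEM.

    keep_hostname(yes): the HOSTNAME field of the message is forwarded as-is.
    keep_hostname(no):  HOSTNAME is replaced by the sending peer's address
                        (syslog-ng would use its reverse-DNS name when one
                        resolves; the bare IP keeps this example offline).
    Either way the originator travels inside the message, so the relay does
    not have to forge the IP source of the UDP packet (spoof_source).
    """
    f = parse_rfc5424(datagram)
    if f is None:
        raise ValueError("not RFC 5424: a udp() destination does not produce this format")
    host = f["host"] if keep_hostname else peer_ip
    header = "<%d>1 %s %s %s %s %s %s" % (
        f["pri"], f["ts"], host, f["app"], f["pid"], f["msgid"], f["sd"])
    return (header + (" " + f["msg"] if f["msg"] else "")).encode()


def siem_origin(datagram, udp_source_ip):
    """Host the SIEM attributes the event to: the HOSTNAME field of the message,
    falling back to the packet's source address only when the field is NILVALUE."""
    f = parse_rfc5424(datagram)
    if f and f["host"] != "-":
        return f["host"]
    return udp_source_ip


if __name__ == "__main__":
    for d in (BSD_DATAGRAM, IETF_DATAGRAM):
        print(classify(d), d[:44])
    fwd = relay(IETF_DATAGRAM, "192.168.1.10")   # remote server -> pseudomizer
    print(siem_origin(fwd, "192.168.2.10"))      # packet arrives from the pseudomizer
```

Run as a script, the BSD datagram is classified as udp()/tcp() while the RFC 5424 one parses cleanly, and after relay() the SIEM attributes the event to remote_server even though the UDP packet it receives comes from 192.168.2.10. That is the source identification the thread is after, obtained from the message rather than from a forged packet source that the spoofing protection Sandor mentions would drop.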
</div>
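Attila's first suggestion is to read the statistics before anything else. The Python below is an added example, not code from the thread or from syslog-ng: it parses counters in the CSV shape Denis pasted (source-type;id;instance;state;counter;value) and follows one log path from the sources to the destination driver. STATS is a constructed sample: the d_net_udp514 lines are the thread's own numbers, the source;src line is made up so that both sides of the path can be compared. The consistency rule it applies, that what entered a destination group should equal what its driver instances sent, dropped or still hold queued, is this example's assumption about the counters, with in-flight messages as the benign explanation for a small gap.

```python
"""Added example (not code from the thread or from syslog-ng): follow
syslog-ng stats counters along one log path and list what does not add up.
STATS is a constructed sample; the d_net_udp514 lines copy the thread."""

STATS = """\
destination;d_net_udp514;;a;processed;13
source;s_net_udp514;;a;processed;3
source;src;;a;processed;10
dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;dropped;0
dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;processed;10
dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;stored;0
"""


def parse_stats(text):
    """Map (source-type, id, instance) -> {counter: value}."""
    rows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, ident, instance, _state, counter, value = line.split(";")
        rows.setdefault((kind, ident, instance), {})[counter] = int(value)
    return rows


def check_pipeline(rows, source_ids, dest_id):
    """Compare what the sources accepted with what the destination driver sent."""
    accepted = {s: rows.get(("source", s, ""), {}).get("processed", 0)
                for s in source_ids}
    entered = rows.get(("destination", dest_id, ""), {}).get("processed", 0)
    # Per-driver instance counters carry the destination id plus "#n".
    drivers = [v for (kind, ident, _inst), v in rows.items()
               if kind.startswith("dst.") and ident.split("#")[0] == dest_id]
    sent = sum(v.get("processed", 0) for v in drivers)
    dropped = sum(v.get("dropped", 0) for v in drivers)
    queued = sum(v.get("stored", 0) for v in drivers)

    findings = []
    for s, n in accepted.items():
        if n == 0:
            findings.append(f"source {s} accepted nothing: check the sender's "
                            f"driver and format, the port, and any firewall between")
    if entered != sum(accepted.values()):
        findings.append(f"destination {dest_id} received {entered} messages but "
                        f"the sources accepted {sum(accepted.values())}: a log "
                        f"path is missing or duplicated")
    gap = entered - sent - dropped - queued
    if gap:
        findings.append(f"{gap} messages entered {dest_id} but were neither sent, "
                        f"dropped nor queued by its driver: in flight, or lost "
                        f"between the destination and the driver")
    return {"accepted": accepted, "entered": entered, "sent": sent,
            "dropped": dropped, "queued": queued, "findings": findings}


if __name__ == "__main__":
    report = check_pipeline(parse_stats(STATS), ["s_net_udp514", "src"], "d_net_udp514")
    for line in report["findings"] or ["counters are consistent"]:
        print(line)
```

On the sample the sources accepted 3 + 10 messages and the destination group saw 13, so the path from the sources into d_net_udp514 is intact; the driver instance reports 10 sent, 0 dropped and 0 stored, so the script flags three messages that entered the destination but were not accounted for by its driver. Take two snapshots a minute apart with the same input: a gap that persists is worth chasing in the debug log, a gap that closes was just in flight.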