<div dir="ltr"><div><div><div><div>Hi Sandor,<br><br></div>These are my global options:<br><br>#<br># Global options.<br>#<br>options { chain_hostnames(yes); keep_hostname(yes); keep_timestamp(yes); flush_lines(0); perm(0640); stats_freq(3600); };<br><br></div>So spoof_source is not necessary here?<br><br></div>Thanks.<br><br></div>Denis<br></div><div class="gmail_extra"><br><div class="gmail_quote">2016-09-29 9:49 GMT+02:00 Sandor Geller <span dir="ltr"><<a href="mailto:sandor.geller@ericsson.com" target="_blank">sandor.geller@ericsson.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
Source spoofing fakes the source IP address of the outgoing packets; as<br>
this can't work with connection-oriented protocols, it is usable only<br>
with UDP datagrams.<br>
<br>
Actually, source spoofing isn't needed in most cases, and it won't even work<br>
when spoofing protection is enabled in firewalls / routers and not all<br>
hosts are on the same subnet.<br>
<br>
Take a look at keep-hostname() and chain-hostnames()<br>
<br>
Regards,<br>
<br>
Sandor<br>
<br>
On 09/29/2016 09:29 AM, Denis Dolinský wrote:<br>
> Hi,<br>
><br>
> Yes, I need spoof_source to be enabled for source identification ...<br>
><br>
> Denis<br>
><br>
> 2016-09-28 16:44 GMT+02:00 Szalai, Attila<br>
> <<a href="mailto:Attila.Szalai@morganstanley.com">Attila.Szalai@morganstanley.com</a>>:<br>
><br>
>   Just a quick note.<br>
><br>
>   The warning message about the binding issue is caused by the<br>
>   spoof_source option. Is that option necessary?<br>
><br>
>   *From:* <a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> [mailto:syslog-ng-bounces@lists.balabit.hu] *On Behalf Of* Denis Dolinský<br>
>   *Sent:* Wednesday, September 28, 2016 3:47 PM<br>
>   *To:* Syslog-ng users' and developers' mailing list<br>
>   *Subject:* Re: [syslog-ng] syslog-ng forwarding and processing issue<br>
><br>
>   Hi guys,<br>
><br>
>   These are the stats:<br>
><br>
>   destination;d_net_udp514;;a;processed;13<br>
>   source;s_net_udp514;;a;processed;3<br>
>   dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;dropped;0<br>
>   dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;processed;10<br>
>   dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;stored;0<br>
><br>
>   From debug:<br>
><br>
><br>
>   Incoming log entry; source='s_net_udp514#0',<br>
>   line='<78> remote_server /usr/sbin/cron[24934]:<br>
>   Can't bind hostname for the IP address, therefore using IP address<br>
>   as hostname; IP address='192.168.2.1'<br>
><br>
>   Do you see anything that I am not doing?<br>
><br>
>   Thanks.<br>
><br>
>   Denis<br>
><br>
><br>
>   2016-09-28 14:02 GMT+02:00 Szalai, Attila<br>
>   <<a href="mailto:Attila.Szalai@morganstanley.com">Attila.Szalai@morganstanley.com</a>>:<br>
><br>
>   Hi,<br>
><br>
>   In the case of UDP, the syslog source should handle receiving logs in<br>
>   both the old and the new version, too. (But that is more an exception than the<br>
>   rule, so matching the receiver and the sender is a good idea<br>
>   generally.)<br>
><br>
>   Before anything else I would check whether the logs arrive at the<br>
>   anonymizer host or not. The statistics can help with this. Also, if<br>
>   there are parsing issues, syslog-ng would tell you through its<br>
>   log.<br>
><br>
>   After that, starting syslog-ng with debug logs enabled can also<br>
>   help in discovering what is happening with the received log.<br>
><br>
>   *From:* <a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> [mailto:syslog-ng-bounces@lists.balabit.hu] *On Behalf Of* Fekete, Róbert<br>
>   *Sent:* Wednesday, September 28, 2016 1:47 PM<br>
>   *To:* Syslog-ng users' and developers' mailing list<br>
>   *Subject:* Re: [syslog-ng] syslog-ng forwarding and processing issue<br>
><br>
>   Hi,<br>
><br>
><br>
>   The destination on your remote server and the source on the<br>
>   pseudomizer host do not match: the first one uses the udp() driver<br>
>   (RFC 3164 protocol), while the second uses the syslog() driver<br>
>   (RFC 5424 protocol).<br>
><br>
>   Change the destination driver to syslog() on the remote server. (For<br>
>   more possibilities, see<br>
>   <a href="https://www.balabit.com/documents/syslog-ng-pe-latest-guides/en/syslog-ng-pe-guide-admin/html/concepts-things-to-consider.html" rel="noreferrer" target="_blank">https://www.balabit.com/documents/syslog-ng-pe-latest-guides/en/syslog-ng-pe-guide-admin/html/concepts-things-to-consider.html</a>)<br>
><br>
>   HTH<br>
><br>
>   Robert<br>
><br>
><br>
>   On Wed, Sep 28, 2016 at 1:17 PM, Denis Dolinský<br>
>   <<a href="mailto:denis.dolinsky@gmail.com">denis.dolinsky@gmail.com</a>> wrote:<br>
><br>
>   Hi guys,<br>
><br>
>   I have the following setup in place:<br>
><br>
>   remote server - 192.168.1.10<br>
><br>
>   pseudomizer - syslog-ng PE in client mode - 192.168.2.10<br>
><br>
>   SIEM - 192.168.3.10<br>
><br>
>   So I am sending syslog logs from the remote server to the pseudomizer:<br>
><br>
>   source src { internal(); };<br>
><br>
>   destination dst { udp("192.168.2.10" port(514)); };<br>
><br>
>   log { source(src); destination(dst); };<br>
><br>
>   This is a very old config from syslog v4.<br>
<div><div class="h5">><br>
>   Then on the pseudomizer - syslog-ng PE 6.0.1 LTS - I am collecting the<br>
>   logs, processing them (removing private data, putting pseudonyms<br>
>   in instead) and forwarding them to the SIEM.<br>
><br>
>   source s_net_udp514 {<br>
>       syslog(<br>
>           ip(192.168.2.10)<br>
>           ip-protocol(4)<br>
>           transport("udp")<br>
>           so_rcvbuf(2097152)<br>
>       );<br>
>   };<br>
><br>
>   source src {<br>
>       internal();<br>
>       unix-dgram("/dev/log");<br>
>       system();<br>
>   };<br>
><br>
>   destination d_net_udp514 {<br>
>       syslog(<br>
>           "192.168.3.10"<br>
>           port(514)<br>
>           transport(udp)<br>
>           spoof_source(yes)<br>
>           mark_mode(periodical)<br>
>       );<br>
>   };<br>
><br>
>   rewrite r_rewrite {<br>
>       subst("admin", "pseudonym000001", value("MESSAGE"), flags("global"));<br>
>   };<br>
><br>
>   log {<br>
>       source(s_net_udp514); source(src);<br>
>       rewrite(r_rewrite); # do the pseudomizing<br>
>       destination(d_net_udp514);<br>
</div></div>>   };<br>
><br>
>   On the SIEM device, I can see only the pseudomizer's internal logs (src), not<br>
>   the processed logs from the remote server.<br>
><br>
>   Any advice?<br>
><br>
>   Many thanks.<br>
><br>
>   Denis<br>
><br>
>   ______________________________________________________________________________<br>
>   Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
>   Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
>   FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
>   ------------------------------------------------------------------------<br>
<span class="">><br>
>   NOTICE: Morgan Stanley is not acting as a municipal advisor and the<br>
>   opinions or views contained herein are not intended to be, and do<br>
>   not constitute, advice within the meaning of Section 975 of the<br>
>   Dodd-Frank Wall Street Reform and Consumer Protection Act. If you<br>
>   have received this communication in error, please destroy all<br>
>   electronic and paper copies and notify the sender immediately.<br>
>   Mistransmission is not intended to waive confidentiality or<br>
>   privilege. Morgan Stanley reserves the right, to the extent<br>
>   permitted under applicable law, to monitor electronic<br>
>   communications. This message is subject to terms available at the<br>
>   following link: <a href="http://www.morganstanley.com/disclaimers" rel="noreferrer" target="_blank">http://www.morganstanley.com/disclaimers</a>. If you cannot access<br>
>   these links, please notify us by reply message and we will send the<br>
>   contents to you. By communicating with Morgan Stanley you consent to<br>
>   the foregoing and to the voice recording of conversations with<br>
>   personnel of Morgan Stanley.<br>
><br>
</span>
><br>
>   --<br>
>   Ing. Denis Dolinský<br>
>   <a href="mailto:denis.dolinsky@gmail.com">denis.dolinsky@gmail.com</a><br>
>   private cell: <a href="tel:%2B421%20907%20530711" value="+421907530711">+421 907 530711</a><br>
><br>
<span class="">><br>
><br>
> --<br>
> Ing. Denis Dolinský<br>
</span>> <a href="mailto:denis.dolinsky@gmail.com">denis.dolinsky@gmail.com</a><br>
> private cell: <a href="tel:%2B421%20907%20530711" value="+421907530711">+421 907 530711</a><br>
<div class="HOEnZb"><div class="h5">
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Ing. Denis Dolinský<br>
<a href="mailto:denis.dolinsky@gmail.com" target="_blank">denis.dolinsky@gmail.com</a><br>
private cell: <u>+421 907 530711</u></div>
</div>
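The thread's diagnosis (the udp() destination frames datagrams as RFC 3164, the syslog() driver speaks RFC 5424) and the subst() rewrite rule, as an added example that is not code from the thread or from syslog-ng itself: a small Python parser for both wire formats, so you can check from a datagram captured on the pseudomizer's UDP port which framing a sender really emits, plus a model of the global substitution that shows what flags("global") does to substrings. The two regex grammars are simplified and are not syslog-ng's parser; the sample lines, the PRI value 78 (cron.info) and the whole_word option are this example's own constructions.

```python
"""Added example, not code from the mailing-list thread or from syslog-ng.

Parses RFC 3164 (BSD) and RFC 5424 syslog datagrams and models the
subst("admin", "pseudonym000001", value("MESSAGE"), flags("global"))
rewrite from the thread.  All sample lines are constructed for this example.
"""
import re

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
# RFC 3164 / BSD: <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG.  The timestamp is
# optional here because the datagram quoted in the thread,
# "<78> remote_server /usr/sbin/cron[24934]: ...", carries none.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) )?"
    r"\s*(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


def detect_format(line):
    """Return 'rfc5424', 'rfc3164' or 'unknown' for one syslog datagram.
    RFC 5424 is tried first: the lenient BSD grammar would otherwise accept
    a 5424 line with the version digit '1' taken as the hostname."""
    if RFC5424_RE.match(line):
        return "rfc5424"
    if RFC3164_RE.match(line):
        return "rfc3164"
    return "unknown"


def parse(line):
    """Parse one datagram into the fields syslog-ng exposes as the HOST,
    PROGRAM, PID and MESSAGE macros, plus the decoded facility/severity."""
    fmt = detect_format(line)
    if fmt == "unknown":
        raise ValueError("not a syslog datagram: %r" % line)
    m = (RFC5424_RE if fmt == "rfc5424" else RFC3164_RE).match(line)
    pri = int(m.group("pri"))
    return {
        "format": fmt,
        "facility": pri // 8,  # 78 // 8 == 9 (cron)
        "severity": pri % 8,   # 78 %  8 == 6 (info)
        "host": m.group("host"),
        "program": m.group("app") if fmt == "rfc5424" else m.group("tag").strip(),
        "pid": m.group("pid"),
        "message": m.group("msg"),
    }


def pseudonymize(message, mapping, whole_word=False):
    """Model of subst(..., flags("global")): every occurrence of each key is
    replaced.  Plain substring matching, as in the thread's rule, also
    rewrites 'sysadmin' or 'administrator'; whole_word=True (this example's
    own option) anchors on word boundaries so only the bare identifier changes."""
    out = message
    for needle, pseudonym in mapping.items():
        pattern = re.escape(needle)
        if whole_word:
            pattern = r"\b" + pattern + r"\b"
        out = re.sub(pattern, pseudonym, out)
    return out


# Constructed samples: one cron event as the two drivers would frame it.
BSD_LINE = "<78> remote_server /usr/sbin/cron[24934]: (admin) CMD (run-parts /etc/cron.hourly)"
IETF_LINE = ("<78>1 2016-09-28T15:47:00+02:00 remote_server cron 24934 - - "
             "(admin) CMD (run-parts /etc/cron.hourly)")
PSEUDONYMS = {"admin": "pseudonym000001"}


def relay(line, mapping=PSEUDONYMS, whole_word=True):
    """What the pseudomizer would forward for one datagram: the parsed record
    with MESSAGE rewritten, tagged with the framing the sender used."""
    rec = parse(line)
    rec["message"] = pseudonymize(rec["message"], mapping, whole_word)
    return rec


if __name__ == "__main__":
    for sample in (BSD_LINE, IETF_LINE):
        rec = relay(sample)
        print(rec["format"], rec["host"], rec["program"], rec["message"])
```

Feed `detect_format()` the raw payload of a datagram captured on the pseudomizer's port 514 before touching the config: if it reports rfc3164, the sender is using the udp() framing Robert describes. The `pseudonymize()` comparison is the caveat for the rewrite rule: with flags("global") and a plain needle, "admin" is also replaced inside "sysadmin", which is usually not what a pseudonymization policy intends.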