<div dir="ltr"><div><div><div><div>hi Sandor,<br><br></div>these are my global options:<br><br>#<br># Global options.<br>#<br>options { chain_hostnames(yes); keep_hostname(yes); keep_timestamp(yes); flush_lines(0); perm(0640); stats_freq(3600); };<br><br></div>so spoof_source is not necessary here?<br><br></div>Thanks.<br><br></div>Denis<br></div><div class="gmail_extra"><br><div class="gmail_quote">2016-09-29 9:49 GMT+02:00 Sandor Geller <span dir="ltr">&lt;<a href="mailto:sandor.geller@ericsson.com" target="_blank">sandor.geller@ericsson.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
Source spoofing fakes the source IP address of the outgoing packets; as<br>
this can&#39;t work with connection-oriented protocols, it is usable only<br>
with UDP datagrams.<br>
<br>
Actually source spoofing isn&#39;t needed in most cases and won&#39;t even work<br>
when spoofing protection is enabled in firewalls / routers and not all<br>
hosts are on the same subnet.<br>
<br>
Take a look at keep-hostname() and chain-hostnames().<br>
<br>
Regards,<br>
<br>
Sandor<br>
<span class=""><br>
On 09/29/2016 09:29 AM, Denis Dolinský wrote:<br>
&gt; Hi,<br>
&gt;<br>
&gt; yes, I need spoof_source to be enabled for source identification ...<br>
&gt;<br>
&gt; Denis<br>
&gt;<br>
&gt; 2016-09-28 16:44 GMT+02:00 Szalai, Attila<br>
</span>&gt; &lt;<a href="mailto:Attila.Szalai@morganstanley.com">Attila.Szalai@morganstanley.com</a>&gt;:<br>
&gt;<br>
&gt;     Just a quick note.<br>
<span class="">&gt;<br>
&gt;     The warning message about the binding issue is caused by the<br>
</span>&gt;     spoof_source option. Is that option necessary?<br>
&gt;<br>
&gt;<br>
&gt;     *From:* <a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a><br>
&gt;     [mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>] *On Behalf Of *Denis<br>
&gt;     Dolinský<br>
&gt;     *Sent:* Wednesday, September 28, 2016 3:47 PM<br>
&gt;<br>
&gt;<br>
&gt;     *To:* Syslog-ng users&#39; and developers&#39; mailing list<br>
&gt;     *Subject:* Re: [syslog-ng] syslog-ng forwarding and processing issue<br>
&gt;<br>
&gt;     hi guys,<br>
&gt;<br>
&gt;     this is stats:<br>
&gt;<br>
<span class="">&gt;<br>
&gt;     destination;d_net_udp514;;a;processed;13<br>
&gt;     source;s_net_udp514;;a;processed;3<br>
&gt;     dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;dropped;0<br>
&gt;     dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;processed;10<br>
</span>&gt;     dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;stored;0<br>
&gt;<br>
&gt;     from debug:<br>
&gt;<br>
<span class="">&gt;<br>
&gt;     Incoming log entry; source=&#39;s_net_udp514#0&#39;,<br>
&gt;     line=&#39;&lt;78&gt; remote_server /usr/sbin/cron[24934]:<br>
&gt;     Can&#39;t bind hostname for the IP address, therefore using IP address<br>
</span>&gt;     as hostname; IP address=&#39;192.168.2.1&#39;<br>
&gt;<br>
&gt;     Do you see anything that I am not doing?<br>
&gt;<br>
&gt;     Thanks.<br>
&gt;<br>
&gt;     Denis<br>
&gt;<br>
<span class="">&gt;<br>
&gt;     2016-09-28 14:02 GMT+02:00 Szalai, Attila<br>
&gt;     &lt;<a href="mailto:Attila.Szalai@morganstanley.com">Attila.Szalai@morganstanley.<wbr>com</a><br>
</span>&gt;     &lt;mailto:<a href="mailto:Attila.Szalai@morganstanley.com">Attila.Szalai@<wbr>morganstanley.com</a>&gt;&gt;:____<br>
&gt;<br>
&gt;     Hi,____<br>
&gt;<br>
&gt;      ____<br>
<span class="">&gt;<br>
&gt;     In case of udp, the syslog source should handle receiving logs with<br>
&gt;     old and the new version too. (But that is more an exception than the<br>
&gt;     rule, so matching the receiver and the sender is a good idea<br>
</span>&gt;     generally.)<br>
&gt;<br>
<span class="">&gt;<br>
&gt;     Before anything else I would check if the logs arrive to the<br>
&gt;     anonymizer host or not. The statistics can help on this. Also, if<br>
&gt;     there are parsing issues, syslog-ng would tell this through its<br>
</span>&gt;     log.<br>
&gt;<br>
<span class="">&gt;<br>
&gt;     After that, starting syslog-ng with debug logs enabled can also<br>
</span>&gt;     help in discovering what is happening with the received log.<br>
&gt;<br>
&gt;<br>
&gt;     *From:* <a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a><br>
&gt;     [mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>] *On Behalf Of *Fekete,<br>
&gt;     Róbert<br>
&gt;     *Sent:* Wednesday, September 28, 2016 1:47 PM<br>
&gt;     *To:* Syslog-ng users&#39; and developers&#39; mailing list<br>
&gt;     *Subject:* Re: [syslog-ng] syslog-ng forwarding and processing issue<br>
&gt;<br>
&gt;     Hi,<br>
&gt;<br>
<span class="">&gt;<br>
&gt;     The destination on your remote server and the source on the<br>
&gt;     pseudomizer host do not match: the first one uses the udp() driver<br>
&gt;     (RFC3164 protocol), while the second uses the syslog() driver<br>
</span>&gt;     (RFC5424 protocol).<br>
&gt;<br>
<span class="">&gt;<br>
&gt;     Change the destination driver to syslog() on the remote server. (For<br>
&gt;     more possibilities, see<br>
&gt;     <a href="https://www.balabit.com/documents/syslog-ng-pe-latest-guides/en/syslog-ng-pe-guide-admin/html/concepts-things-to-consider.html" rel="noreferrer" target="_blank">https://www.balabit.com/<wbr>documents/syslog-ng-pe-latest-<wbr>guides/en/syslog-ng-pe-guide-<wbr>admin/html/concepts-things-to-<wbr>consider.html</a><br>
</span>&gt;     &lt;<a href="https://www.balabit.com/documents/syslog-ng-pe-latest-guides/en/syslog-ng-pe-guide-admin/html/concepts-things-to-consider.html" rel="noreferrer" target="_blank">https://www.balabit.com/<wbr>documents/syslog-ng-pe-latest-<wbr>guides/en/syslog-ng-pe-guide-<wbr>admin/html/concepts-things-to-<wbr>consider.html</a>&gt; )____<br>
&gt;<br>
&gt;      ____<br>
&gt;<br>
&gt;     HTH____<br>
&gt;<br>
&gt;      ____<br>
&gt;<br>
&gt;     Robert____<br>
&gt;<br>
&gt;      ____<br>
<span class="">&gt;<br>
&gt;     On Wed, Sep 28, 2016 at 1:17 PM, Denis Dolinský<br>
</span>&gt;     &lt;<a href="mailto:denis.dolinsky@gmail.com">denis.dolinsky@gmail.com</a> &lt;mailto:<a href="mailto:denis.dolinsky@gmail.com">denis.dolinsky@gmail.<wbr>com</a>&gt;&gt; wrote:____<br>
&gt;<br>
&gt;     Hi guys,____<br>
&gt;<br>
&gt;     I have following setup in place:____<br>
&gt;<br>
&gt;     remote server - 192.168.1.10____<br>
&gt;<br>
&gt;     pseudomizer - syslog-ng PE in client mode - 192.168.2.10____<br>
&gt;<br>
&gt;     SIEM - 192.168.3.10____<br>
&gt;<br>
&gt;     So I am sending syslog logs from remote server to pseudomizer:____<br>
&gt;<br>
&gt;     source src { internal()};____<br>
&gt;<br>
&gt;     destination dst { udp (&quot;192.168.2.10) port (514);};____<br>
&gt;<br>
&gt;     log { source(src); destination (dst);____<br>
&gt;<br>
&gt;     this is very old config from syslog v4____<br>
<div><div class="h5">&gt;<br>
&gt;     Then on pseudomizer - syslog-ng LTS 6.0.1 PE, I am collecting the<br>
&gt;     logs, processing them - removing private data, putting pseudonyms<br>
&gt;     instead and forwarding them to SIEM.<br>
&gt;<br>
&gt;     source s_net_udp514 {<br>
&gt;         syslog(<br>
&gt;             ip(192.168.2.10)<br>
&gt;             ip-protocol(4)<br>
&gt;             transport(&quot;udp&quot;)<br>
&gt;             so_rcvbuf(2097152)<br>
&gt;             );<br>
&gt;     };<br>
&gt;<br>
&gt;     source src {<br>
&gt;             internal();<br>
&gt;             unix-dgram(&quot;/dev/log&quot;);<br>
&gt;             system ();<br>
&gt;     };<br>
&gt;<br>
&gt;     destination d_net_udp514 {<br>
&gt;              syslog (<br>
&gt;              &quot;192.168.3.10&quot;<br>
&gt;              port(514)<br>
&gt;              transport(udp)<br>
&gt;              spoof_source(yes)<br>
&gt;              mark_mode(periodical));};<br>
&gt;     rewrite r_rewrite {<br>
&gt;         subst(&quot;admin&quot;, &quot;pseudonym000001&quot;, value(&quot;MESSAGE&quot;), flags(&quot;global&quot;));<br>
&gt;     };<br>
&gt;<br>
&gt;     log {<br>
&gt;             source(s_net_udp514); source (src);<br>
&gt;             rewrite(r_rewrite); # do the pseudomizing<br>
&gt;             destination(d_net_udp514);<br>
</div></div>&gt;     };<br>
<span class="">&gt;<br>
&gt;     On SIEM device, I can see only pseudomizer internal logs (src), not<br>
</span>&gt;     processed logs from remote server.<br>
&gt;<br>
&gt;     Any advice?<br>
&gt;<br>
&gt;     Many thanks.<br>
&gt;<br>
&gt;     Denis<br>
<span class="">&gt;<br>
&gt;<br>
&gt;     ______________________________________________________________________________<br>
&gt;     Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
&gt;     Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
&gt;     FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
</span>&gt;<br>
&gt;<br>
&gt;     ------------------------------<wbr>------------------------------<wbr>------------<br>
<span class="">&gt;<br>
&gt;<br>
&gt;     NOTICE: Morgan Stanley is not acting as a municipal advisor and the<br>
&gt;     opinions or views contained herein are not intended to be, and do<br>
&gt;     not constitute, advice within the meaning of Section 975 of the<br>
&gt;     Dodd-Frank Wall Street Reform and Consumer Protection Act. If you<br>
&gt;     have received this communication in error, please destroy all<br>
&gt;     electronic and paper copies and notify the sender immediately.<br>
&gt;     Mistransmission is not intended to waive confidentiality or<br>
&gt;     privilege. Morgan Stanley reserves the right, to the extent<br>
&gt;     permitted under applicable law, to monitor electronic<br>
&gt;     communications. This message is subject to terms available at the<br>
&gt;     following link: <a href="http://www.morganstanley.com/disclaimers" rel="noreferrer" target="_blank">http://www.morganstanley.com/disclaimers</a> If you cannot access<br>
&gt;     these links, please notify us by reply message and we will send the<br>
&gt;     contents to you. By communicating with Morgan Stanley you consent to<br>
&gt;     the foregoing and to the voice recording of conversations with<br>
&gt;     personnel of Morgan Stanley.<br>
&gt;<br>
&gt;<br>
</span><span class="">&gt;     ______________________________<wbr>______________________________<wbr>__________________<br>
&gt;     Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
&gt;     &lt;<a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a>&gt;<br>
&gt;     Documentation:<br>
&gt;     <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
&gt;     &lt;<a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a>&gt;<br>
&gt;     FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
</span>&gt;     &lt;<a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a>&gt;<br>
&gt;<br>
&gt;     --<br>
&gt;     Ing. Denis Dolinský<br>
&gt;     <a href="mailto:denis.dolinsky@gmail.com">denis.dolinsky@gmail.com</a><br>
&gt;     private cell: <a href="tel:%2B421%20907%20530711" value="+421907530711">+421 907 530711</a><br>
&gt;<br>
<span class="">&gt;<br>
&gt;<br>
&gt;<br>
&gt; --<br>
&gt; Ing. Denis Dolinský<br>
</span>&gt; <a href="mailto:denis.dolinsky@gmail.com">denis.dolinsky@gmail.com</a><br>
&gt; private cell: <a href="tel:%2B421%20907%20530711" value="+421907530711">+421 907 530711</a><br>
<div class="HOEnZb"><div class="h5">&gt;<br>
&gt;<br>
<br>
<br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Ing. Denis Dolinský<br>
<a href="mailto:denis.dolinsky@gmail.com" target="_blank">denis.dolinsky@gmail.com</a><br>
private cell: <u>+421 907 530711</u></div>
</div>
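As an added example (not code from the thread or from syslog-ng itself, standard library only): a small classifier for the two framings Robert contrasts (RFC3164 as emitted by the udp() driver, RFC5424 as spoken by the syslog() driver), plus a parser for the CSV stats lines Denis pasted, so a captured line and the counters can be checked side by side when a pipeline like pseudomizer -> SIEM goes quiet. The hostnames and timestamps in the two sample lines are constructed; the stats lines are the ones quoted in the thread. Note Attila's caveat that a syslog() source over UDP may still accept the older framing, so a classification mismatch is a lead to verify against syslog-ng's own log, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample lines (not a live capture). The first has the BSD/RFC3164
# shape a udp() destination emits, like the debug line quoted in the thread;
# the second is the RFC5424 shape a syslog() destination emits (version "1"
# directly after the PRI). Hostnames and timestamps are made up.
SAMPLE_BSD = "<78>Sep 28 15:47:01 remote_server /usr/sbin/cron[24934]: (root) CMD (run-parts)"
SAMPLE_5424 = "<78>1 2016-09-28T15:47:01+02:00 remote_server cron 24934 - - (root) CMD (run-parts)"

# Stats lines as pasted in the thread: object;id;instance;state;counter;value
SAMPLE_STATS = """destination;d_net_udp514;;a;processed;13
source;s_net_udp514;;a;processed;3
dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;dropped;0
dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;processed;10
dst.syslog;d_net_udp514#0;udp,192.168.3.1:514;a;stored;0"""

PRI_RE = re.compile(r"^<(\d{1,3})>")
RFC5424_RE = re.compile(r"^<\d{1,3}>1 \S+ (?P<host>\S+) ")
BSD_TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


@dataclass
class SyslogHeader:
    framing: str             # "rfc5424", "rfc3164" or "unknown"
    facility: Optional[int]  # PRI // 8, e.g. 9 == cron
    severity: Optional[int]  # PRI % 8,  e.g. 6 == info
    hostname: Optional[str]


def classify(line: str) -> SyslogHeader:
    """Tell RFC5424 framing (syslog() driver) from RFC3164 framing (udp()/tcp())."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return SyslogHeader("unknown", None, None, None)
    facility, severity = divmod(int(m.group(1)), 8)
    m5 = RFC5424_RE.match(line)
    if m5:
        return SyslogHeader("rfc5424", facility, severity, m5.group("host"))
    rest = line[m.end():].lstrip()
    ts = BSD_TS_RE.match(rest)
    if ts:  # the BSD timestamp is optional; the hostname follows it
        rest = rest[ts.end():]
    return SyslogHeader("rfc3164", facility, severity, rest.split(" ", 1)[0] or None)


def parse_stats(text: str) -> Dict[Tuple[str, str, str, str], int]:
    """Parse syslog-ng's CSV stats into {(object, id, instance, counter): value}."""
    counters: Dict[Tuple[str, str, str, str], int] = {}
    for raw in text.splitlines():
        fields = raw.strip().split(";")
        if len(fields) != 6:
            continue  # skip anything that is not a stats record
        obj, ident, instance, _state, counter, value = fields
        counters[(obj, ident, instance, counter)] = int(value)
    return counters
```

Running `classify` on the `line='<78> remote_server ...'` fragment from Denis's debug output yields rfc3164 framing with facility 9 (cron) and severity 6 (info), which is consistent with the `/usr/sbin/cron` program in that line.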