<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p>Thank you, that worked!<br>
</p>
<p><br>
</p>
<div id="Signature">Vadim Anatoly Pushkin  </div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng &lt;syslog-ng-bounces@lists.balabit.hu&gt; on behalf of Scheidler, Balázs &lt;balazs.scheidler@balabit.com&gt;<br>
<b>Sent:</b> Thursday, April 27, 2017 12:25:59 AM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list<br>
<b>Subject:</b> Re: [syslog-ng] Relay Server Config Help</font>
<div> </div>
</div>
<div>
<div dir="auto">Your DMZ syslog relay is using the "new" RFC 5424 format whereas your internal one tries to parse it as RFC 3164.
<div dir="auto"><br>
</div>
<div dir="auto">You should probably use the tcp() driver and not syslog().</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Apr 26, 2017 23:44, "<a href="mailto:wiskbroom@hotmail.com">wiskbroom@hotmail.com</a>" &lt;<a href="mailto:wiskbroom@hotmail.com">wiskbroom@hotmail.com</a>&gt; wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div id="m_977665401801609537divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif" dir="ltr">
<p>Hello;</p>
<p><br>
</p>
<p>I am running syslog-NG on a server inside of a DMZ, and on that server I'd like to just forward all messages into my internal syslog-NG server. I feel this is better than having to create a new firewall rule for each new DMZ node.</p>
<p><br>
</p>
<p>I have a simple syslog-NG config that looks like this:</p>
<p><br>
</p>
<p><span style="font-size:9pt">---------START syslog-ng.conf-----------</span></p>
<p><br>
</p>
<pre style="font-size:9pt">@version:3.5
@include "scl.conf"
@include "/etc/syslog-ng/conf.d/*.conf"

options {
    time-reap(30);
    mark-freq(10);
    keep-hostname(yes);
    chain_hostnames(off);
    flush_lines(0);
    time_reopen(10);
    log_fifo_size(1000);
    use_dns(yes);
    use_fqdn(no);
    create_dirs(no);
};

# Listeners on the DMZ relay: legacy (RFC 3164) on 514/udp and 514/tcp,
# RFC 5424 via the syslog() driver on 1514/tcp.
source s_relay {
    udp(ip(0.0.0.0) port(514) so_rcvbuf(425984));
    tcp(ip(0.0.0.0) port(514) max-connections(250) so_rcvbuf(425984) log_iw_size(25000) so_keepalive(yes) log_fetch_limit(100));
    syslog(ip(0.0.0.0) transport("tcp") port(1514) max-connections(500) log_iw_size(25000) flags("threaded") log_fetch_limit(100));
};

# Forward everything to the internal server; the syslog() driver emits
# RFC 5424 messages with octet-counted framing.
destination d_syslog_tcp { syslog("10.5.5.10" transport("tcp") port(514)); };

log { source(s_relay); destination(d_syslog_tcp); };
</pre>
<p><span style="font-size:9pt">----------END syslog-ng.conf-------------</span></p>
<p><br>
</p>
<p>The problem that I am experiencing is that my messages, once received by my internal syslog-NG server, look like the following:</p>
<p><br>
</p>
<pre style="font-size:9pt">Apr 26 17:31:06 <span style="color:rgb(255,0,0)">relay-sng-server</span> 126 &lt;30&gt;1 2017-04-26T17:32:01-04:00 <span style="color:rgb(255,0,0)">relay-client-host-X</span> appserv - - - 606881792 140565409392384  INFO: @2 SessionExchange::ProcessTCPRead
Apr 26 17:31:06 <span style="color:rgb(255,0,0)">relay-sng-server</span> 124 &lt;30&gt;1 2017-04-26T17:32:01-04:00 <span style="color:rgb(255,0,0)">relay-client-host-X</span> appserv - - - 606881792 140565409392384 DEBUG: OpenSSLHandler::PerformHandshake
</pre>
<div><br>
</div>
<div><br>
</div>
<div>I am hoping not to muck around too much with my config for my internal syslog-NG servers, and want the messages above to appear as coming from
<span>relay-client-host-X</span> and NOT <span>relay-sng-server.</span></div>
<div><span><br>
</span></div>
<div><span>It could potentially be nice to know that the message was first received by
<span>relay-sng-server</span>, but...</span></div>
<div><span><br>
</span></div>
<div><span>I was considering opening another TCP port on my internal syslog servers, and using that to send from DMZ, then a rewrite, but that all seems far more complicated than necessary.  Am I missing something on my syslog-NG conf?</span></div>
<div><span><br>
</span></div>
<div><span>Any suggestions greatly appreciated!</span></div>
<div><span><br>
</span></div>
<div><span>Thanks all in advance,</span><br>
</div>
<div id="m_977665401801609537Signature"><br>
</div>
<div>-Vadim </div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
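<p>Added example (not from the thread and not syslog-ng's own code) illustrating the mismatch Balázs describes: the same TCP frame parsed the way a tcp() source (legacy RFC 3164) and a syslog() source (RFC 5424 with octet-counted framing) would read it, and the HOST each one ends up with. The sample message, the peer name and the simplified regexes are constructed for illustration; the fallback to the sending peer's name when no header parses is what produces the "relay-sng-server 126 &lt;30&gt;1 ..." lines quoted above.</p>

```python
"""Added example: parse one TCP frame as tcp() (RFC 3164) and as syslog()
(RFC 5424, octet-counted) would, and compare the HOST field. Regexes are
simplified illustrations, not syslog-ng's parsers."""
import re

# Constructed sample: the RFC 5424 message the DMZ relay's syslog() destination
# emits; on the wire it is framed as "<octet count> <message>" (RFC 6587).
RFC5424_MSG = ("<30>1 2017-04-26T17:32:01-04:00 relay-client-host-X appserv - - - "
               "606881792 140565409392384  INFO: @2 SessionExchange::ProcessTCPRead")
FRAME = f"{len(RFC5424_MSG.encode())} {RFC5424_MSG}"
RELAY = "relay-sng-server"   # the TCP peer the internal server actually sees

RFC3164_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
# PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424_RE = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*\])(?: (.*))?$", re.S)

def parse_rfc3164(line, peer_host):
    """Legacy parse as a tcp() source does: without a '<PRI>Mmm dd hh:mm:ss HOST'
    header the whole line stays in MSG and HOST falls back to the sending peer."""
    m = RFC3164_RE.match(line)
    if not m:
        return {"host": peer_host, "msg": line}
    return {"pri": int(m.group(1)), "timestamp": m.group(2),
            "host": m.group(3), "msg": m.group(4)}

def parse_rfc5424_frame(frame, peer_host):
    """Parse as a syslog() source does: check the octet count, then the header."""
    count, _, rest = frame.partition(" ")
    if not count.isdigit() or len(rest.encode()) != int(count):
        raise ValueError("malformed octet-count frame")
    m = RFC5424_RE.match(rest)
    if not m:
        return {"host": peer_host, "msg": rest}
    return {"pri": int(m.group(1)), "timestamp": m.group(2), "host": m.group(3),
            "app": m.group(4), "msg": m.group(8) or ""}

def as_logged(parsed, received="Apr 26 17:31:06"):
    """What a plain file() destination writes: receive time, HOST, MSG."""
    return f"{received} {parsed['host']} {parsed['msg']}"

if __name__ == "__main__":
    print("tcp() source:   ", as_logged(parse_rfc3164(FRAME, RELAY)))
    print("syslog() source:", as_logged(parse_rfc5424_frame(FRAME, RELAY)))
```

Running it prints the relay's name and the raw frame as MSG for the tcp() parse, and the original client host with a clean MSG for the syslog() parse, which is why the host field in the SIEM only identifies the client when both ends speak the same framing.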
</body>
</html>