<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body><div>Just to verify, try a tcpdump of the traffic going through the relay to see what syslog-ng is receiving. </div><div><br></div><div>Jim</div><div><br></div><div id="composer_signature"><div style="font-size:85%;color:#575757" dir="auto">Sent from my Verizon, Samsung Galaxy smartphone</div></div><div><br></div><div style="font-size:100%;color:#000000"><!-- originalMessage --><div>-------- Original message --------</div><div>From: Scot &lt;scotrn@gmail.com&gt; </div><div>Date: 2/5/18 3:21 PM (GMT-05:00) </div><div>To: Syslog-ng users' and developers' mailing list &lt;syslog-ng@lists.balabit.hu&gt; </div><div>Subject: [syslog-ng] Rsyslog relay or syslog-ng ? </div><div><br></div></div><div dir="ltr"><div>Hi, <br></div><div> </div><div> Hoping someone has seen an easy fix for this. Sorry if it's specifically referenced somewhere I'm not seeing. </div><div><br></div><div>Dealing with a vendor who is not able to leverage the RFC headers or TCP input. </div><div><div>We have rsyslog relays in remote sites sending TCP/514 to syslog-ng and others locally sending directly to syslog-ng TCP/UDP 514. </div><div><br></div>The devices sending directly to syslog-ng are reporting to the IDS correctly. 
Hosts relaying through rsyslog are showing a source address of the relay.<br></div><div><i><br></i></div><div><b style="">/etc/rsyslog.d/forward.conf<br></b></div><div><div><i>$ActionQueueFileName fwdRule1 # unique name prefix for spool files</i></div><div><i>$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)</i></div><div><i>$ActionQueueSaveOnShutdown on # save messages to disk on shutdown</i></div><div><i>$ActionQueueType LinkedList # run asynchronously</i></div><div><i>$ActionResumeRetryCount -1 # infinite retries if host is down</i></div></div><div><div><i># remote host is: name/ip:port, e.g. <a href="http://192.168.0.1:514">192.168.0.1:514</a>, port optional</i></div><div><i>*.* @@syslog-ngIP:514</i></div></div><div><br></div><div><br></div><div><br></div><div><b>/etc/syslog-ng/conf.d<br></b></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><i>source s_net_tcp {tcp(ip(0.0.0.0) port(514) max-connections(300) keep_hostname(yes) so_rcvbuf(262142) log_iw_size(25000)); };</i></div></div><div><div><i>source s_net_udp {syslog(ip(0.0.0.0) keep_hostname(yes) port(514) transport("udp") flags(no-hostname) so_rcvbuf(262142));};</i></div></div><div><b><i><br></i></b></div><div><b><i>destination d_ids {network("IDSHOSTNAME" spoof_source(yes) transport(udp) port(514) flags(syslog-protocol)); };</i></b></div><div><div><i><br></i></div></div><div><div><i>log { source(s_net_udp);</i></div></div><div><div><i> channel {filter(f_ids); destination (d_ids);};</i></div></div><div><div><i> channel {parser(pattern_db); destination (d_es);};</i></div></div><div><div><i>};</i></div></div><div><div><i><br></i></div></div><div><div><i>log { source(s_net_tcp);</i></div></div><div><div><i> channel {filter(f_ids); destination (d_ids);};</i></div></div><div><div><i> channel {parser(pattern_db); destination (d_es);};</i></div></div><div><div><i>};</i></div></div><div><i><br></i></div></blockquote><div> 
<br></div><div><br></div><div><br></div><div><br></div><div><br></div></div>
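Jim's tcpdump suggestion turned into a check over what the capture shows: an added example, not code from the thread, from rsyslog or from syslog-ng. It assumes RFC 3164 headers as rsyslog emits them by default, a constructed capture and a constructed relay address 10.0.0.5; classify() and audit() are hypothetical helper names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG  (hostname may be an IP)
RFC3164_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>[^\s:]+) "
    r"(?P<rest>.+)$"
)

@dataclass
class Finding:
    sender_ip: str              # address on the wire: what syslog-ng sees as the sender
    header_host: Optional[str]  # HOSTNAME field from the message, None if unparseable
    via_relay: bool             # packet came from a known relay address
    origin_visible: bool        # receiver can still tell which host produced it

def classify(sender_ip: str, line: str, relay_ips: set) -> Finding:
    """A relayed message keeps its origin only if the HOSTNAME field is present
    and names something other than the relay itself."""
    via_relay = sender_ip in relay_ips
    m = RFC3164_HEADER.match(line)
    header_host = m.group("host") if m else None
    if not via_relay:
        origin_visible = True   # direct sender: the wire address is the origin
    else:
        origin_visible = header_host is not None and header_host not in relay_ips
    return Finding(sender_ip, header_host, via_relay, origin_visible)

def audit(capture, relay_ips):
    """Return the Findings for every (sender_ip, line) pair whose origin was lost."""
    return [f for f in (classify(ip, ln, relay_ips) for ip, ln in capture)
            if not f.origin_visible]

# Constructed sample, in the shape `tcpdump -A` would show on the syslog-ng host.
RELAYS = {"10.0.0.5"}            # constructed relay address
CAPTURE = [
    ("10.0.0.5", "<34>Feb  5 15:21:01 web01 sshd[1234]: Accepted publickey for ops"),
    ("10.0.0.5", "<34>Feb  5 15:21:02 10.0.0.5 sshd[1235]: Failed password for root"),
    ("10.0.0.5", "sshd[1236]: message with no syslog header at all"),
    ("10.0.1.9", "<85>Feb  5 15:21:03 fw01 kernel: DROP IN=eth0"),
]

if __name__ == "__main__":
    for f in audit(CAPTURE, RELAYS):
        print(f"origin lost: from={f.sender_ip} hostname={f.header_host!r}")
```

Messages that come back as "origin lost" are the ones where the relay has already replaced or dropped the originating hostname, so no receiver-side option can recover it from the header.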
</body></html>