<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Hello Armando!<br>
<br>
Keep-hostname should work, the only thing that comes to my mind is that hostname is not found in the log message.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Maybe it is not entirely rfc5424 or rfc3164 compliant.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Both syslog-parser() and syslog() source fallbacks to parse the message as rfc3164 if rfc5424 fails. </div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
As most of the fields are optional in rfc3164, some fields will not have a value. In the case of HOST, the default value is syslog-ng's ip address it listens.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
You can check the parsing process with the -t (trace) option of syslog-ng.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
here is an example with keep-hostnames(yes) option if I sent the "some message" line into syslog-ng:</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<span>[2019-07-23T14:19:38.891117] Initial message parsing follows;<br>
</span>
<div>[2019-07-23T14:19:38.891188] Setting value; name='PROGRAM', value='some', msg='0x7ff940002c60'<br>
</div>
<div>[2019-07-23T14:19:38.891226] Setting value; name='LEGACY_MSGHDR', value='some ', msg='0x7ff940002c60'<br>
</div>
<div>[2019-07-23T14:19:38.891249] Setting value; name='MESSAGE', value='message', msg='0x7ff940002c60'<br>
</div>
<div>[2019-07-23T14:19:38.891327] Setting value; name='HOST_FROM', value='127.0.0.1', msg='0x7ff940002c60'<br>
</div>
<div>[2019-07-23T14:19:38.891348] Setting value; name='HOST', value='127.0.0.1', msg='0x7ff940002c60'<br>
</div>
<span></span><br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
You can see that HOST is set to the localhost ip address as the message did not contain a host field.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Regards,<br>
Gabor</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Armando Martires <amartires@smartechnologies.pt><br>
<b>Sent:</b> Tuesday, July 23, 2019 11:53<br>
<b>To:</b> syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> [syslog-ng] SYSLOG to SNMP TRAP relay server, how can I spoof source address</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.<br>
<br>
<br>
Hello,<br>
<br>
I set up a Syslog-ng relay server to relay syslog messages as SNMP traps.<br>
The relay is working sending a SNMP TRAP whenever a SYSLOG message is<br>
received,<br>
but the source seems to be the syslog-ng server and not the client host<br>
that originated the syslog message.<br>
<br>
This is my config:<br>
<br>
options {<br>
time_reopen (10);<br>
log_fifo_size (1000);<br>
chain_hostnames (off);<br>
use_dns (no);<br>
use_fqdn (no);<br>
create_dirs (no);<br>
keep_hostname (yes);<br>
chain_hostnames (no);<br>
};<br>
<br>
source s_labs_itsm {<br>
syslog(ip("192.168.50.20") transport("udp"));<br>
};<br>
<br>
destination d_local {<br>
file("/var/log/messages_${HOST}");<br>
};<br>
<br>
destination d_ss {<br>
snmp(<br>
host("192.168.50.10")<br>
version("v2c")<br>
community("public")<br>
trap-obj('.1.3.6.1.6.3.1.1.4.1.0', 'Objectid',<br>
'.1.3.6.1.4.1.18372.3.1.1.1.2.1')<br>
snmp-obj('.1.3.6.1.4.1.18372.3.1.1.1.1.1.0', 'Octetstring',<br>
'${MESSAGE}')<br>
snmp-obj('.1.3.6.1.4.1.18372.3.1.1.1.1.2.0', 'Octetstring',<br>
'admin')<br>
snmp-obj('.1.3.6.1.4.1.18372.3.1.1.1.1.3.0', 'Ipaddress',<br>
'${HOST}')<br>
);<br>
};<br>
<br>
log {<br>
source(s_labs_itsm); destination(d_local); destination(d_ss);<br>
};<br>
<br>
<br>
Can anyone help me out understanding what I'm doing wrong?<br>
Thanks!<br>
--<br>
Armando Mártires<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7Cea508b380949407b96ed08d70f53d905%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C636994725150165501&sdata=NyoZ8t6Z0IMcmlOjmhZsCkq0lwcdTciCoRz3ZsLT9J0%3D&reserved=0">
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.balabit.hu%2Fmailman%2Flistinfo%2Fsyslog-ng&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7Cea508b380949407b96ed08d70f53d905%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C636994725150165501&sdata=NyoZ8t6Z0IMcmlOjmhZsCkq0lwcdTciCoRz3ZsLT9J0%3D&reserved=0</a><br>
Documentation: <a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7Cea508b380949407b96ed08d70f53d905%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C636994725150165501&sdata=SNOV0oH4JQCDsyyTh0QbszIpvqzRC2B3KhFfYUnkjjc%3D&reserved=0">
https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fsupport%2Fdocumentation%2F%3Fproduct%3Dsyslog-ng&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7Cea508b380949407b96ed08d70f53d905%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C636994725150165501&sdata=SNOV0oH4JQCDsyyTh0QbszIpvqzRC2B3KhFfYUnkjjc%3D&reserved=0</a><br>
FAQ: <a href="https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7Cea508b380949407b96ed08d70f53d905%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C636994725150165501&sdata=yFFYF2ENZOULTZ%2FOECw4AKzUUnJKgZbu8ALnA3Y3Vgg%3D&reserved=0">
https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.balabit.com%2Fwiki%2Fsyslog-ng-faq&data=02%7C01%7Cgabor.nagy%40oneidentity.com%7Cea508b380949407b96ed08d70f53d905%7C91c369b51c9e439c989c1867ec606603%7C0%7C1%7C636994725150165501&sdata=yFFYF2ENZOULTZ%2FOECw4AKzUUnJKgZbu8ALnA3Y3Vgg%3D&reserved=0</a><br>
<br>
</div>
</span></font></div>
</body>
</html>