<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
  Hello,<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
You can use the set rewrite rule:</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
<div><span style="font-family: Consolas, Courier, monospace;">  rewrite { set("$MSG, SOURCEIP=$SOURCEIP" value(MSG)); };</span><br>
</div>
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
You can read more in the documentation:<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<a href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.25/administration-guide/65#TOPIC-1349543" id="LPNoLP947730">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.25/administration-guide/65#TOPIC-1349543</a><br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Br,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
  Antal<br>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Edvinas Kairys <edvinas.email@gmail.com><br>
<b>Sent:</b> Wednesday, April 15, 2020 14:38<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> Re: [syslog-ng] mystique with spoof_address</font>
<div> </div>
</div>
<div>
<br>
<div>
<div dir="ltr">Thanks, yes, this was my first guess. Anyway, due to the amount of (potential) unexpected behavior when using a spoofed address, I dropped this idea.
<div><br>
</div>
<div>I'm trying to make a syslog-ng relay server (for 4-5 different Cisco devices) forward logs to a Logstash server. Somehow I need to save the source IP address of every log and add it to the message when forwarding to the syslog server. Is it possible? Could someone
 show some guidelines? The best way would be to leave the message untouched and just add a field to the syslog message (for example at the end). Thanks</div>
</div>
<br>
<div class="x_gmail_quote">
<div dir="ltr" class="x_gmail_attr">On Thu, Apr 9, 2020 at 11:09 AM Antal Nemes (anemes) <<a href="mailto:Antal.Nemes@oneidentity.com">Antal.Nemes@oneidentity.com</a>> wrote:<br>
</div>
<blockquote class="x_gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
  Hello,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
There is an `rp_filter` kernel feature that might affect you: <a href="https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/" id="x_gmail-m_7356987925205466506LPNoLP833119" target="_blank">
https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/</a></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Or this may be another routing problem, a firewall or SELinux.</div>
<br>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt"> It would be worth checking with tcpdump whether the packet arrives at the next hop.<br>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Br,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
  Antal<br>
</div>
<div id="x_gmail-m_7356987925205466506appendonsend"></div>
<hr style="display:inline-block; width:98%">
<div id="x_gmail-m_7356987925205466506divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>>
 on behalf of Edvinas Kairys <<a href="mailto:edvinas.email@gmail.com" target="_blank">edvinas.email@gmail.com</a>><br>
<b>Sent:</b> Wednesday, April 8, 2020 19:57<br>
<b>To:</b> <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a> <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> [syslog-ng] mystique with spoof_address</font>
<div> </div>
</div>
<div>
<br>
<div>
<div dir="ltr">
<div>  Hello, I installed (yum install) the following version on a CentOS 7 box.
<div><br>
</div>
<div>syslog-ng 3.5.6<br>
Installer-Version: 3.5.6<br>
Revision: <br>
Compile-Date: Dec 30 2015 19:57:24<br>
Available-Modules: affile,afprog,afsocket-notls,afsocket-tls,afsocket,afstomp,afuser,basicfuncs,confgen,cryptofuncs,csvparser,dbparser,linux-kmsg-format,syslogformat,system-source<br>
Enable-Debug: off<br>
Enable-GProf: off<br>
Enable-Memtrace: off<br>
Enable-IPv6: on<br>
Enable-Spoof-Source: on<br>
Enable-TCP-Wrapper: on<br>
Enable-Linux-Caps: on<br>
Enable-Pcre: on<br>
</div>
<div><br>
</div>
<div>My goal is to forward syslog messages 'untouched' but to change the source address to the original one. For that I'm using spoof-address.</div>
<div><br>
</div>
<div>My conf is like this:</div>
<div><br>
</div>
<div>options {<br>
    flush_lines (0);<br>
    time_reopen (10);<br>
    log_fifo_size (1000);<br>
    chain_hostnames (off);<br>
    use_dns (no);<br>
    use_fqdn (no);<br>
    create_dirs (no);<br>
    keep_hostname (no);<br>
    mark-freq (0);<br>
};<br>
</div>
<div>source s_network {<br>
</div>
<div>     udp(ip(0.0.0.0) port(514) flags(no-parse));<br>
<br>
};<br>
</div>
<div>destination d_syslog_tcp { network("10.13.33.125" transport("udp") port(5140) spoof-source(yes)); };<br>
</div>
<div>log { source(s_network); destination(d_syslog_tcp); };<br>
log { source(s_network); filter(f_default); destination(d_mesg); };<br>
# Source additional configuration files (.conf extension only)<br>
@include "/etc/syslog-ng/conf.d/*.conf"<br>
</div>
<div><br>
</div>
<div>The strange thing is that when I enable spoof-source, some packets are not transmitted to the destination. Even tcpdump says they are sent, but I don't see some logs on the destination box.</div>
<div>Could it be something with the spoof_source option? Also, I didn't compile it myself because I saw that the spoof functionality is on in the syslog-ng -V output.</div>
<div><br>
</div>
<div>Any suggestions ?</div>
<div><br>
</div>
<div>Thanks</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div></div>
</div>
</div>
</div>
</div>
</div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">
http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote>
</div>
</div>
</div>
</body>
</html>