<div dir="ltr">Thanks, could you say:<div>Do I need to PARSE the whole syslog? Or can I use this rewrite function without parsing the message, just to add some fields to the end of the raw message?</div><div><br></div><div>Thanks</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 16, 2020 at 8:58 AM Antal Nemes (anemes) <<a href="mailto:Antal.Nemes@oneidentity.com">Antal.Nemes@oneidentity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">




<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
  Hello,<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
You can use the set rewrite rule:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
<div><span style="font-family:Consolas,Courier,monospace">  rewrite { set("$MSG, SOURCEIP=$SOURCEIP" value(MSG)); };</span><br>
</div>
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
You can read more in the documentation:<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<a href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.25/administration-guide/65#TOPIC-1349543" id="gmail-m_2878893851298690119LPNoLP947730" target="_blank">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.25/administration-guide/65#TOPIC-1349543</a><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Br,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
  Antal<br>
</div>
<div id="gmail-m_2878893851298690119appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_2878893851298690119divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>> on behalf of Edvinas Kairys <<a href="mailto:edvinas.email@gmail.com" target="_blank">edvinas.email@gmail.com</a>><br>
<b>Sent:</b> Wednesday, April 15, 2020 14:38<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> Re: [syslog-ng] mystique with spoof_address</font>
<div> </div>
</div>
<div>
<br>
<div>
<div dir="ltr">Thanks, yes, this was my first guess. Anyway, due to too much (potential) unexpected behavior from using a spoofed address, I dropped this idea.
<div><br>
</div>
<div>I'm trying to make a syslog-ng relay server (for 4-5 different Cisco devices) forward logs to a Logstash server. Somehow I need to save the SOURCE IP address of every log and add it to the message when forwarding to the syslog server. Is it possible? Could someone
 show some guidelines? The best way would be to leave the message untouched and just add some field to the syslog message (for example at the end). Thanks</div>
</div>
<br>
<div>
<div dir="ltr">On Thu, Apr 9, 2020 at 11:09 AM Antal Nemes (anemes) <<a href="mailto:Antal.Nemes@oneidentity.com" target="_blank">Antal.Nemes@oneidentity.com</a>> wrote:<br>
</div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
  Hello,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
There is an `rp_filter` kernel feature that might affect you: <a href="https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/" id="gmail-m_2878893851298690119x_gmail-m_7356987925205466506LPNoLP833119" target="_blank">
https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/</a></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Or this may be another routing problem, a firewall, or SELinux.</div>
<br>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt"> It would be worth checking with tcpdump whether the packet arrives at the next hop.<br>
</div>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Br,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
  Antal<br>
</div>
<div id="gmail-m_2878893851298690119x_gmail-m_7356987925205466506appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_2878893851298690119x_gmail-m_7356987925205466506divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>>
 on behalf of Edvinas Kairys <<a href="mailto:edvinas.email@gmail.com" target="_blank">edvinas.email@gmail.com</a>><br>
<b>Sent:</b> Wednesday, April 8, 2020 19:57<br>
<b>To:</b> <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a> <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> [syslog-ng] mystique with spoof_address</font>
<div> </div>
</div>
<div>
<br>
<div>
<div dir="ltr">
<div>  Hello, I installed (yum install) the following version on a CentOS 7 box.
<div><br>
</div>
<div>syslog-ng 3.5.6<br>
Installer-Version: 3.5.6<br>
Revision: <br>
Compile-Date: Dec 30 2015 19:57:24<br>
Available-Modules: affile,afprog,afsocket-notls,afsocket-tls,afsocket,afstomp,afuser,basicfuncs,confgen,cryptofuncs,csvparser,dbparser,linux-kmsg-format,syslogformat,system-source<br>
Enable-Debug: off<br>
Enable-GProf: off<br>
Enable-Memtrace: off<br>
Enable-IPv6: on<br>
Enable-Spoof-Source: on<br>
Enable-TCP-Wrapper: on<br>
Enable-Linux-Caps: on<br>
Enable-Pcre: on<br>
</div>
<div><br>
</div>
<div>My goal is to forward syslog messages 'untouched' but to change the source address to the original one. For that case I'm using spoof-address.</div>
<div><br>
</div>
<div>My conf is like this:</div>
<div><br>
</div>
<div>options {<br>
    flush_lines (0);<br>
    time_reopen (10);<br>
    log_fifo_size (1000);<br>
    chain_hostnames (off);<br>
    use_dns (no);<br>
    use_fqdn (no);<br>
    create_dirs (no);<br>
    keep_hostname (no);<br>
    mark-freq (0);<br>
};<br>
</div>
<div>source s_network {<br>
</div>
<div>     udp(ip(0.0.0.0) port(514) flags(no-parse));<br>
<br>
};<br>
</div>
<div>destination d_syslog_tcp { network("10.13.33.125" transport("udp") port(5140) spoof-source(yes)); };<br>
</div>
<div>log { source(s_network); destination(d_syslog_tcp); };<br>
log { source(s_network); filter(f_default); destination(d_mesg); };<br>
# Source additional configuration files (.conf extension only)<br>
@include "/etc/syslog-ng/conf.d/*.conf"<br>
</div>
<div><br>
</div>
<div>The strange thing is that when I enable spoof-source, some packets are not transmitted to the destination. Even TCPDUMP says they are sent, but I don't see some logs on the destination box.</div>
<div>Could it be something with the spoof_source command? Also, I didn't compile it myself because I saw that the SPOOF functionality is on in the syslog-ng -V output.</div>
<div><br>
</div>
<div>Any suggestions ?</div>
<div><br>
</div>
<div>Thanks</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div></div>
</div>
</div>
</div>
</div>
</div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote>
</div>
</div>
</div>
</div>

<br>
</blockquote></div>
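<div dir="ltr">A complete relay configuration that ties the pieces of this thread together, added here as an illustration; it is not code from the list posts or from the syslog-ng project. It keeps the source unparsed with flags(no-parse), so the whole datagram payload lands in $MSG and no syslog parsing is needed; it appends the sender's address to $MSG with the set() rewrite from Antal's reply; and it sends only $MSG to the collector through a template(), so the relay does not prepend a header of its own in front of the Cisco message. The rewrite name r_add_srcip, the destination name d_logstash and the template string are assumptions; the collector address and port are the ones from the original post.</div>

```conf
@version: 3.5

options {
    use_dns(no);
    keep_hostname(no);
    chain_hostnames(off);
};

# Receive raw lines from the Cisco devices. no-parse stores the entire
# datagram payload in $MSG instead of splitting it into PRI/HOST/PROGRAM.
source s_network {
    udp(ip(0.0.0.0) port(514) flags(no-parse));
};

# Append the real sender as a trailing key=value field. $SOURCEIP is the
# address of the peer that delivered the datagram to this relay, so it is
# available whether or not the message text was parsed.
# (rewrite name is an assumption)
rewrite r_add_srcip {
    set("$MSG SOURCEIP=$SOURCEIP" value("MSG"));
};

# Emit only the augmented message body. Without template() syslog-ng would
# build its own "<PRI>DATE HOST " header in front of the untouched message.
# (destination name and template string are assumptions; address/port are
# from the original post)
destination d_logstash {
    network("10.13.33.125" transport("udp") port(5140)
            template("$MSG\n"));
};

log {
    source(s_network);
    rewrite(r_add_srcip);
    destination(d_logstash);
};
```

<div dir="ltr">The field is appended to data the sending device controls, so the Logstash side should extract it anchored at the end of the line (the last SOURCEIP= token before the newline) rather than the first match anywhere in the message. This approach also avoids the spoof-source path entirely, so no raw-socket privileges are needed on the relay and rp_filter on the next hop no longer matters.</div>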