Thank you, that worked!


Vadim Anatoly Pushkin 

From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Scheidler, Balázs <balazs.scheidler@balabit.com>
Sent: Thursday, April 27, 2017 12:25:59 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Relay Server Config Help
 
Your DMZ syslog relay is using the "new" RFC 5424 format, whereas your internal one tries to parse it as RFC 3164.

You should probably use the tcp() driver and not syslog().

On Apr 26, 2017 23:44, "wiskbroom@hotmail.com" <wiskbroom@hotmail.com> wrote:

Hello;

I am running syslog-ng on a server inside a DMZ, and on that server I'd like to just forward all messages to my internal syslog-ng server. I feel this is better than having to create a new firewall rule for each new DMZ node.

I have a simple syslog-ng config that looks like this:


---------START syslog-ng.conf-----------

@version:3.5
@include "scl.conf"
@include "/etc/syslog-ng/conf.d/*.conf"

options {
    time-reap(30);
    mark-freq(10);
    keep-hostname(yes);        # keep the hostname field as written by the sender
    chain_hostnames(off);      # do not prepend relay hostnames to $HOST
    flush_lines(0);
    time_reopen(10);
    log_fifo_size(1000);
    use_dns(yes);
    use_fqdn(no);
    create_dirs(no);
};

# Sources on the DMZ relay: legacy BSD syslog (RFC 3164) on 514/udp and
# 514/tcp, IETF syslog (RFC 5424, octet-counted) on 1514/tcp.
source s_relay {
    udp(ip(0.0.0.0) port(514) so_rcvbuf(425984));
    tcp(ip(0.0.0.0) port(514) max-connections(250) so_rcvbuf(425984) log_iw_size(25000) so_keepalive(yes) log_fetch_limit(100));
    syslog(ip(0.0.0.0) transport("tcp") port(1514) max-connections(500) log_iw_size(25000) flags("threaded") log_fetch_limit(100));
};

# Forward everything to the internal server. syslog() emits RFC 5424 with
# octet-count framing, so the receiving side has to read it with a syslog()
# source as well.
destination d_syslog_tcp { syslog("10.5.5.10" transport("tcp") port(514)); };

log { source(s_relay); destination(d_syslog_tcp); };

----------END syslog-ng.conf-------------


The problem that I am experiencing is that my messages, once received by my internal syslog-ng server, look like the following:

Apr 26 17:31:06 relay-sng-server 126 <30>1 2017-04-26T17:32:01-04:00 relay-client-host-X appserv - - - 606881792 140565409392384  INFO: @2 SessionExchange::ProcessTCPRead

Apr 26 17:31:06 relay-sng-server 124 <30>1 2017-04-26T17:32:01-04:00 relay-client-host-X appserv - - - 606881792 140565409392384 DEBUG: OpenSSLHandler::PerformHandshake

I am hoping not to muck around too much with the config of my internal syslog-ng servers, and I want the messages above to appear as coming from relay-client-host-X and NOT relay-sng-server.

It could potentially be nice to know that the message was first received by relay-sng-server, but...

I was considering opening another TCP port on my internal syslog servers, using that to send from the DMZ, and then a rewrite, but that all seems far more complicated than necessary.  Am I missing something in my syslog-ng conf?

Any suggestions greatly appreciated!

Thanks all in advance,

-Vadim

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
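As an added illustration of the mismatch Balázs describes (example code written for this page, not part of the thread or of syslog-ng itself): the script below builds the byte stream a syslog() destination puts on a TCP connection, RFC 6587 octet-counted RFC 5424 frames, and runs it through two small parsers, one behaving like a syslog() source and one like a tcp() source. The two messages are constructed to mirror the lines quoted in the original question; the assumption that each frame's counted bytes end in a newline is made so that the legacy parser can split the same stream into lines, and the peer name relay-sng-server stands in for what use_dns(yes) would resolve the relay's address to.

```python
"""
Why a syslog() destination feeding a tcp() source loses the origin host.

Constructed example (not syslog-ng code): the bytes a DMZ relay's syslog()
driver would put on the wire, parsed (a) as RFC 6587 octet-counted RFC 5424,
the way a syslog() source does, and (b) as newline-delimited legacy BSD
syslog (RFC 3164), the way a tcp() source does.
"""
import re

# Constructed messages modelled on the two lines quoted in the thread.
MSG1 = ("<30>1 2017-04-26T17:32:01-04:00 relay-client-host-X appserv - - - "
        "606881792 140565409392384  INFO: @2 SessionExchange::ProcessTCPRead")
MSG2 = ("<30>1 2017-04-26T17:32:01-04:00 relay-client-host-X appserv - - - "
        "606881792 140565409392384 DEBUG: OpenSSLHandler::PerformHandshake")


def frame(msg: str) -> bytes:
    """RFC 6587 octet counting as syslog-ng's syslog() driver uses over TCP:
    decimal byte length, a space, then exactly that many bytes. The trailing
    newline is counted here (an assumption made for this example so that the
    legacy parser below can split the very same stream)."""
    data = (msg + "\n").encode()
    return b"%d %s" % (len(data), data)


WIRE = frame(MSG1) + frame(MSG2)

RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$")


def parse_octet_counted(buf: bytes) -> list:
    """What a syslog() source (IETF syslog, transport tcp) makes of the stream:
    read the length prefix, take that many bytes, parse them as RFC 5424.
    The HOSTNAME field is the originating client, not the TCP peer."""
    out, pos = [], 0
    while pos < len(buf):
        sp = buf.index(b" ", pos)
        n = int(buf[pos:sp].decode())
        body = buf[sp + 1:sp + 1 + n]
        if len(body) != n:
            raise ValueError("truncated frame at offset %d" % pos)
        pos = sp + 1 + n
        m = RFC5424.match(body.decode().rstrip("\n"))
        if m is None:
            raise ValueError("frame is not RFC 5424: %r" % body[:40])
        out.append({"pri": int(m["pri"]), "host": m["host"],
                    "app": m["app"], "msg": m["msg"] or ""})
    return out


RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")


def parse_legacy_lines(buf: bytes, peer: str) -> list:
    """What a tcp() source (legacy BSD syslog) makes of the same bytes: split
    on newline and look for <PRI>, a BSD timestamp and a hostname. The octet
    count comes first, so nothing matches; the whole line is kept as the
    message and the host is taken from the TCP peer, i.e. the relay (with
    use_dns(yes), its resolved name). That is the symptom in the thread."""
    out = []
    for line in buf.split(b"\n"):
        if not line:
            continue
        text = line.decode()
        m = RFC3164.match(text)
        if m:
            out.append({"pri": int(m["pri"]), "host": m["host"], "msg": m["msg"]})
        else:
            # No parsable header: default priority user.notice (13), peer as host.
            out.append({"pri": 13, "host": peer, "msg": text})
    return out


def origin_hosts(entries: list) -> list:
    """Hostnames a downstream collector or SIEM would attribute the events to."""
    return [e["host"] for e in entries]


if __name__ == "__main__":
    print("syslog() source:", origin_hosts(parse_octet_counted(WIRE)))
    legacy = parse_legacy_lines(WIRE, "relay-sng-server")
    print("tcp() source   :", origin_hosts(legacy))
    for e in legacy:
        print("  stored as: Apr 26 17:31:06", e["host"], e["msg"][:50] + "...")
```

Run it and the syslog() parser attributes both events to relay-client-host-X, while the line-oriented parser attributes them to the relay and keeps the whole frame, count prefix included, as the message body, which is exactly what the internal server stored. Either end can be changed to close the gap: on the relay, `destination d_syslog_tcp { tcp("10.5.5.10" port(514)); };` as Balázs suggests, or keep the syslog() destination and open a matching syslog() source on the internal server. Two caveats a practitioner should keep in mind: with keep-hostname(yes) the stored origin is whatever the sender wrote into its header, so anything that can reach the relay can claim any hostname, and chain-hostnames(yes) is the syslog-ng global option that records the relay hop in $HOST as well, which is the "first received by relay-sng-server" information the original question asks about.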